Text

Technical Specifications Bases, Manual
	ML19078A211
Person / Time
Site:	Susquehanna
Issue date:	03/06/2019
From:	; Susquehanna
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML19078A211 (287)
	v • d • e

J.".IU.L

VUt .&..V..L..J Page 1 of 5 MANUAL HARD COPY DISTRIBUTION DOCUMENT TRANSMITTAL 2019-3755 USER INFORMATION:

GERLACH*ROSEY M EMPL#: 028401 CA#: 0363 Address: NUCSA2 Phone#: 542-3194 TRANSMITTAL INFORMATION:

TO: GERLACH*ROSEY M 03/06/2019 LOCATION: USNRC FROM: NUCLEAR RECORDS DOCUMENT CONTROL CENTER (NUCSA-2)

THE FOLLOWING CHANGES HAVE OCCURRED TO THE HARDCOPY OR ELECTRONIC MANUAL ASSIGNED TO YOU. HARDCOPY USERS MUST ENSURE THE DOCUMENTS PROVIDED MATCH THE INFORMATION ON THIS TRANSMITTAL. WHEN REPLACING THIS MATERIAL IN YOUR HARDCOPY MANUAL, ENSURE THE UPDATE DOCUMENT ID IS THE SAME DOCUMENT ID YOU'RE REMOVING FROM YOUR MANUAL. TOOLS FROM THE HUMAN PERFORMANCE TOOL BAG SHOULD BE UTILIZED TO ELIMINATE THE CHANCE OF

.-~ERRORS.

1rTENTION: "REPLACE" directions do not affect the Table of Contents, Therefore no 1

)C will be issued with the updated material.

TSB2 - TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL REMOVE MANUAL TABLE OF CONTENTS DATE: 02/27/2019 ADD MANUAL TABLE OF CONTENTS DATE: 03/05/2019 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.10.1 ADD: REV: 2 REMOVE : REV: 1

VV1 ~V.J...J Page 2 of 5 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.3.5.1 REMOVE: REV:6 ADD: REV: 7 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.3.5.2 REMOVE: REV:1 ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3. 3. 5. 3 ADD: REV: 0 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.3.6.1 REMOVE: REV:8 ADD: REV: 9 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.3.6.2

'.)D: REV: 6 1<..ti::MOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.3.7.1 REMOVE: REV:3 ADD: REV: 4 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.5.1 ADD: REV: 6 REMOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSB2

\

VUt .£.V.J...J Page 3 of 5 ID: TEXT 3.5.2 ADD: REV: 5 REMOVE: REV:4 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.5.3 REMOVE : REV: 5 ADD: REV: 6 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.6.1.3 REMOVE : REV: 16 ADD: REV: 17 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.6.2.2 REMOVE : REV: 1 ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSB2

) . TEXT 3.6.4.1

)D: REV: 16 REMOVE: REV:15 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.6.4.2 REMOVE: REV:13 ADD: REV: 14 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.6.4.3 REMOVE: REV: 6 ADD: REV: 7

L"J.<A.L.

VVt ~V..1..J Page 4 of 5 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.7.3 REMOVE: REV: 3 ADD: REV: 4 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.7.4 ADD: REV: 2 REMOVE: REV:l CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.8.1 REMOVE: REV:11 ADD: REV: 12 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.8.2 ADD: REV: 1 REMOVE: REV:O 1:~TEGORY: DOCUMENTS TYPE: TSB2 r): TEXT 3.8.5

.ADD: REV: 2 REMOVE: REV:l CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT 3.8.8 REMOVE: REV:l ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSB2 ID: TEXT TOC ADD: REV: 25 REMOVE: REV:24

Page 5. of 5 ANY DISCREPANCIES WITH THE MATERIAL PROVIDED, CONTACT DCS@ X3171 OR X3194 FOR ASSISTANCE. UPDATES FOR HARDCOPY MANUALS WILL BE DISTRIBUTED WITHIN 3 DAYS IN ACCORDANCE WITH DEPARTMENT PROCEDURES. PLEASE MAKE ALL CHANGES AND ACKNOWLEDGE COMPLETE IN YOUR NIMS INBOX UPON COMPLETION OF UPDATES. FOR ELECTRONIC MANUAL USERS, ELECTRONICALLY REVIEW THE APPROPRIATE DOCUMENTS AND ACKNOWLEDGE COMPLETE IN YOUR NIMS INBOX.

')

,,/.'

SSES MANUAL Manual Name: TSB2 Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL Table Of Contents Issue Date: 03/05/2019 Procedure Name Rev Issue Date Change ID Change Number TEXT LOES 138 01/03/2019

Title:

LIST OF EFFECTIVE SECTIONS TEXT TOC 25 03/05/2019

Title:

TABLE OF CONTENTS TEXT 2.1.1 5 01/22/2015

Title:

SAFETY LIMITS (SLS) REACTOR TEXT 2 .1.2 1 10/04/2007 <'--. ~

Title:

SAFETY LIMITS (SLS) REACTOR COOLANT SYSTEM~R~~PRESSURE SL 0\V/

TEXT 3.0 4

~ ,:*~'-))

01/03/2~1~.~'

Title:

LIMITING CONDITION FOR OPERATION _(LCS:d')~BICABILITY TEXT 3.1.1 1 ~~~~

Title:

REACTIVITY CONTROL SYSTEMS""SHNTDOWN>MARGIN (SDM)

TEXT 3 .1.2 ~~8/2002

Title:

REACTIVITY CON((e~---:\~s REACTIVITY ANOMALIES TEXT 3 .1. 3 ~ \:_()) 3 11/16/2016 Ti t1e, REACTIVI(SJJ°1TSYST EMS ~:T/::L/ :o: OPERABILITY TEXT 3.1.4 5 2 6

Title:

REACTIVITY CONTROL SYSTEMS CONTROL ROD SCRAM TIMES

'TEXT 3 .1. 5 2 11/16/2016 *

Title:

REACTIVITY CONTROL SYSTEMS CONTROL ROD SCRAM ACCUMULATORS TEXT 3 .1. 6 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS ROD PATTERN CONTROL Page 1. of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSB2 Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3 .1. 7 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS STANDBY LIQUID CONTROL (SLC) SYSTEM TEXT 3 .1. 8 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS SCRAM DISCHARGE VOLUME (SDV) VENT AND DRAIN VALVES TEXT 3.2.1 5 11/16/2016

Title:

POWER DISTRIBUTION LIMITS AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)

TEXT 3.2.2 4 11/16/2016

Title:

POWER DISTRIBUTION LIMITS MINIMUM CRITICAL POWER RATIO (MCPR)

TEXT 3.2.3 3 11/16/2016

Title:

POWER DISTRIBUTION LIMITS LINEAR HEAT GENERATION RATE LHGR TEXT 3 . 3 . 1. 1 6 11/16/2016

Title:

INSTRUMENTATION REACTOR PROTECTION SYSTEM (RPS) INSTRUMENTATION TEXT 3.3.1.2 4 01/23/2018

Title:

INSTRUMENTATION SOURCE RANGE MONITOR (SRM) INSTRUMENTATION TEXT 3.3.2.1 4 11/16/2016

Title:

INSTRUMENTATION CONTROL ROD BLOCK INSTRUMENTATION TEXT 3.3.2.2 3 11/16/2016

Title:

INSTRUMENTATION FEEDWATER - MAIN TURBINE HIGH WATER LEVEL TRIP INSTRUMENTATION TEXT 3.3.3.1 9 11/16/2016

Title:

INSTRUMENTATION POST ACCIDENT MONITORING (PAM) INSTRUMENTATION TEXT 3.3.3.2 2 11/16/2016

Title:

INSTRUMENTATION REMOTE SHUTDOWN SYSTEM TEXT 3.3.4.1 2 11/16/2016

Title:

INSTRUMENTATION END OF CYCLE RECIRCULATION PUMP TRIP (EOC-RPT) INSTRUMENTATION Page~ of 8 Report Date: 03/06/19

-./

'f' SSES MANUAL Manual Name: TSB2 Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3.3.4.2 1 11/16/2016

Title:

INSTRUMENTATION ANTICIPATED TRANSIENT WITHOUT SCRAM RECIRCULATION PUMP TRIP (ATWS-RPT) INSTRUMENTATION TEXT 3.3.5.1 7 03/05/2019

Title:

INSTRUMENTATION EMERGENCY CORE COOLING SYSTEM (ECCS) INSTRUMENTATION TEXT 3.3.5.2 2 03/05/2019

Title:

REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL INSTRUMENTATION TEXT 3.3.5.3 0 03/05/2019

Title:

INSTRUMENTATION REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM INSTRUMENTATION_

(PREVIOUSLY TEXT 3.3.5.2 REVISION 1)

TEXT 3.3.6.1 9 03/05/2019

Title:

INSTRUMENTATION PRIMARY CONTAINMENT ISOLATION INSTRUMENTATION TEXT 3.3.6.2 6 03/05/2019

Title:

INSTRUMENTATION SECONDARY CONTAINMENT ISOLATION INSTRUMENTATION TEXT 3.3.7.1 4 03/05/2019

Title:

INSTRUMENTATION CONTROL ROOM EMERGENCY OUTSIDE AIR SUPPLY (CREOAS) SYSTEM INSTRUMENTATION TEXT 3.3.8.1 4 11/16/2016

Title:

INSTRUMENTATION LOSS OF POWER (LOP) INSTRUMENTATION TEXT 3.3.8.2 1 11/16/2016

Title:

INSTRUMENTATION REACTOR PROTECTION SYSTEM (RPS) ELECTRIC POWER MONITORING TEXT 3.4.1 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RECIRCULATION LOOPS OPERATING TEXT 3.4.2 4 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) JET PUMPS TEXT 3.4.3 3 01/13/2012

Title:

REACTOR COOLANT SYSTEM (RCS) SAFETY/RELIEF VALVES (S/RVS)

Pagel of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSB2

( Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3.4.4 1 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS OPERATIONAL LEAKAGE TEXT 3.4.5 3 03/10/2010

Title:

REACTOR COOLANT SYSTEM (RCS) RCS PRESSURE ISOLATION VALVE (PIV) LEAKAGE TEXT 3.4.6 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS LEAKAGE DETECTION INSTRUMENTATION TEXT 3.4.7 3 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS SPECIFIC ACTIVITY TEXT 3.4.8 3 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RESIDUAL HEAT REMOVAL (RHR) SHUTDOWN COOLING SYSTEM

- HOT SHUTDOWN TEXT 3.4.9 2 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RESIDUAL HEAT REMOVAL (RHR) SHUTDOWN COOLING SYSTEM

- COLD SHUTDOWN TEXT 3.4.10 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS PRESSURE AND TEMPERATURE (P/T) LIMITS TEXT 3.4.11 1 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) REACTOR STEAM DOME PRESSURE TEXT 3.5.1 6 03/05/2019

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING TEXT 3.5.2 5 03/05/2019

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING TEXT 3.5.3 6 03/05/2019

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING Page .1. of ~ Report Date: 03/06/19

,r' SSES MANUAL Manual Name: TSB2 Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3 . 6 . 1. 1 6 11/16/2016

Title:

PRIMARY CONTAINMENT TEXT 3 . 6 . 1. 2 2 11/16/2016

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT AIR LOCK TEXT 3.6.1.3 17 03/05/2019

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT ISOLATION VALVES (PCIVS)

TEXT 3 . 6 . 1. 4 2 11/16/2016

Title:

CONTAINMENT SYSTEMS CONTAINMENT PRESSURE TEXT 3.6.1.5 2 11/16/2016

Title:

CONTAINMENT SYSTEMS DRYWELL AIR TEMPERATURE TEXT 3 . 6 . 1. 6 1 11/16/2016

Title:

CONTAINMENT SYSTEMS SUPPRESSION CHAMBER-TO-DRYWELL VACUUM BREAKERS TEXT 3.6.2.1 3 11/16/2016

Title:

CONTAINMENT SYSTEMS SUPPRESSION POOL AVERAGE TEMPERATURE TEXT 3.6.2.2 2 03/05/2019

Title:

CONTAINMENT SYSTEMS SUPPRESSION POOL WATER LEVEL TEXT 3.6.2.3 2 11/16/2016

Title:

CONTAINMENT SYSTEMS RESIDUAL HEAT REMOVAL (RHR) SUPPRESSION POOL COOLING TEXT 3.6.2.4 1 11/16/2016

Title:

CONTAINMENT SYSTEMS RESIDUAL HEAT REMOVAL (RHR) SUPPRESSION POOL SPRAY TEXT 3.6.3.1 2 06/13/2006

Title:

CONTAINMENT SYSTEMS INTENTIONALLY LEFT BLANK TEXT 3.6.3.2 3 09/29/2017

Title:

CONTAINMENT SYSTEMS DRYWELL AIR FLOW SYSTEM Page~ of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSB2

(***:"* Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3.6.3.3 3 09/29/2017

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT OXYGEN CONCENTRATION TEXT 3.6.4.1 16 03/05/2019

Title:

CONTAINMENT SYSTEMS SECONDARY CONTAINMENT TEXT 3.6.4.2 14 03/05/2019

Title:

CONTAINMENT SYSTEMS SECONDARY CONTAINMENT ISOLATION VALVES (SCIVS)

TEXT 3.6.4.3 7 03/05/2019

Title:

CONTAINMENT SYSTEMS STANDBY GAS TREATMENT (SGT) SYSTEM TEXT 3.7.1 7 03/01/2017

Title:

PLANT SYSTEMS RESIDUAL HEAT REMOVAL SERVICE WATER (RHRSW) SYSTEM AND THE ULTIMATE HEAT SINK (UHS)

TEXT 3.7.2 3 11/16/2016

Title:

PLANT SYSTEMS EMERGENCY SERVICE WATER (ESW) SYSTEM TEXT 3.7.3 4 03/05/2019

Title:

PLANT SYSTEMS CONTROL ROOM EMERGENCY OUTSIDE AIR SUPPLY (CREOAS) SYSTEM TEXT 3.7.4 2 03/05/2019

Title:

PLANT SYSTEMS CONTROL ROOM FLOOR COOLING SYSTEM TEXT 3.7.5 2 11/16/2016

Title:

PLANT SYSTEMS MAIN CONDENSER OFFGAS TEXT 3.7.6 4 11/16/2016

Title:

PLANT SYSTEMS MAIN TURBINE BYPASS SYSTEM TEXT 3.7.7 2 11/16/2016

Title:

PLANT SYSTEMS SPENT FUEL STORAGE POOL WATER LEVEL TEXT 3.7.8 1 11/16/2016'

Title:

MAINE TURBINE PRESSURE REGULATION SYSTEM

(

Page§. of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSB2 Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3.8.1 12 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS AC SOURCES - OPERATING TEXT 3.8.2 1 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS AC SOURCES - SHUTDOWN TEXT 3.8.3 6 12/14/2017

Title:

ELECTRICAL POWER SYSTEMS DIESEL FUEL OIL LUBE OIL AND STARTING AIR TEXT 3.8.4 4 11/16/2016

Title:

ELECTRICAL POWER SYSTEMS DC SOURCES - OPERATING TEXT 3.8.5 2 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS DC SOURCES - SHUTDOWN TEXT 3.8.6 2 11/16/2016

Title:

ELECTRICAL POWER SYSTEMS BATTERY CELL PARAMETERS TEXT 3.8.7 6 03/01/2017

Title:

ELECTRICAL POWER SYSTEMS DISTRIBUTION SYSTEMS - OPERATING TEXT 3.8.8 2 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS DISTRIBUTION SYSTEMS - SHUTDOWN TEXT 3.9.1 1 11/16/2016

Title:

REFUELING OPERATIONS REFUELING EQUIPMENT INTERLOCKS TEXT 3.9.2 2 11/16/2016

Title:

REFUELING OPERATIONS REFUEL POSITION ONE-ROD-OUT INTERLOCK TEXT 3.9.3 1 11/16/2016

Title:

REFUELING OPERATIONS CONTROL ROD POSITION TEXT 3.9.4 0 11/18/2002

Title:

REFUELING OPERATIONS CONTROL ROD POSITION INDICATION Page 2 of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSB2

( Manual

Title:

TECHNICAL SPECIFICATIONS BASES UNIT 2 MANUAL TEXT 3.9.5 1 11/16/2016

Title:

REFUELING OPERATIONS CONTROL ROD OPERABILITY - REFUELING TEXT 3.9.6 2 11/16/2016

Title:

REFUELING OPERATIONS REACTOR PRESSURE VESSEL (RPV) WATER LEVEL TEXT 3.9.7 1 11/16/2016

Title:

REFUELING OPERATIONS RESIDUAL HEAT REMOVAL (RHR) - HIGH WATER LEVEL TEXT 3.9.8 1 11/16/2016

Title:

REFUELING OPERATIONS RESIDUAL HEAT REMOVAL (RHR) - LOW WATER LEVEL TEXT 3.10.1 2 03/05/2019

Title:

SPECIAL OPERATIONS INSERVICE LEAK AND HYDROSTATIC TESTING OPERATION TEXT 3.10.2 1 il/16/2016

Title:

SPECIAL OPERATIONS REACTOR MODE SWITCH INTERLOCK TESTING TEXT 3.10.3 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD WITHDRAWAL - HOT SHUTDOWN TEXT 3.10.4 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD WITHDRAWAL - COLD SHUTDOWN TEXT 3.10.5 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD DRIVE (CRD) REMOVAL - REFUELING TEXT 3.10.6 1 11/16/2016

Title:

SPECIAL OPERATIONS MULTIPLE CONTROL ROD WITHDRAWAL - REFUELING TEXT 3.10.7 1 03/24/2005

Title:

SPECIAL OPERATIONS CONTROL ROD TESTING - OPERATING TEXT 3.10.8 3 11/16/2016

Title:

SPECIAL OPERATIONS SHUTDOWN MARGIN (SDM) TEST - REFUELING Page~ of 8 Report Date: 03/06/19

TABLE OF CONTENTS (TECHNICAL SPECIFICATIONS BASES) 82.0 SAFETY LIMITS (SLs) ................................................................................... 2.0-1 82.1.1 Reactor Core SLs ............................................................................ 2.0-1 82.1.2 Reactor Coolant System (RCS) Pressure SL .................................. 2.0-6 83.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY .............. 3.0-1 83.1 REACTIVITY CONTROL SYSTEMS ..................................................... 3.1-1 83.1.1 Shutdown Margin (SOM) ................................................................. 3.1-1 83.1.2 Reactivity Anomalies ....................................................................... 3.1-8 83.1.3 Control Rod OPERABILITY ............................................................. 3.1-13 83.1.4 Control Rod Scram Times .................................... / ....... ,................ 3.1-22

---~

83.1.5 Control Rod Scram Accumulators .................... ::: '

<~:::-... \ ............

.. -~ \ J 3.1-29 83.1.6 Rod Pattern Control ...................................... ,-::*:".':: ... \ .... I...!............. 3.1-34 83.1.7 Standby Liquid Control (SLC) System ..... ,./"<./..,...':\._..~-~/. ............. 3.1-39 83.1.8 Scram Discharge Volume (SDV) Vent an'epr~r.i\(a:lyes ................ 3.1-47

' V /

/* "-. /

83.2 POWER DISTRIBUTION LIMITS ........ :.,..:.-.,_. ..... ,.:~:*.. ( ...,. ....................... 3.2-1 83.2.1 Average Pla.nar Linear Heat Generation Rat~.-(APLHGR) ............... 3.2-1 83.2.2 Minimum Critical Power Ratio.{MCPR).':':: ... / .................................. 3.2-5

* \ ' /'. V 83.2.3 Linear Heat Generation ~~te.(!;:l:;!GR),-;.;,.:-........................................ 3.2-1 O 83.3

/

INSTRUMENTATION ....... .!... \ *....\ *..

\ " /

\ .. :".'*.*...*......*.*...............*...*..***..**.* 3.3-1 1

83.3.1.1 Reactor Protectio,IJ*?Yst'erri(RP~ ) lnstrume~tation ......................... 3.3-1 83.3.1.2 Source Range Mor:11tor (SRM)~lnstrumentat,on ................................ 3.3-35

</ ~/ --.........--.....,

./**,' **.... .,*,., /

83.3.2.1 Control Rod'Block,.lnstrumentation .................................................. 3.3-44 83.3.2.2 Feedwate(:,: rvlq}n Turbine High Water Level Trip

lnstn.1mentatibn .......................................................................... 3.3-55 83.3.3.1 Post6cqia~nt Mori1toring (PAM) Instrumentation ............................ 3.3-64 83.3.3.2 R~moteShutqown System .............................................................. 3.3-76 83.3.4.1 .. En9 .of'Qycle'Recirculation Pump Trip (EOC-RPT)

_/ .* *~., *1ristrumentation .......................................................................... 3.3-81 83.3.4.2 , , Anticipated Transient Without Scram Recirculation

/ \ , ',,_,'!;Limp Trip (ATWS-RPT) Instrumentation .................................. 3.3-92 83.3.5.1 :' .:r , .-. Em*ergency Core Cooling System (ECCS)

. \

\ *., Instrumentation .......................................................................... 3.3-101

'". '-....M ~

83.3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control Instrumentation .......................................................................... 3.3-133 83.3.5.3 Reactor Core Isolation Cooling (RCIC) System Instrumentation .......................................................................... 3.3-141 83.3.6.1 Primary Containment Isolation Instrumentation ............................... 3.3-152 83.3.6.2 Secondary Containment Isolation Instrumentation .......................... 3.3-183 83.3.7.1 Control Room Emergency Outside Air Supply (CREOAS)

System Instrumentation ............................................................. 3.3-194 (continued)

SUSQUEHANNA - UNIT 2 TOC-1 Revision 25

TABLE OF CONTENTS (TECHNICAL SPECIFICATIONS BASES) 83.3 INSTRUMENTATION (continued) 83.3.8.1 Loss of Power (LOP) Instrumentation ............................................. 3.3-206 83.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ...............................................,, .................................. 3.3-214 83.4 REACTOR COOLANT SYSiEM (RCS) ................................................ 3.4-1 83.4.1 Recirculation Loops Operating ........................................................ 3.4-1 83.4.2 Jet Pumps ........................................................................................ 3.4-10 83.4.3 Safety/Relief Valves (S/RVs) ........................................................... 3.4-15 83.4.4 RCS Operational LEAKAGE ............................................................ 3.4-19 83.4.5 RCS Pressure Isolation Valve (PIV) Leakage ................................. 3.4-24 83.4.6 RCS Leakage Detection Instrumentation ........................................ 3.4-30 83.4.7 RCS Specific Activity ........................ :.............................................. 3.4-35 83.4.8 Residual Heat Removal (RHR) Shutdown Cooling

. System - Hot Shutdown ............................................................ 3.4-39 83.4.9 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ............................................. .'............ 3.4-44 83.4.10 RCS Pressure and Temperature (PIT) Limits .................................. 3.4-49, 83.4.11 Reactor Steam Dome Pressure ...................................................... 3.4-58 83.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ... :............ 3,.5-1 83.5.1 ECCS - Operating .............................................................,, ............. 3.5-1 B3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control ............ :.. 3.5-17 83.5.3 RCIC System ............................ '. .............................. :....................... 3.5-27 *1 83.6 CONTAINMENT SYSTEMS .................................................................. 3.6-1 83.6.1.1 Primary Containment ....................................................................... 3.6-1 83.6.1.2 Primary Containment Air Lock ......................................................... 3,6-7 83.6.1.3 Primary Containment Isolation Valves (PCIVs) ............................... 3.6-15 83.6.1.4 Containment Pressure ..................................................................... 3.6-40 83.6.1.5 Drywell Air Temperature .................................................................. 3.6-43 83.6.1.6 Suppression Chamber-to-Drywell Vacuum Breakers ...................... 3.6-46 83.6.2.1 Suppression Pool Average Temperature ........................................ 3.6-52 83.6.2.2 Suppression Pool Water Level ........................................................ 3.6-58 83.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling ....................................................................................... 3.6-61 83.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray ................ 3.6-65 83.6.3.1 Not Used ..........................................._... ;.......................................... 3.6-69 83.6.3.2 Drywell Air Flow System .................................................................. 3.6-75 83.6.3.3 Primary Containment Oxygen Concentration .................................. 3.6-80 83.6.4.1 Secondary Containment .................................................................. 3.6-83 83.6.4.2 Secondary Containment Isolation Valves (SC IVs) .......................... 3.6-91 83.6.4.3 Standby Gas Treatment (SGT) System ........................................... 3.6-104 (continued)

SUSQUEHANNA - UNIT 2 TOC-2 Revision 25

TABLE OF CONTENTS (TECHNICAL SPECIFICATIONS BASES) 83.7 PLANT SYSTEMS ................................................................................. 3.7-1 83.7.1 Residual Heat Removal Service Water (RHRSW) System and the Ultimate Heat Sink (UHS) ............................................. 3.7-1 83.7.2

Emergency Service Water (ESW) System ...................................... 3.7-7 83.7.3 Control Room Emergency Outside Air Supply (CREOAS) System .................................................................... 3.7-12 83.7.4 Control Room Floor Cooling System ............................................... 3.7-20 83.7.5 Main Condenser Offgas ................................................................... 3.7-24 83.7.6 Main Turbine Bypass System .......................................................... 3.7-27 83.7.7 Spent Fuel Storage Pool Water Level ............................................. 3.7-31 83.7.8 Main Turbine Pressure Regulation System ..................................... 3.7-34 83.8 ELECTRICAL POWER SYSTEM .......................................................... 3.8-1 83.8.1 AC Sources - Operating .................................................................. 3.8-1 83.8.2 AC Sources - Shutdown ................................................................. 3.8-39 83.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ....................................... 3.8-47 83.8.4 DC Sources - Operating ......................................... , .. :.................... 3.8-56 83.8.5 DC Sources - Shutdown ................................................................. 3.8-70 83.8.6 Battery Cell Parameters .................................................................. 3.8-77 83.8.7 Distribution Systems - Operating .................................................... 3.8-84 83.8.8 Distribution Systems - Shutdown .................................................... 3.8-94 83.9 REFUELING OPERATIONS ................................................................. 3.9-1 83.9.1 Refueling Equipment Interlocks ....................................................... 3.9-1 83.9.2 Refuel Position One-Rod-Out Interlock ........................................... 3.9-5 83.9.3 Control Rod Position ........................................................................ 3.9-9 83.9.4 Control Rod Position Indication ....................................................... 3.9-12 83.9.5 Control Rod OPERABILITY..:.. Refueling .......................................... 3.9-16 83.9.6. Reactor Pressure Vessel (RPV) Water Level. ................................. 3.9-19 83.9.7 Residual Heat Removal (RHR) - High Water Level ........................ 3.9-22 83.9.8 Residual Heat Removal (RHR) - Low Water Level ......................... 3.9-26 83.10 SPECIAL OPERATIONS ....................................................................... 3.10-1 83.10.1 lnservice Leak and Hydrostatic Testing Operation .......................... 3.10-1 83.10.2 Reactor Mode Switch Interlock Testing ........................................... 3.10-6 83.10.3 Single Control Rod Withdrawal - Hot Shutdown ............................. 3.10-11 83.10.4 Single Control Rod Withdrawal-Cold Shutdown ....................... :... 3.10-16 83.10.5 Single Control Rod Drive (CRD) Removal - Refueling .................... 3.10-21 83.10.6 Multiple Control Rod Withdrawal - Refueling .................................. 3.10-26 83.10.7 Control Rod Testing - Operating ..................................................... 3.10-30 83.10.8 SHUTDOWN MARGIN (SOM) Test- Refueling .............................. 3.10-34 SUSQUEHANNA - UNIT 2 TOC-3 Revision 25

Rev. 7 ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1

Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI),

Automatic Depressurization System (ADS), the diesel generators (DGs) and other features described in the DG background. The equipment involved with each of these systems with exception of the DGs and other features, is described in the Bases for LCO 3.5.1, "ECCS-Operating."

Core Spray System The CS System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level Low, Low, Low, Level 1 or Drywell Pressure - High concurrent with Reactor Pressure - Low. Each of these diverse variables is monitored by four redundant instruments. The initiation logic for one CS loop is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1), both level sensors are tripped, or (2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or (3) a combination of one channel of level sensor and one of the other channels of high drywell pressure sensor together with its associated low reactor vessel pressure sensor (i.e., Channel A level sensor and Channel C high drywell pressure sensor and low reactor vessel pressure sensor).

(continued)

SUSQUEHANNA - UNIT 2 3.3-101

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Core Spray System (continued)

(continued)

Once an initiation signal is received by the CS control circuitry, the signal is sealed in until manually reset. The logic can also be initiated by use of a manual push button (one push button per subsystem). Upon receipt of an initiation signal, the CS pumps are started 15 seconds after initiation signal if normal offsite power is available and 10.5 seconds after diesel generator power is available.

The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full sy~tem flow assumed in the accident analyses and maintain primary containment isolated. The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR)

System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level Low, Low, Low, Level 1 or Drywell Pressure - High concurrent with Reactor Pressure - Low. Each of these diverse variables is monitored by four instruments in two divisions.

Each division is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are tripped, or (2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or (3) a combination of one channel of level sensor and one of the other channel of high drywell pressure sensor together with its associated low reactor vessel pressure sensor (i.e., Channel A level sensor and Channel C high drywell and low reactor vessel pressure sensor).

(continued)

SUSQUEHANNA- UNIT 2 3.3-102

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant Injection System (continued)

(continued)

The initiation logic is cross connected between divisions (i.e., either start signal will start all four pumps and open both loop's injection valves).

Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset. The cross division start signals for the pumps affect both the opposite division's start logic and the pump's 4KV breaker start logic. The cross division start signal to the opposite division's start logic is for improved reliability. The cross division start signals to the pump's 4KV breaker start logic is needed to ensure specific control power failures do not prevent the start of an adequate number of LPCI pumps.

Upon receipt of an initiation signal, all LPCI pumps start after a 3 second time delay when normal AC power is lost and standby diesel generator power is available. If normal power is available, LPCI pumps A and B will start immediately and pumps C and D will start 7.0 seconds after initiation signal to limit loading of the offsite sources.

The RHR test line and spray line are also isolated on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and for those valves which are also PCIVs maintain primary containment isolated.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Logic is provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The logic consists of an initiation signal (Low reactor water level and high drywell pressure in a one out of two taken twice logic) from both divisions of LPCI instruments and a pressure permissive.

The pressure variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

(continued)

SUSQUEHANNA - UNIT 2 3.3-103

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND High Pressure Coolant Injection System (continued)

The HPCI System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low, Level 2 or Drywell Pressure-High. Each of these variables is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI System also monitors the water level in the condensate storage tank (CST). HPCI suction is normally maintained on the CST until it transfers to the suppression pool on low CST level or is manually transferred by the operator. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the suppression pool suction valve is open. If the water level in the CST falls to the level switch process setpoint value, an automatic suction transfer is initiated. The suppression pool suction valve receives a signal to open and in parallel, the CST suction valve receives a signal to close to complete the transfer. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valve to open and the CST suction valve to close.

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level-High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve, minimum flow valve, the cooling water isolation valve, and the injection valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level-Low Low, Level 2 signal is subsequently received.

Automatic Depressurization System The ADS may be initiated by either automatic or manual means.

Automatic initiation occurs when signals indicating Reactor Vessel Water Level-Low Low Low, Level 1; Drywell Pressure-High or ADS Drywell Bypass Actuation Timer; confirmed Reactor Vessel Water Level-Low, Level 3; and CS or LPCI Pump Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two instruments each for Reactor Vessel Water Level-Low Low Low, Level 1 and Drywell Pressure-High, and one instrument for confirmed Reactor Vessel Water Level-Low, Level 3 in each of the two ADS trip systems. Each of these instruments drives a relay whose contacts form the initiation logic.

(continued)

SUSQUEHANNA - UNIT 2 3.3-104

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Automatic Depressurization System (continued)

(continued)

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint is chosen to be long enough that the HPCI system has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers. The ADS also monitors the discharge pressures of the four LPCI pumps and the four CS pumps. Each ADS trip system includes two discharge pressure permissive instruments from both CS pumps in the division and from either of the two LPCI pumps in the associated Division (i.e., Division 1 LPCI pumps A or C input to ADS trip system A, and Division 2 LPCI pumps B or D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. With both CS pumps in a division or one of the LPCI pumps operating sufficient flow is available to permit automatic depressurization.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level-Low Low Low, Level 1; Drywell Pressure-High; or Drywell Pressure Bypass Actuation Timer. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level-Low, Level 3. All contacts in both logic strings must close, the ADS initiation timer must time out, and a loop of CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure-High signal, the ADS Drywell Pressure Bypass Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibitf:d when required to be OPERABLE).

(continued)

SUSQUEHANNA - UNIT 2 3.3-105

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Diesel Generators and Other Initiated Features (continued)

The DGs may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low, Level 1 or Drywell Pressure-High. The DGs are also initiated upon loss of voltage signals (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The initiation logic is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are tripped, or (2) both high drywell pressure sensors are tripped, or (3) a combination of one level sensor and one high drywell pressure sensor is tripped.

DGs A and B receive their initiation signal from CS system initiation logic Division I and Division II respectively. DGs C and D receive their initiation signals from either LPCI systems initiation logic Division I or Division II.

The DGs can also be started manually from the control room and locally from the associated DG room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 1O seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.) ..

In addition to DG initiation, the ECCS instrumentation initiates other design features. Signals from the CS System logic initiate (1) the reset of two Emergency Service Water (ESW) timers, (2) the reset of the degraded grid timers for the 4kV buses on both units, (3) LOCA load shed schemes, and (4) the trip of Drywell Cooling equipment. Signals from the LPCI System logic initiate (1) the reset of two Emergency Service Water (ESW) timers, (2) the trip of turbine building chillers, and (3) the trip of reactor building chillers.{) The ESW pump timer reset (continued)

SUSQUEHANNA - UNIT 2 3.3-106

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Diesel Generators and Other Initiated Features (continued)

(continued) feature assures the ESW pumps do not start concurrently with the CS or LPCI pumps. If one _or both ESW pump timer resets in a division or reactor building/turbine building chiller trips are inoperable; two offsite circuits with the 4kV buses aligned to their normal configuration are required to be OPERABLE. If one or both ESW pump timer resets in a division or reactor building/turbine building chiller trips are inoperable; the effects on one offsite circuit have not been analyzed; and therefore, the offsite circuit is assumed not to be capable of accepting the required loads during certain accident events. The ESW pump timer reset is not required in MODES 4 and 5 because concurrent pump starts, on a LOCA signal, of the ESW pumps (initiated by the DG start circuitry) with CS or LPCI pumps cannot occur in these MODES.

APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses of SAFETY ANALYSES, References 1 and 2. The ECCS is initiated to preserve the integrity of the LCO, and fuel cladding by limiting the post LOCA peak cladding temperature to less APPLICABILITY than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. E_ach ECCS subsystem must also respond within its assumed response time.

Table 3.3.5.1-1, footnotes (a) and (b), are added to show that certain ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation and actuation of other Technical Specifications (TS) function.

(continued)

SUSQUEHANNA - UNIT 2 3.3-107

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Allowable Values are specified for each ECCS Function specified in the SAFETY ANALYSES, table. Nominal trip setpoints are specified in the setpoint calculations.

LCO, and The nominal setpoints are selected to ensure that the setpoints do not APPLICABILITY exceed the Allowable Value between CHANNEL CALIBRATIONS.

(continued) Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors.

The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

An exception to the methodology described to derive the Allowable Value is the methodology used to determine the Allowable Values for the ECCS pump start time delays and HPCI CST Level 1 - Low. These Allowable Values are based on system calculations and/or engineering judgement which establishes a conservative limit at which the function should occur.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-108

Rev. 7 EGGS Instrumentation B 3.3.5.1 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY ANALYSES LCO, and 1.a, 2.a. Reactor Vessel Water Level-Low Low Low, Level 1 APPLICABILITY (continued) Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level-Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 2. In addition, the Reactor Vessel Water Level-Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the EGGS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low, Level 1 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to

. activate and provide adequate cooling.

The initiation logic for LPCI pumps and injection valves is cross connected such that either division's start signal will start all four pumps and open both loop's injection valves. This cross division logic is required in MODES 1, 2, and 3.

DGs C and D which are initiated from the LPCI LOCA initiation are cross connected such that both DGs receive an initiation signal from both Divisions of the LPCI LOCA initiation circuitry. This cross connected logic is only required in MODES 1, 2, and 3.

Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are only required to be.OPERABLE when the ECCS or DG(s) are required to be OPERABLE to ensure that no single instrument failure can preclude EGGS and DG initiation.

(continued)

SUSQUEHANNA - UNIT 2 3.3-109

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.b. 2.b. Drywell Pressure-High SAFETY ANALYSES,

LCO, and High pressure in the drywell could indicate a break in the reactor coolant APPLICABILITY pressure boundary (RCPB). The low pressure ECCS (provided a (continued) concurrent low reactor pressure signal is present) and associated DGs, without a concurrent low reactor pressure signal, are initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High Function, along with the Reactor Water Level-Low Low Low, Level 1 Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initi_ated from four pressure instruments

that sense drywell pressure. The Allowable Value was selected to be as low as practical and be indicative of a LOCA inside primary containment.

The Drywell Pressure-High Function'is required to be OPERABLE when.

the ECCS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure-High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation. In MODES 4 and 5, the Drywell Pressure-High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure-High setpoint. Refer to LCO 3 ..5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.

1.c. 1.d, 2.c. 2.d Reactor Steam Dome Pressure-Low Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. The low reactor pressure permissive is provided to prevent a high drywell pressure condition which is not accompanied by low reactor pressure, i.e. a false LOCA signal, from disabling two RHR pumps on the other unit. The low reactor steam dome pressure permissive also ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design (continued)

SUSQUEHANNA - UNIT 2 3.3-110

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.c, 1.d, 2.c, 2.d Reactor Steam Dome Pressure-Low (continued)

SAFETY ANALYSES, LCO, and pressure. The Reactor Steam Dome Pressure-Low is one of the APPLICABILITY Functions assumed to be OPERABLE and capable of permitting initiation (continued) of the ECCS during the transients analyzed in Reference 2. In addition, the Reactor Steam Dome Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure-Low signals are initiated from four pressure instruments that sense the reactor dome pressure.

The pressure instruments are set to actuate between the Upper and Lower Allowable Values on decreasing reactor dome pressure.

The Upper Allowable Value is low enough to ensure that the reactor dome pressure has fallen to a value below the Core Spray and RHR/LPCI maximum design pressures to preclude overpressurization.

The Lower Allowable Value is high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

DGs C and D which are initiated from the LPCI LOCA initiation are cross connected such that both DGs receive an initiation signal from both Divisions of the LPCI LOCA initiation circuitry. This cross connected logic is only required in MODES 1, 2, and 3. In MODES 4 and 5, redundancy in the DG initiation circuitry is not required. Therefore, in MODES 4 and 5 for DGs C and D only one division of ECCS initiation logic is required.

Four channels of Reactor Steam Dome Pressure-Low Function are required to be OPERABLE only when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.

(continued)

SUSQUEHANNA - UNIT 2 3.3-111

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.e, 2.f. Manual Initiation SAFETY ANALYSES, LCO, and The Manual Initiation push button channels introduce signals into the .

APPLICABILITY appropriate ECCS logic to provide manual initiation capability and are (continued) redundant to the automatic protective instrumentation. There is one push button for each of the CS and LPCI subsystems (i.e., two for CS and two for LPCI).

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

E:ach channel of the Manual Initiation Function (one channel per subsystem) is required to be OPERABLE only when the associated ECCS is required to be OPERABLE.

2.e. Reactor Steam Dome Pressur~Low (Recirculation Discharge Valve Permissive)

Low reactor steam dome pressure signals are used as permissives for recirculation discharge and bypass valves closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Steam Dome Pressur~Low is one of the Functions assumed to be OPERABLE and capable of closing the valves during the transients analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure--:Low !=unction is directly assumed in the analysis of the recirculation line break (Ref. 1).

The Reactor Steam Dome Pressur~Low signals are initiated from four pressure instruments that sense the reactor dome pressure.

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-112

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.e. Reactor Steam Dome Pressure-Low (Recirculation SAFETY ANALYSES, Discharge Valve Permissive) (continued)

LCO, and APPLICABILITY Four channels of the Reactor Steam Dome Pressure-Low Function are (continued) only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

HPCI System 3.a Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level-Low Low, Level 2 is one of the Functions assumed to be OPERABLE analyzed in Reference 2. Additionally, the Reactor Vessel Water Level-Low Low, Level 2 Function associated with HPCI is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The HPCI Reactor Vessel Water Level-Low Low, Level 2 Allowable Value is chosen to be consistent with the Reactor Core Isolation Cooling (RCIC) System Reactor Vessel Water Level - Low Low, Level 2 Allowable value.

Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation . .Refer to LCO 3.5.1 for HPCI Applicability Bases.

(continued)

SUSQUEHANNA - UNIT 2 3.3-113

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.b. Drywell Pressure-High SAFETY ANALYSES, LCO, and High pressure in the drywell could indicate a break in the RCPB. The *

. APPLICABILITY HPCI .System is initiated upon receipt of the Drywell Pressure-High (continued) Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High Function, along with the Reactor Water Level-Low Low, Level 2 Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiatio*n. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level-High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the r~actor vessel such that there is no danger to the fuel.

Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level-High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

Reactor Vessel Water Level-High, Level 8 signals for HPCI are initiated from two level instruments. Both Level 8 signals are required in order to trip HPCI. This ensures that no single instrument failure can preclude an HPCI initiation or trip. The Reactor Vessel Water Level-High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Twq channels of Reactor Vessel Water Level-High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

(continued)

SUSQUEHANNA - UNIT 2 3.3-114

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.d. Condensate Storage Tank Level-Low SAFETY ANALYSES, LCO, and The Condensate Storage Tank-Low signal indicates that a conservatively APPLICABILITY calculated NPSH-available limit is being approached.

(continued)

Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the CST falls to the level switch process setpoint value, an automatic suction transfer is initiated. The suppression pool suction valve receives a signal to open and in parallel, the CST suction valve receives a signal to close to complete the transfer. The HPCI suction transfer must be initiated prior to CST level dropping below the technical specification allowable value to ensure that an adequate suctio_n head for the pump and an uninterrupted supply of makeup water is available to the HPCI pump. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level-Low signals are initiated from two level instruments.

The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level-Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of the Condensate Storage Tank Level-Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Manual Initiation The Manual Initiation push button channel introduces signals into the HPCI logic to provide manual initiation capability and is redundant to the automatic protective instrumentation. There is one push button for the HPCI System.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the HPCI function as required by the NRC in the plant licensing basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-115

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.e. Manual Initiation (continued)

SAFETY ANALYSES, LCO, and There is no Allowable Value for this Function since the channel is APPLICABILITY mechanically actuated based solely on the position of the push button.

(continued) One channel of the Manual Initiation Function is required to be OPERABLE only when the HPCI System is required to be OPERABLE.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

Automatic Depressurization System 4.a, 5.a. Reactor Vessel Water Level-Low Low Low, Level 1 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level-Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 1. The core.cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low, Level 1 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip $ystem A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

(continued)

SUSQUEHANNA - UNIT 2 3.3-116

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.b, 5.b Drywell Pressure - High SAFETY ANALYSES, LCO, and High pressure in the drywell could indicate a break in the RCPB.

APPLICABILITY Therefore, ADS receives one of the signals necessary for initiation from (continued) this Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure-High signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

Four channels of Drywell Pressure-High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 5.c. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently.

The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1 that require ECCS initiation and assume failure of the HPCI System.

(continued)

SUSQUEHANNA - UNIT 2 3.3-117

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.c, 5.c. Automatic Depressurization System Initiation Timer, SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY There are two Automatic Depressurization System Initiation Timer relays, (continued) one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required-to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d, 5.d. Reactor Vessel Water Level-Low, Level 3 The Reactor Vessel Water Level-Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level-Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

Reactor Vessel Water Level-Low, Level 3 signals are initiated from two level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level-Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function.

Two channels of Reactor Vessel Water Levell-Low, Level 3 Function are required to be OPERABLE only when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

(continued)

SUSQUEHANNA- UNIT 2 3.3-118

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.e, 4.f, 5.e, 5.f. Core Spray and Low Pressure Coolant Injection Pump SAFETY ANALYSES, Discharge Pressure - High LCO, and APPLICABILITY The Pump Discharge Pressure-High signals from the CS and LPCI Q

(continued) pumps are used as permissives for ADS initiation, indicating that there is a source of low pre~sure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure-High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 1 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions.

This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure instruments, two on the discharge side of each of the four LPCI pumps and one on the discharge of each of CS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one LPCI pump or one CS subsystem indicate the high discharge pressure condition. The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pumps A and C and four LPCI channels associated with LPCI pumps A and C are required for trip system A Two CS channels associated with CS pumps B and D and four LPCI channels associated with LPCI pumps B and D are required for trip system B.

Refer to LCO 3.5.1 for ADS Applicability Bases.

(continued)

SUSQUEHANNA - UNIT 2 3.3-119

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.g. 5.g. Automatic Depressurization System Drywell Pressure Bypass SAFETY ANALYSES, Actuation Timer LCO, and APPLICABILITY One of the signals required for ADS initiation is Drywell Pressure-High.

(continued) However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer is used to bypass the Drywell Pressure-High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer Function is not assumed in any accident analysis. The instrumentation is retained in the TS because ADS is part of the primary success path for mitigation of a OBA.

There are four Automatic Depressurization System Drywell Pressure Bypass Actuation Timer relays, two in each of the two ADS trip systems.

The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS sub~ystems to provide adequate core cooling.

Four channels of the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer Function are required to be OPERABLE only when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.h. 5.h. Manual Initiation The Manual Initiation push button channels introduce signals into the ADS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There are two push buttons for each ADS trip system for a total of four.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the ADS functions as required by the NRC in the plant licensing basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-120

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.h. 5.h. Manual Initiation (continued)

SAFETY ANALYSES, LCO, and There is no Allowable Value for this Function since the channels are APPLICABILITY mechanically actuated based solely on the position of the push buttons.

(continued) Four channels of the Manual Initiation Function (two channels per trip system) are only required to be OPERABLE when the ADS is required to be OPERABLE. Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure; with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

8.1, 8.2, and 8.3 Required Actions B.1 and 8.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 1.c, 2.a, 2.b, and 2.c (e.g., low pressure ECCS). The Required Action 8.2 system would be HPCI. For Required Action 8.1, redundant automatic initiation capability is lost if (a) one Function 1.a, 1.b, 1.c, 2.a, or 2.b is inoperable and untripped with only one offsite source OPERABLE, or (b) one or more Function 1.a or Function 2.a channels in both divisions are inoperable and untripped, or (c) one or more Function 1.b or Function 2.b channels in both divisions are inoperable and untripped, or (d) one or more Function 1.c or Function 2.c channels in both divisions are inoperable and untripped.

(continued)

SUSQUEHANNA - UNIT 2 3.3-121

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS 8.1, 8.2, and 8.3 (continued)

(continued)

For (a) above (Function 1.a, 1.b, 1.c, 2.a, or 2.b is inoperable and untripped with only one offsite source OPERABLE), the ESW pump timer resets may not receive a reset signal and the Reactor Building chillers, Turbine Building chillers and the Drywell cooling equipment may not receive a trip signal. Without the reset of the ESW pump timers and without the trip of the Reactor Building and Turbine Building chillers, the OPERABLE offsite circuit may not be capable of accepting starts of the ESW pumps concurrently with CS or LPCI pumps. For this situation, both the OPERABLE offsite circuit and the DG, that would not be capable of starting, should be declared inoperable. ACTIONS required by LCO 3.8.1 "AC Sources Operating" or LCO 3'.8.2 "AC Sources Shutdown" should be taken or disable the affected reactor building/turbine building chillers and disable the affected ESW pumps automatic initiation capability and take the ACTIONS required by*LCO 3.7.2 "ESW System".

For the Drywell cooling equipment trip, inoperability of this feature would require that the associated drywell cooling fans be declared inoperable in accordance with LCO 3.6.3.2 "Drywell Air Flow System".

With two offsite sources OPERABLE and one Function 1.a, 1.b, 1.c, 2.a or 2.b inoperable and untripped, sufficient ECCS equipment is available to meet the design basis accident analyses.

For (b), (c) and (d) above, for each Division, since each inoperable channel would have Required Action 8.1 applied separately (refer to

ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS, DGs, and associated features to be declared inoperable. However, since channels in both Divisions are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in*the associated low pressure ECCS and DGs being concurrently declared inoperable.

(continued)

SUSQUEHANNA - UNIT 2 3.3-122

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS 8.1. 8.2, and 8.3 (continued}

(continued)

For Required Action 8.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action 8.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Notes are also provided (the Note to Required Action 8. 1 and the Note to Required Action 8.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel i$ inoperable. This ensures that the proper loss of initiation capability check is performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action 8.1, the Completion Time only begins upon discovery that a redundant fea.ture in both Divisions (e.g., both CS subsystems) cannot bffautomatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action 8.2, the Completion Time only begins upon discovery that the HPCI System .

cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 8.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability

. to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition G must be entered and its Required Action taken.

(continued)

SUSQUEHANNA - UNIT 2 3.3-123

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

INTERIM ADMINISTRATIVE DIRECTION Technical Specification Table 3.3.5.1-1, "HPCI System, Function 3.e, Conditions Referenced from Required Action A.1" contains a typographical error (CR 620823). The "D" referenced should be "C." In accordance with Administrative Letter 98-10, direction is provided until proposed TS change (LDCN 3798) is approved by the NRC.

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action C.1 features would be those that are initiated by Functions 1.d, 2.d, and 2.e (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.d channels are inoperable such that the trip system loses initiation capability, (b) two or more Function 2.d channels are inoperable in the same trip system such that the trip system loses initiation capability, or (c) two or more Function 2.e channels are inoperable affecting LPCI pumps in different subsystems. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable wi~hin 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both

. subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.d, 2.d, and 2.e, the affected portions are the associated low pressure ECCS pumps.

The Note states that Required Action C.1 is only applicable for Functions 1.d, 2.d, and 2.e. Required Action C.1 is not applicable to Functions 1.e, 2.f, and 3.e (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action C.2) is allowed. Required Action C.1 is also not applicable to Function 3.c (which also requires entry into this (continued)

SUSQUEHANNA - UNIT 2 3.3-124

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

(continued)

Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 3 and considered acceptable for the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels .

. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition G must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 INTERIM ADMINISTRATIVE DIRECTION Technical Specification Table 3.3.5.1-1, "HPCI System, Function 3.e, Conditions Referenced from Required Action A.1" contains a typographical error (CR 620823). The "D" referenced should be "C." In accordance with Administrative Letter 98-10, direction is provided until

proposed TS change (LDCN 3798) is approved by the NRC.

Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if*two Function 3.d channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required (continued)

SUSQUEHANNA - UNIT 2

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS D.1. D.2.1. and D.2.2 (continued)

(continued)

Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared.inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of HPCI initiation capability. A Note identifies that Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed. This allows the HPCI pump suction to be realigned to the Suppression Pool within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , if desired.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be

automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If it is not desired to perform Required Actions D.2.1 and D.2.2, Condition G must be entered and its Required Action taken.

E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Function 4.a channel and one Function 5.a channel are inoperable and untripped, (b) one Function 4.b channel and one Function 5.b channel are inoperable and untripped, or (c) one Function 4.d channel and one Function 5.d channel are inoperable and untripped.

(continued)

SUSQUEHANNA - UNIT 2 3.3-126

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued)

(continued)

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action E.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action E.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the* inoperable channel _in trip would result in an initiation), Condition G must be entered and its Required Action taken.

(continued)

SUSQUEHANNA - UNIT 2 3.3-127

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS F.1 and F.2 (continued)

Required Action F .1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.

Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) a combination of Function 4.e, 4.f, 5.e, and 5.f channels*are inoperable such that both ADS trip systems lose initiation capability, or (c) one or more Function 4.g channels and one or more Function 5.g channels are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action F.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability. The Note to Required Action F.1 states that Required Action F.1 is only applicable for Functions 4.c, 4.e, 4.f, 4.g, 5.c, 5.e, 5.f, and 5.g. Required Action F.1 is not applicable to Functions 4.h and 5.h (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 days (as allowed by Required Action F.2) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action F.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the (continued)

SUSQUEHANNA - UNIT 2 3.3-128

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES 0

ACTIONS F.1 and F.2 (continued)

(continued)

Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition G must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

With any Required Action and associated Completion Time not met, the associated supported feature(s) may be incapable of performing the intended function, and those associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months as follows: (a) for Function 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided. the associated

Function or redundant Function maintains ECCS initiation capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

In addition, for Functions 1.a, 1.b, 1.c, 2.a, and 2.b, the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance is acceptable provided both offsite sources are OPERABLE.

(continued)

SUSQUEHANNA - UNIT 2 3.3-129

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected channel failure is limited; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessary indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary becatJse the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic. (Reference 5) Performance of such a test could result in a plant transient or place the plant in an undo risk situation.

Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.1.5. This is acceptable (continued)

SUSQUEHANNA - UNIT 2 3.3-130

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.2 (continued)

REQUIREMENTS (continued) because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.3 and SR 3.3.5.1.4 A CHANNEL CALIBRATION is a complete check that .verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusteq to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function. The LOGIC SYSTEM FUNCTIONAL TEST tests the operation of the initiation logic up to but not including the first contact which is unique to an individually supported feature such as the starting of a DG.

The Surveillance Frequency is _controlled underthe Surveillance Frequency Control Program.

.(continued)

SUSQUEHANNA - UNIT 2 3.3-131

Rev. 7 ECCS Instrumentation B 3.3.5.1 BASES REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15.

3. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2,"

December 1988.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

5. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA- UNIT 2 3.3-132

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control Instrumentation BASES BACKGROUND The RPV contains penetrations below the top of the active fuel (TAF) that have the potential to drain the reactor coolant inventory to below the TAF.

If the water level should drop below the TAF, the ability to remove decay heat is reduced, which could lead to elevated cladding temperatures and clad perforation. Safety Limit 2.1.1.3 requires the RPV water level to be above the top of the active irradiated fuel at all times to prevent such elevated cladding temperatures.

Technical Specifications are required by 10 CFR 50.36 to include limiting safety system settings (LSSS) for variables that have significant safety functions. LSSS are defined by the regulation as "Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that .

the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The actual settings for the automatic isolation channels are the same as those established for the same functions in MODES 1, 2, and 3 in LCO 3.3.5.1, "Emergency Core Cooling System (ECCS)

Instrumentation," or LCO 3.3.6.1, "Primary Containment Isolation instrumentation".

With the unit in MODE 4 or 5, RPV water inventory control is not required to mitigate any events or accidents evaluated in the safety analyses.

RPV water inventory control is required in MODES 4 and 5 to protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material should a draining event occur. Under the definition of DRAIN TIME, some penetration flow paths may be excluded from the DRAIN TIME calculation if they will be isolated by valves that will close automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water level isolation instrumentation.

(continued)

SUSQUEHANNA - UNIT 2 3.3-133

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES BACKGROUND The purpose of the RPV Water Inventory Control Instrumentation is to (continued) support the requirements of LCO 3.5.2, "Reactor Pressure Vessel (RPV)

Water Inventory Control," and the definition ofORAIN TIME. There are functions that are required for manual initiation or operation of the ECCS injection/spray subsystem required to be OPERABLE by LCO 3.5.2 and other functions that support automatic isolation of Residual Heat Removal subsystem and Reactor Water Cleanup system penetration flow path(s) on low RPV water level.

The RPV Water Inventory Control Instrumentation supports operation of core spray (CS) and low pressure coolant injection (LPCI). The equipment involved with each of these systems is described in the Bases for LCO 3.5.2.

APPLICABLE With the unit in MODE 4 or 5, RPV water inventory control is not SAFETY required to mitigate any events or accidents evaluated in the safety ANALYSES, analyses. RPV water inventory control is required in MODES 4 and 5 to LCO, and protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the APPLICABILITY release of radioactive material should a draining event occur.

A double-ended guillotine break of the Reactor Coolant System (RCS) is not postulated in MODES 4 and 5 due to the reduced RCS pressure, reduced piping stresses, and ductile piping systems. Instead, an event is postulated in which a single operator error or initiating event allows draining of the RPV water inventory through a single penetration flow path with the highest flow rate, or the sum of the drain rates through multiple penetration flow paths susceptible to a common mode failure (e.g.,

seismic event, loss of normal power, single human error). It is assumed, based on engineering judgment, that while in MODES 4 and 5, one low pressure ECCS injection/spray subsystem can be manually initiat~d to maintain adequate reactor vessel water leveL As discussed in References 1, 2, 3, 4, and 5, operating experience has shown RPV water inventory to be significant to public health and safety.

Therefore, RPV Water Inventory Control satisfies Criterion 4 of 10 CFR 50.36( c)(2)(ii).

Permissive and interlock setpoints are generally considered as nominal values without regard to measurement accuracy.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-134

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY 1.a. 2.a. Reactor Steam Dome Pressure - Low (Injection Permissive)

ANALYSES, LCO, and Low reactor steam dome pressure signals are used as permissives for APPLICABILITY the low pressure ECCS injection/spray subsystem manual injection (continued) functions. This function ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure ..

While it is assured during MODES 4 and 5 that the reactor steam dome pressure will be below the ECCS maximum design pressure, the Reactor Steam Dome Pressure - Low signals are assumed to be OPERABLE and capable of permitting initiation of the ECCS.

The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The

transmitters are connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS.

The four channels of Reactor Steam Dome Pressure - Low Function are required to be OPERABLE in MODES 4 and 5 when ECCS manual initiation is required to be OPERABLE by LCO 3.5.2.

1.b, 2.b. Manual Initiation The Manual Initiation push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability. There is one push button for each of the CS and LPCI subsystems (i.e., two for CS and two for LPCI).

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

A channel of the Manual Initiation Function (one channel per subsystem) is required to be OPERABLE in MODES 4 and 5 when the associated ECCS subsystems are required to be OPERABLE per LCO 3.5.2.

(continued)

SUSQUEHANNA - UNIT 2 3.3-135

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE RHR System Isolation SAFETY 3.a - Reactor Vessel Water Level - Low. Level 3 ANALYSES, LCO, and The definition of DRAIN TIME allows crediting the closing of penetration APPLICABILITY flow paths that are capable of being isolated by valves that will close (continued) automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water level isolation instrumentation. The Reactor Vessel Water Level - Low, Level 3 Function associated with RHR System isolation may be credited for automatic isolation of penetration flow paths associated with the RHR System.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. While four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 3 Function are available. only two channels (all in the same trip system) are required to be OPERABLE.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the Primary Containment Isolation Instrumentation Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.6.1 ), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME.

Reactor Water Cleanup (RWCU) System Isolation 4.a - Reactor Vessel Water level - Low Low. Level 2 The definition of DRAIN TIME allows crediting the closing of penetration flow paths that are capable of being isolated by valves that will close automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water level isolation instrumentation. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU System isolation may be credited for automatic isolation of penetration flow paths associated with the RWCU System.

(continued)

SUSQUEHANNA - UNIT 2 3.3-136

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE Reactor Water Cleanup (RWCU) System Isolation SAFETY 4.a - Reactor Vessel Water level - Low Low, Level 2 (continued)

ANALYSES, LCO, and Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from APPLICABILITY four level transmitters that sense the difference between the pressure (continued) due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. While four channels (two channels per trip system) of the Reactor Vessel Water Level - Low Low, Level 2 Function are available, only two channels (all in the same trip system) are required to be OPERABLE.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level -

Low_Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level - Low Low, Level 2 Function is only required to be OPERABLE when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME.

ACTIONS A Note has been provided to modify the ACTIONS related to RPV Water Inventory Control instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, suqsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limjts will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. HoVl(ever, the Required Actions for inoperable RPV Water Inventory Control instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable RPV Water Inventory Control instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

(continued)

SUSQUEHANNA - UNIT 2 3.3-137

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES ACTIONS (continued) 8.1 and 8.2 RHR System Isolation, Reactor Vessel Water Level - Low Level 3, and Reactor Water Cleanup System, Reactor Vessel Water Level - Low Low, Level 2 functions are applicable when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME. If the instrumentation is inoperable, Required Action 8.1 directs an immediate declaration that the associated penetration flow path(s) are incapable of automatic isolation. Required Action 8.2 directs calculation of DRAIN TIME. The calculation cannot credit automatic isolation of the affected penetration flow paths.

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS injection/spray subsystem manual injection functions. If the permissive is inoperable, manual initiation of ECCS is prohibited. Therefore, the permissive must be placed in the trip condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . With the permissive in the trip condition, manual initiation may be performed. Prior to placing the permissive in the tripped condition, the operator can take manual control of the pump and the injection valve to inject water into the RPV.

The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is intended to allow the operator time to evaluate any discovered inoperabilities and to place the channel in trip.

If a manual initiation function is inoperable, the ECCS subsystem pumps can be started manually and the valves can be opened manually, but this is not the preferred condition.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time was chosen to allow time for the operator to evaluate anc:I repair.any discovered inoperabilities. The Completion Time is appropriate given the ability to manually start the ECCS pumps and open the injection valves.

With the Required Action and associated Completion Time of Condition C or D not met; the associated low pressure ECCS injection/spray subsystem may be incapable of performing the intended function, and must be declared inoperable immediately. *

(continued)

SUSQUEHANNA - UNIT 2 3.3-138

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RPV Water REQUIREMENTS inventory Control instrument Function are found in the SRs column of Table 3.3.5.2-1.

SR 3.3.5.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL FUNCTIONAL TEST.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definiti<;m of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

Performance of such a test could result in a plant transient or place the plant in an undue risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required (continued)

SUSQUEHANNA - UNIT 2 3.3-139

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.2 (continued)

REQUIREMENTS (continued) contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.2.3. This is acceptable because operating experience shows that the contacts not .

tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2.3

fhe LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.2 overlaps this Surveillance to complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Information Notice 84-81 "Inadvertent Reduction in Primary Coolant Inventory in Boiling Water Reactors During Shutdown and Startup,"

November 1984.

2. Information Notice 86-74, "Reduction of Reactor Coolant Inventory Because of Misalignment of RHR Valves," August 1986. *

3. Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(F), "August 1992.

4. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Leyel Instrumentation in BWRs," May 1993.

5. Information Notice 94-52, "Inadvertent Containment Spray and Reactor Vessel Draindown at Millstone 1," July 1994.

SUSQUEHANNA- UNIT 2 3.3-140

Rev.a RCIC System Instrumentation B 3.3.5.3 B 3.3 INSTRUMENTATION B 3.3.5.3 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is unavailable, such that initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."

The RCIC System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of reactor vessel Low Low water level. The variable is monitored by four instruments. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.

The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow and maintain primary containment isolated in the event RCIC is not operating.

The RCIC System also monitors the water levels in the condensate storage tank (CST) which is the normal suction source of reactor grade water for RCIC. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valve is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens; and then the CST suction valve automatically closes. Two level switches are used to detect Iow water level in the CST. Either switch can cause the suppression pool suction valve to open and the CST suction valve to close.

The RCIC System provides makeup water to tlie reactor until the reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply and cooling water supply valves close (the injection valve also closes due to the .,

closure of the steam supply valves). The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).

(continued)

SUSQUEHANNA - UNIT 2 3.3-141

Rev.a RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE The function of the RCIC System to provide makeup coolant to the SAFETY ANALYSES, reactor is used to respond to transient events. The RCIC System is not LCO, and an Engineered Safety Feature System and no credit is taken in the safety APPLICABILITY analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation, are included in the Technical Specifications as required by the NRC Policy Statement (Ref. 2). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specifi~d in Table 3.3.5.3-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology.

An exception to the methodology described to derive the Allowable Value is the methodology used to determine the Allowable Value for the Condensate Storage Tank Low Level. This Allowable Value is based on a system calculation and and engineering judgement which establishes a conservative limit at which the Function should occur.

The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.)

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-142

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE 1. Reactor Vessel Water Level-Low Low, Level 2 SAFETY ANALYSES, LCO, and Low reactor pressure vessel (RPV) water level indicates that normal APPLICABILITY feedwater flow is insufficient to maintain reactor vessel water level and (continued) that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be

sufficient to avoid initiation of low pressure ECCS at Level 1.

Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level-High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel.

Therefore, the Level 8 signal is used to close the RCIC steam supply and cooling water supply valves to prevent overflow into the main steam lines (MSLs). (The injection valve also closes due to the closure of the steam supply valve.)

Reactor Vessel Water Level-High, Level 8 signals for RCIC are initiated from two level instruments, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-High, Level 8 Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.

(continued)

SUSQUEHANNA - UNIT 2 3.3-143

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE 2. Reactor Vessel Water Level-High, Level 8 (continued)

SAFETY ANALYSES, LCO, Two channels of Reactor Vessel Water Level-High, Level 8 Function and APPLICABILITY are available and are required to be OPERABLE when RCIC is required (continued) to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

3. Condensate Storage Tank Level-Low The Condensate Storage Tank-Low signal indicates that a conservatively calculated NPSH-available limit is being approached. Normally, the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. This ensures that an adequate suction head for the pump and an uninterrupted supply of makeup water is available to the RCIC pump should it be desired to realign the suction to the remaining reserve volume in the CST. This logic also has a manual override function initiated by manual closure of the suppression pool suction valve. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes.

Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level-Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of Condensate Storage Tank Level-Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.

(continued)

SUSQUEHANNA- UNIT 2 3.3-144

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE 4. Manual Initiation SAFETY ANALYSES, LCO, The Manual Initiation push button switch introduces a signal into the and APPLICABILITY RCIC System initiation logic that is redundant to the automatic protective (continued) instrumentation and provides manual initiation capability. There is one push button for the RCIC System resulting in a single channel trip Function.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the RCIC function as required by the NRG in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button.

One channel of Manual Initiation is required to be OPERABLE when RCIC is required to be OPERABLE.

ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.3-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

(continued)

SUSQUEHANNA - UNIT 2 3.3-145

Rev.a RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS B.1 andB.2 (continued)_

Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action 8.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This .Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two inoperable, untripped Reactor Vessel Water Level-Low Low, Level 2 channels in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptaqle because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service tim!3, the channel must be placed in the tripped condition per Required Action 8.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

(continued)

SUSQUEHANNA - UNIT 2 3.3-146

Rev. 0 RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS (continued)

A risk based analysis was performed and determined that an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1 ). A Required Action (similar to Required Action 8.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level-High, Level 8 Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC trip protection capability.

As stated above, this loss of automatic RCIC trip protection capability was analyzed and determined to be acceptable. This Condition also applies to the Manual Initiation Function. Since this Function is not assumed in any accident or transient analysis, a total loss of manual initiation capability (Required Action C.1) for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability is lost if two Function 3 channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months from discovery of loss of RCIC initiation capability. A note identifies that required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed. This allows the RCIC pump suction to be realigned to the suppression pool within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , if desired.

(continued)

SUSQUEHANNA - UNIT 2 3.3-147

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

(continued)

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the suppression pool).

Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If it is not desired to perform Required Actions D.2.1 and D.2.2, Condition E must be entered and its Required Action taken.

With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.

(continued)

SUSQUEHANNA - UNIT 2 3.3-148

Rev. 0 RCIC System Instrumentation B 3.3.5.3 BASES SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC System REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.3-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Function 2 and 4; and (b) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Functions other than Function 2 and 4, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channe! surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.

SR 3.3.5.3.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.3-149

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES SURVEILLANCE SR 3.3.5.3.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay whfch input into the combinational logic. (Reference 3) Performance of such a test could result in a plant transient or place the plant in an undo risk situation.

Therefore, for this SR the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.2.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology mi.nimizes the risk of unplanned transients.

SR 3.3.5.3.3 and SR 3.3.5.3.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA- UNIT 2 3.3-150

Rev. 0 RCIC System Instrumentation B 3.3.5.3 BASES SURVEILLANCE

SR 3.3.5.3.5 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. NEDE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193). *

3. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA- UNIT 2 3.3-151

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 B 3.3.6.1 Primary Containment Isolation Instrumentation BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PC IVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a OBA.

The isolation instrumentation includes the sensors, relays, and instruments that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation.

When the setpoint is reached, the sensor actuates, which then outputs an .isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) area ambient and emergency cooler temperatures, (c) main steam line (MSL) flow measurement, (ct) Standby Liquid Control (SLC) System initiation, (e) condenser vacuum, (f) main steam line pressure; (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line /J,. pressure, (h) SGTS Exhaust radiation, (i) HPCI and RCIC steam line pressure, U) HPCI and RCIC turbine exhaust diaphragm pressure, (k) reactor water cleanup (RWCU) differential flow and high flow, (I) reactor steam dome pressure, and (m) drywell pressure. Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation. In addition, manual isolation of the logics is provided.

Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

1. Main Steam Line Isolation Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MSIVs).

The outputs from the same channels are arranged into two two-out-of-two logic trip systems to isolate all MSL drain valves. The MSL drain line has two isolation valves with one two-out-of-two logic system associated with each valve.

(continued)

SUSQUEHANNA - UNIT 2 3.3-152

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1

BASES BACKGROUND 1. Main Steam Line Isolation (continued)

(continued)

The exceptions to this arrangement are the Main Steam Line Flow-High Function. The Main Steam Line Flow-High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic.

This is effectively a one-out-of-eight taken twice logic arrangement to

initiate isolation of the MSIVs. Similarly, the 16 flow channels are connected into two.two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with each trip system isolating one of the two MSL drain valves.

2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged into two two-out-of-two logic trip systems. One trip system initiates isolation of all inboard primary containment isolation valves, while the other trip system initiates isolation of all outboard primary containment isolation valves.

Each logic closes one of the two valves on each penetration, so that operation of either logic isolates the penetration.

The exceptions to this arrangement are as follows. Hydrogen and Oxygen Analyzers, which isolate Division I Analyzer on a Division I isolation signal, and Division II Analyzer on a Division II isolation signal.

This is to ensure mqnitoring capability is not lost. Chilled Water to recirculation pumps and Liquid Radwaste Collection System isolation valves where both inboard and outboard valves will isolate on either division providing the isolation signal. Traversing incore probe ball valves and the instrument gas to the drywell to suppression chamber vacuum breakers only have one isolation valve and receives a signal from only one division.

3., 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation Most Functions that isolate HPCI and RCIC receive input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems in each isolation group is connected to one of the two valves on each associated penetration.

(continued)

SUSQUEHANNA - UNIT 2 3.3-153

Rev. 9 Primary Containment lsol~tion Instrumentation B 3.3.6.1 BASES BACKGROUND 3., 4. High Pressure Coolant Injection System Isolation and Reactor (continued) Core Isolation Cooling System Isolation ( continued)

The exceptions are the HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High and Steam Supply Line Pressure-Low Functions.

These Functions receive inputs from four turbine exhaust diaphragm pressure and four steam supply pressure channels for each system. The outputs from the turbine exhaust diaphragm pressure and steam supply pressure channels are each connected to two two-out-of-two trip systems. Each trip system isolates one valve per associated penetration.

5. Reactor Water Cleanup System Isolation The Reactor Vessel Water Level-Low Low, Level 2 Isolation Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into two two-out-of-two trip systems. The Differential Flow-High, Flow- High, and SLC System Initiation Functions receive input from two channels, with each channel in one trip system using a one-out-of-one logic. The temperature isolations are divided into three Functions. These Functions are Pump Area, Penetration Area, and Heat Exchanger Area. Each area is monitored by two temperature monitors, one for each trip system.

These are configured so that any one input will trip the associated trip system. Each of the two trip systems is connected to one of the two valves on each RWCU penetration.

6. Shutdown Cooling System Isolation The Reactor Vessel Water Level-Low, Level 3 Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected to two two-out-of-two trip systems. The Reactor Vessel Pressure-High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems is connected to one of the two valves on each shutdown cooling penetration.

7. Traversing lncore Probe System Isolation The Reactor Vessel Water Level-Low, Level 3 Isolation Function receives input from two reactor vessel water level channels. The Drywell Pressure-High Isolation Function receives input from two drywell pressure channels. The outputs from the reactor vessel water level channels and drywell pressure channels are connected into one fyvo-out-of-two logic trip system.

(continued)

SUSQUEHANNA - UNIT 2 3.3-154

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 7. Traversing lncore Probe System Isolation (continued)

(continued)

When either Isolation Function actuates, the TIP drive mechanisms will withdraw the TIPs, if inserted, and close the inboard TIP System isolation ball valves when the proximity probe senses the TIPs are withdrawn into the shield. The TIP System isolation ball valves are only open when the TIP System is in use. The outboard TIP System isolation valves are manual shear valves.

APPLICABLE The isolation signals generated by the primary*containment isolation SAFETY ANALYSES, instrumentation are implicitly assumed in the safety analyses of LCO, and References 1 and 2 to initiate closure of valves to limit offsite doses.

APPLICABILITY Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs),"

Applicable Safety Analyses Bases for more detail of the safety analyses.

Primary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 8) Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each channel must also respond within its assumed response time, where appropriate.

Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified .in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety (continued)

SUSQUEHANNA - UNIT 2 3.3-155

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE analysis. The Allowable Values are derived from the analytic limits, SAFETY ANALYSES, corrected for calibration, process, and some of the instrument errors.

LCO, and The trip setpoints are then determined accounting for the remaining APPLICABILITY instrument errors (e.g., drift). The trip setpoints derived in this manner (continued) provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. .

In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment." Functions that have different Applicabilities are discussed below in the individual Functions discussion.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

The penetrations which are isolated by the below listed functions can be determined by referring to the PCIV Table found in the Bases of LCO 3.6.1.3, "Primary Containment Isolation Valves."

Main Steam Line Isolation 1.a. Reactor Vessel Water Level-Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of the MS IVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level-Low Low Low, Level 1 Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals.

The Reactor Vessel Water Level-Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MS Ls on Level 1 supports actions to ensure that offsite dose limits a,re not exceeded for a OBA.

Reactor vessel water level signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 2 3.3-156

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Main Steam Line Isolation SAFETY ANALYSES, LCd, and 1.a. Reactor Vessel Water Level-Low Low Low, Level 1 (continued)

APPLICABILITY (continued) The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MS Ls isolate on a potential loss of coolant accident (LOCA) to prevent offsite and control room doses from exceeding regulatory limits.

1.b. Main Steam Line Pressure-Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure-Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2). For this event, the closure of the MS IVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior*to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 23% RTP.)

The MSL low pressure signals are initiated from four instruments that are connected to the MSL header. The instruments are arranged such that, even though physically separated from each other, each instrument is able to detect low MSL pressure. Four channels of Main Steam Line Pressure-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Main Steam Line Pressure-Low trip will only occur after a 500 milli-second time delay to prevent any spurious isolations.

The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure-Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2).

(continued)

SUSQUEHANNA - UNIT 2 3.3-157

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.c. Main Steam Line Flow-High SAFETY ANALYSES, LCO, and Main Steam Line Flow-High is provided to detect a break of the MSL APPLICABILITY and to initiate closure of the MS IVs: If the steam were allowed to (continued) continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow-High Function is directly assumed in the analysis of the main steam line break (MSLB) (Ref. 1). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite and control room doses do not exceed regulatory limits.

The MSL flow signals are initiated from 16 instruments that are connected to the four MSLs. The instruments are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow-High Function for each unisolated MSL (two channels per trip system) are available an~ are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.

1.d. Condenser Vacuum-Low The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break.

The Condenser Vacuum-Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum-Low Function is assumed to be OPERABLE and capable of initiating closure of the MS IVs. The closure of the MS IVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident.

Condenser vacuum pressure signals are derived from four pressure instruments that sense the pressure in the condenser. Four channels of Condenser Vacuum-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 2 3.3-158

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.d. Condenser Vacuum-Low (continued)

SAFETY ANALYSES, LCO, and The Allowable Value is chosen to prevent damage to the condenser due APPLICABILITY to pressurization, thereby ensuring its integrity for offsite dose analysis.

(continued) As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3 when all main turbine stop valves (TSVs) are closed, since the potential for condenser overpressurization is minimized. Switches are provided to manually bypass the channels when all TSVs are closed.

1.e. Reactor Building Main Steam Tunnel Temperature-High Reactor Building Main Steam Tunnel temperature is provided to detect a leak in the RCPB and provides diversity to the high flow instrumentation.

The isolation occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks, such as MSLBs.

Area temperature signals are initiated from thermocouples located in the area being monitored. Four channels of Reactor Building Main Steam Tunnel Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The reactor building main steam tunnel temperature trip will only occur after a one second time delay.

The temperature monitoring Allowable Value is chosen to detect a leak equivalent to approximately 25 gpm of water.

1.f. Manual Initiation The Manual Initiation push button channels introduce signals into the MSL isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are four push buttons for the logic, two manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

(continued)

SUSQUEHANNA - UNIT 2 3.3-159

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.f. Manual Initiation (continued)

SAFETY ANALYSES, LCO, and Two channels of Manual Initiation Function are available and are APPLICABILITY required to be OPERABLE in MODES 1, 2, and 3, since these are the (continued) MODES in which the MSL isolation automatic Functions are required to be OPERABLE.

Primary Containment Isolation 2.a. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products.

The isolation of the primary containment on Level 3 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level-Low, Level 3 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level-Low, Level 3 signals are initiated from level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown.

2.b. Reactor Vessel Water Level-Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products.

The isolation of the primary containment on Level 2 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level- Low Low, Level 2 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

(continued)

SUSQUEHANNA - UNIT 2 3.3-160

Rev.9 Primary Containment Isolation Instrumentation

. B 3.3.6.1 BASES APPLICABLE 2.b. Reactor Vessel Water Level-Low Low, Level 2 (continued)

SAFETY ANALYSES, LCO, and Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from APPLICABILITY level instruments that sense the difference between the pressure due to a (continued) constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Level 2 Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA.

2.c. Reactor Vessel Water Level-Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The valves whose penetrations communicate with the primary containment are isolated.to limit the release of fission products. The isolation of the primary containment on Level 1 supports actions to ensure the offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor vessel water level signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the associated penetrations isolate on a potential loss of coolant accident (LOCA) to prevent offsite and control room doses from exceeding regulatory limits.

(continued)

SUSQUEHANNA - UNIT 2 3.3-161

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.d. Drywell Pressure-High SAFETY ANALYSES, LCO, and High drywell pressure can indicate a break in the RCPB inside the APPLICABILITY primary containment. The isolation of some of the primary containment (continued) isolation valves on high drywell pressure supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of Drywell Pressure-High per Function are available and are required to be OPERABLE to en*sure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1 ), since this may be indicative of a LOCA inside primary containment.

2.e. SGTS Exhaust Radiation-High High SGTS Exhaust radiation indicates possible gross failure of the fuel cladding. Therefore, when SGTS Exhaust Radiation High is detected, an isolation is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the FSAR because other leakage paths (e.g., MSIVs) are more limiting.

The SGTS Exhaust radiation signals are initiated from radiation detectors that are located in the SGTS Exhaust. Two channels of SGTS Exhaust Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is low enough to promptly detect gross failures in the fuel cladding.

2.f. Manual Initiation The Manual Initiation push button channels introduce signals into the primary containment isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

. (continuec;f)

SUSQUEHANNA - UNIT 2 3.3-162

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.f. Manual Initiation (continued)

SAFETY ANALYSES, LCO, and There are two push buttons for the logic, one manual initiation push APPLICABILITY button per trip system. There is no Allowable Value for this Function (continued) since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the Primary Containment Isolation automatic Functions are required to be OPERABLE.

High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation 3.a., 4."a. HPCI and RCIC Steam Line A Pressure-High Steam Line A Pressure High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.

The HPCI and RCIC Steam Line A Pressure - High signals are initiated from instruments (two for HPCI and two for RCIC) that are connected to the system steam lines. Two channels of both HPCI and RCIC Steam Line A pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The steam line A Pressure - High will only occur after a 3 second time delay to prevent any spurious isolations.

(continued)

SUSQUEHANNA - UNIT 2 3.3-163

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.a .* 4.a. HPCI and RCIC Steam Line /'J. Pressure-High (continued)

SAFETY ANALYSES, LCO, and *The Allowable Values are chosen to be low enough to ensure that the trip APPLICABILITY occurs to prevent fuel damage and maintains the MSLB event as the (continued) bounding event, and high enough to be above the maximum transient steam flow during system startup.

3.b .* 4.b. HPCI and RCIC Steam Supply Line Pressure-Low Low MSL pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. However, they also provide a diverse signal to indicate a possible system break.

Thes~ instruments are included in Technical Specifications (TS) because of the potential.for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 3).

The HPCI and RCIC Steam Supply Line Pressure-Low signals are initiated from instruments (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure-Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are selected to be high enough to prevent damage to the system's turbine.

3.c.* 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High High turbine exhaust diaphragm pressure indicates that a release of steam into the associated compartment is possible. That is, one of two exhaust diaphragms has ruptured. These isolations are to prevent steam from entering the associated compartment and are not assumed in any transient or accident analysis in the FSAR. These instruments

are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 3).

The HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High signals are initiated from instrum*ents (four for HPCI and four for RCIC) that are connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High Functions are available and are .

required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 2 3.3-164

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY The Allowable Values is low enough*to identify a high turbine exhaust (continued) pressure condition resulting from a diaphragm rupture, or a leak in the diaphragm adjacent to the exhaust line and high enough to prevent inadvertent system isolation.

3.d., 4.d. Drywell Pressure-High High drywell pressure can indicate a break in the RCPB. The HPCI and RCIC isolation of the turbine exhaust vacuum breaker line is provided to prevent communication with the wetwell when high drywell pressure exists. A potential leakage path exists via the turbine exhaust. The isolation is delayed until the system becomes unavailable for injection (i.e., low steam supply line pressure). The isolation of the HPCI and RCIC turbine exhaust vacuum breaker line by Drywell Pressure-High is indirectly assumed in the FSAR accident analysis because the turbine exhaust vacuum breaker line leakage path is not assumed to contribute to offsite doses and is provided for long term containment isolation.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of both HPCI and RCIC Drywall Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1), since this is indicative of a LOCA inside primary containment.

3.e., 3.f., 3.g., 4.e., 4.f., 4.g., HPCI and RCIC Area and Emergency Cooler Temperature-High HPCI and RCIC Area and Emergency Cooler temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

(continued)

SUSQUEHANNA - UNIT 2 3.3-165

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.e., 3.f.* 3.g .* 4.e .* 4.f.* 4.g.. HPCI and RCIC Area and Emergency SAFETY ANALYSES, Cooler Temperature-High (continued)

LCO, and APPLICABILITY Area and Emergency Cooler Temperature-High signals are initiated (continued) from thermocouples that are appropriately located to protect the system that is being monitored. Two instruments monitor each area. Two channels for each HPCI and RCIC Area and Emergency Cooler

Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The HPCI and RCIC Pipe Routing area temperature trips will only occur after a 15 minute time delay to prevent any spurious temperature isolations due to short temperature increases and allows operators sufficient time to determine which system is leaking. The other ambient temperature trips will only occur after a one second time delay to prevent any spurious temperature isolations.

The Allowable Values are set low enough to detect a leak equivalent to 25 gpm, and high enough to avoid trips at expected operating temperature.

3.h .* 4.h. Manual Initiation The Manual Initiation push button channels introduce signals into the HPCI and RCIC systems'. isolation logics that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for these Functions. They are retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There is one manual initiation push button for each of the HPCI and RCIC systems. One isolation pushbutton per system will introduce an isolation to one of the two trip systems. There is no Allowable Value for these Functions, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of both HPCI and RCIC Manual Initiation Functions are available and are required to be OPERABLE in MODES 1, 2, and 3 since

these are the MODES in which the HPCI and RCIC systems' Isolation automatic Functions are required to be OPERABLE. *

(continued)

SUSQUEHANNA - UNIT 2 3.3-166

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Reactor Water Cleanup System Isolation SAFETY ANALYSES, LCO, and 5.a. RWCU Differential Flow-High APPLICABILITY (continued) The high differential flow signal is provided to detect a break in the RWCU System. This will detect leaks in the RWCU System when area temperature would not provide detection (i.e., a cold leg break). Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the RWCU System is initiated D

when high differential flow is sensed to prevent exceeding offsite doses.

A 45 second time delay is provided to prevent spurious trips during most RWCU operational transients. This Function is not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.

The high differential flow signals are initiated from instruments that are connected to the inlet (from the recirculation suction) and outlets (to condenser and feedwater) of the RWCU System. Two channels of Differential Flow-High Function are available and .are required to be OPERABLE to ensure that no single instrument failure downstream of the common summer can preclude the isolation function.

The Differential Flow-High Allowable Value ensures that a break of the RWCU piping is detected.

5.b, 5.c, 5.d RWCU Area Temperatures-High RWCU area temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when small leaks have occurred and is diverse to the high differential flow instrumentation for the hot portions

, of the RWCU System. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as recirculation or MSL'breaks.

Area temperature signals are initiated from temperature elements that are located in the area that is being monitored. Six thermocouples provide input to the Area Temperature-High Function (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The area temperature trip will only occur after a one second time to prevent any spurious temperature isolations.

(continued)

SUSQUEHANNA - UNIT 2 3.3-167 0

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.b, 5.c, 5.d RWCU Area Temperatures-High (continued)

SAFETY ANALYSES, LCO, and The Area Temperature-High Allowable Values are set low enough to APPLICABILITY detect a leak equivalent to 25 gpm.

(continued) 5.e. SLC System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron solution by the RWCU System (Ref. 4). SLC System initiation signals are initiated from the two SLC pump start signals.

There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.

Two channels (one from each pump) of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1, 2, and 3 which is consistent with the Applicability for the SLC System (LCO 3.1. 7).

As noted (footnote (b) to Table 3.3.6.1-1), this Function is only required to close the outboard RWCU isolation valve trip systems.

5.f. Reactor Vessel Water Level-Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level-Low Low, Level 2 Function associated with RWCU isolation is not directly assumed in the FSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 2 3.3-168

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.f. Reactor Vessel Water Level-Low Low, Level 2 (continued)

SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was APPLICABILITY chosen to be the same as the ECCS Reactor Vessel Water Level-Low (continued) Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened.

5.g. RWCU Flow - High RWCU Flow-High Function is provided to detect a break of the RWCU System. Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation is initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for this Function is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks.

The RWCU Flow-High signals are initiated from two instruments. Two channels of RWCU Flow-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The RWCU flow trip will only occur after a 5 second time delay to prevent spurious trips.

The Allowable Value is chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event.

5.h. Manual Initiation The Manual Initiation push button channels introduce signals into the RWCU System isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the push buttons.

(continued)

SUSQUEHANNA - UNIT 2 3.3-169

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.h. Manual Initiation (continued)

SAFETY ANALYSES, LCO, and Two channels of the Manual Initiation Function are available and are APPLICABILITY required to be OPERABLE in MODES 1, 2, and 3 since these are the (continued) MODES in which the RWCU System Isolation automatic Functions are required to be OPERABLE.

Shutdown Cooling System Isolation 6.a. Reactor Steam Dome Pressure-High The Reactor Steam Dome Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR)

System. This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the FSAR.

The Reactor Steam Dome Pressure-High signals are initiated from two instruments. Two channels of Reactor Steam Dome Pressure-High Function are available and are required to be OPERABLE to ensure that no sjngle instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized with the exception of Special Operations LCO 3.10.1; thus, equipment protection is needed. The Allowable Value was chosen to be low.enough to protect the system equipment from overpressurization.

6.b. Reactor Vessel Water Level-Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The_ Reactor Vessel Water Level-Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Coc:,ling System is bounded by breaks of the recirculation and MSL.

The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.*

(continued)

SUSQUEHANNA - UNIT 2 3.3-170

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level-Low, Level 3 (continued)

SAFETY ANALYSES, LCO, and Reactor Vessel Water Level-Low, Level 3 signals are initiated from four APPLICABILITY level instruments that sense the difference between the pressure due to a (continued) constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water *Level-Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low, Level 3 Allowable Value (LCO 3.3.1.1 ), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level-Low, Level 3 Function is only required to be OPERABLE in MODE 3 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel.

In MODES 1 and 2, another isolation (i.e., Reactor Steam Dome Pressure-High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.

6.c Manual Initiation The Manual Initiation push button channels introduce signals to RHR Shutdown Cooling System isolation logic that is redundant to the automatic protective instrumentation and provide manual isolatio_n capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

(continued)

SUSQUEHANNA - UNIT 2 3.3-171

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.c Manual Initiation (continued)

SAFETY ANALYSES, LCO, and Two channels of the Manual Initiation Function are available and are APPLICABILITY required to be OPERABLE in MODE 3:

(continued)

Traversing lncore Probe System Isolation 7.a Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products.

The isolation of the primary containment on Level 3 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level - Low, Level 3 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA. Reactor

Vessel Water Level - Low, Level 3 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Two channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent isolation actuation. The isolation function is ensured by the manual shear valve in each penetration.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1 ), since isolation of these valves is not critical to orderly plant shutdown.

7.b. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

(continued)

SUSQUEHANNA - UNIT 2 3.3-172

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 7.b. Drywell Pressure - High (continued)

SAFETY ANALYSES, LCO, and High drywell pressure signals are initiated from pressure transmitters that APPLICABILITY sense the pressure in the drywell. Two channels of Drywell Pressure -

(c.ontinued) High per Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent actuation. The isolation function is ensured by the manual shear valve in each penetration.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1 ), since this may be indicative of a LOCA inside primary containment.

ACTIONS The ACTIONS are modified by two Notes. Note 1 allows penetration flow path(s) to be unisolated intermittently under administrative controls.

These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room.

In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Note 2 has been provided to modify the ACTIONS related to primary c*ontainment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

(continued)

SUSQUEHANNA - UNIT 2 3.3-173

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued)

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Functions 2.a, 2.d, 6.b, 7.a and 7.b and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Functions 2.a, 2.d, 6.b, 7.a and 7.b has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time,.

the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken.

B.1 and 8.2 Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic isolation capability being lost for the associated penetration flow path(s). The MSL Isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that on~ trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two PC IVs in the associated penetration flow path can receive an isolation signal from the given Function. For Functions 1.a, 1.b, 1.d, and 1.e, this would require both trip systems to have one channel OPERABLE or in trip. For Function 1.c, this would require both trip systems to have one channel, associated with each

. MSL, OPERABLE or in trip. Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip. For Functions 2.a, 2.b, 2.c, 2.d, 3.b, 3.c, 3.d, 4.b, 4.c, 4.d, 5.f, and 6.b, this would require one trip system to have two channels, each OPERABLE or in trip. For Functions 2.e, 3.a, 3.e, 3.f, 3.g, 4.a, 4.e, 4.f, 4.g, 5.a, 5.b, 5.c, 5.d, 5.e, 5.g, and 6.a, this would require one trip system to have one channel OPERABLE or in trip. The Condition does not include the Manual Initiation Functions (Functions 1.f, 2.f, 3.h, 4.h, 5.h, and 6.c),

(continued)

SUSQUEHANNA - UNIT 2 3.3-174

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS B.1 and B.2 (continued)

(continued) since they are not assumed in any aocident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action A.1) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and

provides for transfer to the appropriate subsequent Condition.

D.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action D.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated),

operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

(continued)

SUSQUEHANNA - UNIT 2 3.3-175

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS E.1 (continued)

(continued)

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems .

.Ll If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels.

If it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition H must be entered and its Required Actions taken.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is acceptable due to the fact that these Functions are either not assumed in any accident or transient analysis in the FSAR (Manual Initiation) or, in the case of the TIP System isolation, the TIP System penetration is a small bore (0.280 inch), its isolation in a design basis event (with loss of offsite power) would be via the manually operated shear valves, and the ability to manually isolate by either the normal isolation valve or the shear valve is unaffected by the inoperable instrumentation. It should be noted, however, that the TIP System is powered from an auxiliary instrumentation bus which has an uninterruptible power supply and hence, the TIP drive mechanisms and ball valve control will still function in the event of a loss of offsite power. Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram),

Condition H must be entered and its Required Actions taken.

(continued)

SUSQUEHANNA - UNIT 2 3.3-176

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS H.1 and H.2 (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F or G is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

1.1 and 1.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated SLC subsystem(s) is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months *cor:npletion Time is acceptable because it minimizes risk .

while allowing sufficient time for personnel to isolate the RWCU System.

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status. Actions must continue until the channel is restored to OPERABLE status.

(continued)

SUSQUEHANNA - UNIT 2 3.3-177

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Primary REQUIREMENTS Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.

SR 3.3.6.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

(continued)

SUSQUEHANNA - UNIT 2 3.3-178

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance_ Frequency is controlled under the Surveillance Frequency 0 Control Program.

This SR is modified by two Notes. Note 1 provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relays which input into the combinational logic. (Reference 11) Performance of such a test could result in a plant transient or place the plant in an undo risk situation.

Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.1.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

Note 2 provides a second specific exception to the definition of CHANNEL FUNCTIONAL TEST. For Functions 2.e, 3.a, and 4.a, certain channel relays are not included in the performance of the CHANNEL FUNCTIONAL TEST. These exceptions are necessary because the circuit design does not facilitate functional testing of the entire channel through to the coil of the relay which enters the combinational logic.

(Reference 11) Specifically, testing of all required relays would require rendering the affected system (i.e., HPCI or RCIC) inoperable, or require lifting of leads and inserting test equipment which could lead to unplanned transients. Therefore, for these circuits, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the actuation of circuit devices up to the point where further testing could result in an unplanned transient. (References 10 and 12) The required relays not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.1.5. This exception is acceptable because operating experience shows that the devices not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

(continued)

SUSQUEHANNA - UNIT 2 3.3-179

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.3 and SR 3.3.6.1.4 REQUIREMENTS (continued) A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. .

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

It should be noted that some of the Primary Containment High Drywell pressure instruments, although only required to be calibrated as a 24 month Frequency, are calibrated quarterly based on the TS requirements.

SR 3.3.6.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.1.6 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis.

Testing is performed only on channels where the guidance given in Reference 9 could not be met, which identified that degradation of response time can usually be detected by other surveillance tests.

As stated in Note 1, the response time of the sensors for Function 1. b is excluded from ISOLATION SYSTEM RESPONSE TIME testing.

Because the vendor does not provide a design instrument response time, a penalty value to account for the.sensor response time is included in determining total channel response time. The penalty value is based on the historical performance of the sensor. (Reference 13) This allowance is supported by Reference 9 which determined that significant degradation of the sensor channel response time can be detected during performance of other Technical Specification SRs and that the sensor response time is a small part of the overall ISOLATION RESPONSE TIME testing.

(continued)

SUSQUEHANNA - UNIT 2 3.3-180

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1

.BASES SURVEILLANCE SR 3.3.6.1.6 (continued)

REQUIREMENTS (cpntinued) Function 1.a and 1.c channel sensors and logic components are excluded from response time testing in accordance with the provisions of References 14 and 15.

As stated in Note 2, response time testing of isolating relays is not required for Function 5.a. This allowance is supported by Reference 9.

These relays isolate their respective isolation valve after a nominal 45 second time delay in the circuitry. No penalty value is included in the response time calculation of this function. This is due to the historical response time testing results of relays of the same manufacturer and model number being less than 100 milliseconds, which is well within the expected accuracy of the 45 second time delay relay.

ISOLATION SYSTEM RESPONSE TIME acceptance criteria are included in Reference 7. This test may be performed in one measurement, or in overlapping segments, with verification that all components are tested.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15.

3. NED0-'-31466, "Technical Specification Screening Criteria Application and Risk Assessment," November 1987.

4. FSAR, Section 4.2.3.4.3.

6. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

7. FSAR, Table 7.3-29.

8. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132)

9. NED0-32291 P-A "System Analyses for Elimination of Selected Response Time Testing Requirements," October 1995.

(continued)

SUSQUEHANNA - UNIT 2 3.3-181

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES REFERENCES 10. PPL Letter to NRC, PLA-2618, Response to NRC INSPECTION (continued) REPORTS 50-387/85-28 AND 50-388/85-23, dated April 22, 1986.

11. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

12. Susquehanna Steam Electric Station NRC REGION I COMBINED INSPECTION 50-387/90-20; 50-388/90-20, File R41-2, dated March 5, 1986.

13. NRC Safety Evaluation Report related to Amendment No. 171 for License No. NPF-14 and Amendment No. 144 for License No.

NPF-22.

14. NEDO 32291-A, Supplement 1 "System Analyses for the .

Elimination of Selected Response Time Testing Requirements,"

October 1999.

15. NEDO 32291, Supplement 1, Addendum 2, "System Analyses for the Elimination of Selected Response Time Testing Requirements," September 5, 2003.

SUSQUEHANNA- UNIT 2 3.3-182

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASES.

BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SC IVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation and establishment of vacuum with the SGT System within the assumed time limits ensures that fission products that leak from primary containment following a OBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits.

The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. When the setpoint is reached, the channel sensor actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters.

The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) refuel floor high exhaust duct radiation - high, (4) refuel floor wall exhaust duct radiation - high, and (5) railroad access shaft exhaust duct radiation - high. Only appropriate ventilation zones are isolated for different isolation signals. Isolation signals for drywell pressure and vessel water level will isolate the affected Unit's zone (Zone I for Unit 1 and Zone II for Unit 2) and Zone Ill. Redundant sensor input signals from each parameter are provided for initiation of isolation. In addition, manual initiation of the logic is provided.

The Functions are arranged as follows for each trip system. The Reactor Vessel Water Level - Low Low, Level 2 and Drywell Pressure - High are each arranged in a two-out-of-two logic. The Refuel Floor High Exhaust Duct Radiation - High, Refuel Floor Wall Exhaust Duct Radiation - High and the Railroad Access Shaft Exhaust Duct Radiation - High are arranged into one-out-of-one trip systems. One trip system initiates isolation of one automatic isolation valve (damper) and starts one SGT subsystem (includjng its associated reactor building recirculation subsystem) while the other trip system initiates isolation of the other automatic isolation valve in the penetration and starts the other SGT subsystem (including its associated reactor building recirculation subsystem). Each logic closes one of the two (continued)

SUSQUEHANNA - UNIT 2 3.3-183

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES BACKGROUND valves on each penetration and starts one SGT subsystem, so that operation (continued) of either logic isolates the secondary containment and provides for the necessary filtration of fission products.

APPLICABLE The isolation signals generated by the secondary containment isolation

SAFETY instrumentation are. implicitly assumed in the safety analyses of References 1 ANALYSES, and 2 to initiate closure of valves and start the SGT System to limit offsite LCO, and and control room doses.

APPLICABILITY Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs),"

and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses.

The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 7) Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each channel

must also respond within its assumed response time, where appropriate.

Allowable Values are specified for each Function specified in the Table.

Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, (continued)

SUSQUEHANNA - UNIT 2 3.3-184

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE and some of the instrument errors. The trip setpoints are then determined SAFETY accounting for the remaining instrument errors (e.g., drift). The trip SAFETY ANALYSES, ANALYSES, setpoints derived in this manner provide adequate protection LCO, and because instrumentation uncertainties, process effects, calibration APPLICABILITY, tolerances, instrument drift, and severe environment errors (for channels that (continued) must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level-Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. T~e Reactor Vessel Water Level-Low Low, Level 2 Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The is.olation and initiation systems on Reactor Vessel Water Level-Low Low, Level 2 support actions to ensure that any offsite releases are within the limits calculated in the safety analysis.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was chosen to be the same as the High Pressure Coolant Injection/Reactor Core Isolation Cooling (HPCI/RCIC) Reactor Vessel Water Level-Low Low, Level 2 Allowable Value (LCO 3.3.5.1 and LCO 3.3.5.3), since this could indicate that the capability to cool the fuel is being threatened.

(continued)

SUSQUEHANNA - UNIT 2 3.3-185

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 1. Reactor Vessel Water Level-Low Low. Level 2 (continued)

SAFETY ANALYSES, The Reactor Vessel Water Level-Low Low, Level 2 Function is required to be LCO, and OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the APPLICABILITY Reactor Coolant System (RCS); thus, there is a probability of pipe breaks (continued) resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required.

Reactor Vessel Water Level--Low Low, Level 2 will isolate the affected Unit's zone (i.e., Zone I for Unit 1 and Zone II for Unit 2) and Zone Ill.

2. Drywell Pressure-High High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the-potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. However, the Drywell Pressure-High Function associated with isolation is not assumed in any FSAR accident or transient analyses. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function.

The Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA).

The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

Drywell Pressure - High will isolate the affected Unit's zone (i.e., Zone I for Unit 1 and Zone II for Unit 2) and Zone Ill.

(continued)

SUSQUEHANNA - UNIT 2 3.3-186

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 3, 4, 5, 6 1 7 Refuel Floor High Exhaust Duct, Refuel Floor Wall Exhaust SAFETY Duct, and Railroad Access Shaft Exhaust Duct Radiation-High

ANALYSES, LCO, and High secondary containment exhaust radiation is an indication of possible APPLICABILITY gross failure of the fuel cladding due to a fuel handling accident. When (continued) Exhaust Radiation-High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the FSAR safety analyses (Ref. 4).

The Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust ductwork coming from the refueling floor zones and the Railroad Access Shaft. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Eight channels of Refuel Floor High Exhaust Duct and Wall Exhaust Duct Radiation-High Function (four from Unit 1 and four from Unit 2) and two channels of Railroad Access Shaft Exhaust Duct Radiation - High Function (both from Unit 1) are available to ensure that no single instrument failure can preclude the isolation function.

Operability of the Unit 1 and Unit 2 Refuel Floor High Exhaust Duct Radiation Instrumentation and the Unit 1 and Unit 2 Refuel Floor Wall Exhaust Duct Radiation Instrumentation does not require HVAC system airflow in the ductwork.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding.

The Refuel Floor Exhaust Radiation-High Functions are required to be OPE_RABLE during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to a fuel handling accident) must be provided to ensure that offsite and control room dose limits are not exceeded.

The Railroad Access Shaft Exhaust Duct Radiation - High Function is only required to be OPERABLE during handling of irradiated fuel within the Railroad Access Shaft, and directly above the Railroad Access Shaft with the Railroad Access Shaft Equipment Hatch open. This provides the capability of detecting radiation releases due to fuel failures resulting from dropped fuel assemblies which ensures that offsite and control room dose limits are not exceeded.

(continued)

SUSQUEHANNA - UNIT 2 3.3-187

.Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 3, 4, 5, 6, 7 Refuel Floor High Exhaust Duct, Refuel Floor Wall Exhaust SAFETY Duct, and Railroad Access Shaft Exhaust Duct Radiation-High (continued)

ANALYSES, LCO, and Refuel Floor High and Wall Exhaust Duct and Railroad Access Shaft Exhaust APPLICABILITY Duct Radiation - High Functions will isolate Zone Ill of secondary (continued) containment.

8. Manual Initiation A Manual Initiation can be performed for secondary containment isolation by initiating a Primary Containment Isolation. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

There are two push buttons for the logic, one manual initiation pysh button per trip system. There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, and during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment.

These are the MODES and other specified conditions in which the Secondary Containment Isolation automatic Functions are required to be OPERABLE.

ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrymentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.

(continued)

SUSQUEHANNA - UNIT 2 3.3-188

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACT.IONS A.1 (continued)

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Function 2, and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Function 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would COrJServatively compensate for the inoperability; restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Actions taken.

B.1 Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic isolation capability for the associated penetration flow path(s) or a complete loss of automatic initiation capability

for the SGT System. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two SC IVs in the associated penetration flow path and one SGT subsystem (including its associated reactor building recirculation subsystem) can be initiated on an isolation signal from the given Function. For the Functions with two logic trip systems (Functions 1, 2, 3, 4, 5, 6 and 7), this would require one trip system to have the required channel(s) OPERABLE or in trip. The Condition does not include the Manual Initiation Function (Function 8), since it is not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action A.1) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

(continued)

SUSQUEHANNA - UNIT 2 3.3-189

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS C.1, C.2.1, and C.2.2 (continued)

If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated zone (closing the ventilation supply and exhaust automatic isolation dampers) and starting the associated SGT subsystem (including its associated reactor building recirculation subsystem) in the emergency mode (Required Action C.1) performs the intended function of the instrumentation and allows operation to continue.

Alternately, declaring the associated SCIVs and SGT subsystem(s)

(including its associated reactor building recirculation subsystem) inoperable (Required Actions C.2.1 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.

One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Secondary REQUIREMENTS Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains secondary containment isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary.

(continued)

SUSQUEHANNA - UNIT 2 3.3-190

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks

of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.6.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 8) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.2.5.

This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

(continued)

SUSQUEHANNA - UNIT 2 3.3-191

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.2 (continued)

REQUIREMENTS (continued) The Surveillance Frequency is controMed under the Surveillance Frequency Control Program.

SR 3.3.6.2.3 and SR 3.3.6.2.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled urider the Surveillance Frequency Control Program.

SR 3.3.6.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. *

(continued)

SUSQUEHANNA - UNIT 2 3.3-192

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15

3. FSAR, Section 15.2.

4. FSAR, Sections_ 15.7.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

6. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

7. Final Policy Statement on Technical Specifications Improvements, July 22, 1993. (58 FR 32193)

8. NRG Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA - UNIT 2 3.3-193

Rev.4 CREOAS System Instrumentation B 3.3.7.1 83.3 INSTRUMENTATION B 3.3.7.1 Control Room Emergency Outside Air Supply (CREOAS) System lns~rumentation BASES BACKGROUND The CREOAS System is designed to provide a radiologic~lly controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent .

CREOAS subsystems are each capable of fulfilling the stated safety function.

Tbe instrumentation and controls for the CREOAS System automatically initiate action to pressurize the main control room to minimize the consequences of radioactive material in the control room environment.

In the event of a loss of coolant accident (LOCA) signal (Reactor Vessel Water Level-Low Low, Level 2 or Drywell Pressure-High), Refuel Floor High Exhaust Duct Radiation-High, Refuel Floor Wall Exhaust Duct Radiation-High, Railroad Access Shaft Exhaust Duct Radiation-High or Main Control Room Outside Air Intake Radiation-High signal, the CREOAS System is automatically started in the _pressurization/filtration mode.

The CREOAS System instrumentation has two trip systems. Each trip system receives input from each of the Functions listed above and initiates associated subsystem. The Functions are arranged for each trip system as follows: the Reactor Vessel Water Level-Low Low, Level 2 and Drywell Pressure-High are each arranged in a two-out-of-two logic. The Refuel Floor High Exhaust Duct Radiation - High, Refuel Floor Wall Exhaust Duct Radiation - High, the Main Control Room Outside Air Intake Radiation - High and the Railroad Access Shaft Exhaust Duct Radiation - High are arranged in a one-out-of-one logic. With the exception of the Main Control Room Outside Air Intake Radiation - High all the instruments also initiate a secondary containment isolation. When the setpoint is reached, the sensor actuates, which then outputs a CREOAS System initiation signal to the initiation logic.

(continued)

SUSQUEHANNA - UNIT 2 3.3-194

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE The ability of the CREOAS System to maintain the habitability of the main SAFETY control room is explicitly assumed for certain accidents as discussed in the ANALYSES, FSAR safety analyses (Refs. 1 and 2). CREOAS System operation ensures LCO, and that the radiation exposure of control room personnel, through the duration of APPLICABILITY any one of the postulated accidents, does not exceed regulatory limits.

CREOAS System instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 5)

The OPERABILITY of the CREOAS System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.7.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each CREOAS System Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowabl.e Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-195

Rev. 4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 1. Reactor Vessel Water Level-Low Low, Level 2 SAFETY ANALYSES, Low reactor pressure vessel (RPV) water level indicates that the capability of LCO, and cooling the fuel may be threatened. A low reactor vessel water level could APPLICABILITY indicate a LOCA and will automatically initiate the CREOAS System, since (continued) this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude a CREOAS System initiation. The Reactor Vessel Water Level -Low Low, Level 2 Allowable Value was chosen to be the same as the HPCI and RCIC Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value (LCO 3.3.5.1, "ECCS Instrumentation and LCO 3.3.5.3 "RCIC Instrumentation").

The Reactor Vessel Water Level-Low Low, Level 2 Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that the control room personnel are protected during a LOCA. In MODES 4 and 5, adequate protection is performed by the Control Room Air Inlet Radiation-High Function. Therefore, this Function is not requir~d in other MODES and specified conditions.

2. Drywell Pressure-High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary. A high drywell pressure signal could indicate a LOCA and will automatically initiate the CREOAS System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Drywell Pressure-High signals are initiated from four pressure instruments that sense drywell pressure. Four channels of Drywell Pressure-High Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREOAS System initiation. The Drywell Pressure-High Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1 ).

(continued)

SUSQUEHANNA - UNIT 2 3.3-196

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 2. Drywell Pressure-High (continued)

SAFETY ANALYSES, The Drywell Pressure-High Function is required to be OPERABLE in LCO, and MODES 1, 2, and 3 to ensure that control room personnel are protected in APPLICABILITY the event of a LOCA. In MODES 4 and 5, the Drywell Pressure-High (continued) Function is not required since there is insufficient energy in the reactor to pressurize the drywell to the Drywell Pressure-High setpoint.

3, 4. 5, 6, 7 Refuel Floor High Exhaust Duct. Refuel Floor Wall Exhaust Duct and Railroad Access Shaft Exhaust Duct Radiation-High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the refueling floor due to a fuel handling accident. When Exhaust Radiation-High is detected CREOAS is initiated to maintain the habitability of the main control room.

The Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust ducting coming from the refueling floor zone and the Railroad Access Shaft. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Eight total channels Refuel Floor High Exhaust Duct and Wall Exhaust Duct Radiation-High Function (four from Unit 1 and four from Unit 2), and two channels of the Railroad Access Shaft Exhaust Radiation - High Function (both from Unit 1) are available and are required to be OPERABLE when the associated Refuel Floor Exhaust System is in operation to ensure that no single instrument failure can preclude the initiation function.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding. The Refuel Floor Exhaust Duct and Wall Exhaust Duct Radiation-High are required to be OPERABLE during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (e.g., due to dropped fuel assemblies) must be provided to ensure that offsite and control room dose limits are not exceeded.

(continued)

SUSQUEHANNA - UNIT 2 3.3-197

Rev. 4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 3, 4, 5, 6, 7 Refuel Floor High Exhaust Duct, Refuel Floor Wall Exhaust Duct SAFETY and Railroad Access Shaft Exhaust Duct Radiation-High (continued)

ANALYSES, LCO, and The Railroad Access Shaft Exhaust Duct Radiation - High Function is only APPLICABILITY required to be OPERABLE during handling of irradiated fuel within the (continued) Railroad Access Shaft, and directly above the Railroad Access Shaft with the Railroad Access Shaft Equipment Hatch open, because the Gapability of detecting radiation re.leases due to fuel failures (e.g., dropped fuel assemblies) must be provided to ensure that offsite and control room dose limits are not exceeded. *

8. Main Control Room Outside Air Intake Radiation-High The main control room outside air intake radiation monitors measure radiation levels at the control structure outside air intake duct. A high radiation level may pose a threat to main control room personnel; thus, automatically initiating the CREOAS System. The Control Room Air Inlet Radiation~High Function consists of two independent monitors. Two channels of Control Room Air Inlet Radiation-High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude CREOAS System initiation. The Allowable Value was selected to ensure protection of the control room personnel.

The Control Room Air Inlet Radiation-High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA or fuel handling event. During MODES 4 and 5, when these specified conditions are not in progress (e.g., CORE; ALTERATIONS), the probability of a LOCA or fuel damage is low; thus, the Function is not required.

9. Manual Initiation A Manual Initiation can be performed for CREOAS isolation by initiating a Primary Containment Isolation. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

(continued)

SUSQUEHANNA - UNIT 2 3.3-198

Rev. 4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 9. Manual Initiation (continued)

SAFETY ANALYSES, There are two push buttons for the logic, one manual initiation push button LCO, and per trip system. There is no Allowable Value for this Function, since the APPLICABILITY channels are mechanically actuated based solely on the position of the push (continued) buttons.

Two channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, and during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment.

These are the MODES and other specified conditions in which the Secondary Containment Isolation automatic Functions are required to be OPERABLE.

ACTIONS A Note has been provided to modify the ACTIONS related to CREOAS System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable CREOAS System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable CREOAS System instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.7.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

(continued)

SUSQUEHANNA - UNIT 2 3.3-199

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES ACTIONS B.1.1, B.1.2, B.2.1, and B.2.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREOAS System design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Function 2 and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for all other Functions has been shown to be acceptable (Refs. 3 and 4) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is still maintaining CREOAS System initiation capability. A Function is considered to be maintaining CREOAS System initiation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate an initiation signal from the given Function on a valid signal. For Functions 1 and 2, this would require one trip system to have two channels per logic string OPERABLE or in trip. For Functions 3, 4, 5, 6 and 7, this would require one trip system to have one channel OPERABLE.

Required Action B.1.2 is provided to allow the associated CREOAS subsystem(s) to be placed in the pressurization/ filtration mode of operation

. within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This is acceptable because placing the associated CREOAS subsystem(s) in the pressurization/filtration mode performs the safety function of the affected instrumentation. The method used to place the CREOAS subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREOAS subsystem(s).

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time (B.1.1, B.1.2) is acceptable because it minimizes risk while allowing time for restoring, tripping of channels or placing in operation.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out ofservice time, the channel must be placed in the tripped condition per Required Action B.2.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Required Action B.2.2 is provided to allow the associated CREOAS subsystem(s) to be placed in the pressurization/filtration mode of operation.

This is acceptable because placing the associated CREOAS subsystem(s) in the pressurization/filtration mode performs the safety function of the affected instrumentation. The method used to place the CREOAS subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREOAS subsystem(s).

(continued)

SUSQUEHANNA - UNIT 2 3.3-200

Rev. 4 CREOAS System Instrumentation B 3.3.7.1 BASES ACTIONS C.1.1, C.1.2 and C.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREOAS System design, an allowable out of service time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is provided to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is still maintaining CREOAS System initiation capability. A Function is considered to be maintaining CREOAS System initiation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate an initiation signal from the given Function on a valid signal. For Function 8, this would require one trip system to have one channel OPERABLE or in trip. For loss of CREOAS System initiation capability, the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance of Required Action C.2 is not appropriate. If the Function is not maintaining CREOAS System initiation capability, the CREOAS System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery of the loss of CREOAS System initiation capability in both trip systems.

Required Action C.1.2 is provided to allow the associated CREOAS subsystem(s) to be placed in pressurization/ filtration mode of operation within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This is acceptable because placing the associated CREOAS subsystem(s) in the pressurization/filtration mode performs the safety function of the affected instrumentation. The method used to place the CREOAS subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREOAS subsystem(s).

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time (C.1.1 and C.1.2) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action C.2. Placing the inoperable channel in trip performs the intended function of the channel (starts the lead CREOAS subsystems in the pressurization/filtration mode). Alternately; if it is not desired to place the channel in trip (e.g., as in the case where it is not desired to start the subsystem), Condition D must be entered and its Required Action taken. The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is based on the consideration that this Function provides the primary signal to start the CREOAS System; thus, ensuring that the design basis of the CREOAS System is met.

(continued)

SUSQUEHANNA - UNIT 2 3.3-201

Rev. 4 CREOAS System Instrumentation B 3.3.7.1 BASES ACTIONS D.1 (continued)

With any Required Action and associated Completion Time not met, the associated CREOAS subsystem must be declared inoperable immediately per Required Action D.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each CREOAS System REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.7.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains CREOAS System initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 3 and 4) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the CREOAS System will initiate when necessary.

SR 3.3.7.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an.indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

(continued)

SUSQUEHANNA - UNIT 2 3.3-202

Rev. 4 CREOAS System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3. 7 .1.1 (continued)

REQUIREMENTS (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.7.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relays which input into the combinational logic. (Reference 6) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.7.1.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

Note 2 provides a second specific exception to the definition of CHANNEL FUNCTIONAL TEST. For Function* 8, certain channel relays are not included in the performance of the CHANNEL FUNCTIONAL TEST. These exceptions are necessary because the circuit design does not facilitate functional testing of the entire channel through to the coil of the relay which enters the combinational logic. (Reference 6) Specifically, testing of all required relays would require lifting of of leads and inserting test equipment which could lead to unplanned transients. Therefore, for these circuits, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the actuation of circuit devices up to the point where further testing would result in an unplanned transient. (References 7 and 8) The required relays (continued)

SUSQUEHANNA - UNIT 2 3.3-203

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.2 (continued)

REQUIREMENTS (continued) not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.7.1.5. This is acceptable because operating- experience shows that the devices not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

SR 3.3.7.1.3 and SR 3.3.7.1.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in.LCO 3.7.3, "Control Room Emergency Outside Air Supply (CREOAS) System," overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.3-204

Rev.4 CRl;OAS System Instrumentation B 3.3.7.1 BASES REFERENCES 1. .FSAR, Section 6.4.1.

2. FSAR, Table 15.2.

3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

4. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

5. Final Policy Statement on Technical Specification Improvements, July 22, 1993 (58 FR 32193).

6. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

7. PPL Letter to NRC, PLA..,2618, Response to NRC INSPECTION REPORTS 50-387/85-28 and 50-388/85-23, dated April 22, 1986.

8. Susquehanna Steam Electric Station NRC REGION I COMBINED INSPECTION 50-387/90-20; 50-388/90-20, File R41-2, dated March 5, 1986.

SUSQUEHANNA - UNIT 2 3.3-205

Rev. 6

'o EGGS-Operating B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 EGGS-Operating BASES BACKGROUND The ECCS is designed, in conjunction whh the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during. a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of

providing a source of water for the HPCI and CS systems.

On receipt of an initiation signal, ECCS pumps automatically start; simultaneously, the system aligns and the pumps inject water, taken either from the CST or suppression poo( into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCI pump discharge pressure quickly exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by'ADS in combination with LPCI and CS. In this event absent operator action, the ADS timed sequence would time out and open the selected safety/relief valves (S/RVs) depressurizing the RCS, thus allowing the LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core.

Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool is circulated through a heat exchanger cooled by the RHR Service Water System. Depending on the location and size of the break, portions of the ECCS may be ineffective; however, the overall design is effective in cooling the core regardless of the size or location of the piping break. Although no credit is taken in the safety analysis for the RCIC System, it performs a similar function as HPCI, but has (continued)

SUSQUEHANNA - UNIT 2 3.5-1

Rev. 6 ECCS-Operating B 3.5.1 BASES BACKGROUND reduced makeup capability. Nevertheless, it will maintain inventory and cool (continued) the core while the RCS is still pressurized following a reactor pressure vessel (RPV) isolation.

All ECCS subsystems are designed to ensure that no single active component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment.

The CS System (Ref. 1) is composed of two independent subsystems. Each subsystem consists of two motor driven pumps, a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger. The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started when AC power is available. When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV.

LPCI is an independent operating mode of the RHR System. There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI subsystems can be interconnected via the RHR System cross tie valves; however, at least one of the two cross tie valves is maintained closed with its power removed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure.

Upon receipt of an initiation signal, all four LPCI pumps are automatically started. RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the corresponding recirculation loop, begins. The water then enters the reactor through the jet pumps.

Full flow test lines are provided for each LPCI subsystem to route water from the suppression pool, to allow testing of the LPCI pumps without injecting water into the RPV. These test lines also provide suppression pool cooling capability, as described in LCO 3.6.2.3, "RHR Suppression Pool Cooling."

(continued)

SUSQUEHANNA - UNIT 2 3.5-2

Rev. 6 EGGS-Operating B 3.5.1 BASES BACKGROUND The HPCI System (Ref. 3) consists of a steam driven turbine pump unit, (continued) piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping for the system is provided from the CST and the suppression pool. Pump suction for HPCI is normally aligned to the CST source to minimize injection of suppression pool water into the RPV.

Whenever the CST water supply is low, an automatic transfer to the suppression pool water source ensures an adequate suction head for the pump and an uninterrupted water supply for continuous operation of the HPCI System. The steam supply to the HPCI turbine is piped from a main steam line upstream of the associated inboard main steam isolation valve.

The HPCI System is designed to provide core cooling for a wide range of reactor pressures (165 psia to 1225 psia). Upon receipt of an initiation signal, the HPCI turbine stop valve and turbine control valve open and the turbine accelerates to a specified speed. As the HPCI flow increases, the turbine control valve is automatically adjusted to maintain design flow.

Exhaust steam from the HPCI turbine is discharged to the suppression pool.

A full flow test line is provided to route water to the CST to allow testing of the HPCI System during normal operation without injecting water into the RPV.

The ECCS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, all ECCS pump discharge lines are filled with water. The HPCI, LPCI and CS System discharge lines are kept full of water using a "keep fill" system that is supplied using the condensate transfer system.

The ADS (Ref. 4) consists of 6 of the 16 S/RVs. It is designed to provide depressurization of the RCS during a small break LOCA if HPCI fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range of the low pressure ECCS subsystems (CS and LPCI), so that these subsystems can provide coolant inventory makeup. Each of the S/RVs used for automatic depressurization is equipped with two gas accumulators and associated inlet check valves. The accumulators provide the pneumatic power to actuate the valves.

(continued)

SUSQUEHANNA - UNIT 2 3.5-3

Rev.6 ECCS-Operating B 3.5.1 BASES APPLICABLE The ECCS performance is evaluated for the entire spectrum of break sizes for SAFETY a postulated LOCA. The accidents for which ECCS operation is required are ANALYSES presented in References 5, 6, and 7. The required analyses and assumptions are defined in Reference 8. The results of these analyses are also described in Reference 9.

This LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 10), will be met following a LOCA, assuming the worst case single active component failure in the ECCS:

a. Maximum fuel element cladding temperature is s 2200°F;

b. Maximum cladding oxidation is s 0.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is s 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding.the plenum volume, were to react;

d. The core is maintained in a coolable geometry; and

e. Adequate long term cooling capability is maintained.

SPC performed LOCA calculations for the SPC ATRIUM'-10 fuel design.

The limiting single failures for the SPC analyses are discussed in Reference 11. The LOCA calculations examine both recirculation pipe and non-recirculation pipe breaks. For the recirculation pipe breaks, breaks on both the discharge and suction side of the recirculation pump are performed for two geometries; double-ended guillotine break and split break. The LOCA calculations demonstrate that the most limiting (highest PCT) break is a double-ended guillotine break in the recirculation pump suction piping. The limiting single failure is the failure of the LPCI injection valve in the intact recirculation loop to open.

One ADS valve failure is analyzed as a limiting single failure for events requiring ADS operation. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage.

The ECCS satisfy Criterion 3 of the NRC Policy Statement (Ref. 15).

(continued)

SUSQUEHANNA - UNIT 2 3.5-4

Rev. 6 ECCS-Operating B 3.5.1 BASES LCO Each ECCS injection/spray subsystem and six ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System. The low pressure ECCS injection/spray subsystems are defined as the two CS subsystems and the two LPCI subsystems.

With less than the required number of ECCS subsystems OPERABLE, the potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 1O could be exceeded. All ECCS subsystems must therefore be OPERABLE to satisfy the single failure criterion required by Reference 10.

LPCI subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. At these low pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowin*g operation of RHR shutdown cooling when necessary.

APPLICABILITY All ECCS subsystems are required to be OPERABLE during MODES 1, 2, and 3, when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, when reactor steam dome pressure is::; 150 psig, ADS and HPCI are not required to be OPERABLE because the low pressure ECCS subsystems can provide sufficient flow below this pressure. Requirements for MODES 4 and 5 are specified in LCO 3.5.2, Reactor Pressure Vessel (RPV) Water Inventory Control."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCI subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCI subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

(continued)

SUSQUEHANNA - UNIT 2 3.5-5

Rev.6 ECCS-Operating B 3.5.1 BASES ACTIONS A.1 (continued)

If any one low pressure ECCS injection/spray subsystem is inoperable for reasons other than Condition B, the inoperable subsystem must be restored.

to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA.

However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function.

The 7 day Completion Time is based on a reliability study (Ref. 12) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e., Completion Times).

If one LPCI pump in one or both LPCI subsystems is inoperable, the inoperable LPCI pumps must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE LPCI pumps and at least one CS subsystem provide adequate core cooling during a LOCA.

However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function. A 7 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

C.1 and C.2 If the inoperable low pressure ECCS subsystem or LPCI pump(s) cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 2 3.5-6

Rev. 6 EGGS-Operating B3.5.1 BASES ACTIONS D.1 and D.2 (continued)

If the HPCI System is inoperable and the RCIC System is verified to be OPERABLE, the HPCI System must be restored to OPERABLE status within 14 days. In this Condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures.

Verification of RCIC OPERABILITY is therefore required when HPCI is inoperable. This may be performed as an administrative check by examining logs or other information to determine if RCIC is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. If the OPERABILITY of the RCIC System cannot be verified, however, Condition H must be immediately entered. If a single active component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

E.1 and E.2 If Condition A or Condition B exists in addition to an inoperable HPCI System, the inoperable low pressure ECCS injection/spray subsystem or the LPCI pump(s) or the HPCI System must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, adequate core cooling is ensured by the OPERABILITY of the ADS and the remaining low pressure ECCS subsystems. However, the overall ECCS reliability is significantly reduced because a single failure in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since both a high pressure system (HPCI) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is required to restore either the HPCI System or the low pressure ECCS injection/spray subsystem to OPERABLE status.

This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

(continued)

SUSQUEHANNA - UNIT 2 3.5-7

Rev.6 EGGS-Operating B 3.5.1 BASES ACTIONS E.1 (continued)

The LCO requires six ADS valves to be OPERABLE in order to provide the ADS function. Reference 11 contains the results of an analysis that evaluated the effect of one ADS valve being out of service. Per this analysis, operation of only five ADS valves will provide the required depressurization.

However, overall reliability of the ADS is reduced, because a single failure in the OPERABLE ADS valves could result in a reduction in depressurization capability. Therefore, operation is only allowed for a limited time. The 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

G.1 and G.2 If Condition A or Condition B exists in addition to one inoperable ADS valve, adequate core cooling is ensured by the OPERABILITY of HPCI and the remaining low pressure EGGS injection/spray subsystem. However, overall ECCS reliability is reduced because a single active component failure concurrent with a design basis LOCA could result in the minimum required ECCS equipment not being available. Since both a high pressure system (ADS} and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is required to restore either the low pressure ECCS subsystem or the ADS valve to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

H.1 and H.2 If any Required Action and associated Completion Time of Condition D, E, F, or G is not met, or if two or more ADS valves are inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to ~ 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

11 When multiple ECCS subsystems are inoperable, as stated in Condition I, LCO 3,0.3 must be entered immediately. *

(continued)

SUSQUEHANNA - UNIT 2 3.5-8

Rev.6 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LPCI subsystems full of water ensures that the ECCS will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time.

This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the HPCI System, this SR also includes the steam flow path for the turbine and the flow controller position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that allows LPCI subsystems to be considered OPERABLE during alignment and operation for decay heat removal with

. reactor steam dome pressure less than the RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. This allows operation in the RHR shutdown cooling mode during MODE 3, if necessary.

(continued)

SUSQUEHANNA - UNIT 2 3.5-9

Rev. 6 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.3 REQUIREMENTS (continued) Verification that ADS gas supply header pressure is ~ 135 psig ensures adequate gas pressure for reliable ADS operation. The accumulator on each ADS valve provides pneumatic pressure for valve actuation. The design pneumatic supply pressure requirements for the accumulator are such that, following a failure of the pneumatic supply to the accumulator, at least one valve actuations can occur with the drywell at 70% of design pressure.

The ECCS safety analysis assumes only one actuation to achieve the depressurization required for operation of the low pressure ECCS. This minimum required pressure of~ 135 psig is provided by the containment instrument gas system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.4 Verification that at least one RHR System cross tie valve is closed and power to its operator is disconnected ensures that each LPCI subsystem remains independent and a failure of the flow path in one subsystem will not affect the flow path of the other LPCI subsystem. Acceptable methods of removing*

power to the operator include opening the breaker, or racking out the breaker, or removing the breaker. If both RHR System cross tie valves are open or power has not been removed from at least one closed valve .

operator, both LPCI subsystems must be considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency ConJrol Program.

SR 3.5.1.5 Verification that each 480 volt AC swing bus transfers automatically from the normal source to the alternate source on loss of power while supplying its respective bus demonstrates that electrical power is available to ensure proper operation of the associated LPCI inboard injection and minimum flow valves and the recirculation pump discharge and bypass valves. Therefore, each 480 volt AC swing bus must be OPERABLE for the associated LPCI subsystem to be OPERABLE. The test is performed by actuating the load test switch or by disconnecting the preferred power source to the transfer switch and verifying that swing bus automatic transfer is accomplished. The Surveillance Frequency is controlled under the Surveillance Frequency Control Prowam.

(continued)

SUSQUEHANNA - UNIT 2 3.5-10

Rev.6 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.6 REQUIREMENTS (continued) Cycling the recirculation pump discharge and bypass valves through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and provides assurance that the valves will close when required to ensure the proper LPCI flow path is established. Upon initiation of an automatic LPCI subsystem injection signal, these valves are required to be closed to ensure full LPCI subsystem flow injection in the reactor via the recirculation jet pumps. De-energizing the valve in the closed position will also ensure the proper flow path for the LPCI subsystem. Acceptable methods of de-energizing the valve include opening the breaker, or racking out the br~aker, or removing the breaker.

The speeified Frequency is once during reactor startup before THERMAL POWER is > 25% RTP. However, this SR is modified by a Note that states the Surveillance is only required to be performed if the last performance was more than 31 days ago. Therefore, implementation of this Note requires this test to be performed during reactor startup before exceeding 25% RTP.

Verification during reactor startup prior to reaching > 25% RTP is an exception to the normal lnservice Testing Program generic valve cycling Frequency, but is considered acceptable due to the demonstrated reliability of these valves. If the valve is inoperable and in the open position, the associated LPCI subsystem must be declared inoperabl.e.

SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 The performance requirements of the low pressure ECCS pumps are determined through application of the 10 CFR 50, Appendix K criteria (Ref. 8). This periodic Surveillance is performed (in accordance with the ASME OM Code requirements for the ECCS pumps) to verify that the ECCS pumps will develop the flow rates required by the respective analyses.

Jhe low pressure ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of Reference 10. The pump flow rates are verified against a system head equivalent to the RPV pressure expected during a LOCA. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during a LOCA. These values may be established during preoperational testing.

(continued)

SUSQUEHANNA - UNIT 2 3.5-11

Rev. 6 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 (continued)

REQUIREMENTS

( continued) The flow tests for the HPCI System are performed at two different pressure ranges such that system capability to provide rated flow is tested at both the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCl Systerri diverts steam flow. Reactor steam pressure is considered adequate when ~ 920 psig to perform SR 3.5.1.8 and~ 150 psig to perform SR 3.5.1.9. However, the requirements of SR 3.5.1.9 are met by a successful performance at any pressure < 165 psig. Adequate steam flow is represented by at least 1.25

turbine bypass valves open. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable.

Therefore, SR 3.5.1.8 and SR 3.5.1.9 are modified by Notes that state the Surveillances are not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the reactor steam pressure and flow are adequate to perform the test.

The Frequency for SR 3.5.1. 7 and SR 3.5.1.8 is in accordance with the lnservice Testing Program requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.5-12

Rev. 6 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.10 REQUIREMENTS (continued) The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance verifies that; with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, GS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions. This functional test includes the LPCI and CS interlocks be~een Unit 1 and Unit 2 and specifically requires the following:

A functional test of the interlocks associated with the LPCI and CS pump starts in response to an automatic initiation signal in Unit 1 followed by a false automatic initiation signal in Unit2; A functional test of the interlocks associated with the LPCI and CS pump starts in response to an automatic initiation 0

signal in Unit 2 followed by a false automatic initiation signal in Unit 1; and 0 A functional test of the interlocks associated with the LPCI and CS pump starts in response to simultaneous occurrenc~s of an automatic initiation signal in both Unit 1 and Unit 2 and a loss of Offsite power condition affecting both Unit 1 and Unit 2.

The purpose of this functional test (preferred pump logic) is to assure that if a false LOCA signal were to be received on one Unit simultaneously with an actual LOCA signal on the second Unit, the preferred LPCI and CS pumps are started and the non,-preferred LPCI and CS pumps are tripped for each Unit. This functional test is performed by verifying that the non-preferred LPCI and CS pumps are tripped. The verification that preferred LPCI and CS pumps start is performed under a separate surveillance test. Only one division of LPCI preferred pump logic is required to be OPERABLE for each Unit, because no additional failures needs to be postulated with a false LOCA signal. If the preferred or non-preferred pump logic for CS is inoperable, the associated CS pumps shall be declared inoperable and the pumps should not be operated to ensure that th1;3 opposite Unit's CS pumps or 4.16 kV ESS Buses are protected.

(continued)

SUSQUEHANNA - UNIT 2 3.5-13

Rev.6 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.10 (continued)

REQUIREMENTS (continued) This SR also ensures that the HPCI System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance. This SR can be

. accomplished by any series of sequential overlapping or total steps such that the entire channel is tested.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

SR 3.5.1.11 The ADS designated S/RVs are required to actuate automatically upon receipt of specific initiati6n signals. A system functional test is performed to demonstrate that the mechanical portions of the ADS function (i.e.,

solenoids) operate as designed when initiated either by an actual or simulated initiation signal, causing proper actuation of all the required components. SR 3.5.1.12 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this SurveiHance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes valve actuation. This prevents an RPV pressure blowdown.

(continued)

SUSQUEHANNA - UNIT 2 3.5-14

Rev. 6 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.12 REQUIREMENTS (continued) A manual actuation of each ADS valve actuator is performed to verify that the valve and solenoid are functioning properly. This is demonstrated by the method described below. Proper operation of the* valve tailpipes is ensured through the use of foreign material exclusion during maintenance.

Valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME requirements, prior to valve installation.

Manual actuation of the actuator at atmospheric temperature and pressure during cold shutdown is performed. Proper functioning of the valve actuator and solenoid is demonstrated by visual observation of actuator movement.

The ADS actuator will be disconnected from the valve to ensure no damage is done to the valve seat or to the valve internals. Each valve shall be bench-tested prior to reinstallation. The bench-test along with the test on the ADS actuator establishes the OPERABILITY of the valves.

SR 3.5.1.11 and the LOGIC SYSTEM FUNCTIONAL T~ST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.13 This SR ensures that the ECCS RESPONSE TIME for each ECCS injection/spray subsystem is less than or equal to the maximum value assumed in the accident analysis. Response Time testing acceptance criteria are included in Reference 13. This SR is modified by a Note that allows the instrumentation portion of the response time to be assumed to be based on historical response time data and therefore, is excluded from the ECCS RESPONSE TIME testing. This is allowed since the instrumentation response time is a small part of the ECCS RESPONSE TIME (e.g., sufficient margin exists in the diesel generator start time when compared to the instrumentation response time) (Ref. 14).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.5-15

Rev.6 ECCS-Operating B 3.5.1 BASES REFERENCES 1. FSAR, Section 6.3.2.2.3.

2. fSAR, Section 6.3.2.2.4.

3. FSAR, Section 6.3.2.2.1.

4. FSAR, Section 6.3.2.2.2.

5. FSAR, Section 15.2.8.

6. FSAR, Section 15.6.4.

7. FSAR, Section 15.6.5.

8. 10 CFR 50, Appendix K.

9. FSAR, Section 6.3.3.

10. 10 CFR 50.46.

11. FSAR, Section 6.3.3.

12. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC),

"Recommended Interim Revisions to LCOs for ECCS Components,"

December 1, 1975.

13. FSAR, Section 6.3.3.3 .

. 14. NEDO 32291-A, "System Analysis for the Elimination of Selected Response Time Testing Requirements, October 1995.

15. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.5-16

Rev. 5 RPV Water Inventory Control B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control BASES BACKGROUND The RPV contains penetrations below the top of the active fuel (TAF) that have the potential to drain the reactor coolant inventory to below the TAF.

If the water level should drop below the TAF, the ability to remove decay heat is reduced, which could lead to elevated cladding temperatures and clad perforation. Safety Limit 2.1.1.3 requires the RPV water level to be above the top of the active irradiated fuel at all times to prevent such elevated cladding temperatures.

APPLICABLE With the unit in MODE 4 or 5, RPV water inventory control is not required SAFETY to mitigate any events or accidents evaluated in the safety analyses. RPV ANALYSES water inventory control is required in MODES 4 and 5 to protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material to the environment should an unexpected draining event occur.

A double-ended guillotine break of the Reactor Coolant System (RCS) is not postulated in MODES 4 and 5 due to the reduced RCS pressure, reduced piping stresses, and ductile piping systems. Instead, an event is considered in which single operator error or initiating event allows draining of the RPV water inventory through a single penetration flow path with the highest flow rate, or the sum of the drain rates through multiple penetration flow paths susceptible to a common mode failure (e.g., seismic event, loss of normal power, single human error). It is assumed, based on engineering judgement, that while in MODES 4 and 5, one low pressure ECCS injection/spray subsystem can maintain adequate reactor vessel water level.

As discussed in References 1, 2, 3, 4, and 5, operating experience has shown RPV water inventory to be significant to public health and safety.

Therefore, RPV Water Inventory Control satisfies Criterion 4 of 10 CFR 50.36( c)(2)(ii).

LCO The RPV water level must be controlled in MODES 4 and 5 to ensure that if an unexpected draining event should occur, the reactor coolant water level remains above the top of the active irradiated fuel as required by Safety Limit 2.1.1.3.

(continued)

SUSQUEHANNA - UNIT 2 3.5-17

Rev.5 RPV Water Inventory Control B 3.5.2 BASES LCO The Limiting Condition for Operation (LCO) requires the DRAIN TIME of (continued) RPV water inventory to the TAF to be;,,: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . A DRAIN TIME of 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months is considered reasonable to identify and initiate action to mitigate unexpected.draining of reactor coolant. Ari event that could cause loss of RPV water inventory and result in the RPV water level reaching the TAF in greater than 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months does not represent a significant challenge to Safety Limit 2.1.1.3 and can be managed as part of normal plant operation.

One low pressure ECCS injection/spray subsystem is required to be OPERABLE and capable of being manually started to provide defense-in-depth should an unexpected draining event occur. A low pressure ECCS injection/spray subsystem consists of either one Core Spray (CS) subsystem or one Low Pressure Coolant Injection (LPCI) subsystem. Each CS subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool or condensate storage tank (CST) to the RPV. Each LPCI subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool to the RPV. In MODES 4 and 5, the RHR System cross tie valves are not required to be closed.

The LCO is modified by a Note which allows a required LPCI subsystem to be considered OPERABLE during alignment and .operation for decay heat removal if capable of being manually realigned (remote or local) to the LPCI mode and is not otherwise inoperable. Alignment and operation for decay heat removal includes when the required RHR pump is not operating or when the system is realigned from or to the RHR shutdown cooling mode.

This allowance is necessary since the RHR System may be required to operate in the shutdown cooling mode to remove decay heat and sensible heat from the reactor. Because of the restrictions on DRAIN TIME, sufficient time will be available following an unexpected draining event to manually align and initiate LPCI subsystem operation to maintain RPV water inventory prior to the RPV water level reaching the TAF.

APPLICABILITY RPV water inventory control is required in MODES 4 and 5. Requirements on water inventory control in other MODES are contained in LCOs in Section 3.3, Instrumentation, and other LCOs in Section 3.5, ECCS, RCIC, and RPV Water Inventory Control. RPV water inventory control is required to protect Safety Limit 2.1.1.3 which is applicable whenever irradiated fuel is in the reactor vessel.

(continued)

SUSQUEHANNA - UNIT 2 3.5-18

Rev. 5 RPV Water Inventory Control B 3.5.2 Bases ACTIONS A.1 and B.1 If the required low pressure ECCS injection/spray subsystem is inoperable, it must be restored to OPERABLE status within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

In this Condition, the LCO controls on DRAIN TIME minimize the possibility that an unexpected draining event could necessitate the use of the ECCS injection/spray.subsystem, however the defense-in-depth provided oy the ECCS injection/spray subsystem is lost.

The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time for restoring the required low pressure ECCS injection/spray subsystem to OPERABLE status is based on engineering judgment that considers the LCO controls on DRAIN Tl Mc and the low probability of an unexpected draining event that would result in loss of RPV water inventory.

If the inoperable ECCS injection/spray subsystem is not restored to OPERABLE status within the required Completion Time, action must be initiated immediately to establish a method of water injection capable of operating without offsite electrical power. The method of water injection includes the necessary instrumentation and controls, water sources, and pumps and valves needed to add water to the RPV or refueling cavity should an unexpected draining event occur. The method of water injection may be manually initiated and may consist of one or more systems or subsystems, and must be able to access water inventory capable of maintaining the RPV water level above the TAF for .:: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . If recirculation of injected water would occur, it may be credited in determining the necessary water volume.

C.1, C.2, and C.3 With the DRAIN TIME less than 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months but greater than or equal to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , compensatory measures should be taken to ensure the ability to implement mitigating actions should an unexpected draining event occur.

Should a draining event lower the reactor coolant level to below the TAF, there is potential for damage to the reactor fuel cladding and release of radioactive material. Additional actions are taken to ensure that radioactive material will be contained, diluted, and processed prior to being released to the environment.

The sec;ondary containment provides a controlled volume in which fission products can be contained, diluted, and processed prior to release to the environment. Required Action C.1 requires verification of the capability to establish the secondary containment boundary in less than the DRAIN TIME.

(continued)

SUSQUEHANNA - UNIT 2 3.5-,19

Rev.5 RPV Water Inventory Control 83.5.2 BASES ACTIONS C.1, C.2, and C.3 (continued)

(continued)

The required verification confirms actions to establish the secondary containment boundary are preplanned and necessary materials are available. The secondary containment boundary is considered established when one Standby Gas Treatment (SGT) subsystem is capable of maintaining a negative pressure in the secondary containment with respect to the environment. Verification that the secondary containment boundary can be established must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The required verification is an administrative activity and does not require manipulation or testing of equipment. Secondary containment penetration flow paths form a part of the secondary containment boundary. Required Action C.2 requires verification of the capability to isolate each secondary containment penetration flow path in less than the DRAIN TIME. The required verification confirms actions to isolate the secondary containment penetration flow paths are preplanned and necessary materials are available. Power operated valves are not required to receive automatic isolation signals if they can be closed manually w)thin the required time. Verification that the secondary containment penetration flow paths can be isolated must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The required verification is an administrative activity and does not require manipulation or testing of equipment.

One SGT subsystem is capable of maintaining the secondary containment at a negative pressure with respect to the environment and filter gaseous releases. Required Action C.3 requires verification of the capability to place one SGT subsystem in operation in less than the DRAIN TIME. The required verification confirms actions to place a SGT subsystem in operation are preplanned and necessary materials are available. Verification that a SGT subsystem can be placed in operation must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

The required verification is an administrative activity and does not require manipulation or testing of equipment.

D.1, D.2, D.3, and D.4 With the DRAIN TIME less than 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , mitigating actions are implemented in case an unexpected draining event should occur. Note that if the DRAIN TIME is less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , Required Action E.1 is also applicable.

Required Action D.1 requires immediate action to establish an additional method of water injection augmenting the ECCS injection/spray subsystem required by the LCO. The additional method of water injection includes the necessary instrumentation and controls, water sources, and pumps and (continued)

SUSQUEHANNA - UNIT 2 3.5-20

Rev.5 RPV Water Inventory Control B 3.5.2 BASES ACTIONS 0.1, 0.2, 0.3, and 0.4 (continued)

(continued) valves needed to add water to the RPV cir refueling cavity should an unexpected draining event occur. The Note to Required Action 0.1 states that either the ECCS injection/spray subsystem or the additional method of water injection must be capable of operating without offsite electrical power.

The additional method of water injection may be manually initiated and may consist of one or more systems or subsystems. The additional method of water injection must be able to access water inventory capable of being injected to maintain the RPV water level above the TAF for ~ 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The additional method of water injection and the ECC,S injection/spray subsystem may share all or part of the same water sources. If recirculation of injected water would occur, it may be credited in determining the required water volume.

Should a draining event lower the reactor coolant level to below the TAF, there is potential for damage to the reactor fuel cladding and release of radioactive material. Additional actions are taken to ensure that radioactive material will be contained, diluted, and processed prior to being released to the environment.

The secondary containment provides a control volume in which fission products can be contained, diluted, and processed prior to release to the environment. Required Action 0.2 requires that actions be immediately initiated to establish the secondary containment boundary. With the secondary containment boundary established, one SGT subsystem is capable of maintaining a negative pressure in the secondary containment with respect to the environment.

The secondary containment penetrations form a part of the secondary containment boundary. Required Action 0.3 requires that actions be immediately initiated to verify that each secondary containment penetration flow path is isolated or to verify that it can be manually isolated from the control room.

One SGT subsystem is capable of maintaining the secondary containment at a negative pressure with respect to the environment and filter gaseous releases. Required Action 0.4 requires that actions be immediately initiated to verify that at least one SGT subsystem is capable of being placed in operation. The required verification is an administrative activity and does not require manipulation or testing of equipment.

(continued)

SUSQUEHANNA - UNIT 2 3.5-21

Rev. 5 RPV Water Inventory Control B 3.5.2 BASES ACTIONS (continued)

If the Required Actions and associated Completion times of Conditions C or Dare not met or if the DRAIN TIME is less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , actions must be initiated immediately to restore the DRAIN TIME to;;;: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . In this condition, there may be insufficient time to respond to an unexpected draining event to prevent the RPV water inventory from reaching the TAF.

Note that Required Actions D.1, D.2, D.3, and D.4 are also applicable when DRAIN TIME is less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

SURVEILLANCE SR 3.5.2.1 REQUIREMENTS This Surveillance verifies that the DRAIN TIME of RPV water inventory to the TAF is ;;;: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The period of 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months is considered reasonable to identify and initiate action to mitigate draining of reactor coolant. Loss of RPV water inventory that would result in the RPV water level reaching the TAF in greater than 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months does not represent a significant challenge to Safety Limit 2.1.1.3 and can be managed as part of normal plant operation.

The definition of DRAIN TIME states that realistic cross-sectional areas and drain rates are used in the calculation. A realistic drain rate may be determined using a single, step-wise, or integrated calculation considering the changing RPV water level during a draining event. For a Control Rod RPV penetration flow path with the Control Rod Drive Mechanism removed and not replaced with a blank flange, the realistic cross-sectional area is based on the control rod blade seated in the control rod guide tube. If the control rod blade will be raised from the penetration to adjust or verify seating of the blade, the exposed cross-sectional area of the RPV penetration flow path is used.

The definition of DRAIN TIME excludes from the calculation those penetration flow paths connected to an intact closed system, or isolated by manual or automatic valves that are locked, sealed, or otherwise secured in the closed position, blank flanges, or other devices that prevent flow of reactor coolant through the penetration flow paths. A blank flange or other bolted device must be connected with a sufficient number of bolts to prevent draining in the event of an Operating Basis Earthquake. Normal or expected leakage from closed systems or past isolation devices is permitted.

Determination that a system is intact and closed or isolated must consider the status of branch lines and ongoing plant maintenance and testing activities.

(continued)

SUSQUEHANNA - UNIT 2 3.5-22

Rev.5 RPV Water Inventory Control B 3.5.2 BASES SURVEILLANCE SR 3.5.2.1 (continued)

REQUIREMENTS (continued) The Residual Heat Removal (RHR) Shutdown Cooling System is only considered an intact closed system when misalignment issues (Reference 6) have been precluded by functional valve interlocks or by isolation devices, such that redirection of RPV water out of an RHR subsystem is- precluded.

Further, RHR Shutdown Cooling System is only considered an intact closed system if its controls have not been transferred to Remote Shutdown, which disables the interlocks and isolation signals.

The exclusion of penetration flow paths from the determination of DRAIN TIME must consider the potential effects of a single operator error or initiating event on items supporting maintenance and testing (rigging, scaffolding, temporary shielding, piping plugs, snubber removal, freeze seals, etc.). If failure of such items could result and would cause a draining event from a closed system or between the RPV and the isolation device, the penetration flow path may not be excluded from the DRAIN TIME calculation.

Surveillance Requirement 3.0.1 requires SRs to be met between performances. Therefore, any changes in plant conditions that would change the DRAIN TIME requires that a new DRAIN TIME be determined.

The Surveillance Freq\Jency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 and SR 3.5.2.3 The minimum water level of 20 ft. 0 inches required for the suppression pool is periodically verified to ensure that the suppression pool will provide adequate net positive suction head (NPSH) for the CS subsystem or LPCI subsystem pump, recirculation volume, and vortex prevention. With the suppression pool water level less than the required limit, the required ECCS injection/spray subsystem is inoperable unless aligned to an OPERABLE CST.

The required CS System is considered OPERABLE if it can take suction from the CST, and the CST water level is sufficient to provide the required NPSH for the CS pump. Therefore, a verification that either the suppression pool water level is ~ 20 ft. 0 inches or that a required CS subsystem is aligned to take suction from the CST and the CST contains~ 135,000 gallons of water, equivalent to 49% of capacity, ensures that the CS Subsystem can supply at least 135,000 gallons of makeup water to the RPV.

(continued)

SUSQUEHANNA '." UNIT 2 3.5-23

Rev.5

~PV Water Inventory Control B 3.5.2 BASES SURVEILLANCE SR 3.5.2.2 and SR' 3.5.2.3 (continued)

REQUIREMENTS (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.4 The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the required ECCS injection/spray subsystems full of water ensures Jhat the ECCS subsystem will perform properly. This may also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5

Verifying the correct alignment for manual, power operated, and automatic valves in the required ECCS subsystem flow paths provides assurance that the proper flow paths will be available for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.6 Verifying that the required ECCS injection/spray subsystem can be manually started and operate for at least 1Ominutes demonstrates that the subsystem is available to mitigate a draining event. Testing the ECCS injection/spray subsystem through the recirculation line is necessary to avoid overfilling the refueling cavity. The minimum operating time of 1O minutes w;:is based on engineering judgment.

(continued)

SUSQUEHANNA - UNIT 2 3.5-24

Rev.5 RPV Water Inventory Control 8 3.5.2 BASES SURVEILLANCE SR 3.5.2.6 (continued)

REQUIREMENTS (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.7 Verifying that each valve credited for automatically isolating a penetration flow path actuates to the isolation position on an actual or simulated RPV water level isolation signal is required to prevent RPV water inventory from dropping below the TAF should an unexpected draining event occur.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.8 The required ECCS subsystem is required to actuate on a manual initiation signal. This Surveillance verifies that a manual initiation signal will cause the required CS subsystem or LPCI subsystem to start and operate as designed, including pump startup and actuation of all automatic valves to their required positions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

(continued)

SUSQUEHANNA - UNIT 2 3.5-25

Rev.5 RPV Water Inventory Control B 3.5.2 BASES REFERENCES 1. Information Notice 84-81 "Inadvertent Reduction in Primary Coolant Inventory in Boiling Water Reactors During Shutdown and Startup,"

November 1984.

2. Information Notice 86-74, "Reduction of Reactor Coolant Inventory Because of Misalignment of RHR Valves," August 1986.

3. Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(f), "August 1992.

4. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Level Instrumentation in BWRs," May 1993.

5. Information Notice 94-52, "Inadvertent Containment Spray and Reactor Vessel Draindown at Millstone 1," July 1994.

6. General Electric Service Information Letter No. 388, "RHR Valve Misalignment During Shutdown Cooling Operation for BWR 3/4/5/6,"

February 1983.

SUSQUEHANNA - UNIT 2 3.5-26

Rev.6 RCIC System B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE

!SOLATION COOLING (RCIC) SYSTEM B 3.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions. The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of the RPV water level. Under these conditions, the High Pressure Coolant Injection (HPCI) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied .

The RCIC System (Ref. 2) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, an automatic transfer to the suppression pool water source ensures an adequate suction head for the pump and an uninterrupted water supply for continuous operation of the RCIC System. The steam to the turbine is piped from a main steam line upstream of the associated inboard main steam line isolation valve.

The RCIC System is designed to provide core cooling for a wide range of reactor pressures (165 psia to 1225 psia). Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine control valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water to the CST to allow testing of the RCIC System during normal operation without injecting water into the RPV.

(continued)

SUSQUEHANNA - UNIT 2 3.5-27

Rev. 6 RCIC System B 3.5.3 BASES BACKGROUND The RCIC pump is provided with a minimum flow bypass line, which (continued) discharges to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the CST. The RCIC discharge line is kept full of water using a "keep fill" system supplied by the condensate transfer system.

APPLICABLE The function of the RCIC System is to respond to transient events by SAFETY ANALYSES providing makeup coolant to the reactor. The RCIC System is not an Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system is included in the Technical Specifications, as required by the NRC Policy Statement (Ref. 4).

LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event.

APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure >150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure :::; 150 psig, the low pressure ECCS injection/spray subsystems can provide sufficient flow to the RPV. In MODES 4 and 5, RCIC is not required to be OPERABLE since RPV water inventory control is required by LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Inventory Control".

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC system. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC system and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

(continued)

SUSQUEHANNA - UNIT 2 3.5-28

Rev. 6 RCIC System B 3.5.3 BASES ACTIONS A.1 and A.2 (continued)

If the RCIC System is inoperable during MODE 1, or MODE 2 or 3 with reactor steam dome pressure >150 psig, and the HPCI System is verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days. In this Condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high reactor pressure since the HPCI System is the only high pressure system assumed to function during a loss of coolant accident (LOCA).

OPERABILITY of HPCI is therefore verified immediately when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if HPCI is out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the HPCI System. If the OPERABILITY of the HPCI System cannot be verified, however, Condition B must be immediately entered. For transients and certain abnormal events with no LOCA, RCIC (as opposed to HPCI) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of the RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status.

The 14 day Completion Time is based on a reliability study (Ref. 3) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs). Because of similar functions of HPCI and RCIC, the AOTs (i.e., Completion Times) determined for HPCI are also applied to RCIC.

B.1 and 8.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCI System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to :S: 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA- UNIT 2 3.5-29

Rev. 6 RCIC System B3.5.3 BASES SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge line of the RCIC System full of water ensures that the system will perform properly, injecting its full capacity into the Reactor Coolant System upon demand. This will also prevent a water hammer following an initiation signal. One acceptable method of ensuring the line is full is to vent at the high points. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a non-accident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.5-30

Rev. 6 RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 REQUIREMENTS (continued) The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated. The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow is tested both at the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Reactor steam pressure is considered adequate when 2 920 psig to perform SR 3.5.3.3 and 2150 psig to perform SR 3.5.3.4. However, the requirements of SR 3.5.3.4 are metby a successful performance at any pressure :s; 165 psig. Adequate steam flow is represented by at least 1.25 turbine bypass valves open. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform those SRs. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure Surveillance has been satisfactorily completed and there is no indication or reason to believe that RCIC is inoperable. Therefore, these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the reactor steam pressure and flow are adequate to perform the test.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.5 The RCIC System is required to actuate automatically in order to verify its design function satisfactorily. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required positions. This test also ensures the RCIC System will automatically restart on a n RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.3 overlaps this Surveillance to provide complete testing of the assumed safety function.

(continued)

SUSQUEHANNA - UNIT 2 3.5-31

Rev. 6 RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.5 (continued)

REQUIREMENTS (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 33.

2. FSAR, Section 5.4 ..6.

3. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC),

"Recommended Interim Revisions to LCOs for ECCS Components,"

December 1, 1975.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.5-32

Rev. 17 PCIVs B 3.6.1.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs)

BASES BACKGROUND The function of the PC IVs, in combination with other accident mitigation systems, including secondary containment bypass valves that are not PCIVs is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consjstent with the assumptions used in the analyses for a OBA.

The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident. by minimizing potential paths to the environment. Therefore, the OPERABILITY requirements provide assurance that primary containment function assumed in the safety analyses will be maintained. For PCIVs, the primary containment isolation function is that the valve must be able to close (automatically or manually) and/or remain closed, and maintain leakage within that assumed in the OBA LOCA Dose Analysis. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. The OPERABILITY requirements for closed systems are discussed in Technical Requirements Manual (TRM)

Bases 3.6.4. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices.

Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system.

For e1=1ch division of H202 Analyzers, the lines, up to and including the first normally closed valves within the H202 Analyzer panels, are extensions of primary containment (i.e., closed system), and are required to be leak rate tested in accordance with the Leakage Rate Test Program. The H202 Analyzer closed system boundary is identified in the Leakage Rate Test Program. The closed system boundary consists of those components, piping, tubing, fittings, and valves, which meet the guidance of Reference 6.

The closed system provides a secondary barrier in the event of a single failure of the PCIVs, as described below. The closed system boundary (continued)

SUSQUEHANNA - UNIT 2 3.6-15

Rev. 17 PCIVs B 3.6.1.3 BASES BACKGROUND between PASS and the H202 Analyzer system ends at the process. sampling (continued) solenoid operated isolation valves between the systems (SV-22361, SV-22365, SV-22366, SV-22368, and SV-22369). These solenoid operated isolation valves do not fully meet the guidance of Reference 6 for closed system boundary valves in that they are not powered from a Class 1E power source. However, based upon a risk determination, operating these valves as closed system boundary valves is not risk significant. These valves also form the end of the Seismic Category I boundary between the systems.

These process sampling solenoid operated isolation valves are normally closed and are required to be leak rate tested in accordance with the Leakage Rate Test Program as part of the*closed system for the H202 Analyzer system. These valves are "closed system boundary valves" and may be opened under administrative control, as delineated in Technical Requirements Manual (TRM) Bases 3.6.4. Opening of these valves to permit testing of PASS in Modes 1, 2, and 3 is permitted in accordan~e with TRO 3.6.4.

Each H202 Analyzer Sampling line penetrating primary containment has two PCIVs, located just outside primary containment. While two PCIVs are provided on each line, a single active failure of a relay in the control circuitry for these valves could result in both valves failing to close or failing to remain closed. Furthermore, a single failure (a hot short in the common raceway to.

all the valves) could simultaneously affect all of the PCIVs within a H202 Analyzer division. Therefore, the containment isolation barriers for these penetrations consist of two PCIVs and a closed system. For situations where one or both PCIVs are inoperable, the ACTIONS to be taken are similar to the ACTIONS for a single PCIV backed by a closed system.

The drywell vent and purge lines are 24 inches in diameter; the suppression chamber vent and purge lines are 18 inches in diameter. The containment purge valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. The outboard isolation valves have 2 inch bypass lines around them for use during normal reactor operation.

The RHR Shutdown Cooling return line containment penetrations {X-13A(B)}are provided with a normally closed gate valve {HV-251F015A(B)}

and a normally open globe valve {HV-251F017A(B)} outside containment and a testable check valve {HV-251 F050A(B)} with a normally closed parallel air operated globe valve {HV-251F122A(B)} inside containment. The gate valve is manually opened and automatically isolates upon a containment isolation signal from the Nuclear Steam Supply Shutoff System or RPV low level 3 when the RHR System is operated in the Shutdown Cooling Mode only. The LPCI subsystem is an operational mode of the RHR System and uses the same injection lines to the RPV as the Shutdown Cooling Mode.

(continued)

SUSQUEHANNA - UNIT 2 3.6-15a

Rev. 17 PCIVs B 3.6.1.3 BASES BACKGROUND The design of these containment penetrations is unique in that some valves (continued) are containment isolation valves while others perform the function of pressure isolation valves. In order to meet the 10 CFR 50 Appendix J leakage testing requirements, the HV-251 F015A(B) and the closed system outside containment are the only barriers tested in accordance with the Leakage Rate Test Program. Since these containment penetrations {X-13A and X-13B} include a containment isolation valve outside containment that is tested in accordance with 10 CFR 50 Appendix J requirements and a closed system outside containment that meets the requirements of USNRC Standard Review Plan 6.2.4 (September 1975), paragraph 11.3.e, the containment isolation provisions for these penetrations provide an acceptable alternative to the explicit requirements of 10 CFR 50, Appendix A, GDC 55.

Containment penetrations X-13A(B) are also high/low pressure system interfaces. In order to meet the requirements to have two (2) isolation valves between the high pressure and low pressure systems, the HV-251 F050A(B),

HV-251F122A(B), 251130, and HV-251 F015A(B) valves are used to meet this requirement and are tested in accordance with .the pressure test program.

APPLICABLE The PCIVs LCO was derived from the assumptions related to minimizing the SAFETY loss of reactor coolant inventory, and establishing the primary containment ANALYSES boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO.

The DBAs that result in a release of radioactive material within primary containment are a LOCA and a main steam line break (MSLB). In the analysis for each of these accidents, it is assumed that PC IVs are either closed or close within the required isolation times following event initiation.

This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) and secondary containment bypass valves that are not PCIVs are minimized. The closure time of the main steam isolation valves (MSIVs) for a MSLB outside primary containment is a significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds since the 5 second closure time is assumed in the analysis. The safety analyses assume that the purge valves were closed at event initiation. Likewise, it is assumed that the primary containment is isolated such that release of fission products to the environment is controlled.

(continued)

SUSQUEHANNA - UNIT 2 3.6-15b

Rev. 17 PCIVs B 3.6.1.3 BASES APPLICABLE The OBA analysis assumes that within the required isolation time leakage is SAFETY terminated, except for the maximum allowable leakage rate, La.

ANALYSES (continued) The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred.

The primary containment purge valves may be unable to close in the environment following a LOCA. Therefore, each of the purge valves is required to rem~in closed during MODES 1, 2, and 3 except as permitted under the Note of SR 3.6.1.3.1. In this case, the single failure criterion remains applicable to the primary containment purge valve due to failure in the control circuit associated with each valve. The primary containment purge valve design precludes a single failure from compromising the primary containment boundary as long as the system is operated in accordance with this LCO.

Both H202 Analyzer PCIVs may not be able to close given a single failure in the control circuitry of the valves. The single failure is caused by a "hot short" in the cables/raceway to the PCIVs that causes both PCIVs for a given penetration to remain open or to open when required to be closed. This failure is required to be considered in accordance with IEEE-279 as discussed in FSAR Section 7.3.2a. However, the single failure criterion for containment isolation of the H202 Analyzer penetrations is satisfied by virtue of the combination of the associated PCIVs and the closed system formed by the H202 Analyzer piping system as discussed in the BACKGROUND section above.

The closed system boundary between PASS and the H202 Analyzer system ends at the process sampling solenoid operated isolation valves between the systems (SV-22361, SV-22365, SV-22366, SV-22368, and SV-22369). The closed system is not fully qualified to the guidance of Reference 6 in that the closed system boundary valves between the H202 system and PASS are not powered from a Class 1E power source. However, based upon a risk determination, the use of these valves is considered to have no risk significance. This exemption to the requirement of Reference 6 for the closed system boundary is documented in License Amendment No. 170.

PCIVs satisfy Criterion 3 of the NRC Policy Statement. (Ref. 2)

(continued)

SUSQUEHANNA - UNIT 2 3.6-16

Rev. 17 PCIVs B 3.6.1.3 BASES LCO PCIVs form a part of the primary containment boundary, or in the case of SCBL valves limit leakage from the primary containment. The PCIV safety function is related to minimizing the loss of reactor coolant inventory and establishing the primary containment boundary during a OBA.

The power operated, automatic isolation valves are required to have isolation times within limits and actuate on an automatic isolation signal. The valves covered by this LCO are listed.in Table B 3.6.1.3-1 and Table B 3.6.1.3-2.

The normally closed PCIVs, including secondary containment bypass valves listed in Table B 3.6.1.3-2 that are not PCIVs are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic valves are in their closed position,.blind flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in Table B 3.6.1.3-1.

Leak rate testing of the secondary containment bypass valves listed in Table 3.6.1.3-2 is permitted in Modes 1, 2 & 3 as described in the Primary Containment Leakage Rate Testing Program.

Purge valves with resilient seals, secondary containment bypass valves, including secondary containment bypass valves listed in Table B 3.6.1.3-2 that are not PCIVs, MSIVs, and hydrostatically tested valves must meet additional leakage rate requirements. Other PCIV leakage rates are addressed by LCO 3.6.1.1, "Primary Containment," as Type B or C testing.

This LCO provides assurance that the PC IVs will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents.

APPLICABILITY In MODES 1, 2, and 3, a OBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, PCIVs are not required to be OPERABLE and the primary containment purge valves are not required to be closed in MODES 4 and 5.

(continued)

SUSQUEHANNA - UNIT 2 3.6-17

Rev. 17 PCIVs B 3.6.1.3 BASES ACTIONS The ACTIONS are modified by a Note allowing penetration flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.

A second Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable PCIV.

Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions.

The ACTIONS are modified by Notes 3 and 4. Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling System subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded. Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met.

Therefore, Notes 3 and 4 are added to require the proper actions be taken.

A.1 and A.2 With one or more penetration flow paths with one PCIV inoperable except for purge valve leakage not within limit, the affected penetration flow paths must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available valve to the primary containment.

The Required Action must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time (8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months for main steam lines). The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is allowed. The Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months for the main steam lines allows a period of time to restore the MS IVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown.

(continued)

SUSQUEHANNA - UNIT 2 3.6-18

Rev. 17 PCIVs B 3.6.1.3 BASES ACTIONS A.1 and A.2 (continued)

(continued)

For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path(s) must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside containment and capable of potentially being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the devices inside primary containment, the time period specified "prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered*

reasonable in view of the inaccessibility of the devices and other administrative controls ensuring that device misalignment is an unlikely possibility.

Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PC IVs except for the H202

Analyzer penetrations. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. For the H202 Analyzer penetrations, Condition D provides the appropriate Required Actions.

Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas, and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of these devices, once they have been verified to be in the proper position, is low.

(continued)

SUSQUEHANNA - UNIT 2 3.6-19

Rev. 17 PCIVs B 3.6.1.3 BASES ACTIONS B.1 (continued)

With one or more penetration flow paths with two PCIVs inoperable except for purge valve leakage not within limit, either the inoperable PCIVs must be restored to OPERABLE status or the affected penetration flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1.1.

Condition B is moaified by a Note indicating this Condition is only applicable to penetration flow paths with two PCIVs except for the H202 Analyzer penetrations. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions.* For the H202 Analyzer penetrations, Condition D provides the appropriate Required Actions.

C.1 and C.2 With one or more penetration flow paths with one PCIV inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange.

A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the relative stability of the closed system (hence, reliability) to act as*a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The closed system must meet the requirements of Reference 6. For conditions where the PCIV and the closed system are inoperable, the Required Actions of TRO 3.6.4, Cor:idition B apply. For the Excess Flow Check Valves (EFCV), the Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable considering the instrument and the small pipe diameter of penetration (hence, reliability) to act as a penetration isolation boundary and the small pipe diameter of the affected penetrations. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

(continued)

SUSQUEHANNA - UNIT 2 3.6-20

Rev. 17 PCIVs B 3.6.1.3 BASES ACTIONS C.1 and C.2 (continued)

(continued)

Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs and the H202 Analyzer penetration, Conditions A, B, and D provide the appropriate Required Actions.

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low.

D.1 and D.2 With one or more H202 Analyzer penetrations with one or both PCIVs inoperable, the inoperable valve(s) must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action D.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the unique design of the H202 Analyzer penetrations. The containment isolation barriers for these penetrations consist of two PC IVs and a closed system. In addition, the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. In the event the affected penetratio"n flow path is isolated in accordance with Required Action D.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

When an H202 Analyzer penetration PCIV is to be closed and deactivated in accordance with Condition D, this must be accomplished by pulling the fuse for the power supply, and either determinating the power cables at the solenoid valve, or jumpering of the power side of the solenoid to ground.

(continued)

SUSQUEHANNA - UNIT 2 3.6-21

Rev. 17 PCIVs B 3.6.1.3 BASES ACTIONS 0.1 and 0.2 (continued)

(continued)

The OPERABILITY requirements for the closed system are discussed in Technical Requirements Manual (TRM) Bases 3.6.4. In the event that either one or both of the PC IVs and the closed system are inoperable, the Required Actions of TRO 3.6.4, Condition B apply.

Condition D is modified by a Note indicating that this Condition is only applicable to the H202 Analyzer penetrations.

With the secondary containment bypass leakage rate not within limit, the assumptions of the safety analysis may not be met. Therefore, the leakage must be restored to within limit within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Restoration can be accomplished by isolating the penetration that caused the limit to be

.exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage rate for the isolated penetration is assumed to be the actual pathway leakage through the isolation device. If two isolation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable considering the time required to restore the leakage by isolating the penetration and the relative importance of secondary containment bypass leakage to the overall containment function.

E1 In the event one or more containment purge valves are not within the purge valve leakage limits, purge valve leakage must be restored to within limits.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable, considering that one containment purge valve remains closed, except as controlled by SR 3.6.1.3.1 so that a gross breach of containment does not exist.

G.1 and G.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does n*ot apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 2 3.6-22

Rev. 17 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS This SR ensures that the primary containment purge valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable. If the inoperable valve is not otherwise known to have excessive leakage when closed, it is not considered to have leakage outside of limits. If a LOCA inside primary containment occurs in MODES 1, 2, or 3, the purge valves may not be capable of closing before the pressure pulse affects systems downstream of the purge valves, or the release of radioactive material will exceed limits prior to the purge valves closing. At other times when the purge valves are required to be capable of closing (e.g., during handling of irradiated fuel),

pressurization concerns are not present and the purge valves are allowed to be open. The SR is modified by a Note stating that the SR is not required to be met when the purge valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA or air quality considerations for personnel entry, or Surveillances that require the valves to be open. The vent and purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.2 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits.

This SR does not require any testing or valve manipulation. Rather, it involves verification that those PCIVs outside primary containment, and capable of being mispositioned, are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PC IVs, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that (continued)

SUSQUEHANNA - UNIT 2 3.6-23

Rev. 17 PCIVs 8 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.2 (continued)

REQUIREMENTS (continued) PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. This SR does riot apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

SR 3.6.1.3.3 This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. For PCIVs inside primary containment, the Frequency defined as "prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is appropriate since these PCIVs are operated under administrative controls and the probability of their misalignment is low. This SR does not apply to valves that are locked, sealed, or otherwi$e secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing. Two Notes have been added to this SR.

The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in their proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open.

SR 3.6.1.3.4 The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Surveillance of explosive charge continuity provides assurance that TIP valves will actuate when required. Other administrative controls, such as those that limit the shelf life of the explosive Charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.6-24

Rev. 17 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.5 REQUIREMENTS (continued) Verifying the isolation time of each power operated and each automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full closure isolation time is demonstrated by SR 3.6."1.3.7. The isolation time test ensures that the valve will isolate in a time period less than or equal to that assumed in the Final Safety Analyses Report. The isolation time and Frequency of this SR are in accordance with the requirements of the lnservice Testing Program.

SR 3.6.1.3.6 For primary containment purge valves with resilient seals, the Appendix J Leakage Rate Test Interval is sufficient. The acceptance criteria for these valves is defined in the Primary Containment Leakage Rate Testing Program, 5.5.12.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

If a LOCA inside primary containment occurs in MODES 1, 2, or 3, purge valve leakage must be minimized to ensure offsite radiological release is within limits. At other times when the purge valves are required to be capable of closing (e.g., during handling of irradiated fuel), pressurization concerns are not present and the purge valves are not required to meet any specific leakage criteria.

SR 3.6.1.3.7 Verifying that the isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the OBA analyses. This ensures that the calculated radiological consequences of these events remain within regulatory limits.

The Frequency of this SR is in accordance with the requirements of the lnservice Testing Program.

(continued)

SUSQUEHANNA - UNIT 2 3.6-25

Rev. 17 PCIVs 0

B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.8 REQUIREMENTS (continued) Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a OBA.

This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM

. FUNCTiONAL TEST in SR 3.3.6.1.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.9 This SR requires a demonstration that a representative sample of reactor instrumentation line excess flow check valves (EFCV) are OPERABLE by verifying that the valve actuates to check flow on a simulated instrument line break. As defined in FSAR Section 6.2.4.3.5 (Reference 4), the conditions under which an EFCV will isolate, simulated instrument line breaks are at flow rates, which develop a differential pressure of between 3 psid and 1O psid. This SR provides assurance that the instrumentation line EFCVs will perform its design function to check flow. No specific valve leakage limits are specified because no specific leakage limits are defined in the FSAR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The representative sample consists of an approximate equal number of EFCVs such that each EFCV is tested at least once every 1O years (nominal). The nominal 1Oyear interval is based on other performance-based testing programs, such as lnservice Testing (snubbers) and Option B to 10 CFR 50, Appendix J. In addition, the EFCVs in the sample are representative of the various plant configurations, models, sizes and operating environments. This ensures that any potential common problem with a specific type or application of EFCV is detected at the earliest possible time. EFCV failures will be evaluated to determine if additional testing in that test interval is warranted to ensure overall reliability a.nd that failures to isolate are very infrequent. Therefore, testing of a representative sample was concluded to be acceptable from a reliability standpoint (Reference 7).

SR 3.6.1.3.10 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible With this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.6-26

Rev. 17 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.11 REQUIREMENTS (continued) This SR ensures that the leakage rate of secondary containment bypass leakage paths is less than the specified leakage rate. This provides assurance that the assumptions in the radiological evaluations of Reference 4 are met. The secondary containment leakage pathways and Frequency are defined by the Primary Containment Leakage Rate Testing Program. This SR simply imposes additional acceptance criteria. In MODES other than 1, 2, or 3, the Reactor Coolant System is not pressurized and specific primary containment leakage limits are not required.

SR 3.6.1.3.12 The analyses in References 1 and 4 are based on the specified leakage rate.

Leakage through each MSIV must be~ 100 scfh for anyone MSIV and~ 300 scfh for total leakage through the MS IVs combined with the Main Steam Line Drain Isolation Valve, HPCI Steam Supply Isolation Valve and the RCIC Steam Supply Isolation Valve. The MSIVs can be tested at either~ Pt (24.3 psig) or Pa (48.6 psig). Main Steam Line Drain Isolation, HPCI and RCIC Steam Supply Line Isolation Valves, are tested at Pa (48.6 psig). In MODES other than 1, 2, or 3, the Reactor Coolant System is not pressurized and specific primary containment leakage limits are not required. The Frequency is required by the Primary Containment Leakage Rate Testing Program.

SR 3.6.1.3.13 Surveillance of hydrostatically tested lines provides assurance that the calculation assumptions of Reference 2 are met. The acceptance criteria for the combined leakage of all hydrostatically tested lines is 3.3 gpm when tested at 1.1 Pa, (53.46 psig). The combined leakage rates must be demonstrated in accordance with the leakage rate test Frequency required by the Primary Containment Leakage Testing Program.

As noted in Table B 3.6.1.3-1, PCIVs associated with this SR are not Type C tested. Containment bypass leakage is prevented since the line terminates below the minimum water level in the suppression chamber. These valves are tested in accordance with the 1ST Program. Therefore, these valves leakage is not included as containment leakage.

(continued)

SUSQUEHANNA - UNIT 2 3.6-27

Rev. 17 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.13 REQUIREMENTS (continued) In some instances, the valves are required to be capable of automatically closing during MODES other than MODES 1, 2, and 3. However, specific leakage limits are not applicable in these other MODES or conditions.

REFERENCES 1. FSAR, Chapter 15.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

3. 10 CFR 50, Appendix J, Option B.

4. FSAR, Section 6.2.

5. NED0-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.

6. Standard Review Plan 6.2.4, Rev. 1, September 1975.

7. NED0-32977-A, "Excess Flow Check Valve Testing Relaxation," June 2000.

SUSQUEHANNA - UNIT 2 3.6-28

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Paqe 1 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Containment 2-57-199 (d) ILRT Manual NIA Atmospheric 2-57-200 (d) ILRT Manual NIA Control HV-25703 Containment Pun:ie Automatic Valve 2.b, 2.d, 2.e (15)

HV-25704 Containment Puroe Automatic Valve 2.b, 2.d, 2.e (15)

HV-25705 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-25711 Containment Purqe Automatic Valve 2.b, 2.d, 2.e (15)

HV-25713 Containment Pume Automatic Valve 2.b, 2.d, 2.e (15)

HV-25714 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-25721 Containment Purqe Automatic Valve 2.b, 2.d, 2.e (15)

HV-25722 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-25723 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-25724 Containment Puroe Automatic Valve 2.b, 2.d, 2.e (15)

HV-25725 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-25766 (a) Suooression Pool Cleanup Automatic Valve 2.b, 2.d (35)

HV-25768 (a) Suooression Pool Cleanup Automatic Valve 2.b, 2.d (30)

HV-257113 (d) Hardened Containment Vent Power Operated NIA (Air)

HV-257114 (d) Hardened C9ntainment Vent Power Operated NIA (Air)

SV-257100-A Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Syst SV~257100 B Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Syst SV-257101 A Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257101 B Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257102A Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257102 B Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257103A Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257103 B Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Syst SV-257104 Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257105 Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Svst SV-257106 Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Syst SV-257107 Containment Radiation Detection Automatic Valve 2.b, 2.d, 2.f Syst SV-25734 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25734 B (e) Containment Atmosphere Samole Automatic Valve 2.b, 2.d SV-25736 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25736 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25737 Nitroqen Makeup Automatic Valve 2.b, 2.d, 2.e SUSQUEHANNA - UNIT 2 3.6-29

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Paoe 2 of 1O)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Containment SV-25738 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e Atmospheric SV-25740 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d Control SV-25740 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d (continued) SV-25742 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25742 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25750 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25750 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25752 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25752 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25767 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e SV-25774 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25774 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25776 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25776 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25780 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25780 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25782 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d.

SV-25782 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-25789 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e Containment 2-26-072 (d) Containment Instrument Gas Manual Check N/A Instrument Gas 2-26-074 (d) Containment Instrument Gas Manual Check N/A 2-26-152 (d) Containment Instrument Gas Manual Check N/A 2-26-154 (d) Containment Instrument Gas Manual Check N/A 2-26-164 (d) Containment Instrument Gas Manual Check N/A HV-22603 Containment Instrument Gas Automatic Valve 2.c, 2.d (20)

SV-22605 Containment Instrument Gas Automatic Valve 2.c, 2.d SV-22651 Containment Instrument Gas Automatic Valve 2.c, 2.d SV-22654A Containment Instrument Gas Power Operated N/A SV-22654 B Containment Instrument Gas Power Operated N/A SV-22661 Containment Instrument Gas. Automatic Valve 2.b, 2.d SV-22671 Containment Instrument Gas Automatic Valve 2.b, 2.d Core Spray HV-252F001 A (b)(c) CS Suction Power Operated N/A HV-252F001 B (b)(c) CS Suction Power Operated N/A HV-252F005 A CS Injection Power Operated N/A HV-252F005 B CS Injection Power Operated N/A Air Operated HV-252F006 A CS Injection N/A Check Valve Air Operated HV-252F006 B CS Injection N/A Check Valve HV-252F015 A (b)(c) CS Test Automatic Valve 2.c, 2.d (80)

HV-252F015 B (b)(c) CS Test Automatic Valve 2.c, 2.d (80)

HV-252F031 A (b)(c) CS Minimum Recirculation Flow Power Operated N/A HV-252F031 B (b)(c) CS Minimum Recirculation Flow Power Operated N/A SUSQUEHANNA - UNIT 2 3.6-30

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Pa~e 3 of 1Ol Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time /Secondsll Core Spray HV-252F037 A CS Injection Power Operated N/A (continued) (Air)

HV-252F037 B CS Injection Power Operated N/A (Air)

XV-252F018 A Core Spray Excess Flow N/A Check Valve XV-252F018 B Core Spray Excess Flow N/A Check Valve Demin Water 2-41-017 (d) Demineralized Water Manual N/A 2-41-018 (dl Demineralized Water Manual N/A HPCI 2-55-038 (d) HPCI Injection Manual N/A 255F046 (bl (cl (dl HPCI Minimum Recirculation Flow Manual Check N/A 255F049 (a) (d) HPCI Manual Check N/A HV-255F002 HPCI .steam Supply Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g, (50)

HV-255F003 HPCI Steam Supply Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g, (50)

HV-255F006 HPCI Injection Power Operated N/A HV-255F012 (b) (c) HPCI Minimum Recirculation Flow Power Operated N/A HV-255F042 (b) (c) HPCI Suction Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g, (1151 HV-255F066 (al HPCI Turbine Exhaust Power Operated N/A HV-255F075 HPCI Vacuum Breaker Automatic Valve 3.b, 3.d, (15)

HV-255F079 HPCI Vacuum Breaker Automatic Valve 3.b, 3.d, (151 HV-255F100 HPCI Steam Supply Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g, (61 XV-255F024 A HPCI Excess Flow N/A Check Valve XV-255F024 B HPCI Excess Flow N/A Check Valve XV-255F024 C HPCI Excess Flow N/A Check Valve XV-255F024 D HPCI Excess Flow N/A Check Valve Liquid Radwaste HV-26108A1 Liquid Radwaste Automatic Valve 2.b, 2.d (15)

Collection HV-26108A2 Liquid Radwaste Automatic Valve 2.b, 2.d (15)

HV-26116 A1 Liquid Radwaste Automatic Valve 2.b, 2.d (151 HV-26116 A2 Liquid Radwaste Automatic Valve 2.b, 2.d (15)

Nuclear Boiler 241F010A (d) Feedwater Manual Check N/A 241F010 B (d) Feedwater Manual Check N/A 241F039A (dl Feedwater Isolation Valve Manual Check N/A 241F039 B (d) Feedwater Isolation Valve Manual Check N/A 241818A (d) Feedwater Isolation Valve Manual Check N/A 241818 B (d) Feedwater Isolation Valve Manual Check N/A SUSQUEHANNA - UNIT 2 3.6-31

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 4 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve

_(Maximum Isolation Time (Seconds))

Nuclear Boiler HV-241F016 MSL Drain Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (continued) (10)

HV-241F019 MSL Drain Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (15)

HV-241 F022 A MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241F022 B MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241F022 C MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241F022 D MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241F028 A MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241F028 B MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241 F028 C MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241F028 D MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-241 F032 A Feedwater Isolation Valve Power Operated N/A Check Valves HV-241F032 B Feedwater Isolation Valve Power Operated N/A Check Valves XV-241F009 Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241F070 A Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F070 B Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F070 C Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F070 D Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241F071 A Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241F071 B Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241F071 C Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241F071 D Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F072 A Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F072 B Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F072 C Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F072 D Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F073 A Nuclear Boiler EFCV Excess Flow N/A Check Valve SUSQUEHANNA - UNIT 2 3.6-32

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Paae 5 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time /Seconds))

Nuclear Boiler XV-241 F073 B Nuclear Boiler EFCV Excess Flow N/A (continued) Check Valve XV-241 F073 C Nuclear Boiler EFCV Excess Flow N/A Check Valve XV-241 F073 D Nuclear Boiler EFCV Excess Flow N/A Check Valve Nuclear Boiler XV-24201 Nuclear Boiler Vessel Instrument Excess Flow N/A Vessel Check Valve Instrumentation XV-24202 Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F041 Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F043 A Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F043 B Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F045 A Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F045 B Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F047 A Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F047B Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F051 A Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F051 B Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F051 C Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F051 D Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F053 A Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F053 B Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F053 C Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F053 D Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F055 Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F057 Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F059 A Nuclear Boiler Vessel Instrument Excess Flow N/A Check Valve XV-242F059 B Nuclear Boiler Vessel* Instrument Excess Flow N/A Check Valve SUSQUEHANNA - UNIT 2 3.6-33

Rev. 17 PCIVs 8 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Paae 6 of 1O)

Isolation Signal LCO Plant System 3.3.6.1 Function No.

Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Nuclear Boiler XV-242F059 C Nuclear Boiler Vessel Instrument Excess Flow NIA Vessel Check Valve Instrumentation XV-242F059 D Nuclear Boiler Vessel Instrument Excess Flow NIA (continued) Check Valve XV-242F059 E Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 F Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 G Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 H Nuclear Boiler Vessel Instrument. Excess Flow NIA Check Valve XV-242F059 L Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 M Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 N Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 P Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 R Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 S Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 T Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F059 U Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve XV-242F061 Nuclear Boiler Vessel Instrument Excess Flow NIA Check Valve RB Chilled Water HV-28781 A1 RB Chilled Water Automatic Valve 2.c, 2.d (40)

System HV-28781 A2 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-28781 B1 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-28781 B2 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-28782A1 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-28782A2 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-28782 B1 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-28782 B2 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-28791 A1 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-28791 A2 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-28791 B1 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-28791 B2 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-28792A1 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-28792A2 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-28792 B1 RB Chilled Water Automatic Valve 2.b, 2.d (8)

SUSQUEHANNA - UNIT 2 3.6-34

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (PaQe 7 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

RB Chilled Water HV-28792 82 RB Chilled Water Automatic Valve 2.b, 2.d (8)

System (continued)

RBCCW HV-21313 RBCCW Automatic Valve 2.c, 2.d (30)

HV-21314 RBCCW Automatic Valve 2.c, 2.d (30)

HV-21345 RBCCW Automatic Valve 2.c, 2.d (30)

HV-21346 RBCCW Automatic Valve 2.c, 2.d (30)

RCIC 2-49-020 (d) RCIC Injection Manual N/A 249F021 (b) (c) (d) RCIC Minimum Recirculation Flow Manual Check N/A 249F028 (a) (d) RCIC Vacuum Pump Discharae Manual Check N/A 249F040 (a) (d) RCIC Turbine Exhaust Manual Check N/A FV-249F019 (bl (cl RCIC Minimum Recirculation Flow Power Operated N/A HV-249F007 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (20)

HV-249F008 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.Q (20)

HV-249F013 RCIC Injection Power Operated N/A HV-249F031 (b) (c) RCIC Suction Power Operated N/A HV-249F059 (al RCIC Turbine Exhaust Power Operated N/A HV-249F060 (a) RCIC Vacuum Pump DischarQe Power Operated N/A HV-249F062 RCIC Vacuum Breaker Automatic Valve 4.b, 4.d (10)

HV-249F.084 RCIC Vacuum Breaker Automatic Valve 4.b, 4.d (10)

HV-249F088 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (12)

XV-249F044 A RCIC Excess Flow N/A Check Valve XV-249F044 B RCIC Excess Flow N/A Check Valve XV-249F044 C RCIC Excess Flow N/A Check Valve XV-249F044 D RCIC Excess Flow N/A Check Valve Reactor 243F013 A (d) Recirculation Pump Seal Water Manual Check N/A Recirculation 243F013 B (d) Recirculation Pump Seal Water Manual Check N/A HV-243F019 Reactor Coolant Sample Automatic Valve 2.b (9)

HV-243F020 Reactor Coolant Sample Automatic Valve 2.b (2)

XV-243F003 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F003 B Reactor Recirculation Excess Flow N/A Check Valve XV-243F004 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F004 B Reactor Recirculation Excess Flow N/A Check Valve SUSQUEHANNA - UNIT 2 3.6-35

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Paoe 8 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description. Type of Valve (Maximum Isolation Time (Seconds))

Reactor XV-243F009 A Reactor Recirculation Excess Flow N/A Recirculation Check Valve (continued) XV-243F009 B Reactor Recirculation Excess Flow N/A Check Valve XV-243F009 C Reactor Recirculation Excess Flow N/A Check Valve XV-243F009 D Reactor Recirculation Excess Flow N/A Check Valve XV-243F010 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F010 B Reactor Recirculation Excess Flow N/A Check Valve XV-243F010 C Reactor Recirculation Excess Flow N/A Check Valve XV-243F010 D Reactor Recirculation Excess Flow N/A Check Valve XV-243F011 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F011 B Reactor Recirculation Excess Flow N/A Check Valve XV-243F011 C Reactor Recirculation Excess Flow N/A Check Valve XV-243F011 D Reactor Recirculation Excess Flow N/A Check Valve XV-243F012 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F012 B Reactor Recirculation Excess Flow N/A Check Valve XV-243F012 C Reactor Recirculation Excess Flow N/A Check Valve XV-243F012 D Reactor Recirculation Excess Flow N/A Check Valve XV-243F017 A Recirculation Pump Seal Water Excess Flow N/A Check Valve XV-243F017 B Recirculation Pump Seal Water Excess Flow N/A Check Valve XV-243F040 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F040 B Reactor Recirculation Excess Flow N/A Check Valve XV-243F040 C Reactor Recirculation Excess Flow N/A Check Valve 0 XV-243F040 D Reactor Recirculation Excess Flow N/A Check Valve XV-243F057 A Reactor Recirculation Excess Flow N/A Check Valve XV-243F057 B Reactor Recirculation Excess Flow - N/A Check Valve Residual Heat HV-251F004 A (b) (c) RHR - Suooression Pool Suction Power Ooerated N/A Removal HV-251F004 B (b) (c) RHR - Suppression Pool Suction Power Operated N/A HV-251 F004 C (b) (c) RHR - Suooression Pool Suction Power Operated N/A SUSQUEHANNA - UNIT 2 3.6-36

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Paae 9 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Residual Heat HV-251F004 D(b) (c) RHR - Suooression Pool Suction Power Operated N/A Removal HV-251F007 A(b) (c) RHR - Minimum Recirculation Power Operated N/A (continued) HV-251 FOO? B (b) (c) RHR- Minimum Recirculation Power Operated N/A HV-251F008 RHR - Shutdown Cooling Suction Automatic Valve 6.a, 6.b, 6.c (52)

HV-251F009 RHR - Shutdown Coolinq Suction Automatic Valve 6.a, 6.b, 6.c (52)

HV-251F011 A(b) (d) RHR - Suppression Pool Cooling Manual N/A HV-251F011 B (b) (d) RHR - Suooression Pool Coolinq Manual N/A HV-251 F015 A (f) RHR - Shutdown Cooling Power Operated N/A Return/LPCI Injection HV-251F015 B (f) RHR - Shutdown Cooling Power Operated N/A Return/LPCI Injection HV-251F016 A (b) RHR - Drvwell Spray Automatic Valve 2.c, 2.d (90)

HV-251F016 B (b) RHR - Drvwell Spray Automatic Valve 2.c, 2.d (90)

HV-251F022 RHR - Reactor Vessel Head Spray Automatic Valve 2.d, 6.a, 6.b, 6.c (30)

HV-251F023 RHR - Reactor Vessel Head Spray Automatic Valve 2.d, 6.a, 6.b, 6.c (20)

HV-251 F028 A (b) RHR - Suppression Pool Automatic Valve 2.c, 2.d (90)

Coolinq/Sprav HV-251F028 B (b) RHR - Suppression Pool Automatic Valve 2.c, 2.d (90)

Coolinq/Sorav HV-251 F050 A (g) RHR - Shutdown Cooling Air Operated N/A Return/LPCI lniection Check Valve HV-251 F050 B (g) RHR - Shutdown Cooling Air Operated N/A Return/LPCI lniection Check Valve HV-251F103 A (b) RHR Heat Exchanger Vent Power Operated N/A HV-251F103 B (b) RHR Heat ExchanqerVent Power Operated N/A HV-251F122A (g) RHR - Shutdown Cooling Power Operated N/A Return/LPCI Injection (Air)

HV-251F122 B (g) RHR - Shutdown Cooling Power Operated N/A Return/LPCI Injection (Air)

PSV-25106 A (b) (d) RHR- Relief Valve Discharge Relief Valve N/A PSV-25106 B (b) (d) RHR- Relief Valve Discharqe Relief Valve N/A PSV-251F126 (d) RHR- Shutdown Coolinq Suction Relief Valve N/A XV-25109A RHR Excess Flow N/A Check Valve XV-25109 B RHR Excess Flow N/A Check Valve XV-25109 C RHR Excess Flow N/A Check Valve XV-25109 D RHR Excess Flow N/A Check Valve RWCU HV-244F001 (a) RWCU Suction Automatic Valve 5.a, 5.b, 5.c, 5.d, 5.f, 5.g (30)

HV-244F004 (a) RWCU Suction Automatic Valve 5.a, 5.b, 5.c, 5.d, 5.e, 5.f, 5.g (30)

XV-24411 A RWCU Excess Flow N/A Check Valve XV-24411 B RWCU Excess Flow N/A Check Valve SUSQUEHANNA - UNIT 2 3.6-37

Rev. 17 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (PaQe 10 of 10)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

RWCU XV-24411 C RWCU Excess Flow N/A (continued) Check Valve XV-24411 D RWCU Excess Flow N/A Check Valve XV-244F046 RWCU Excess Flow N/A -

Check Valve HV-24182A RWCU Return Power Operated N/A HV-24182 B RWCU Return Power Operated N/A SLCS 248F007 (a) (d) SLCS Manual Check NIA HV-248F006 (a) SLCS Power Operated N/A Check Valve TIP System C51-J004 A (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 B (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 C (Ball TIP Ball Valves Automatic Valve . 7.a, 7.b (5)

Valve)

C51-J004 D (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 E (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

TIP System C51-J004 A (Shear TIP Shear Valves Squib Valve N/A (continued) Valve)

C51-J004 B (Shear TIP Shear Valves Squib Valve N/A Valve)

C51-J004 C (Shear TIP Shear Valves Squib Valve N/A Valve)

C51-J004 D (Shear TIP Shear Valves Squib Valve N/A Valve)

C51-J004 E (Shear TIP Shear Valves Squib Valve N/A Valve)

(a) Isolation barrier remains filled or a water seal remains in the line post-LOCA, isolation valve is tested with water.

Isolation valve leakage is not included in 0.60 La total Type B and C tests.

(b) Redundant isolation boundary for this valve is provided by the closed system whose integrity is verified by the Leakage Rate Test Program. This footnote does not apply to valve 255F046 (HPCI) when the associated PCIV, HV255F012 is closed and deactivated. Similarly, this footnote does not apply to valve 249F021 (RCIC) when it's associated PCIV, FV249F019 is closed and deactivated.

(c) Containment Isolation Valves are not Type C tested. Containment bypass leakage is prevented since the line terminates below the minimum water level in the Suppression Chamber. Refer to the 1ST Program.

(d) LCO 3.3.3.1, "PAM Instrumentation," Table 3.3.3.1-1, Function 6, (PCIV Position) does not apply since these are relief valves, check valves, manual valves or deactivated and closed.

(e) The containment isolation barriers for the penetration associated with this valve consists of two PCIVs and a closed system. The closed system provides a redundant isolation boundary for both PCIVs, and its integrity is required to be verified by the Leakage Rate Test Program.

(f) Redundant isolation boundary for this valve is provided by the closed system whose integrity is verified by the Leakage Rate Test Program.

(g) These valves are not required to be 10 CFR 50, Appendix J tested since the HV-251F015A(B) valves and a closed system form the 10 CFR 50, Appendix J boundary. These valves form a high/low pressure interface and are pressure tested in accordance with the pressure test program.

SUSQUEHANNA - UNIT 2 3.6-38

Rev. 17 PCIVs B 3.6.1.3 Table 8 3.6.1.3-2 Secondary Containment Bypass Leakage Isolation Valves (Not PCIVs)

(Page 1 of 1)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Residual Heat HV-251F040 RHR- RADWASTE LINE IB ISO VLV Automatic Valve 2.a, 2.d (45)

Removal HV-251F049 RHR - DISCH TO RADW OB ISO VLV Automatic Valve 2.a, 2.d (20) 2-51-136 RHR - COND TRANSFER OB SCBL Check Valve N/A CHECK VALVE 2-51-137 RHR - COND TRANSFER IB SCBL Check Valve N/A CHECK VALVE SUSQUEHANNA - UNIT 2 3.6-39

Rev. 2 Suppression Pool Water Level

. B 3.6.2.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.2 Suppression Pool_ Water Level BASES BACKGROUND The primary containment Utilizes a Mark II over/under pressure suppression configuration consisting of a drywell and suppression chamber. The drywell is a steel-lined concrete truncated cone located above the steel-lined concrete cylindrical pressure suppression chamber containing a volume of water called the suppression pool. The suppression pool is designed to absorb the energy associated with decay heat and sensible heat released during a reactor blowdown from safety/relief valve (S/RV) discharges or from a Design Basis Accident (OBA). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment, which ensures that the peak containment pressure is maintained below the maximum allowable pressure for containment (53 psig). The suppression pool must also condense steam from the steam exhaust lines in the turbine driven systems (i.e., High Pressure Coolant Injection (HPCI) System and Reactor Core Isolation Cooling (RCIC) System) -

arid provides the main emergency water supply source for the reactor vessel.

The suppression pool volume ranges between 122,41 O ft3 at the low water level limit of 22 ft O inches and 133,540 ft3 at the high water level limit of 24 ft O inches.

If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the S/RV quenchers, downcomers, or HPCI and RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also absorb less steam energy before heating up excessively.

Therefore, a minimum suppression pool water level is specified.

If the suppression pool water level is too high, it could result in excessive clearing loads from S/RV discharges and excessive pool swell loads during a OBA LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low.

(continued)

SUSQUEHANNA - UNIT 2 3.6-58

Rev. 2 Suppression Pool Water Level B 3.6.2.2 BASES APPLICABLE Initial suppression pool water level affects suppression pool temperature SAFETY response calculations, calculated drywell pressure during vent clearing for a ANALYSES OBA, calculated pool swell loads for a OBA LOCA, and calculated loads due to S/RV discharges. Suppression pool water level must be maintained within the limits specified so that the safety analysis of Reference 1 remains valid.

Suppression pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement. (Ref. 2)

LCO A limit that suppression pool water level be ~ 22 ft O inches and

s; 24 ft O inches is required to ensure that the primary containment conditions assumed for the safety analyses are met. Either the high or low water level limits were used in the safety analyses, depending upon which is more conservative for a particular calculation.

APPLICABILITY In MODES 1, 2, and 3, a OBA would cause significant loads on the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. The requirements for maintaining suppression pool water level within limits in MODE 4 or 5 is addressed in LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Inventory Control."

ACTIONS With suppression pool water level outside the limits, the conditions assumed for the safety analyses are not met. If water level is below the minimum level, the pressure suppression function still exists as long as downcomers are covered, HPCI and RCIC turbine exhausts are covered, and S/RV quenchers are covered. If suppression pool water level is above the maximum level, protection against ov_erpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Drywell Spray System. Therefore, continued operation for a limited time is allowed. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient to restore suppression pool water level to within limits. Also, it takes into account the low probability of an event impacting the suppression pool water level occurring during this interval.

(continued)

SUSQUEHANNA - UNIT 2 3.6-59

Rev.2 Suppression Pool Water Level B 3.6.2.2

BASES ACTIONS 8.1 and 8.2 (continued)

If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.2.2.1 REQUIREMENTS Verification of the suppression pool water level by at least one water level indicator is to ensure that the required limits are satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.6-60

Rev. 16 Secondary Containment B 3.6.4.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.1 Secondary Containment BASES BACKGROUND The secondary containment structure completely encloses the primary containment structure such that a dual-containment design is utilized to limit the spread of radioactivity to the environment to within limits. The function of the secondary containment is to contain, dilute, and hold up fission products that may leak from primary containment into secondary containment following a Design Basis Accident (OBA). In conjunction with operation of the Standby Gas Treatment (SGT) System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level of the fission products prior to release to the environment and to isolate and contain fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment (Ref. 1).

The secondary containment is a structure that completely encloses the primary containment and reactor coolant pressure boundary components.

This structure forms a control volume that serves to hold up and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump and motor heat load additions).

The secondary containment boundary consists of the reactor building structure and associated removable walls and panels, hatches, doors, dampers, seal~d penetrations and valves. Certain plant piping systems (e.g., Service Water, RHR Service Water, Emergency Service Water, Feedwater, etc.) penetrate the secondary containment boundary. The intact piping within secondary containment provides a passive barrier which maintains secondary containment requirements. Breaches of these piping systems within secondary containment will be controlled to maintain secondary containment requirements. The secondary containment is divided into Zone I, Zone II and Zone Ill, each of which must be OPERABLE depending on plant status and the alignment of the secondary containment boundary. Specifically, the Unit 1 secondary containment boundary can be modified to exclude Zone II. Similarly, the Unit 2 secondary containment boundary can be modified to exclude Zone I. Secondary containment may consist of only Zone Ill when in MODE 4 or 5 during CORE ALTERATIONS, or during handling of irradiated fuel within the Zone Ill secondary containment boundary.

(continued)

SUSQUEHANNA - UNIT 2 3.6-83

Rev. 16 Secondary Containment B 3.6.4.1 BASES BACKGROUND To prevent ground level exfiltration while allowing the secondary containment (continued) to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure. Requirements for the safety related systems are specified separately in LCO 3.6.4.2, *"Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System."

When one or more zones are excluded from secondary containment, the specific requirements for support systems will also change (e.g., required secondary containment isolation valves).

APPLICABLE There are two prin.cipal accidents for which credit is taken for secondary SAFETY containment OPERABILITY. These are a loss of coolant accident (LOCA)

ANALYSES (Ref. 2) and a fuel handling accident inside secondary containment (Ref. 3).

The secondary containment performs no active function in response to either of these limiting events; however, its leak tightness is required to ensure that the release of radioactive materials from the primary containment is restricted to those leakage paths and associated leakage rates assumed in the accident analysis and that fission products entrapped within the secondary containment structure will be treated by the SGT System prior to discharge to the environment.

Secondary containment satisfies Criterion 3 of the NRC Policy Statement (Ref. 4).

LCO An OPERABLE secondary containment provides a control volume into which fission products that bypass or leak from primary containment, or are released from the reactor coolant pressure boundary components located in secondary containment, can be diluted and processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum can be establish,ed and maintained. The leak tightness of secondary containment must also ensure that the release of radioactive materials to the environment is restricted to those leakage paths and associated leakage rates*assumed in the accident analysis. For example, secondary containment bypass leakage must be restricted to the leakage rate required by LCO 3.6.1.3. The secondary containment boundary required to be OPERABLE is dependent on the operating status of both units, as well as the configuration of walls, doors, hatches, SCIVs, and available flow paths to the SGT System.

(continued)

SUSQUEHANNA - UNIT 2 3.6-84

Rev. 16 Secondary Containment 8 3.6.4.1 BASES APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY.

In MODES 4 and 5, the probability and consequences ofthe LOCA are reduced due to the pressure and temperature limitations in these MODES.

Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume, except for other situations for which significant releases of radioactive material can be postulated, such as during CORE ALTERATIONS or during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal.

B.1 and 8.2 If secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 Movement of irradiated fuel assemblies in the secondary containment and COR.E ALTERATIONS can be postulated to cause fission product release to the secondary containment. In such cases, the secondary containment is the only barrier to release of fission products to the environment. CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended if the secondary containment is inoperable.

(continued)

SUSQUEHANNA - UNIT 2 3.6-85

Rev. 16 Secondary Containment B 3.6.4.1 BASES ACTIONS C.1 and C.2 (continued)

(continued)

Suspension of these activities shall not preclude completing an action that involves moving a component to a safe position.

Required Action C.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.6.4.1.1 REQUIREMENTS This SR ensures that the secondary containment boundary is sufficiently leak tight to preclude exfiltration under expected wind conditions.

The SR is modified by a Note which states the SR is not required to be met for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months if an analysis demonstrates that one SGT subsystem remains capable of establishing the required secondary containment vacuum. Use of the Note is expected to be infrequent but may be necessitated by situations in which secondary containment vacuum may be less than the required containment vacuum, such as, but not limited to, wind gusts or failure or change of operating normal ventilation subsystems. These conditions do not indicate any change in the leak tightness of the secondary containment boundary.

The analysis should consider the actual conditions (equipment configuration, temperature, atmospheric pressure, wind conditions, measured secondary containment vacuum, etc.) to determine whether, if an accident requiring secondary containment to be OPERABLE were to occur, one train of SGT could establish the assumed secondary containment vacuum within the time assumed in the accident analysis. If so, the SR may be considered met for a period up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months limit is based on the expected should duration of the situation when the Note would be applied.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.6-86

Rev. 16 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.2 and SR 3.6.4.1.3 REQUIREMENTS (continued) Verifying that secondary containment equipment hatches, removable walls and one access door in each access opening required to be closed are close.d ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur.

Verifying that all such openings are closed also provides adequate a~surance that exfiltration from the secondary containment will not occur.

In this application, the term "sealed" has no connotation of leak tightness.

An access opening typically contains one inner and one outer door.

. Maintaining secondary co*ntainment OPERABILITY requires verifying one door in each access opening to secondary containment zones is closed.

In some cases (e.g., railroad bay), secondary containment access openings are shared such that a secondary containment barrier.may have multiple inner or multiple outer doors. The intent is to maintain the secondary containment barrier intact, which is achieved by maintaining the inner or outer portion of the barrier closed at all times. However, brief, inadvertent, simultaneous opening of the inner and outer secondary containment doors for personnel entry and exit is allowed. Intentional or extended opening of both doors simultaneously, even for personnel entry and exit, is not permitted and will result in Secondary Containment being declared INOPERABLE. All secondary containment access doors are normally kept closed, except when the access opening is being used for entry and exit or when maintenance is being performed on an access opening.

When the railroad bay door (No. 101) is closed; all Zone I and Ill hatches, removable walls, dampers, and one door in each access opening connected to the railroad access bay are closed; or, only Zone I removable walls and/or doors are open to the railroad access shaft; or, only Zone Ill hatches and/or dampers are open to the railroad access shaft. When the railroad bay door (No. 101) is open; all Zone I and *111 hatches, removable walls, dampers, and one door in each access opening connected to the railroad access bay are closed. The truck bay hatch is closed and the truck bay door (No. 102) is closed unless Zone II is isolated from Zones I and Ill.

(continued)

SUSQUEHANNA - UNIT 2 3.6-87

Rev. 16 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR* 3.6.4.1.2 and SR 3.6.4.1.3 (continued)

REQUIREMENTS (continued) The access openings between secondary containment zones which are not provided with two doors are administratively controlled to maintain secondary containment integrity during exit and entry. This Surveillance is modified by a Note that allows access openings with a single door (i.e., no airlock) within the secondary containment boundary (i.e., between required secondary containment zones) to be opened for entry and exit. Opening of an access door for entry and exit allows sufficient administrative control by individual personnel making the entries and exits to assure the secondary containment function is not degraded. When one of the zones is not a zone required for secondary containment OPERABILITY, the Note allowance would not apply.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.1.4 and SR 3.6.4.1.5 The SGT System exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment. To ensure that all fission products are treated, SR 3.6.4.1.4 verifies that the SGT System will rapidly establish and maintain a pressure in the secondary containment that is less than the pressure external to the secondary containment boundary.

This is confirmed by demonstrating that one SGT subsystem will draw down the secondary containment to ~ 0.25 inches of vacuum water gauge in less than or equal to the maximum time allowed. This cannot be accomplished if the secondary containment boundary is not intact. SR 3.6.4.1.5 demonstrates that one SGT subsystem can maintain ~ 0.25 inches of vacuum water gauge for at least 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months at less than or equal to the maximum flow rate permitted for the secondary containment configuration that is operable. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months test period allows secondary containment to be in thermal equilibrium at steady state conditions. As noted, both SR 3.6.4.1.4 and SR 3.6.4.1.5 acceptance limits are dependent upon the secondary containment configuration when testing is being performed. The acceptance criteria for the SRs based on secondary containment configuration is defined as follows:

(continued)

SUSQUEHANNA - UNIT 2 3.6-88

Rev. 16 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.4 and SR 3.6.4:1.5 (continued)

REQUIREMENTS (continued)

SECONDARY MAXIMUM DRAWDOWN TIME(SEC) MAXIMUM FLOW RATE (CFM)

CONTAINMENT (SR 3.6.4.1.4 (SR 3.6.4.1.5 TEST CONFIGURATION ACCEPTANCE CRITERIA) ACCEPTANCE CRITERIA)

Group 1 Zones I, II and Ill (Unit 1 :,; 300 Seconds ::;;5400 CFM Railroad Bay aligned to (Zones I, II, and 111) (From Zones I, II, and Ill)

Secondary Containment).

Zones II and III (Unit 1 :,; 300 Seconds ::;;4000 CFM Railroad Bay aligned to (Zones II and Ill) (From Zones II and Ill)

Zone Ill).

Group 2 Zones I, II and Ill (Unit 1 :,; 300 Seconds :,;5300 CFM Railroad Bay not aligned to (Zones I, II, and Ill) (From Zones I, II, and Ill)

Secondary Containment).

Zones II and Ill (Unit 1 :,; 300 Seconds ::;;3900 CFM Railroad Bay not aligned to (Zones II and Ill) (From Zones II and III)

Secondary Containment).

Only one of the above listed configurations needs to be tested to confirm secondary containment OPERABILITY.

The secondary containment testing configurations are discussed in further detail to ensure the appropriate configurations are tested. Three zone testing (Zones, I, II and Ill aligned to the recirculation plenum) should be performed with the Railroad Bay aligned to secondary containment and another test with the Railroad Bay not aligned to secondary containment.

Each test should be performed with each division on a STAGGERED TEST BASIS.

Two zone testing (Zones II and Ill aligned to the recirculation plenum) should be performed with the Railroad Bay aligned to secondary containment and another test with the Railroad Bay not aligned to secondary containment.

Each test should be performed with each division on a STAGGERED TEST BASIS. The normal operating fans of the non-tested HVAC zone (Zone I fans 1V202A&B, 1V205A&B and 1V206A&B) should not be in operation.

Additionally, a controlled opening of adequate size should be maintained in Zone I Secondary Containment during testing to assure that atmospheric conditions are maintained in that zone.

(continued)

SUSQUEHANNA - UNIT 2 3.6-89

Rev. 16 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.4 and SR 3.6.4.1.5 (continued)

REQUIREMENTS (continued) The Unit 1 Railroad Bay can be aligned as a No Zone (isolated from secondary containment) or as part of secondary containment (Zone I or Ill).

Due to the different leakage pathways that exist in the Railroad Bay, the Railroad Bay should be tested when aligned to secondary containment and also not aligned to secondary containment. It is preferred to align the Railroad Bay to Zone Ill when testing with the Railroad Bay aligned to secondary containment since Zone Ill is included in all possible secondary containment isolation alignments. Note that when performing the three zone testing (Zones I, II and Ill aligned to the recirculation plenum) aligning the Railroad Bay to either Zone I or Ill is acceptable since either zone is part of secondary containment. When performing the Zone II & Ill testing with the Railroad Bay aligned to secondary containment, the Unit 1 Railroad Bay must be aligned to Zone 111.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.3.

2. FSAR, Section 15.6.

3. FSAR, Section 15.7.4.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3'.6-90

Rev. 14 SCIVs B 3.6.4.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs)

BASES BACKGROUND The function of the SC IVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment into secondary containment following a OBA, or that are released during certain operations when primary containment is not required to be OPERABLE or take place outside primary containment, are maintained within the secondary containment boundary.

The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves or dampers, de-activated automatic valves or dampers secured in their closed position (including check valves with flow through the valve secured), and blind flanges are considered passive devices.

Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a OBA or other accidents.

Other non-sealed penetrations which cross a secondary containment boundary are isolated by the use of valves in the closed position or blind flanges.

APPLICABLE The SCIVs must be OPERABLE to ensure the secondary containment SAFETY barrier to fission product releases is established. The principal accidents for ANALYSES which the secondary containment boundary is required are a loss of coolant accident (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events, but the boundary established by SCIVs is required to ensure that leakage from the primary containment is processed by the Standby Gas Treatment (SGT) System before being released to the environment.

(continued)

SUSQUEHANNA - UNIT 2 3.6-91

Rev. 14 SCIVs B 3.6.4.2 BASES APPLICABLE Maintaining SCIVs OPERABLE with isolation times within limits ensures that SAFETY fission products will remain trapped inside secondary containment so that ANALYSES they can be treated by the SGT System prior to discharge to the (continued) environment.

SCIVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 3).

LCO SCIVs that form a part of the secondary.containment boundary are required to be OPERABLE. Depending on the configuration of the secondary containment only specific SCIVs are required. The SCIV safety function is related to control of offsite radiation releases resulting from DBAs.

The automatic isolation valves are *considered OPERABLE when their isolation times are within limits and the valves actuate on an automatic isolation signal. The valves covered by this LCO, along with their associated stroke times, are listed in Table B 3.6.4.2-1.

The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic SCIVs are deactivated and secured in their closed position, or blind flanges are in place. These passive isolation valves or devices are listed in Table 83.6.4.2-2. Penetrations closed with sealants are considered part of the secondary containment boundary and are not considered penetration flow paths.

Certain plant piping systems (e.g., Service Water, RHR Service Water, Emergency Service Water, Feedwater, etc.) penetrate the secondary containment boundary. The intact piping within secondary containment provides a passive barrier which maintains secondary containment requirements. When the SOHR and temporary chiller system piping is connected and full of water, the piping forms the secondary containment boundary and the passive devices in TS Bases Table B3.6.4.2.,.2 are no longer required for these systems since the piping forms the barrier. During certain plant evolutions, piping systems may be drained and breached within secondary containment. During the pipe breach, system isolation valves can be used to provide secondary containment isolation. The isolation valve ,

alignment will be controlled when the piping system is breached.

/

(continued)

SUSQUEHANNA - UNIT 2 3.6-92

Rev. 14 SCIVs B 3.6.4.2 BASES APPLICABILITY In MODES 1, 2, and 3, a OBA could lead to a fission product release to the primary containment that leaks to the secondary containment. Therefore, the OPERABILITY of SCIVs is required.

In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES.

Therefore, maintaining S_CIVs OPERABLE is not required in MODE 4 or 5, except for other situations under which significant radioactive releases can be postulated, such as during CORE ALTERATIONS or during movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.

ACTIONS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls.

These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.

The second Note provides clarification that for the purpose of this LCO separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions.

The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV.

A.1 and A.2 In the event that there are one or more required penetration flow paths with one required SCIV inoperable, the affected penetration flow path(s) must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic SCIV, a closed manual valve, and a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment.

(continued)

SUSQUEHANNA - UNIT 2 3.6-93

Rev. 14 SCIVs B 3.6.4.2 BASES ACTIONS A.1 and A.2 (continued)

(continued)

The Required Action must be completed within the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time.

The specified time period is reasonable considering the time required to isolate the penetration, and the probability of a OBA, which requires the SCIVs to close, occurring during this short time is very low.

For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment penetrations.required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated.

Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two SCIVs. For penetration flow paths with one SCIV, Condition C provides the appropriate Required Actions.

Required Action A.2 is modified by a Note that applies to devices located in high radiation areas and allows them to be verified closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment, once they have been verified to be .in the proper position, is low.

With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable considering the time required to isolate the penetration and the probaqility of a OBA, which requires the SCIVs to close, occurring during this short time, is very low.

(continued)

SUSQUEHANNA - UNIT 2 3.6-94

Rev. 14 SCIVs B 3.6.4.2 BASES ACTIONS B.1 (continued)

(continued)

The Condition has been. modified by a Note stating that Condition B is only applicable to penetration flow paths with two isolation valves. For 0 penetration flow paths with one SCIV, Condition C provides the appropriate Required Actions.

C.1 and C.2 With one or more required penetration flow paths with one required SCIV inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time. The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable considering the relative stability of the system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting secondary containment OPERABILITY during MODES 1, 2, and 3.

In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment

penetrations required to be isolated following an accident are isolated.

The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one SCIV. For penetration flow paths with two SCIVs, Conditions A and B provide the appropriate Required Actions.

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low.

(continued)

SUSQUEHANNA - UNIT 2 3.6-95

Rev. 14 SCIVs B 3.6.4.2 BASES ACTIONS D.1 and D.2 (continued)

If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner ano without challenging plant systems.

E.1 and E.2 I If any Required Action and associated Completion Time are not met, the plant must be placed in a condition in which the LCO does not apply. If applicable, CORE ALTERATIONS and the movement of irradiated fuel assemblies in the secondary containment must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

Required Action E.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving fuel while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.6.4.2.1 REQUIREMENTS This SR verifies that each secondary containment manual isolation valve and blind flange that is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification (typically visual) that those required SCIVs in secondary containment that are capable of being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

0 (continued)

SUSQUEHANNA - UNIT 2 3.6-96

Rev. 14 SCIVs B 3.6.4.2 BASES SURVEILLANCE SR 3.6.4.2.1 (continued)

REQUIREMENTS (continued) Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these SCIVs, once they have been verified to be in the proper position, is low.

A second Note has been included to clarify that SCIVs that are open under administrative controls are not required to meet the SR during the time the SCIVs are open.

SR 3.6.4.2.2 SCIVs with maximum isolation times specified in Table B 3.6.2.4-1 are tested to verify that the isolation time is within limits to demonstrate OPERABILITY. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Automatic SCIVs without maximum isolation times specified in Table B 3.6.4.2-1 are tested under the requirements of SR 3.6.4.2.3. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses.

SR 3.6.4.2.3 Verifying that each automatic required SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a OBA or other accidents.

This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.2.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.6-97

Rev. 14 SCIVs B 3.6.4.2 BASES REFERENCES 1. FSAR, Section 6.2.

2. FSAR, Section 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.6-98

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-1 Secondary Containment Ventilation System Automatic Isolation Dampers (Page 1 of 1)

Maximum Reactor Valve Number Valve Description Type of Valve Isolation Building Time Zone (Seconds)

I HD-17586 A&B Supply System Dampers Automatic Isolation Damper 10.0 I HD-17524 A&B Filtered Exhaust System Dampers Automatic Isolation Damper 10.0 I HD-17576A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 10.0 II HD-27586 A&B Supply System Dampers Automatic Isolation Damper 10.0 II HD-27524 A&B Filtered Exhaust System Dampers Automatic Isolation Damper 10.0 II HD-27576 A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 10.0 Ill HD-17564 A&B Supply System Dampers Automatic Isolation Damper 14.0 Ill HD-17514A&B Filtered Exhaust System Dampers Automatic Isolation Damper 6.5 Ill HD-17502 A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 6.0 Ill HD-27564 A&B Supply System Dampers Automatic Isolation Damper 14.0 Ill HD-27514 A&B Filtered Exhaust System Dampers Automatic Isolation Damper 6.5 Ill HD-27502 A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 6.0 NIA HD-17534A Zone 3 Airlock 1-606 Automatic Isolation Damper NIA NIA HD-175348 Zone 3 Airlock 1-611 Automatic Isolation Damper NIA NIA HD-17534D Zone 3 Airlock 1-803 Automatic Isolation Damper NIA NIA HD-17534E Zone 3 Airlock 1-805 Automatic Isolation Damper NIA NIA HD-17534F Zone 3 Airlock 1-617 Automatic Isolation Damper NIA NIA HD-17534H Zone 3 Airlock 1-618 Automatic Isolation Damper NIA NIA HD-27534A Zone 3 Airlock 11-606 Automatic Isolation Damper NIA NIA HD-27534D Zone 3 Airlock 11-803 Automatic Isolation Damper NIA NIA HD-27534E Zone 3 Airlock 11-805 Automatic Isolation Damper NIA NIA HD-27534G Zone 3 Airlock C-806 Automatic Isolation Damper NIA NIA HD-27534H Zone 3 Airlock 11-618 Automatic Isolation Damper NIA NIA HD-275341 Zone 3 Airlock 11-609 Automatic Isolation Damper NIA SUSQUEHANNA - UNIT 2 3.6-99

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-2 Secondary *containment Ventilation System Passive Isolation Valves or Devices (Page 1 of 4)

Device Number Device Description Area/Elev. Required Position / Notes X-29-2-44 SOHR System to Fuel Pool Cooling Yard/670 Blind Flanged I Note 1 X-29-2-45 SOHR Svstem to Fuel Pool Coolina Yard/670 Blind Flanaed / Note 1 110176 SOHR Supply Drain Viv 29/670 Closed Manual Isa Valve/ Note 1 110186 SOHR Discharge Drain Viv 29/670 Closed Manual Isa Valve/ Note 1 110180 SOHR Supply Vent Viv 29/749 Closed Manual Isa Valve / Note 1 110181 SOHR Discharge Fill Viv 27n49 Closed Manual Isa Valve / Note 1 110182 SOHR Discharae Vent Viv 27n49 Closed Manual Isa Valve/ Note 1 110187 SOHR Supply Fill Viv 29/749 Closed Manual Isa Valve / Note 1 210186 SOHR Supply Drain Viv 33/749 Closed Manual Isa Valve / Note 1 210187 SOHR Supply Vent Viv 33/749 Closed Manual Isa Valve/ Note 1 210191 SOHR Discharge Vent Viv 30/749 Closed Manual lso Valve / Note 1 210192 SOHR Discharae Drain Viv 30/749 Closed Manual lso Valve / Note 1 210193 SOHR Discharge Vent Viv 33/749 Closed Manual Isa Valve / Note 1 X-29-2-46 Temporary Chiller to RBCW Yard/670 Blind Flanged / Note 2 X-29-2-47 Temporarv Chiller to RBCW Yard/670 Blind Flanged / Note 2 X-29-5-95 Temporary Chiller to Unit 1 RBCW 29/749 Blind Flanged / Note 2 X-29-5-96 Temporarv Chiller to Unit 1 RBCW 29/749 Blind Flanaed I Note 2 X-29-5-91 Temporarv Chiller to Unit 2 RBCW 33/749 Blind Flanged/ Note 2 X-29-5-92 Temporarv Chiller to Unit 2 RBCW 33/749 Blind Flanaed I Note 2 187388 RBCWTemp Chiller Discharge lso Viv 29/670 Closed Manual lso Valve/ Note.2 187389 RBCWTemp Chiller Supply Isa Viv 29/670 Closed Manual lso Valve/ Note 2 187390 RBCW Temp Chiller Supply Drain Viv 29/670 Closed Manual lso Valve/ Note 2 187391 RBCWTemp Chiller Discharae Drain Viv 29/670 Closed Manual lso Valve/ Note 2 X-28-2-3000 Utility Penetration to Unit 1 East Stairwell Yard/670

Blind Flanged / Note 3 X-29-2-48 Utilitv Penetration to Unit 1 RR Bav Yard/670 Capped / Note 5 X-33-2-3000 Utility Penetration to Unit 2 East Stairwell Yard/670 Blind Flanged / Note 4 X-28-2-3000 Utility Penetration to Unit 1 East Stairwell 28/670 Blind Flanged / Note 3 X-29-2-48 Utility Penetration to Unit 1 RR Bay 29/670 Capped / Note 5 X-33-2-3000 Utility Penetration to Unit 2 East Stairwell 33/670 Blind Flanged / Note 4 X-29-3-54 Utility Penetration to Unit 1 RBCCW Hx Area 27/683 Blind Flanged/ Note 6 X-29-3-55 Utility Penetration to Unit 1 RBCCW Hx Area 27/683 Blind Flanged / Note 6 Utility Penetration from Unit 1 RR Bay to Unit 2 X-29-5-97 33/749 Capped Elev. 749 X-27-6-92 Instrument Tubing Stubs 27/779' Capped X-29-7-4 1" Spare Conduit Threaded Plug 29/818' Installed X-30-6-72 Instrument Tubing Stubs 30/779' Capped X-30-6-1002 Stairwell #214 Rupture Disc 30/779' Installed Intact X-30-6-1003 Airlock 11-609 Rupture Disc 30/779' Installed Intact X-25-6-1008 Airlock 1-606 Rupture Disc 25/779' Installed Intact X-29-4-D1-B Penetration at Door 4330 29/719' Blind Flange Installed X-29-4-D1-A Penetration at Door 4330 29/719' Blind Flange Installed X-29-4-D1-B Penetration at Door 404 33/719' Blind Flange Installed X-29-4-D1-A Penetration at Door 404 33/719' Blind Flange Installed SUSQUEHANNA - UNIT 2 3.6-100

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-2 Secondary Containment Ventilation System Passive Isolation Valves or Devices (Page 2 of 4)

Device Number Device Description Area/Elev. Required Position / Notes HD17534C Airlock 1-707 Blind Flanqe 28/799' Blind Flanae Installed HD27534C Airlock 11-707 Blind Flanae 33/799' Blind Flanae Installed XD-17513 Isolation damper for Railroad Bay Zone Ill HVAC I 29/799' Position is dependent on Railroad Supply Bay alianment XD-17514 Isolation damper for Railroad Bay Zone Ill HVAC 29/719' Position is dependent on Railroad Exhaust Bay aliqnment

-. XD-12301 PASS Air Flow Damper 11/729' Closed Damper XD-22301 PASS Air Flow Damper 22/729' Closed Damper 161827 HPCI Blowout Steam Vent Drain Valve 25/645' Closed Manual lso Valve / Note 3 161828 RCIC Blowout Steam Vent Drain Valve 28/645' Closed Manual lso Valve/ Note 3 161829 'A' RHR Blowout Steam Vent Drain Valve 29/645' Closed Manual lso Valve/ Note 3 161830 'B' RHR Blowout Steam Vent Drain Valve 28/645' Closed Manual lso Valve/ Note 3 261820 RCIC Blowout Steam Vent Drain Valve 33/645' Closed Manual lso Valve/ Note 4 261821 'A' RHR Blowout Steam Vent Drain Valve 34/645' Closed Manual lso Valve / Note 4 261822 'B' RHR Blowout Steam Vent Drain Valve 33/645' Closed Manual lso Valve / Note 4 2LRWl810L Zone Ill Floor Drain 34-818 Pluaaed / Note 7 2LRWl810M Zone Ill Floor Drain 34-818 Pluqqed / Note 7 2LRWl810N Zone Ill Floor Drain 34-818 Pluaaed / Note 7 2LRWl810R Zone Ill Floor Drain 34-818 Pluqqed / Note 7 2LRWl810S Zone Ill Floor Drain 34-818 Pluaaed / Note 7 2LRWl703A Zone II Floor Drain 34-799 Pluqqed / Note 7 2LRWl615A Zone I Floor Drain 34-779 Pluaaed / Note 7 2LRWl100A Zone Floor Drain 34-670 Pluqqed / Note 7 2LRWl100B Zone Floor Drain 34-670 Pluaaed / Note 7 2LRWl100C Zone Floor Drain 34-670 Pluqqed / Note 7 2LRWl100D Zone Floor Drain 34-670 Pluaaed / Note 7 2LRWl100E Zone Floor Drain 34-670 Pluqqed / Note 7 2LRWl100F Zone Floor Drain 34-670 Pluaaed / Note 7 2LRWl100G Zone II Floor Drain 34-670 Pluqqed / Note 7 SUSQUEHANNA - UNIT 2 3.6-101

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-2 Secondary Containment Ventilation System Passive Isolation Valves or Devices (Page 3 of 4)

Device Number Device Description Area/Elev. Required Position / Notes 1LRWl810U Zone Ill Floor Drain 29-818 Pluaaed I Note 7 1LRWl1810V Zone Ill Floor Drain 29-818 Plugged / Note 7 1LRWl1810W Zone Ill Floor Drain 29-818 Pluaaed I Note 7 1LRWl810X Zone Ill Floor Drain 29-818 Plugged / Note 7 1LRWl810Y Zone Ill Floor Drain 29-818 Pluaaed I Note 7 1LRWl810Z Zone Ill Floor Drain 29-818 Pluqqed / Note 7 1LRWl810FF Zone Ill Floor Drain 29-818 Pluaaed I Note 7 1LRWl810GG Zone Ill Floor Drain 29-818 Pluqqed / Note 7 1LRWl810HH Zone Ill Floor Drain 29-818 Plugged/ Note 7 1LRWl810JJ Zone Ill Floor Drain 29-818 Pluqqed / Note 7 1LRWl810KK Zone Ill Floor Drain 29-818 Plugged/ Note 7 1LRWl615A Zone I, Zone Ill, or No Zone Floor Drain 29-779 Pluaaed I Note 7 1LRWl100A Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plugged / Note 7 1LRWl100B Zone I, Zone Ill, or No Zone Floor Drain 29-670 Pluaaed I Note 7 1LRWl100C Zone I, Zorie Ill, or No Zone Floor Drain 29-670 Plugged / Note 7 1LRWl100D Zone I, Zone Ill, or No Zone Floor Drain 29-670 Pluaaed I Note 7 1LRWl100E Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plugged / Note 7 1LRWl100F Zone I, Zone Ill, or No Zone Floor Drain 29-670 Pluaaed I Note 7 1LRWl100G Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plugged/ Note 7 HCVS Rupture Disc Burst Connection Isolation 257328 OR 257336 21/686' Closed Manual Isa Valve/ Note 4 Valves HCVS Rupture Disc Burst Connection Isolation 157328 OR 157336 21/686' Closed Manual Isa Valve / Note 3 Valves SUSQUEHANNA - UNIT 2 3.6-102

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-2 Secondary Containment Ventilation System Passive Isolation Valves or Devices (Page 4 of 4)

Note 1: The two blind flanges on the SOHR penetrations (blind flanges for device number X-29-2-44 and X-29-2-45) and all the closed manual valves for the SOHR system (110176, 110186, 110180, 110181, 110182, 110187, 210186, 210187, 210191, 210192, 210193) can each be considered as a separate secondary containment isolation device for the SOHR penetrations. If one or both of the blind flanges is removed and all the above identified manual valves for the SOHR system are closed, the appropriate LCO should be entered for one inoperable SCIV in a penetration flow path with two SCIVs. With the blind flange removed, the manual valves could be opened intermittently under administrative controls per the Technical Specification Note. When both SOHR blind flanges are installed, opening of the manual valves for the SOHR system will be controlled to prevent cross connecting ventilation zones. When the manual valves for the SOHR system are open in this condition, the appropriate LCO should be entered for one inoperable SCIV in a penetration flow path with two SC IVs. When the SOHR system piping is connected and full of water, the piping forms the secondary containment boundary and the above listed SC IVs in Table 83.6.4.2-2 are no longer required for this system since the piping forms the barrier.

Note 2: Due to the multiple alignments of the RBCW temporary chiller, different devices will perform the SCIV function depending on the RBCW configuration. There are three devices/equipment that can perform the SCIV function for the RBCW temporary chiller supply penetration. The first SCIV for the RBCW temporary chiller supply penetration is the installed blind flange on penetration X-29-2-47. The second SCIV for the RBCW temporary chiller supply penetration is isolation valve 187389. The third SCIV for the temporary RBCW chiller supply penetration is closed drain valve 187390 and an installed blind flange on penetrations X-29-5-92 and/or X-29-5-96. Since there are effectively three SCIVs, any two can be used to define the SCIV for the penetration. Removal of one of the two required SCIVs requires entry into the appropriate LCO for one inoperable SCIV in a penetration flow path with two SCIVs. Opening of drain valve 187390 and operation of blank flanges X-29-5-96 and X-29-5-92 will be controlled to prevent cross connecting ventilation zones. These three SC IVs prevent air inleakage into secondary containment. The isolation of the penetration per the Technical Specification _requirement is to assure that one of the above SC IVs is closed so that there is no air inleakage into secondary containment.

There are three devices/equipment that can perform the SCIV function for the RBCW temporary chiller return penetration. The first SCIV for the RBCW temporary chiller return penetration is the installed blind flange on penetration X-29-2-46. The second SCIV for the RBCW temporary chiller return penetration is isolation valve 187388. The third SCIV for the temporary RBCW chiller return penetration is closed drain valve 187391 and an installed blind flange on penetrations X-29-5-91 and/or X-29-5-95. Since there are effectively three SC IVs, any two can be used to define the SCIV for the penetration. Removal of one of the two required SC IVs requires entry into the appropriate LCO for one inoperable SCIV in a penetration flow path with two SC IVs. Opening of drain valve 187391 and operation of blank flanges X-29-5-91 and X-29-5-95 will be controlled to prevent cross connecting ventilation zones.

These three SC IVs prevent air inleakage into secondary containment. The isolation of the penetration per the Technical Specification requirement is to assure that one of the above SC IVs is closed so that there is no air inleakage into secondary containment.

When the RBCW temporary chiller piping is connected and full of water, the piping inside secondary containment forms the secondary containment boundary and the above listed SC IVs in Table 83.6.4.2-2 are no longer required for this system.

Note 3: These penetrations connect Secondary Containment Zone I to a No-Zone. When Secondary Containment Zone I is isolated from the recirculation plenum, the above listed SCIVs in Table 83.6.4.2-2 are no longer required.

Note 4: These penetrations connect Secondary Containment Zone II to a No-Zone. When Secondary Containment Zone II is isolated from the recirculation plenum, the above listed SCIVs in Table 83.6.4.2-2 are no longer required.

Note 5: These penetrations connect the Railroad Bay to a No-Zone. When the Railroad Bay is a No-Zone, the above listed SCIVs in Table 83.!3.4.2-2 are no longer required.

Note 6: These penetrations connect Secondary Containment Zone I to the Railroad Bay. The above listed SCIVs in Table 83.6.4.2-2 are not required if the Railroad Bay is a No-Zone and Zone I is isolated from the recirculation plenum OR if the Railroad Bay is aligned to Zone I.

Note 7: Due to drain header containing multiple floor drains in different ventilation zones, drain plugs were installed in all of the drain header floor drains. To provide the passive Secondary Containment boundary, only drain plugs in one ventilation zone are required to be installed.

SUSQUEHANNA - UNIT 2 3.6-103

Rev. 7 SGT System B 3.6.4.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.3 Standby Gas Treatment (SGT) System BASES BACKGROUND The SGT System is required by 10 CFR 50, Appendix A, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1). The safety function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (OBA) are filtered and adsorbed prior to exhausting to the environment.

The SGT System consists of two redundant subsystems, each with its own set of dampers, filter train, and a reactor building recirculation fan and associated dampers and controls.

Each filter train consists of (components listed in order of the direction of the air flow):

a. A demister;

b. An electric heater;

c. A prefilter;

d. A high efficiency particulate air (HEPA) filter;

e. A charcoal adsorber;

f. A second HEPA filter; and

g. A centrifugal fan.

The sizing of the SGT System equipment and components is based on handling an incoming air mixture at a maximum of 125°F. The internal pressure of the secondary containment is maintained at a negative pressure of 0.25 inches water gauge when the system is in operation. Maintenance of a negative pressure precludes direct outleakage.

The demister is provided to remove entrained water in the air, while the electric heater reduces the relative humidity of the airstream to less than 70%

(Ref. 2). The prefilter removes large particulate matter, while the HEPA filter removes fine particulate matter and protects the charcoal from fouling.

(continued)

SUSQUEHANNA - UNIT 2 3.6-104

Rev. 7 SGT System B 3.6.4.3 BASES BACKGROUND The charcoal adsorber removes gaseous elemental iodine and organic (continued) iodides, and the final HEPA filter collects any carbon fines exhausted from the charcoal adsorber.

The SGT System automatically starts and operates in response to actuation signals indicative of conditions or an accident that could require operation of the system. Following initiation in each division, the associated filter train fan starts. Upon verification that both subsystems are operating, the redundant subsystem may be shut down.

The SGT System also contains a cooling function to remove heat generated by fission product decay on the HEPA filters and charcoal adsorbers during shutdown of an SGT subsystem. The cooling function consists of two separate and independent filter cooling modes per SGT subsystem. The two cooling modes are:

1) Outside air damper and the filter cooling bypass damper open, allowing outside air to flow through the shutdown SGT subsystem's filter train and exit via the opposite SGT subsytem's exhaust fan.

2) Outside air damper opens and the SGT exhaust fan of the shutdown SGT subsystem starts. This configurations draws outside air through the shutdown SGT subsystem's filter train and exits via the associated SGT subsystem's exhaust fan.

APPLICABLE The design basis for the SGT System is to mitigate the consequences of a SAFETY loss of coolant accident and fuel handling accidents (Ref. 2). For all events ANALYSES analyzed, the SGT System is shown to be automatically initiated to reduce, via filtration and adsorption, the radioactive material released to the environment.

The SGT System satisfies Criterion 3 of the NRC Policy Statement (Ref. 3).

LCO Following a OBA, a minimum of one SGT subsystem is required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for two OPERABLE subsystems ensures operation of at least one SGT subsystem in the event of a single active failure. A SGT subsystem is considered OPERABLE when it has an OPERABLE set of dampers, filter train, one reactor building recirculation fan and associated dampers, and (continued)

SUSQUEHANNA - UNIT 2 3.6-105

Rev. 7 SGT System B 3.6.4.3 BASES LCO associated controls, including instrumentation. (The reactor building (continued) recirculation fans and associated dampers are not dedicated to either SGT subsystem. As a result, when any one reactor building recirculation division is not OPERABLE, one arbitrarily determined SGT subsystem is not operable. This interpretation only applies if both divisions of Secondary Containment Isolation logic are operable). This includes the components required for at least one of the two SGTS filter cooling modes.

APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, SGT System OPERABILITY is required during these MODES.

In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES.

Therefore, maintaining the SGT System in OPERABLE status is not required in MODE 4 or 5, except for other situations under which significant releases of radioactive material can be postulated, such as during CORE ALTERATIONS or during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status in 7 days. In this Condition, the remaining OPERABLE SGT subsystem is adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single failure in the OPERABLE subsystem could result in the radioactivity release control function not being adequately performed. The 7 day Completion Time is based on consideration of such factors as the availability of the OPERABLE redundant SGT System and the low probability of a DBA occurring during this period.

8.1 and 8.2 If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 2 3.6-106

Rev. 7 SGT System B 3.6.4.3 BASES ACTIONS C.1, C.2.1 and C.2.2 (continued)

During movement of irradiated fuel assemblies, in the secondary containment or during CORE ALTERATIONS, when Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE SGT filter train should immediately be placed in operation. This action ensures that the remaining filter train is OPERABLE, that no failures that could prevent automatic actuation have occurred, and that any other failure would be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that represent a potential for re.leasing radioactive material to the secondary containment, thus placing the plant in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must immediately be suspended. Suspension of these activities must not preclude completion of movement of a component to a safe position.

The Required Actions of Condition C have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent

of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

If both SGT subsystems *are inoperable in MODE 1, 2, or 3, the SGT system may not be capable of supporting the required radioactivity release control function. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintairiing the SGT System contribution to secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring SGT OPERABILITY) occurring during periods where SGT is inoperable is minimal.

(continued)

SUSQUEHANNA - UNIT 2 3.6-107

Rev. 7 SGT System B 3.6.4.3 BASES ACTIONS E.1 and E.2 (continued)

If at least one SGT subsystem cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 and F.2 When two SGT subsystems are inoperable, if applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in secondary containment must immediately be suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

I Required Action F.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficie.nt reason to require a reactor shutdown.

SURVEILLANCE SR 3.6.4.3.1 REQUIREMENTS Operating each SGT filter train for 2 15 continuous minutes with heaters on ensures that both filter trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.6-108

Rev. 7 SGT System B 3.6.4.3 BASES SURVEILLANCE SR 3.6.4.3.2 REQUIREMENTS (continued) This SR verifies that the required SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.

SR 3.6.4.3.3 This SR verifies that each SGT subsystem starts on receipt of an actual or simulated initiation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.3.4 This SR verifies that both cooling modes for each SGT subsystem are available. Although both cooling modes are tested, only one cooling mode for each SGT subsystem is required for an SGT subsystem to be considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 41.

2. FSAR, Section 6.5.1

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

4. Regulatory Guide 1.52, Rev. 1.

SUSQUEHANNA - UNIT 2 3.6-109

Rev.4 CREOAS System B 3.7.3 B 3. 7 PLANT SYSTEMS B 3. 7.3 Control Room Emergency Outside Air Supply (CREOAS) System BASES BACKGROUND The CREOAS System provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke. This radiologically controlled environment is termed the Control Room Envelope (CRE) and is comprised of Control Structure floor elevations 697'-0" through 783'-0" including the stairwells as described in FSAR Section 6.4 (Ref. 5).

The safety related function of the CREOAS System includes two independent and redundant high efficiency air filtration subsystems for emergency treatment of outside supply air and a CRE boundary that limits the inleakage of unfiltered air. Each CREOAS subsystem consists of an electric heater, a prefilter, an upstream high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a downstream HEPA filter, a CREOAS fan, a control structure heating and ventilation fan, a control room floor cooling fan, a computer room floor cooling fan, and the associated ductwork, valves or dampers, doors, barriers, and instrumentation. Prefilters and HEPA filters remove particulate matter, which may be radioactive. The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay. With the exception of the CREOAS fan, all other CREOAS subsystem fans operate continuously to maintain the affected compartments environment. These other ventilation fans operate independently of the CREOAS fans and are required to operate to ensure a positive pressure in the control structure is maintained utilizing filtered outside air supplied by the CREOAS fans.

The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (OBA) consequences to CRE occupants.

The CRE and its boundary are defined in the Control Room Envelope Habitability Program.

(continued)

SUSQUEHANNA - UNIT 2 3.7-12

Rev. 4 CREOAS System B 3.7.3 BASES BACKGROUND Upon receipt of the initiation signal(s) (indicative of conditions that could (continued) result in radiation exposure to CRE occupants), the CREOAS System automatically switches to the pressurization/filtration mode of operation to minimize infiltration of contaminated air into the CRE. A system of dampers aligns the outside air intake to the CREOAS fan suction and filter train. Outside air is taken in at the normal ventilation intake and passed through one of the charcoal adsorber filter subsystems. The filtered air leaving the CREOAS filtration train is routed to the inlet of the other ventilation fans for distribution.

One of the CREOAS System design requirements is to maintain a habitable environment in the CRE for a 30 day continuous occupancy after a OBA without exceeding 5 rem whole body dose or its equivalent to any part of the body. A single CREOAS subsystem operating at a flow rate of:;; 581 O cfm with an intact CRE will pressurize the CRE (which includes the control room) to greater than or equal to 0.125 inches water gauge relative to external areas adjacent to the CRE boundary to minimize infiltration of air from all surrounding areas adjacent to the CRE boundary. CREOAS System operation in maintaining CRE habitability is discussed in the FSAR, Chapters 6 and 9, (Refs. 1 and 2, respectively).

APPLICABLE . The ability of the CREOAS System to maintain the habitability of the CRE SAFETY ANALYSIS is an explicit assumption for the safety analyses presented in the FSAR, Chapters 6 and 15 (Refs. 1 and 3, respectively). The pressurization/

filtration mode of the CREOAS System is assumed to operate following a OBA as discussed in the FSAR, Section 6.4.1 (Ref. 4). The radiological doses to the CRE occupants as a result of the various DBAs are summarized in Reference 3. No single active failure will cause the loss of outside or recirculated air from the CRE.

The CREOAS System provides protection from smoke and hazardous chemicals to the CRE occupants. The analysis of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release (Ref. 5). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 6).

The CREOAS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

(continued)

SUSQUEHANNA - UNIT 2 3.7-13

Rev. 4 CREOAS System B 3.7.3 BASES LCO Two redundant subsystems of the CREOAS System are required to be OPERABLE to ensure that at least one is available, if a single active failure disables the other subsystem. Total CREOAS System failure, such as from a loss of both ventilations subsystems or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem whole body or equivalent to the CRE occupants in the event of a OBA.

Each CREOAS subsystem is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.

Both subsystems are considered OPERABLE when:

a. Both filter trains each consisting of a CREOAS fan, heater, a HEPA filter, and charcoal adsorber which is not excessively restricting flow is OPERABLE; and

b. Both Control Structure Heating and Ventilation fans, Computer Room Floor Cooling fans, and Control Room Floor Cooling fans are OPERABLE; and

c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

d. Neither Smoke Removal Fan (OV104A/B) is in operation.

One subsystem is considered OPERABLE when:

a. One filter train consisting of a CREOAS fan, heater, a HEPA filter, and charcoal adsorber which is not excessively restricting flow is OPERABLE; and

b. The 'A' Control Structure Heating and Ventilationfan (OV103A) and the 'A' Computer Room Floor Cooling fan (OV115A) and the 'A' Control Room Floor Cooli~g fan (OV117A) are OPERABLE OR The 'B' Control Structure Heating and Ventilation fan (OV103B) and the 'B' Computer Room Floor Cooling fan (OV115B) and the 'B' Control Room Floor Cooling fan (OV117B) are OPERABLE (These fans are not dedicated to either CREOAS subsystem. As a result when any one set of fans is not OPERABLE, one arbitrarily determined CREOAS subsystem is not OPERABLE); and (continued)

SUSQUEHANNA - UNIT 2 3.7-14

Rev.4 CREOAS System B 3.7.3 BASES LCO c. Ductwork, valves, and dampers are OPERABLE,_ and air circulation (continued) can be maintained.

d. Neither Smoke Removal Fan (OV104NB) is in operation.

In order for the CREAOS subsystems to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke. Note the CRE can not be maintained with a smoke removal fan (OV104A or OV1048) in operation.

The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

APPLICABILITY In MODES 1, 2, and 3, the CREOAS System must be OPERABLE to ensure that the CRE will remain habitable during and following a OBA, since the OBA could lead to a fission product release.

In MODES 4 and 5, the probability and consequences of a OBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the CREOAS System OPERABLE is not required in MODE 4 or 5, exce*pt during CORE ALTERATIONS and during movement of irradiated fuel assemblies in the secondary containment.

(continued)

SUSQUEHANNA - UNIT 2 3.7-15

Rev. 4 CREOAS System B 3.7.3 BASES ACTIONS With one CREOAS subsystem inoperable, for reasons other than an inoperable CRE boundary, the inoperable CREOAS subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE CREOAS subsystem is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE subsystem could result in loss of the CREOAS System function. The 7 day Completion Time is based on the low probability of a OBA occurring during this time period, and that the remaining subsystem can provide the required capabilities.

B.1. B.2. and B.3 If the unfiltered inleakage of potentially contaminated air" past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of OBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to verify that in the event of a OBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of OBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on the low probability of a OBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a OBA (continued)

SUSQUEHANNA - UNIT 2 3.7-16

Rev.4 CREOAS System B 3.7.3 BASES ACTIONS B.1, B.2, and B.3 (continued)

(continued)

In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.

C.1 and C.2 In MODE 1, 2, or 3, if the inoperable CREOAS subsystem or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1, D.2.1, and D.2.2 The Required Actions of Condition D are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require either an entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, if the inoperable CREOAS subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE CREOAS subsystem may be placed in the pressurization/filtration mode. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent automatic actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action 0.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

(continued)

SUSQUEHANNA - UNIT 2 3.7-17

Rev. 4 CREOAS System B 3.7.3 BASES ACTIONS (continued)

If both CREOAS subsystems are inoperable in MODE 1, 2, or 3, for reasons other than an inoperable CRE boundary (i.e., Condition B) the CREOAS System may not be capable of performing the intended function and the unit is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

F.1 and F.2 The Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3; the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require either an entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, with two CREOAS subsystems inoperable or with one or more CREOAS subsystems inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require pressurization of the CRE. This places the unit in a condition that minimizes the accident risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR verifies that a CREOAS fan in a standby mode starts on demand from the control room and continues to operate with flow through the HEPA filters and charcoal adsorbers. Standby systems should be checked periodically fo ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every month provides an adequate check on this system. Systems with heaters must be operated for~ 15 continuous minutes with the heaters energized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.7-18

Rev.4 CREOAS System B 3.7.3 BASES SURVEILLANCE SR 3.7.3.2 REQUIREMENTS (continued) This SR verifies that the required CREOAS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.3.3 This SR verifies that on an actual or simulated initiation signal, each CREOAS subsystem starts and operates. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.3.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.

The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of OBA consequences is no more than 5 rem whole body or its equivalent to any part of the body and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of OBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered.

Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains withiri the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2. 7.3, (Ref. 7) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 8). These compensatory measures may also be used as mitigating actions as required by Required Action B.2.

(continued)

SUSQUEHANNA - UNIT 2 3.7-19

Rev. 4 CREOAS System

B 3.7.3 BASES SURVEILLANCE SR 3.7.3.4 (continued)

REQUIREMENTS (continued) Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 9). Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis OBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 9.

3. FSAR, Chapter 15.

4. FSAR, Section 6.4.1.

5. FSAR, Section 6.4.

6. FSAR, Section 9.5.

7. Regulatory Guide 1.196.

8. NEI 99-03, "Control Room Habitability Assessment," June 2001.

9. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No. ML040300694).

SUSQUEHANNA - UNIT 2 3.7-19a

Rev. 2 Control Room Floor Cooling System B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Control Room Floor Cooling System BASES BACKGROUND The Control Room Floor Cooling System provides temperature control for the control room. The control room floor cooling fans are also needed for pressure control of the habitability envelope.

The Control Room Floor Cooling System consists of two independent, redundant subsystems that provide cooling of recirculated control room air. Each subsystem consists of cooling coils, fans, chillers, compressors, ductwork, dampers, and instrumentation and controls to provide for control room temperature control.

The Control Room Floor Cooling System is designed to provide a controlled environment under both normal and accident conditions. A single subsystem provides the required temperature control to maintain a suitable control room environment. The design conditions for the control room environment are 75 (+/- 5)°F and 50 (+/- 5)% relative humidity. The Control Room Floor Cooling System operation in maintaining the control room temperature is discussed in the FSAR, Section 6.4 (Ref. 1)

APPLICABLE The design basis of the Control Room Floor Cooling System is to SAFETY ANALYSES maintain the control room temperature for a 30 day continuous occupancy. The control room floor cooling fans are also needed for pressure control of the habitability envelope.

The Control Room Floor Cooling System components are arranged in redundant safety related subsystems. During emergency operation, the Control Room Floor Cooling System maintains a habitable environment and ensures the OPERABILITY of components in the control room. A single failure of a component of the Control Room Floor Cooling System, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control. The Control Room Floor Cooling System is designed in accordance with Seismic Category I requirements. The Control Room Floor Cooling System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY.

The Control Room Floor Cooling System satisfies Criterion 3 of the NRC Policy Statement. (Ref. 2)

(continued)

SUSQUEHANNA - UNIT 2

Rev.2 Control Room Floor Cooling System B 3.7.4 BASES LCO Two independent and redundant subsystems of the Control Room Floor Cooling System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem.

Total system failure could result in the equipment operating temperature exceeding limits.

The Control Room Floor Cooling System is considered OPERABLE when the individual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the cooling coils, fans, chillers, compressors, ductwork, dampers, and associated instrumentation and controls. The Control Room Floor Cooling System fans, ductwork, and dampers are also addressed by LCO 3.7.3, "Control Room Emergency Outside Air Supply System".

APPLICABILITY In MODE 1, 2, or 3, the Control Room Floor Cooling System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY limits following habitability envelope isolation.

In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Tnerefore, maintaining the Control Room Floor Cooling System OPERABLE is not required in MODE 4 or 5, except during CORE ALTERATIONS and during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS With one control room floor cooling subsystem inoperable, the inoperable control room floor cooling subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE control room floor cooling subsystem is adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occur.ring requiring habitability envelope isolation, the consideration that the remaining subsystem can provide the required protection, and the availability of alternate safety and nonsafety cooling methods. Since nonsafety alternate cooling methods are available, this Action is less restrictive than 3.7.3, where an alternate method of maintaining the habitability envelope at a positive pressure is not available.

(continued)

SUSQUEHANNA - UNIT 2 3.7-21

Rev. 2 Control Room Floor Cooling System B 3.7.4 BASES ACTIONS B.1 and B.2 (continued)

In MODE 1, 2, or 3, if the inoperable control room floor cooling subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1, C.2.1, and C.2.2 The Required Actions of Condition C are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel as~emblies in the secondary containment or during CORE ALTERATIONS, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE control room floor cooling subsystem may* be placed immediately in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the habitability envelope. This places the unit in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

If both control room floor cooling subsystems are inoperable in MODE 1, 2, or 3, the Control Room Floor Cooling System may not be capable of performing the intended function. Therefore, LCO 3.0.3 must be entered immediately.

(continued)

SUSQUEHANNA - UNIT 2 3.7-22

Rev. 2 Control Room Floor Cooling System B 3.7.4 BASES ACTIONS E.1 and E.2 (continued)

The Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while

in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, with two control room floor cooling subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the habitability envelope. This places the unit in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and handling of irradiated fuel in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.7.4.1 REQUIREMENTS This SR verities that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analyses.

The SR consists of a combination of testing and calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.4

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.7-23

Rev. 12 AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of two offsite power sources (preferred power sources, normal and alternate), and the onsite standby power sources (diesel generators (DGs) A, B, C and D). A fifth diesel generator, DG E, can be used as a substitute for any one of the four DGs A, B, C or D. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed. Each load group has connections to two preferred offsite power supplies and a single DG.

The two qualified circuits between the offsite tr:ansmission network and the onsite Class 1E AC Electrical Power Distribution System are supported by two independent offsite power sources. A 230 kV line from the Susquehanna T10 230 kV switching station feeds start-up transformer No. 1O; and, a 230 kV tap from the 500-230 kV tie line feeds the startup transformer No. 20. The term "qualified circuits", as used within TS 3.8.1, is synonymous with the term "physically independent".

The two independent offsite power sources are supplied to and are shared by both units. These two electrically and physically separated circuits provide AC power, through startup transformers (ST) No. 1O and ST No. 20, to the four 4.16 kV Engineered Safeguards System (ESS) buses (A, B, C and D) for both Unit 1 and Unit 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESS buses is found in the FSAR, Section 8.2 (Ref. 2).

An offsite circuit consists of all breakers, transformers, switches, automatic tap changers, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESS bus or buses.

(continued)

SUSQUEHANNA - UNIT 2 3.8-1

Rev. 12 AC Sources-Operating B 3.8.1 BASES BACKGROUND ST No. 1O and ST No. 20 each provide the normal source of power to (continued) two of the four 4.16 kV ESS buses in each Unit and the alternate source of power to the remaining two 4.16 kV ESS buses in each Unit. If any 4.16 kV ESS bus loses power, an automatic transfer from the normal to the alternate occurs after the normal supply breaker trips.

When off-site power is available to the 4.16 kV ESS Buses following a LOCA signal, the required ESS loads will be sequenced onto the 4.16 kV ESS Buses in order to compensate for voltage drops in the onsite power system when starting large ESS motors.

The onsite standby power source for 4.16 kV ESS buses A, B, C and D consists of five DGs. DGs A, B, C and D are dedicated to ESS buses A, B, C and D, respectively. DG E can be used as a substitute for any one of the four DGs (A, B, C or D) to supply the associated ESS bus. Each DG provides standby power to two 4.16 kV ESS buses-one associated with Unit 1 and one associated with Unit 2. The four "required" DGs are those aligned to a 4.16 kV ESS bus to provide onsite standby power for both Unit 1 and Unit 2.

A DG, when aligned to an ESS bus, starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) or on an ESS bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of ESS bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the ESS bus on a LOCA signal alone. Following the trip of offsite power, non-permanent loads are stripped from the 4.16 kV ESS Buses. When a DG is tied to the ESS Bus, loads are then sequentially connected to their respective ESS Bus by individual load timers. The individual load timers control the starting permissive signal to motor breakers to prevent overloading. the associated DG.

In the event of loss of normal and alternate offsite power supplies, the 4.16 kV ESS buses will shed all loads except the 480 V load centers and the standby diesel generators will connect to the ESS busses. When a DG is tied to its respective ESS bus, loads are then sequentially connected to the ESS bus by individual load timers which control the permissive and starting signals to motor breakers to prevent overloading the DG.

(continued)

SUSQUEHANNA - UNIT 2 3.8-2

Rev. 12 AC Sources-Operating B 3.8.1 BASES BACKGROUND In the event of a loss of normal and alternate offsite power supplies, the (continued) ESS electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (OBA) such as a LOCA.

Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process.

Within 286 seconds after the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service. Ratings for the DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3).

DGs A, B, C and D have the following ratings:

a. 4000 kW-continuous,

b. 4700 kW-2000 hours, DG E has the following ratings:

a. 5000 kW-continuous,

b. 5500 kW-2000 hours.

APPLICABLE The initial conditions of OBA and transient analyses in the FSAR, SAFETY ANALYSES Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);

and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit and supporting safe shutdown of the other unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of an assumed loss of all offsite power or all onsite AC power; and a worst case single failure.

AC sources satisfy Criterion 3 of the NRG Policy Statement (Ref. 6).

(continued)

SUSQUEHANNA - UNIT 2 3.8-3

Rev. 12 AC Sources-Operating B 3.8.1 BASES LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System and four separate and independent DGs (A, B, C and D) ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated OBA. DG E can be used as a substitute for any one of the four DGs A, B, C or D.

Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. In addition, the required automatic load timers for each ESF bus shall be OPERABLE.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources. Therefore, Unit 2 Technical Specifications establish requirements for the OPERABILITY of the DG(s) and qualified offsite circuits needed to support the Unit 1 onsite Class 1E AC electrical power distribution subsystem(s) required by LCO 3.8.7, Distribution Systems-Operating.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESS buses.

One OPERABLE offsite circuit exists when all of the following conditions are met:

1. An energized ST. No. 1Otransformer with the load tap changer (LTC) in automatic operation.

2. The respective circuit path including energized ESS transformers 101 and 111 and feeder breakers capable of supplying three of the four 4.16kV ESS Buses.

3.

Acceptable offsite grid voltage, defined as a voltage that is within the grid voltage requirements established for SSES. The grid voltage requirements include both a minimum grid voltage and an allowable grid voltage drop during normal operation, and for a predicted voltage for a trip of the unit.

The Regional Transmission Operator (PJM), and/or the Transmission Power System Dispatcher, PPL EU, determine, monitor and report actual and/or contingency voltage (Predicted voltage) violations that occur for the SSES monitored offsite 230kV and 500kV buses.

(continued)

SUSQUEHANNA - UNIT 2 3.8-4

Rev. 12 AC Sources-Operating B 3.8.1 BASES LCO The offsite circuit is inoperable for any actual voltage violation, (continued) or a contingency voltage violation that occurs for a trip of a SSES unit, as reported by the transmission RTO or Transmission Power System Dispatcher.

The offsite circuit is operable for any other predicted grid event (i.e., loss of the most critical transmission line or the largest supply) that does not result from the generator trip of a SSES unit. These conditions do not represent an impact on SSES operation that has been caused by a LOCA and subsequent generator trip. The design basis does not require entry into LCOs for predicted grid conditions that cannot result in a LOCA, delayed LOOP.

The other offsite circuit is Operable when all the following conditions are met:

1. An energized ST. No. 20 transformer with the load tap changer (LTC) in automatic operation.

2. The respective circuit path including energized ESS transformers 201 and 211 and feeder breakers capable of supplying three of the four 4.16kV ESS Buses.

3. Acceptable offsite grid voltage, defined as a voltage that is within the grid voltage requirements established for SSES.

The grid voltage requirements include both a minimum grid voltage and an allowable grid voltage drop during normal operation, and for a predicted voltage for a trip of the unit.

The Regional Transmission Operator (PJM), and/or the Transmission Power*System Dispatcher, PPL EU, determine, monitor and report actual and/or contingency voltage (Predicted voltage) violations that occur for the SSES monitored offsite 230kV and 500kV buses.

The offsite circuit is inoperable for any actual voltage violation, or a contingency voltage violation that occurs for a trip of a SSES unit, as reported by the transmission RTO or Transmission Power System Dispatcher.

(continued)

SUSQUEHANNA - UNIT 2 3.8-5

Rev. 12 AC Sources-Operating B 3.8.1 BASES LCO The offsite circuit is operable for any other predicted grid (continued)

event (i.e., loss of the most critical transmission fine or the largest supply) that does not result from the generator trip of a SSES unit. These conditions do not represent an impact on SSES operation that has been caused by a LOCA and subsequent generator trip. The design basis does not require entry into LCOs for predicted grid conditions that cannot result in a LOCA, delayed LOOP.

Both offsite circuits are OPERABLE provided each meets the criteria described above and provided that no 4.16kV ESS Bus has less than one OPERABLE offsite circuit capable of supplying the required loads. If no OPERABLE offsite circuit is capable of supplying any of the 4.16 kV ESS Buses, one offsite source shall be declared inoperable. Unit 2 also requires Unit 1 offsite circuits to be OPERABLE.

If a Unit 1 4.16 kV bus is de-energized solely for the purpose of performing maintenance, it is not required to declare an offsite source or diesel generator inoperable.

four of the five DGs are required to be Operable to satisfy the initial assumptions of the accident analyses. Each required DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESS bus on detection of bus undervoltage after the normal and alternate supply breakers open. This sequence must be accomplished within 1O seconds. If a Unit 1 4.16 kV bus is isolated from its DG solely for the performance of bus maintenance, the DG is not required to be declared inoperable. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESS buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in normal standby conditions. Normal standby conditions for a DG mean that the diesel engine oil is being continuously circulated and engine coolant is circulated as necessary to maintain temperature consistent with manufacturer recommendations. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g.,

capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

Although not normally aligned as a required DG, DG Eis normally maintained OPERABLE (i.e., Surveillance Testing completed) so that it can be used as a substitute for any one of the four DGs A, B, C or D.

(continued)

SUSQUEHANNA - UNIT 2 3.8-6

Rev. 12 AC Sources-Operating B 3.8.1 BASES LCO Proper sequencing of loads, including tripping of nonessential loads, is a (continued) required*function for DG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one ESS bus, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to an ESS bus is required to have OPERABLE automatic transfer interlock mechanisms to each ESS bus to support OPERABILITY of that offsite circuit. If a Unit 1 - 4.16 kV bus is de-energized solely for the purpose of performing maintenance, automatic transfer interlock mechanisms for the de-energized bus are not required to be operable.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated OBA.

The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.

There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

(continued)

SUSQUEHANNA - UNIT 2 3.8-7

Rev. 12 AC Sources-Operating B 3.8.1

BASES ACTIONS The ACTIONS are modified by a Note which allows entry into associated (continued) Conditions and Required Actions to be delayed for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months when an OPERABLE: diesel generator is placed in an inoperable status for the alignment of diesel generator E to or from the Class 1E distribution system. Use of this allowance requires both offsite circuits to be OPERABLE. Entry into the appropriate Conditions and Required Actions shall be made immediately upon the determination that supstitution of a required diesel generator will not or can not be completed.

When Note 3 is in effect, the following restrictions (Reference 14) shall occur:

1.) No maintenance or testing that affects the reliability of the remaining OPERABLE Unit 1 and Unit 2 4160 V subsystems shall be scheduled. If any testing or maintenance activities must be performed during this time, an evaluation shall be performed in accordance with Title 10 to the Code of Federal Regulations (10 CFR) Section 50.65(a)(4).

2.) The required systems, subsystems, trains, components, and devices that depend on the remaining 4160 V buses shall be verified OPERABLE.

3.) The Unit 2 safety-related HPCI and RCIC pumps shall be controlled as "protected equipment" and not taken out of service for planned maintenance while a Unit 1 4160 V bus is out of service for extended maintenance.

Note 3 modifies the ACTIONS by allowing a Unit 1 4160 V subsystem (4.16 kV bus) to be de-energized for bus maintenance when Unit 1 is in Modes 4 or 5 and Unit 2 is in Modes 1, 2, or 3 without requiring either offsite circuit or the associated diesel generator to be declared inoperable. Only entry into LCO 3.8.7 Condition C is required for this maintenance activity. While in this configuration, immediate entry into LCO 3.8.1 is required for any offsite circuit or DG that becomes inoperable. Note 3 no* longer applies.

(continued)

SUSQUEHANNA - UNIT 2 3.8-8

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

Required Action A.2, which only applies if one 4.16 kV ESS bus cannot be powered from any offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features (e.g., system, subsystem, division, component, or device) are designed to be powered from redundant safety related 4.16 kV ESS buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has no offsite power. The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. A 4.16 kV ESS bus has no offsite power supplying its loads; and

b. A redundant required feature on another 4.16 kV ESS bus is inoperable.

If, at any time during the existence of this Condition (one offsite circuit inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering no offsite power to one 4.16 kV ESS bus on the onsite Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.

(continued)

SUSQUEHANNA...., UNIT 2 3.8-9

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS A.2 (continued)

(continued)

The remaining OPERABLE offsite circuits and DGs are adequate to supply _electrical power to the onsite Class 1E Distribution System. Thus!

on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.

Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a OBA occurring during this period.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a OBA occurring during this period.

The second Completion Time for Required Action A.2 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 72.hours. This situation could lead to a total of 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months , since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive

Completion Time must be met.

(continued)

SUSQUEHANNA - UNIT 2 3.8-10

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS A.3 (continued)

(continued)

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

To ensure a highly reliable power source remains with one required DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

Required Action 8.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A required feature powered from another diesel generator (Division 1 or 2) is inoperable.

If, at any time during the existence of this Condition (one required DG inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

(continued)

SUSQUEHANNA - UNIT 2 3.8-11

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS B.2 (continued)

(continued)

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hour$ from the discovery of these events existing concurrently is acceptable becaus~ it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a OBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.7 does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition E of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be determined not to exist on the remaining DG(s), performance of SR 3.8.1.7 suffices to provide assurance of continued OPERABILITY of those DGs. However, the second Completion Time for Required Action B.3.2 allows a performance of SR 3.8.1. 7 completed up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months prior to entering Condition B to be accepted as demonstration that a DG is not inoperable due to a common cause failure.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B.

(continued)

SUSQUEHANNA - UNIT 2 3.8-12

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS B.3.1 and B.3.2 (continued)

. (continued)

According to Generic Letter 84-15 (Ref. 8), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition B for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a OBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition Bis entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This situ*ation could lead to a total of 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months , since initial failure of the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed

.outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

SUSQUEHANNA - UNIT 2 3.8-13

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

Required Action C.1 addresses actions to be taken in the event of concurrent inoperability of two offsite circuits. The Completion Time for Required Action C.1 is intended to* allow the operator time to evaluate and repair any discovered inoperabilities.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a OBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 7), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A.

(continued)

SUSQUEHANNA - UNIT 2 3.8-14

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS D.1 and D.2 (continued)

Pursuant to LCO 3.0.6, the Distribution System Actions would not be entered even if all AC sources to. it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition Dare modified by a Note to indicate that when Condition D is entered with no

AC source to any ESS bus, Actions for LCO 3.8.7, "Distribution Systems-Operating," must be immediately entered. This allows Gondition D to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized. Leo 3.8.7provides the appropriate restrictions for a de-energized bus.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a OBA occurring during this period.

With two or more DGs inoperable and an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an.

immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Regulatory Guide 1.93 (Ref. 7), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . * *

(continued)

SUSQUEHANNA - UNIT 2 3.8-15

Rev. 12 AC Sources-Operating B 3.8.1 BASES ACTIONS F.1 and F.2 (continued)

If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit m_ust be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, GDC 18 (Ref. 9). Periodic .

component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3), and Regulatory Guide 1.137 (Ref. 11 ), as addressed in the FSAR.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources. Therefore, Surveillance requirements are established for the Unit 1 onsite Class 1E

. AC electrical power distribution subsystem(s) required to support Unit 2 by LCO 3.8.7, Distribution Systems-Operating. As Noted at the beginning of the SRs, SR 3.8.1.1 through SR 3.8.1.20 are applicable to the Unit 2 AC sources and SR 3.8.1.21 is applicable to the Unit 1 AC sources.

(continued)

SUSQUEHANNA - UNIT 2 3.8-16

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE Where the SRs discussed herein specify voltage and frequency REQUIREMENTS tolerances, the following summary is applicable. The minimum steady (continued) state output voltage of 4000 V represents the value that will allow the

degraded voltage relays to reset after actuation. This value is based on the upper value of the degraded voltage relay reset voltage of 3938 V, representing 94.68% of 4160 V, plus the worst-case voltage drop from the DG to an associated 4.16 kV switchgear bus. The Specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages.

The minimum frequency value is derived from the recommendations found in Regulatory Guide 1.9 (Ref. 3). The allowable steady state frequency for all DGs is 60 Hz +/-2%. DG E is also required to maintain a frequency of not less than 57 Hz during transient conditions. To provide additional margin for DG E to meet the 57 Hz criteria, the 2%

margin allowed for steady state frequency is further reduced to 1%, or 0.6 Hz. This value, added to the tolerance allowed for the DG's electronic governor (0.1 Hz) provides the 59.3 Hz minimum frequency value applicable for all DGs.

The maximum frequency is derived from analysis based on an iterative approach using voltage and frequency variations of the DG to determine the maximum continuous loading on the DG such that the DG loading does not exceed .its continuous rating and still performs its design function. Through a qualitative estimation and a dynamic transient simulation, the maximum frequency meeting the iterative approach is 60.5 Hz.

The Surveillance Table has been modified by a Note, to clarify the testing requirements associated with DG E. The Note is necessary to define the intent of the Surveillance Requirements associated with the integration of DG E. Specifically, the Note defines that a DG is only considered OPERABLE and required when it is aligned to the Class 1E distribution system. For example, if DG A does not meet the requirements of a specific SR, but DG E is substituted for DG A and aligned to the Class 1E distribution system, DG Eis required to be OPERABLE to satisfy the LCO requirement of 4 DGs and DG A is not required to be OPERABLE because it is not aligned to the Class 1E distribution system. This is acceptable because only 4 DGs are assumed in the event analysis.

Furthermore, the Note identifies when the Surveillance Requirements, as modified by SR Notes, have been met and performed, DG E can be (continued)

SUSQUEHANNA - UNIT 2

3.8-17

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE substituted for any other DG and declared OPERABLE after performance REQUIREMENTS of two SRs which verify switch alignment. This is acceptable because (continued) the testing regimen defined in the Surveillance Requirement Table ensures DG E is fully capable of performing all DG requirements.

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to an Operable offsite power source and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.2 Not Used.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing and accepting greater than or equal to the equivalent of the maximum expected. accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8' lagging and 1.0.

The 0.8 value is the design rating of the machine, while 1.0 is an .

operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

Note 1 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the Cooper Bessemer Service Bulletin 728, so that mechanical stress and wear on the diesel engine are minimized.

( continued)

SUSQUEHANNA - UNIT 2 3.8-18

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.3 (continued)

REQUIREMENTS (continued) Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients do not invalidate the test.

Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

Note 4 stipulates a prerequisite requirement for performance of this SR.

A successful DG start must precede this test to credit satisfactory performance.

Note 5 provides the allowance that DG E, when not aligned as substitute for DG A, B, C and D but being maintained available, may use the test facility to satisfy loading requirements in lieu of synchronization with an ESS bus.

Note 6 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG synchronized to the 4.16 kV ESS bus of Unit 1 for one periodic test and synchronized to the 4.16 kV ESS bus of Unit 2 during the next periodic test. This is acceptable because the purpose of the test is to demonstrate the ability of the DG to operate at its continuous rating (with the exception of DG E which is only required to be tested at the continuous rating of DGs A thru D) and this attribute is tested at the required Frequency. Each unit's circuit breakers and breaker control circuitry, which are only being tested every second test (due to the staggering of the tests), historically have a very low failure rate. If a DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit. In addition, if the test is scheduled to be performed on the other Unit, and the other Unit's TS allowance that provides an exception to performing the test is used (i.e., the Note to SR 3.8.2.1 for the other Unit provides an exception to performing this test when the other Unit is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment), or it is not possible to perform the test due to equipment availability, then the test shall be performed synchronized to this Unit's 4.16 kV ESS bus. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.8-19

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.4 REQUIREMENTS (continued) This SR verifies the level of fuel oil in the engine mounted day tank is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 55 minutes of DG A-D and 62 minutes of DG E operation at DG continuous rated load conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the engine-mounted day tanks periodically eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. It is required to support continuous operation of standby power sources. This Surveillance provides assurance_that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.8-20

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.7 REQUIREMENTS (continued) This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition.

To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by Note 1 to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubicated to prevent undo wear and tear).

For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.

The DG starts from standby conditions and achieves the minimum required voltage and frequency within 1O seconds and maintains the required voltage and frequency when steady state conditions are reached. The ten second start requirement support the assumptions in the design bases LOCA analysis of FSAR Section 6.3 (Ref. 12).

To minimize testing of the DGs, Note 2 allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to one unit.

The time for the DG to reach steady state operation is periodically monitored and the trend evaluated to identify degradation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.8 Transfer of each 4.16 kV ESS bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.8-21

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.8 (continued)

REQUIREMENTS (continued) This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of the automatic transfer of unit power supply could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. The manual transfer of unit power supply should not result in any perturbation to the electrical distribution system, therefore, no mode restriction is specified. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in Unit 1 Technical Specifications tests the applicable logic associated with Unit 1. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 1. The NOTE only applies to Unit 2, thus the Unit 2 Surveillance shall not be performed with Unit 2 in MODE 1 or 2.

SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each a DG is a residual heat removal (RHR) pump (1425 kW).

This Surveillance may be accomplished by:

a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or

b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

As recommended by Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower. For DGs A, B, C, D and E, this represents 64.5 Hz, equivalent to 75% of the difference between nominal speed and the overspeed trip setpoint.

( continued)

SUSQUEHANNA - UNIT 2 3.8-22

Rev. 12 AC Sources-Operating

' B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS (continued) The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 4.5 seconds specified is equal to 60% of the 7.5 second load sequence interval between loading of the RHR and core spray pumps during an undervoltage on the bus concurrent with a LOCA. The 6 seconds specified is equal to 80% of that load sequence interval. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG.

SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c specify the steady state voltage and frequency values to which the system must recover following load rejection.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

To minimize testing of the DGs, a Note allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unle~s the cause of the failure can be directly related to only one unit.

SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions.

This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event, and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.

(continued)

SUSQUEHANNA - UNIT 2 3.8-23

Rev. 12 AC Sources-Operating i3 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS (continued) To minimize testing of the DGs, a Note allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This

. is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the ESS buses and respective 4.16 kV loads from the DG. It further demonstrates the capability of the DG to automatically achieve and maintain the required voltage and frequency within the specified time.

The DG auto-start time of 1O seconds is derived from requirements of the licensed accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period {which for DG's A through D includes operation of the lube oil system to ensure the DGs turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs shall be started from standby conditions that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

( continued)

SUSQUEHANNA - UNIT 2 3.8-24

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued) The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with Unit 1. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. The Note only applies to Unit 2, thus the Unit 2 Surveillances shall not be performed with Unit 2 in MODES 1, 2 or 3.

This SR is also modified by Note 3. The Note specifies when this SR is required to be performed for the DGs and the 4.16 kV ESS Buses. The Note is necessary because this SR involves an integrated test between the DGs and the 4.16 kV ESS Buses and the need for the testing regimen to include DG E being tested (substituted for all DGs for both units) with all 4.16 kV ESS Buses. To ensure the necessary testing is performed, two rotational testing regimens have been established; one for components that are required to be tested every 24 months and one for components that have had their test frequency extended to 48.

months in accordance with the Surveillance Frequency Control Program.

The two rotational testing regimens are given below:

24 Month Testing Regimen UNIT IN OUTAGE DIESEL E SUBSTITUTED FOR 2 DG E not tested 1 Diesel Generator D 2 Diesel Generator A 1 DG E not tested 2 Diesel Generator B 1 Diesel Generator A 2 Diesel Generator C 1 Diesel Generator B 2 Diesel Generator D 1 Diesel Generator C (continued)

SUSQUEHANNA - UNIT 2 3.8-25

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued) 48 Month Testing Regimen UNIT IN OUTAGE DIESEL E SUBSTITUTED FOR 2 DG E not tested 1 Diesel Generator A 2 DG E not tested 1 DG E not tested 2 Diesel Generator B 1 Diesel Generator C 2 DG E not tested 1 DG E not tested 2 Diesel Generator D 1 DG E not tested 2 DG E not tested 1 Diesel Generator B 2 DG E not tested 1 DG E not tested 2 Diesel Generator A 1 Diesel Generator D 2 DG E not tested 1 DG E not tested 2 Diesel Generator C 1 DG E not tested The specified rotational testing regimens can be altered to facilitate unanticipated events which render the testing regimens impractical to implement, but any alternative testing regimen must provide an equivalent level of testing.

This SR does not have to be performed with the normally aligned DG when the associated 4.16 kV ESS bus is tested using DG E and DG E does not need to be tested when not substituted or aligned to the Class 1E distribution system. The allowances specified in the Note are acceptable because the tested attributes of each of the five DGs and each unit's four 4.16 kV ESS buses are verified at the specified Frequency (i.e., each DG and each 4.16 kV ESS bus is tested at a frequency controlled under the Surveillance Frequency Control Program). The testing allowances do result in some circuit pathways which do not need to change state (i.e., cabling) not being tested at the (continued)

SUSQUEHANNA - UNIT 2 3.8-26

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued) frequency established in accordance with the Surveillance Frequency Control Program. This is acceptable because these components are not required to change state to perform their safety function and when substituted--normal operation of DG E will ensure continuity of most of the cabling not tested.

SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operate~ for :2::: 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a LOCA signal without loss of offsite power.

The requirement to verify the connection and power supply of permanent and auto connected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the

connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

SR 3.8.1.12.a through SR 3.8.1.12.d are performed with the DG running.

SR 3.8.1.12.e can be performed when the DG is not running.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.8-27

Rev. 12 AC Sources-Operating

B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS (continued) This SR is modffied by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

The reason for Note 2 is to allow DG E, when not aligned as substitute for DG A, B, C or D, to use the test.facility to satisfy loading requirements in lieu of aligning with the Class 1E distribution system. When tested in this configuration, DG E satisfies the requirements of this test by completion of SR 3.8.1.12.a, b and c only. SR 3.8.1.12.d and 3.8.1.12.e may be performed by any DG aligned with the Class 1E distribution system or by any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

SR 3.8.1.13 This Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket water temperature) are bypassed on an ECCS.initiation test signal. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the OBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by two Notes. To minimize testing of the DGs, Note 1 to SR 3.8.1.13 allows a single test (instead *of two tests, one for each unit) to satisfy the requirements for both units. This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

(continued)

SUSQUEHANNA - UNIT 2 3.8-28

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS (continued) Note 2 provides the allowance that DG E, when not aligned as a substitute for DG A, B, C, and D but being maintained available, may use a simulated ECCS initiation signal.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3), requires demonstration periodically that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .:...._22 hours of which is at a load equivalent to 90%

to 100% of the continuous rating of the DG, and _2 hours of which is at a load equivalent to 105% to 110% of the continuous duty rating of the DG.

SSES has taken exception to this requirement and performs the two hour run at the 2000 hour0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months rating for each DG. The requirement to perform the two hour overload test can be performed in any order provided it is performed during a single.continuous time period.

The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube discussed in SR 3.8.1.7, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

A load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This Surveillance has been modified by four Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test.

To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units.

This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units,

unless the cause of the failure can be directly related to only one unit.

( continued)

SUSQUEHANNA - UNIT 2 3.8-29

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS (continued)

Note 3 stipulates that DG E, when not aligned as substitute for DG A, B, C or D but being maintained available may use the test facility to satisfy the specified loading requirements in lieu of synchronization with an ESS bus.

SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from full load temperatures and achieve the required voltage and frequency within 10 seconds. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load conditions prior to performance of this Surveillance is bal:led on manufacturer recommendations for achieving hot conditions. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Momentary transients due to changing bus loads do not invalidate this test.

Note 2 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbocharger is sufficiently prelubricated) to minimize wear and tear on the diesel during testing.

To minimize testing of the DGs, Note 3 allows a single test to satisfy the requirements for both units (instead of two tests, one for each unlt). This is acceptable beca.use this test i$ intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

(continued)

SUSQUEHANNA - UNIT 2 3.8-30

Rev. 12 AC Sources-Operating 8 3.8.1 BASES 0

SURVEILLANCE SR 3.8.1.16 REQUIREMENTS (continued) As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that

the auto-start logic is reset.to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the DG controls are in isochronous and the output breaker is open.

In order to meet this Surveillance Requirement, the Operators must have the capability to manually transfer loads from the D/Gs to the offsite sources. Therefore, in order to accomplish this transfer and meet this Surveillance Requirement, the synchronizing selector switch must be functional. (See ACT-1723538).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a note to accommodate the testing regimen necessary for DG E. See SR 3.8.1.11 for the Bases of the Note.

SR 3.8.1.17 Demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing.

Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if an ECCS initiation signal is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage, the DG controls in isochronous, and the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 10),

paragraph 6.2.6(2).

The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirements associated with SR 3.8.1.17.b is to show that the emergency loading is not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This test is performed by verifying that (continued)

SUSQUEHANNA - UNIT 2 3.8-31

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.17 (continued)

REQUIREMENTS (continued) after the DG is tripped, the offsite source originally in parallel with the DG, remains connected to the affected 4.16 kV ESS Bus. SR 3.8.1.12 is performed separately to verify the proper offsite loading sequence.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a note to accommodate the testing regimen necessary for DG E. See SR 3.8.1.11 for the Bases of the Note.

SR 3.8.1.18 Under accident conditions, loads are sequentially connected to the bus by individual load timers which control the permissive and starting signals to motor breakers to prevent overloading of the AC Sources due to high motor starting currents. The load sequence time interval tolerance ensures that sufficient time exists for the AC Source to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.

Reference 2 provides a summary of the automatic loading of ESS buses.

A list of the required timers and the associated setpoints are included in the Bases as Table B 3.8.1-1, Unit 1 and Unit 2 Load Timers. Failure of a timer identified as an offsite power timer may result in both offsite sources inoperable. Failure of any other timer may result in the associated DG being inoperable. A timer is considered failed for this SR if it will not ensure that the associated load will energize within the Allowable Value specified in Table B 3.8.1-1. These conditions will require entry into applicable Condition of this specification. With a load timer inoperable, the load can be rendered inoperable to restore OPERABILITY to the associated AC sources. In this condition, the Conditions and Required Actions of the associated specification shall be entered for the equipment rendered inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that specifies that load timers associated with equipment that has automatic initiation capability disabled are not required to be Operable. This is acceptable because if the load does not start automatically, the adverse effects of an improper loading sequence are eliminated. Furthermore, load timers are associated with individual timers such that a single timer only affects a single load.

(continued)

SUSQUEHANNA - UNIT 2 3.8-32

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.19 REQUIREMENTS (continued) In the event of a OBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is

acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. To simulate the non-LOCA unit 4.16 kV ESS Bus loads on the DG, bounding loads are energized on the tested 4.16 kV ESS Bus after all auto connected emergency loads are energized.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations Note 2 is necessary to accommodate the testing regimen associated with DG E. See SR 3.8.1.11 for the Bases of the Note.

The reason for Note 3 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 2. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with Unit 1. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2 or 3 does not have applicability to Unit 1. The Note only applies to Unit 2, thus the Unit 2 Surveillances shall not be performed with Unit 2 in MODE 1, 2 or 3.

(continued)

SUSQUEHANNA - UNIT 2 3.8-33

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.20 REQUIREMENTS (continued) This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. The Note allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated.) For the purpose of this testing, the DG's must be started from standby conditions, that is, with the engine oil continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with n:ianufacturer recommendations.

Note 2 is necessary to identify that this test does not have to be performed with DG E substituted for any DG. The allowance is acceptable based on the design of the DG E transfer switches. The transfer of control, protection, indication, and alarms is by switches at two separate locations. These switches provide a double break between DG E and the redundant system within the transfer switch panel. The transfer of power is through circuit breakers at two separate locations for each redundant system. There are four normally empty switchgear positions at DG E facility, associated with each of the four existing DGs.

Only one circuit breaker is available at this location to be inserted into one of the four positions. At each of the existing DGs, there are two switchgear positions with only one circuit breaker available. This design provides two open circuits between redundant power sources.

Therefore, based on the described design, it can be concluded that DG redundancy and independence is maintained regardless of whether DG E is substituted for any other DG.

(continued)

SUSQUEHANNA - UNIT 2 3.8-34

Rev. 12 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.21 REQUIREMENTS (continued) This Surveillance is provided to direct that the appropriate Surveillances for Unit 1 AC sources required to support Unit 2 are governed by the Unit 2 Technical Specifications. With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.1.1 through SR 3.8.1.20) are applicable to the Unit 2 AC sources only. Meeting the SR requirements of Unit 1 LCO 3.8.1 will satisfy all Unit 2 requirements for Unit 1 AC sources. However, six Unit 1 LCO 3.8.1 SRs, if not required to support Unit 1 OPERABILITY requirements, are not required when demonstrating Unit 1 sources are capable of supporting Unit 2.

SR 3.8.1.8 is not required if only one Unit 1 offsite circuit is required by the Unit 2 Specification. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, *and SR 3.8.1.19 are not required since these SRs test the Unit 2 ECCS initiation signal, which is not needed for the AC sources to be OPERABLE on Unit 2. SR 3.8.1.20 is not required since starting independence is not required with the DG(s) not required to be OPERABLE.

The Frequency required by the applicable Unit 1 SR also governs perforn:iance of that SR for Unit 2.

As Noted, if Unit 1 is in MODE 4 or 5, the Note to Unit 1 SR 3.8.2.1 is applicable. This ensures that a Unit 2 SR will not require a Unit 1 SR to be performed, when the Unit 1 Technical Specifications do not require performance of a Unit 1 SR. (However, as stated in the Unit 2 SR 3.8.2.1 Note, while performance of an SR is not required, the SR still must be met).

(continued)

SUSQUEHANNA - UNIT 2 3.8-35

Rev. 12 AC Sources-Operating B 3.8.1 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. FSAR, Section 8.2.

3. Regulatory Guide 1.9.

4. FSAR, Chapter 6.

5. FSAR, Chapter 15.

6. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

7. Regulatory Guide 1.93.

8. Generic Letter 84-15.

9.. 10 CFR 50, Appendix A, GDC 18.

10. IEEE Standard 308.

11. Regulatory Guide 1.137.

12. FSAR, Section 6.3.

13. ASME Boiler and Pressure Vessel Code, Section XI.

14. Letter from R. V. Guzman (USNRC) to B. T. McKinney (PPL)

"Susquehanna Steam Electric Station, Unit 2 - Issuance of Amendment Re: Electrical Power Systems Technical Specification 3.8.1 (T.A.C. MD4766)", dated February 19, 2008.

SUSQUEHANNA - UNIT 2 3.8-36

Rev. 12 AC Sources-Operating B 3.8.1 TABLE B 3.8.1-1 (page 1 of 2)

UNIT 1 AND UNIT 2 LOAD TIMERS NOMINAL DEVICE SETTING ALLOWABLE TAG NO. SYSTEM LOADING TIMER LOCATION (seconds) VALUE (seconds) 62A-20102

RHR Pump 1A 1A201 3 .: 2.7 and:,; 3.6 62A-20202 RHR Pump 18 1A202 3 .: 2.7 and:,; 3.6 62A-20302 RHR Pump 1C 1A203 3 .: 2.7 and:,; 3.6 62A-20402 RHR Pump 1D 1A204 3 .: 2.7 ands 3.6 62A-20102 RHR Pump2A 2A201 3 .: 2.7 and:,; 3.6 62A-20202 RHR Pump 28 2A202 3 > 2.7 and:,; 3.6 62A-20302 RHR Pump2C 2A203 3 .: 2.7 ands 3.6 62A-20402 RHR Pump2D 2A204 3 > 2.7 and< 3.6 E11A-K2028 RHR Pump 1C (Offsite Power Timer) 1C618 7.0 *;;: 6.5 and :,; 7.5 E11A-K120A RHR Pump 1C (Offsite Power Timer) 1C617 7.0 > 6.5 and < 7.5 E11A-K1208 RHR Pump 1O (Offsite Power Timer) 1C618 7.0 .: 6.5 and s 7.5 E11A-K202A RHR Pump 1O (Offsite Power Timer) 1C617 7.0 .: 6.5 ands 7.5 E11A-K120A RHR Pump 2C (Offsite Power Timer) 2C617 7.0 .: 6.5 and:,; 7.5 E11A-K2028 RHR Pump 2C (Offsite Power Timer) 2C618 7.0 .: 6.5 and:,; 7.5 E11A-K1208 RHR Pump 20 (Offsite Power Timer) 2C618 7.0 .: 6.5 and:,; 7.5 E11A-K202A RHR Pump 20 (Offsite Power Timer) 2C617 7.0 .: 6.5 ands 7.5 E21A-K116A CS Pump 1A 1C626 10.5 .: 9.4 ands 11.6 E21A-K1168 CS Pump 18 1C627 10.5 .: 9.4 and s 11.6 E21A-K125A CS Pump 1C 1C626 10.5 > 9.4 and < 11.6 E21A-K1258 CS Pump 10 1C627 10.5 .: 9.4 and :,; 11.6 E21A-K116A CS Pump2A 2C626 10.5 .: 9.4 and:,; 11.6 E21A-K1168 CS Pump28 2C627 10.5 .: 9.4 and :,; 11.6 E21A-K125A CS Pump2C 2C626 10.5 .: 9.4 and:,; 11.6 E21A-K1258 CS Pump20 2C627 10.5 .: 9.4 and:,; 11.6 E21A-K16A CS Pump 1A (Offsite Power Timer) 1C626 15 ;;: 14.0 ands 16.0 E21A-K168 CS Pump 18 (Offsite Power Timer) 1C627 15 .: 14.0 and:,; 16.0 E21A-K25A CS Pump 1C (Offsite Power Timer) 1C626 15 .: 14.0 ands 16.0 E21A-K258 CS Pump 1O (Offsite Power Timer) 1C627 15 > 14.0 and< 16.0 E21A-K16A CS Pump 2A (Offsite Power Timer) 2C626 15 ;;: 14.0 ands 16.0 E21A-K168 CS Pump 28 (Offsite Power Timer) 2C627 15 .: 14.0 ands 16.0 E21A-K25A CS Pump 2C (Offsite Power Timer) 2C626 15 .: 14.0 ands 16.0 E21A-K258 CS Pump 20 (Offsite Power Timer) 2C627 15 .: 14.0 ands 16.0 62AX2-20108 Emeraencv Service Water 1A201 40 .: 36 ands 44 62AX2-20208 Emerqencv Service Water 1A202 40 .: 36 and:,; 44 62AX2-20303 Emeraencv Service Water 1A203 44 .: 39.6 and s 48.4 62AX2-20403 Emeraencv Service Water 1A204 48 ;;: 43.2 and :,; 52.8 62X3-20404 Control Structure Chilled Water Svstem OC8778* 60 > 54 62X3-20304 Control Structure Chilled Water System OC877A 60 .: 54 Emergency Switchgear Rm Cooler A & RHR 62X-20104 OC877A 60 .: 54 SW Pump H&V Fan A Emergency Switchgear Rm Cooler 8 & RHR 62X-20204- OC8778 60 .: 54 SW Pump H&V Fan 8 62X-5653A . OG Room Exhaust Fan E3 08565 60 .: 54 62X-5652A OG Room Exhausts Fan E4 08565 60 .: 54 262X-20204 Emerqencv Switchqear Rm Cooler 8 OC8778 120 .: 54 262X-20104 Emerqencv Switchqear Rm Cooler A OC877A 120 .: 54 62X-546 OG Rm Exh Fan 0 08546 120 > 54 SUSQUEHANNA - UNIT 2 3.8-37

Rev. 12 AC Sources-Operating B 3.8.1 TABLE B 3.8.1-1 (page 2 of 2)

UNIT 1 AND UNIT 2 LOAD TIMERS NOMINAL DEVICE SETTING ALLOWABLE TAG NO. SYSTEM LOADING TIMER LOCATION (seconds) VALUE (seconds) 62X-536 DG Rm Exh Fan C OB536 120 ;;;:54 62X-526 DG Rm Exh Fan B OB526 120 >54 62X-516 DG Rm Exh Fan A OB516 120 ;;;:54 CRX-5652A DG Room Supply Fans E1 and E2 OB565 120 > 54 62X2-20410 Control Structure Chilled Water System OC876B 180 ;;;: 54 62X1-20304 Control Structure Chilled Water System OC877A 180 >54 62X2-20310 Control Structure Chilled Water System OC876A 180 ;;;:54 62X1-20404 Control Structure Chilled Water System OC877B 180 >54 62X2-20304 Control Structure Chilled Water System OC877A 210 ;;;:54 62X2-20404 Control Structure Chilled Water System OC877B 210 ;;;:54 Emergency Switchgear Rm Cooling 62X-K11BB 2CB250B 260 ;;;:54 Comoressor B Emergency Switchgear Rm Cooling 62X-K11AB 2CB250A 260 ;;;:54 Compressor A SUSQUEHANNA - UNIT 2 3.8-38

Rev. 1 AC Source-Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources-Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating."

APPLICABLE The OPERABILITY of the minimum AC sources during MODES 4 and 5 SAFETY ANALYSES and during movement of irradiated fuel assemblies ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences. These deviations from OBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources.

(continued)

SUSQUEHANNA - UNIT 2 3.8-39

Rev. 1 AC Source-Shutdown B 3.8.2 BASES APPLICABLE Therefore, Unit 2 Technical Specifications establish requirements for the SAFETY ANALYSES OPERABILITY of the DG(s) and qualified offsite circuits needed to (continued) support the Unit 1 onsite Class 1E AC electrical power distribution subsystem(s) required by Unit 2 LCO 3.8.8, Distribution Systems-Shutdown.

During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS.

This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled. Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on:

a.

The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.

b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.

c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.

d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power.

The AC sources satisfy Criterion 3 of the NRC Policy Statement (Ref.

1).

(continued)

SUSQUEHANNA - UNIT 2 3.8-40

Rev.1 AC Source-Shutdown B 3.8.2 BASES LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems-Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a Distribution System Engineered Safeguards System (ESS) bus required OPERABLE by LCO 3.8.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the offsite circuit. Together, OPERABILITY of the require~ offsite circuit and DG ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown

(e.g., fuel handling accidents).

The qualified offsite circuit(s) must be capable of maintaining rated frequency and voltage while connected to their respective ESS bus(es),

and*of accepting required loads during an accident. Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the unit. An offsite circuit includes all breakers, transformers, switches, automatic tap changers, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESS bus or buses. The offsite circuit consists of the incoming breaker and disconnect to startup transformers (SD No. 1O and ST No. 20 and the respective circuit path including feeder breakers to the four 4.16 kV ESS buses. (A, B, C and D) for both Unit 1 and Unit 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESS buses is found in the FSAR, Section 8.2.

The required DG must be capable of starting, accelerating to rated speed and voltage, connecting to its respective ESS bus on detection of bus undervoltage, and capable of accepting required loads. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESS buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

( continued)

SUSQUEHANNA - UNIT 2 3.8-41

Rev. 1 AC Source-Shutdown B 3.8.2 BASES LCO Proper sequencing of loads, including tripping of nonessential loads, is a (continued) required function for DG OPERABILITY. In addition, proper sequence operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts the ability to start and maintain energized loads required OPERABLE by LCO 3.8.8.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that:

a. Systems that provide core cooling are available;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.

ACTIONS The ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

With one or more required AC Sources (DGs or 4.16 kV ESS buses) inoperable, the remaining required sources may be capable of supporting

sufficient required features (e.g., system, subsystem, divisions, component or device), to allow continuation of CORE ALTERATIONS and fl.lei movement. For example, if two or more 4 kV emergency buses are required per LCO 3.8.8, one 4.16 kV emergency bus with offsite (continued)

SUSQUEHANNA - UNIT 2 3.8-42

Rev.1 AC Source-Shutdown B 3.8.2 BASES ACTIONS A.1 (continued)

(continued) power available may be capable of supporting sufficient required features. Therefore, the option provided by Required Action A.1 to declare required features inoperable when not powered from an offsite source or not capable of being powered by the required DG recognizes that appropriate restrictions will be required by ACTIONS in the LCO for the affected feature(s).

If a DG is credited with meeting both Unit 2 LCO 3.8.2.b and Unit 2 LCO 3.8.2.d or an offsite circuit is credited with meeting both Unit 2 LCO 3.8.2.a and Unit 2 LCO 3.8.2.c, the AC Source may considered OPERABLE for meeting one of the requirements even if is considered inoperable for meeting the other.

A.2.1, and A.2.2, and A.2.3 With one or more required AC Sources inoperable, the option exists in ACTION A.1 to declare all affected features inoperable. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With one or more required AC Sources inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

(continued)

SUSQUEHANNA - UNIT 2 3.8-43

Rev. 1 AC Source-Shutdown B 3.8.2 BASES ACTIONS A.2.1, and A.2.2, and A.2.3 (continued)

(continued)

Because of the allowance provided by LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power.to any required ESS bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a 4.16 kV ESS bus is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized 4.16 kV ESS bus.

SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, and 3. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be OPERABLE. SR 3.8.1.17 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1.20 _is excepted because starting independence is not required with the DGs that are not required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

This SR is modified by a Note that specified SRs must be met but are not required to be performed. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4160 V ESS bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG.

It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to be OPERABLE.

(continued)

SUSQUEHANNA - UNIT 2 3.8-44

Rev. 1 AC Source-Shutdown B 3.8.2 BASES SURVEILLANCE SR 3.8.2.2 REQUIREMENTS (continued) This Surveillance is provided to direct that the appropriate Surveillances for Unit 1 AC sources required to support Unit 2 are governed by the Unit 2 Technical Specifications. With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.1.1 through SR 3.8.1.20) are applicable to the Unit 2 AC sources only. Meeting the SR requirements of Unit 1 LCO 3.8.1 will satisfy all Unit 2 requirements for Unit 1 AC sources. However, six Unit 1 LCO 3.8.1 SRs, if not required to support Unit 1 OPERABILITY requirements, are not required when demonstrating Unit 1 sources are capable of supporting Unit 2.

SR 3.8.1.8 is not required if only one Unit 1 offsite circuit is required by the Unit 2 Specification. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, and SR 3.8.1.19 are not required since these SRs test the Unit 1 ECCS initiation signal, which is not needed for the AC sources to be OPERABLE on Unit 2. SR 3.8.1.20 is not required since starting independence is not required with the DG(s) not required to be OPERABLE.

The Frequency required by the applicable Unit 1 SR also governs performance of that SR for Unit 2.

As Noted, if Unit 1 is in MQDE 4 or 5, the Note to Unit 1 SR 3.8.2.1 is applicable. This ensures that a Unit 2 SR will not require a Unit 1 SR to be performed, when the Unit 1 Technical Specifications do not require performance of a Unit 1 SR. (However, as stated in the Unit 2 SR 3.8.2.1 Note, while performance of an SR is not required, the SR still must be met).

REFERENCES 1. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.8-45

Rev. 1 AC Source-Shutdown B 3.8.2

. BASES THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 2 3.8-46

Rev.2 DC Sources-Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5

DC Sources-Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses in the SAFETY FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered ANALYSES Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the .

supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

LCO 3.8.5 is normally satisfied by maintaining the OPERABILITY of all Division I or all Division II DC sources listed in Table 3.8.4-1 and the Diesel Generator E battery bank. However, any combination of DC sources that maintain OPERABILITY of equipment required by Technical Specifications may be used to satisfy this LCO. The DC sources satisfy Criterion 3 of the NRG Policy Statement (Ref. 3).

(continued)

SUSQUEHANNA - UNIT 2 3.8-70

Rev. 2 DC Sources-Shutdown B 3.8.5 BASES LCO The DC electrical power subsystems are required to be OPERABLE as needed to support required DC distribution subsystems required OPERABLE by LCO 3.8.8, "Distribution Systems-Shutdown." This requirement ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

The DC electrical power subsystems consist of the following:

a. each Unit 2 and Unit 1 DC electrical power subsystem identified in Table 3.8.4-1 including a 125 volt or 250 volt DC battery bank in parallel with a battery charger and the corresponding ~antral equipment and interconnecting cabling supplying power to the associated bus; and,

b. the Diesel Generator E DC electrical power subsystem identified in Table 3.8.4-1 including a 125 volt DC battery bank in parallel with a battery charger and the corresponding control equipment and interconnecting cabling supplying power to the associated bus.

APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Required features to provide core cooling are available;

b. Required features needed to mitigate a fuel handling accident are available;

c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and

maintaining the unit in a cold shutdown condition or refueling condition.

The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.

(continued)

SUSQUEHANNA - UNIT 2 3.8-71

Rev. 2 DC Sources-Shutdown B 3.8.5 BASES ACTIONS The ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. This is acceptable because LCO 3.0.3 would not specify any additional actions while in MODE 4 or 5 and moving irradiated fuel assemblies.

A.1, A.2.1, A.2.2, and A.2.3 If more than one Unit 2 DC distribution subsystem is required according to LCO 3.8.8, the remaining operable Unit 2 DC subsystems may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. Therefore, the option is proviqed to declare required features with associated DC power sources inoperable which ensures that appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS.

In many instances, this option may inyolve undesired administrative efforts.

Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies). Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required Unit 2 DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

Condition A is modified by a Note that states that Condition A is not applicable to the DG E DC electrical power subsystem. Conditions B and C are applicable to an inoperable DG E DC electrical power subsystem.

(continued)

SUSQUEHANNA - UNIT 2 3.8-72

Rev. 2 DC Sources-Shutdown B 3.8.5 BASES ACTIONS 8.1 (continued)

If Diesel Generator E is not aligned to the class 1E distribution system, the only supported safety function is for the ESW system. Therefore, under this condition, if Diesel Generator E DC power subsystem is not OPERABLE, to ensure the OPERABILITY of the ESW system, actions are taken to restore the battery to OPERABLE status. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other inoperable DC sources that result in a loss of safety function and provides sufficient time to evaluate the condition of the battery and take the corrective actions.

If the Diesel Generator E is aligned to the class 1E distribution system, the loss of Diesel Generator E DC power subsystem will result in the loss of a on-site Class 1E power source. Therefore, under this condition, if Diesel Generator E DC power subsystem is not OPERABLE actions are taken to either restore the battery to OPERABLE status or declare Diesel Generator E inoperable and take Actions of LCO 3.8.2. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other DC sources that result in a loss of safety function and provides sufficient time to evaluate the condition of the battery and take the necessary corrective actions.

The Unit 1 DC subsystems supporting Unit 2 that remain OPERABLE with one or more Unit 1 DC power sources inoperable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. Therefore, the option is provided to declare required features with associated DC power sources inoperable which ensures that appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS.

Condition D is modified by a Note that states that Condition D is not applicable to the DG E DC electrical power subsystem. Condition B or C is applicable to an inoperable DG E DC electrical power subsystem.

(continued)

SUSQUEHANNA - UNIT 2 3.8-73

Rev. 2 DC Sources-Shutdown B 3.8.5 BASES ACTIONS D.2.1 and D.2.2 and D.2.3 (continued)

In many instances, the option of declaring individual supported equipment inoperable may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required Unit 1 DC electrical power subsystems and to continue this action until restoration is accomplished in prder to provide the necessary DC electrical power to the plant safety systems.

D.3.1. 3.2.1. and D.3.2.2 The option to transfer required common loads to an OPERABLE Unit 2 DC electrical power subsystem ensures required power will be restored.

However, although the corresponding Unit 2 DC electrical power subsystems are evaluated for this condition, this violates a design commitment to maintain DC power separation between units. To minimize the time this condition exists, Required Action D.3.2 directs that power supply be restored to the corresponding Unit 1 DC electrical power subsystem, which restores power to the common loads, or requires that the Unit 1 and common loads are declared inoperable. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months provides sufficient time to restore power and acknowledges the fact that the condition, although not consistent with design requirements, maintains all required safety systems available.

D.1. D.2.1. D.2.2. D.2.3. D.2.4. D.3.1. D.3.2.1. and D.3.2.2 The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

(continued)

SUSQUEHANNA - UNIT 2 3.8-74

Rev. 2 DC Sources-Shutdown B 3.8.5 BASES SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.3. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

SR 3.8.5.2 This Surveillance is provided to direct that Surveillances for the Unit 1 DC sources required to support Unit 2 are governed by the Unit 2 Technical Specifications. When Unit 1 DC Sources are required to be Operable to support Unit 2, the Unit 1 Surveillances must be met. Performance of a Unit 1 Surveillance that satisfies Unit 1 requirements will satisfy Unit 2 requirements. Performance of Unit 1 Surveillances at the specified Frequency satisfies Unit 2 requirements.

When a Unit is in MODE 4 or 5, a Note to SR 3.8.5.1 specifies that some SRs are required to be met but do not have to be performed. The Note to Unit 2 SR 3.8.5.2 states that the Note to Unit 1 SR 3.8.2.1 is applicable if Unit 1 is in MODE 4 or 5. This ensures that a Unit 2 SR will not require a Unit 1 SR to be performed, when the Unit 1 Technical Specifications does not require performance of a Unit 1 SR.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.8-75

Rev. 2 DC Sources-Shutdown B 3.8.5 THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 2 3.8-76

Rev. 2 Distribution Systems-Shutdown B18.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems-Shutdown BASES BACKGROUND A description of the AC and DC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems-Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses in SAFETY ANALYSES the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems and the DG E DC electrical power distribution subsystem are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5, and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

LCO 3.8.8 is normally satisfied by maintaining the OPERABILITY of all Division I or all Divisior:, II DC distribution subsystems listed in Table 3.8.7-1 and the diesel generator E distribution subsystem. However, any combination of DC distribution subsystems that maintain OPERABILITY of equipment required by Technical Specifications may be used to satisfy this LCO.

(continued)

SUSQUEHANNA - UNIT 2 3.8-94

Rev.2 Distribution Systems-Shutdown B 3.8.8 BASES APPLICABLE The AC and DC electrical power distribution systems satisfy Criterion 3 of SAFETY ANALYSES the NRC Policy Statement (Ref. 3).

(continued)

LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of Technical Specifications required systems, equipment, and components-both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g.,

fuel handling accidents). The AC and DC electrical distribution subsystem is only considered Inoperable when the subsystem is not energized to its proper voltage.

APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Systems that provide core cooling are available;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The AC, DC and DG E electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.

(continued)

SUSQUEHANNA - UNIT 2 3.8-95

Rev. 2 Distribution Systems-Shutdown B 3.8.8 BASES ACTIONS The ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. This is acceptable because LCO 3.0.3 would not specify any additional Actions in MODE 4 or 5 moving irradiated Fuel assemblies.

The Unit 2 AC and DC subsystems remaining OPERABLE with one or more Unit 2 AC and DC power sources inoperable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. Therefore, the option is provided to declare required features with associated power sources inoperable which ensures that appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS.

Condition A is modified by a Note that states that Condition A is not applicable to the DG E DC electrical power subsystem. Conditions B and C are applicable to an inoperable DG E DC electrical power subsystem.

A.2.1, A.2.2, A.2.3, and A.2.4 In many instances the option above may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made, (i.e., to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.

Required Actions A.2.1 through A.2.3 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.4 is provided to direct declaring RHR-SDC inoperable and not in operation, which results in taking all appropriate RHR-SDC ACTIONS.

(continued)

SUSQUEHANNA - UNIT 2 3.8-96

Rev. 2 Distribution Systems-Shutdown B 3.8.8 BASES ACTIONS A.2.1. A.2.2. A.2.3, and A.2.4 (continued)

(continued)

Required Action A.2 is modified by a Note. The Note ensures that appropriate remedial actions are taken, if necessary, if a required ECCS subsystem is rendered inoperable by the lnoperability of the electrical distribution subsystem. Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met. Therefore, the Note is added to require the proper actions be taken.

A.3.1. A.3.2, A.3.3.1 and A.3.3.2 The option to transfer required common loads to an OPERABLE Unit 2 electrical power subsystem ensures power will be restored to required loads. To ensure any loads which are not transferred to the Unit 2 power distribution subsystem are compensated for, Required Action A.3.2, requires the required features to be declared inoperable. Although the corresponding Unit 2 ~lectrical power subsystem is evaluated for this condition, this violates a design commitment to maintain power separation between units. To minimize the time this condition exists, Required Action A.3.3 directs that power supply be restored to the correspo'nding Unit 1 electrical power subsystem, which restores power to the common loads, or requires that the Unit 1 and common loads are declared inoperable. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months provides sufficient time to restore power and acknowledges the fact that the condition, although not consistent with design requirements, maintains all required safety systems available.

A.1, A.2.1, A.2.2, A.2.3, A.2.4, A.3.1, A.3.2 A.3.3.1, and A.3.3.2 The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.

(continued)

SUSQUEHANNA - UNIT 2 3.8-97

Rev. 2 Distribution Systems-Shutdown B 3.8.8 BASES ACTIONS B.1 (continued)

If Diesel Generator E is not aligned to the class 1E distribution system, the only supported safety function is the ESW system. Therefore, if Diesel Generator E DC power distribution subsystem is not OPERABLE, actions are taken to either restore the battery to OPERABLE status or shutdown Diesel Generator E and close the associated E~W valves to ensure the OPERABILITY of the ESW system. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other inoperable DC sources and provides sufficient time to evaluate the condition of the battery and take the corrective actions.

If Diesel Generator E is aligned to the class 1E distribution system, the loss of Diesel Generator E DC power distribution subsystem will result in the loss of a on-site Class 1E subsystem source. Therefore, if Diesel Generator E DC power subsystem is not OPERABLE actions are taken to either restore the battery to OPERABLE status or declare Diesel Generator E inoperable and take Actions of LCO 3.8.2. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other DC sources and provides sufficient time to evaluate the condition of the battery and take the necessary corrective actions.

SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution subsystems are functioning properly, with the buses energized. The verification of proper voltage or indicated power availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 2 3.8-98

Rev. 2 Distribution Systems-Shutdown B 3.8.8 BASES REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 2 3.8-99

Rev. 2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 B 3.10 SPECIAL OPERATIONS B 3.10.1 lnservice Leak and Hydrostatic Testing Operation BASES BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 with temperatures as high as 212°F when operational conditions or the metallurgical characteristics of the reactor pressure vessel (RPV) require the pressure testing at temperatures > 200°F (normally corresponding to MODE 3) or to allow completing these reactor coolant pressure tests when the initial conditions do not require temperatures> 200°F. Furthermore, the purpose is to allow continued performance of control rod scram time testing required by SR 3.1.4.1, SR 3.1.4.3 or SR 3.1.4.4 if reactor coolant temperatures exceed 200°F when the control rod scram time testing is initiated in conjunction with an inservice leak or hydrostatic test. These control rod scram time tests would be performed in accordance with LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown," during MODE 4 operation.

lnservice hydrostatic testing and system leakage pressure tests required by*

Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (PIT) limits required by LCO 3.4.10, "Reactor Coolant System (RCS) Pressure and Temperature (PIT) Limits." These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence.

With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases at a given pressure. Periodic updates to the RPV PIT limit curves are performed as necessary, based upon the results of analyses of irradiated surveillance specimens removed from the vessel.

Hydrostatic and leak testing may eventually be required with minimum reactor coolant temperatures> 200°F. However, even with required minimum reactor coolant temperatures< 200°F, maintaining RCS (continued)

SUSQUEHANNA - UNIT 2 3.10-1

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES BACKGROUND temperatures within a small band during the test can be impractical.

(continued) Removal of heat addition from recirculation pump operation and reactor core decay heat is coarsely controlled by control rod drive hydraulic system flow and reactor water cleanup system non-regenerative heat exchanger operation. Test conditions are focused on maintaining a steady state pressure, and tightly limited temperature control poses an unnecessary burden on the operator and may not be achievable in certain instances.

The hydrostatic and RCS system leakage tests require increasing pressure to 1035 (+10, -0) psig. Scram time testing required by SR 3.1.4.1 and SR 3.1.4.4 requires reactor pressures > 800 psig.

Other testing may be performed in conjunction with the allowances for inservice leak or hydrostatic tests and control rod scram time tests.

APPLICABLE Allowing the reactor to be considered in MODE 4 when the reactor coolant SAFETY temperature is> 200°F but~ 212°F, during, or as a consequence of ANALYSES hydrostatic or leak testing, or as a consequence of control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems. Since the tests are performed nearly water solid, at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for failed fuel and a subsequent increase in coolant activity above the LCO 3.4. 7, "RCS Specific Activity," limits are minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur during the performance of hydrostatic or leak testing. The required pressure testing conditions provide adequate assurance that the consequences of a steam leak will be conservatively bounded by the consequences of the postulated main steam line break outside of primary containment described in Reference 2. Therefore, these requirements will conservatively limit radiation releases to the environment.

(continued)

SUSQUEHANNA - UNIT 2 3.10-2

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES APPLICABLE In the unlikely event of any primary system leak that could result in draining SAFETY the RPV, the reactor vessel would rapidly depressurize. The make-up ANALYSES capability required_ in MODE 4 by LCO 3.5.2, "Reactor Pressure Vessel (continued) (RPV)-Water Inventory Control," would be more than adequate to keep the RPV water level above the TAF under this low decay heat load condition.

Small system leaks would be detected by leakage inspections before significant inventory loss occurred.

For the purposes of this test, the protection provided by normally required MODE 4 applicable LCOs, in addition to the secondary containment requirements required to be met by this Special Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRG Policy Statement apply.

Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation at reactor coolant temperatures > 200°F but~ 212°F can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to plant conditions or PIT limits, however, which require testing at temperatures > 200°F, while the ASME inservice test itself requires the safety/relief valves to be gagged, preventing their OPERABILITY. Additionally, even with required minimum reactor coolant temperatures< 200°F, RCS temperatures may drift above 200°F during the performance of inservice leak and hydrostatic testing or during subsequent control rod scram time testing, which is typically performed in conjunction with inservice leak and hydrostatic testing. While this Special Operations LCO is provided for inservice leak and hydrostatic testing, and for scram time testing initiated in conjunction with an inservice leak or hydrostatic test, parallel performance of other tests and inspections is not precluded.

(continued)

SUSQUEHANNA- UNIT 2 3.10-3

Rev. 2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES LCO If ,it is desired to perform these tests while complying with this Special (continued) Operations LCO, then the MODE 4 applicable LCOs and specified LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to".::: 212" and suspending the requirements of LCO 3.4.9, "Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown." The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures > 200°F for the purpose of performing an inservice leak or hydrostatic test, and for control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test.

This LCO allows primary containment to be open for frequent unobstructed access to* perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements.

APPLICABILITY The MODE 4 requirements may only be modified for the performance of, or as a consequence of inservice leak or hydrostatic tests, or as a consequence of control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test, so that these operations can be considered as in MODE 4, even though the reactor coolant temperature is

> 200°F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in the response of the unit to any event that may occur.

Operations in all other MODES are unaffected by this LCO.

ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

(continued)

SUSQUEHANNA - UNIT 2 3.10-4

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES ACTIONS A.1 (continued)

If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to the stated requirements are entered immediately and complied with.

Required Action A.1 has been modified by a Note that clarifies the intent of another LCO's Required Action to be in MODE 4 includes reducing the average reactor coolant temperature to .:s. 200°F.

A.2.1 and A.2.2 Required Action A.2.1 and Required Action A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operation LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Required Action A.2.2 is based on engineering judgment and provides sufficient time to reduce the average reactor coolant temperature from the highest expected value to .:s. 200°F with normal cooldown procedures. The Completion Time is also consistent with the time provided in LCO 3.0.3 to reach MODE 4 from MODE 3.

SURVEILLANCE SR 3.10.1.1 REQUIREMENTS The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met. A discussion of the applicable SRs is provided in their respective Bases.

REFERENCES 1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI.

2. FSAR, Section 15.6.4 SUSQUEHANNA - UNIT 2 3.10-5

ML19078A211

Text

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title: