Text

Cycle 12 Technical Specification Bases Page Updates
	ML032120094
Person / Time
Site:	San Onofre
Issue date:	07/28/2003
From:	Scherer A; Southern California Edison Co
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML032120094 (204)
	v • d • e

SOUTHERN CALIFORNIA A. Edward Scherer

_n EDISON Manager of Nuclear Regulatory Affairs An EDISON INTERNATIONAL'a Company July 28, 2003 U.S. Nuclear Regulatory Commission Attention: Document Control Desk Washington, D.C. 20555-0001

Subject:

Docket Nos. 50-361 and 50-362 Cycle 12 Technical Specification Bases Page Updates San Onofre Nuclear Generating Station, Units 2 & 3 Gentlemen:

Enclosed is the Cycle 12 update to the San Onofre Units 2 and 3 Technical Specification (TS) Bases. As required by TS 5.4.4, changes to the TS Bases implemented without prior NRC approval are provided to the NRC on a frequency consistent with 10 CFR 50.71(e).

Included in this update are all TS Bases pages that have been revised between February 4, 2001, and April 30, 2003. The pages are marked with change bars in the right hand margin to show where changes have been made.

Pages that are supplied without any change bars reflect text rollover from one page to the next as the result of additions or deletions.

If you have any questions on this subject, please call me or Mr. J. L. Rainsberry (949) 368-7420.

Sincerely, Enclosure cc: T. P. Gwynn, Acting Regional Administrator, NRC Region IV B. M. Pham, NRC Project Manager, San Onofre Units 2, and 3 C. C. Osterholtz, NRC Senior Resident Inspector, San Onofre Units 2 & 3 P.O. Box 128 San Clemente, CA 92674-0128 949-368-7501 DID Fax 949-368-7575

ENCLOSURE PART 1: SAN ONOFRE UNIT 2 REVISED BASES PAGES PART 2: SAN ONOFRE UNIT 3 REVISED BASES PAGES Bases Change Package Numbers BOO-016 B02-009 BOO-019 B02-010 BOO-028 B02-012 BOO-029 B02-013 BOO-030 B03-002 B00-032 B03-003 B0-034 B03-004 BOI-001 BOI-002 BOI-003 B01-004 B01-005 BOI-006 B01-007 B01-008 B01-009 B01-010 B01-012 B01-013 B01-014 B01-015 B02-002 B02-003 B02-004 B02-005 B02-006 B02-007 B02-008

LCO Applicability B 3.0 BASES (continued)

LCO 3.0.3 Voluntary entry into LCO 3.0.3 is permissible but requires (continued) prior approval (approval may be verbal) from either the Operations Manager, Station Manager or Vice President, Nuclear Generation. The approval must subsequently be documented in written retrievable manner. Inadvertent entry still allows for the one hour preparation period before Actions to change MODES must begin.

A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met.

b. A Condition exists for which the Required Actions have now been performed.

c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of Specification 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the time allowed for reaching MODE 4 is the next 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months , because the total time for reaching MODE 4 is not reduced from the allowable limit of 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3.

The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications (continued)

SAN ONOFRE--UNIT 2 B 3.0-4 Amendment No. 127 12/19/02 1

SR Applicability B 3.0 BASES (continued)

SR 3.0.3 been completed within the specified Frequency. A delay (continued) period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified frequency , whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

This delay period provides an adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10CFR50 Appendix J, as modified by approved exemptions. etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.

However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

(continued)

SAN ONOFRE--UNIT 2 B 3.0-13 Amendment No. 186 5/8/02 Re-issued 10/25/02 I

SR Applicability B 3.0 BASES (continued)

SR 3.0.3 Failure to comply with specified Frequencies for SRs is (continued) expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillances as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10CFR50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182,

'Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants.' This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component.

Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

(continued)

SAN ONOFRE--UNIT 2 B 3.0-14 Amendment No. 186 5/8/02

SR Applicability B 3.0 BASES (continued)

SR 3.0.3 Completion of the Surveillance within the delay period (continued) allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified Condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. This Specification applies to changes in MODES or other specified conditions in the Applicability associated with unit shutdown as well as startup.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.

SAN ONOFRE--UNIT 2 B 3.0-15 Amendment No. 186 5/8/02

MTC B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Moderator Temperature Coefficient (MTC)

BASES BACKGROUND According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.

The MTC relates a change in core reactivity to a change in reactor coolant temperature. A positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature. The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.

MTC values are predicted at selected burnups during the reload design process and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less positive than that allowed by the LCO. The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.

The core design may require additional fixed distributed poisons (lumped burnable poison assemblies) to yield an MTC at the BOC within the range analyzed in the plant accident analysis.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-19 Amendment No. 127 01/03/02 1

MTC B 3.1.4 BASES (continued)

APPLICABLE The reload analyses assume conservative MTC values at BOC SAFETY ANALYSES and EOC under steady state conditions. The MTC is verified (continued) to be within these limits within +/-14 EFPD of the predicted peak boron concentration and again within +/-30 EFPD of 3/4 of I.

expected core burnup. Verification that the EOC MTC will remain within limits is accomplished by extrapolating the measured MTC values to the EOC. The measured MTC values may be compensated to RTP for direct comparison with the BOC an EOC limits. The MTC measurement and extrapolation may be repeated within the required surveillance FREQUENCY of +/-30 EFPD of 3/43 of the expected core burnup to ensure an accurate prediction EOC MTC.

The MTC satisfies Criterion 2 of the NRC Policy Statement.

LCO LCO 3.1.4 requires the MTC to be within the specified limits of the COLR to ensure the core operates within the assumptions of the accident analysis. During the reload design process, the MTC is analyzed to determine that its I values remain within the bounds of the reference accident analysis during operation. The limit on a positive MTC ensures that core overheating accidents will not violate the accident analysis assumptions. The negative MTC limit for EOC specified in the COLR ensures that core overcooling accidents will not violate the accident analysis assumptions.

MTC is a core physics parameter determined by the fuel and fuel cycle design and cannot be easily controlled once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement. The surveillance checks at BOC and MOC on an MTC provide confirmation that the MTC is behaving as anticipated, so that the acceptance criteria are met.

APPLICABILITY In MODE 1, the limits on the MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis. In MODE 2, the limits must also be maintained to ensure startup and subcritical accidents, such as the uncontrolled CEA assembly or group withdrawal, will not violate the assumptions of the accident analysis. In (continued)

SAN ONOFRE--UNIT 2 B 3.1-21 Amendment No. 127 01/03/02 1

Boration Systems - Operating B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEM B 3.1.9 Boration Systems - Operating BASES BACKGROUND The Chemical and Volume Control System (CVCS) functions to provide a means for reactivity control and maintaining reactor coolant inventory, activity, and chemistry. The CVCS includes the letdown and boron injection subsystems.

The boron injection subsystem is required to establish and maintain a safe shutdown condition for the reactor. The letdown portion of the CVCS is used for normal plant operation, however, it is not required for safety. Although automatic boron injection via the charging pumps is not required for any design basis event, a Safety Injection Actuation Signal (SIAS) starts all three charging pumps and opens the associated boric acid flow path valves.

Two OPERABLE trains of boron injection flow paths are required while operating in Modes 1, 2. 3, and 4. Each train consists of two flow paths from borated water sources to the RCS via charging pumps and/or HPSI pumps. A charging pump boron injection flow path is a suction path from a borated water supply to the charging pumps and through a common discharge path from the charging pumps to the RCS. A HPSI boron injection flow path is a suction path from the RWST to the HPSI pump and through the HPSI cold leg discharge header to the RCS.

There are two borated water sources for the charging pumps suction flow paths. One source is the Boric Acid Makeup I (BAMU) tanks with their individual or combined contents in accordance with the LCS, and through the Train A BAMU pump(s), or the Train B associated gravity feed valves, and onto the Train A and B charging pumps. Another source includes the RWST (TS 3.5.4), through the Train B gravity feed valve, and the Train B charging pumps. Power is provided by the OPERABLE onsite emergency power supply specified by TS 3.8.1.

The system contains an alternate discharge flow path to permit borating should the common charging line become unavailable. The specific HELB events requiring use of the alternate discharge flow path for boron injection are identified in UFSAR Sections 3.6A.2.13, 3.6A.2.15, 3.6A.3.1.2, and 3.6A.3.2.2. Use of the alternate discharge flow path is limited as stated in UFSAR Section 3.6.2.1.2.1, High Energy Piping.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-54 Amendment No. 127 08/03/01 l

Boration Systems - Operating B 3.1.9 BASES (continued)

BACKGROUND The boron concentration is controlled to provide shutdown (continued) margin (SDM) for maintenance, refueling and emergencies.

Boron concentration is adjusted to obtain optimum CEA positioning and compensate for normal reactivity changes associated with changes in reactor coolant temperature, core burnup, and xenon concentration. The boration capability is sufficient to provide the required SDM assuming the highest I worth CEA is stuck out after xenon decay and cooldown to 200'F in accordance with GDC 26 and 27 (Ref. 1 and 2). I APPLICABLE The charging pumps inject borated water into the RCS to SAFETY ANALYSES provide reactivity control. There are three installed charging pumps with one normally in operation balancing the letdown purification flow and the reactor coolant pump controlled bleed-off flow. I The purpose of the required borated water sources and flow paths to the RCS is to ensure that sufficient borated water is available to maintain the reactor subcritical and provide makeup water to account for RCS shrinkage during cooldown to cold shutdown conditions. The range of volumes and concentrations (approximately 2.25 to 3.5 wt% boric acid),

to be maintained in either or both BAMU tanks depend on the concentration in the RWST since both water sources are required to provide boration during plant cooldown.

The capacity of the charging pumps and the required amount of borated water stored in the RWST and BAMUs is sufficient to maintain shutdown margin during a plant cooldown to MODE 5 with a shutdown margin in accordance with TS 3.1.1 and 3.1.2 at any time during plant life. The maximum expected boration capability requirement occurs at the end of core life from full power equilibrium xenon conditions. During this condition the required boric acid solution is supplied to the RCS by the charging pumps from the BAMU tanks with the contents in accordance with the LCS, plus approximately 13,000 gallons of 2350 ppm borated water from the OPERABLE RWST.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-55 Amendment No. 127 08/03/01 l

Boration Systems - Operating B 3.1.9 BASES (continued)

APPLICABLE The design of the CVCS boration subsystems incorporates a I SAFETY ANALYSES high degree of functional reliability by providing redundant (continued) components, an alternate path for charging and either offsite or onsite power supplies. Gravity feed lines from each Boric Acid Makeup (BAMU) tank and the RWST assure that I a source of borated water is available to the charging pump suction header. All charging header discharge valves are in their safe shutdown positions or locked open, and the power operated valve in the common charging discharge line is open with power removed in accordance with NRC Branch Technical Position ICSB-18 to preclude single failure. Although the CVCS boron injection subsystem has a single discharge line from the charging pumps to the RCS, should the charging line inside containment be inoperable, (e.g., due to postulated pipe ruptures as described in UFSAR Sections 3.6A.2.13 and 3.6A.2.15) the line may be isolated outside containment and flow redirected through the alternate discharge path via the high pressure safety injection headers to assure boron injection capability. If the RWST gravity feed path to the I charging pump suction were unavailable, sufficient borated water is available from the BAMU tanks (one or both in combination) to provide makeup to allow for plant cooldown to the point where the plant is depressurized sufficiently to allow injection of borated water into the RCS from the RWST using the HPSI pumps. If the normal power supply system should fail, the charging pumps, boric acid makeup pumps, and all related automatic control valves are powered from an emergency bus. Therefore, the malfunction or I failure of one active component would not reduce the ability to borate the RCS since an alternate flow path is always available for emergency boration.

The Boration Systems satisfy Criterion 3 of the NRC Policy Statement.

LCO Two operable boron injection flow paths are required while operating in Modes 1, 2, 3, and 4. These two boration flow paths will ensure that a means of controlling RCS boron I

concentration is available.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-56 Amendment No. 127 08/03/01 1

Boration Systems - Operating B,3.1.9 BASES (continued)

APPLICABILITY In MODES 1, 2, 3, and 4, boron injection flow paths are required to maintain RCS boron concentration and Shutdown Margin (SDM) requirements for maintenance, refueling and emergencies. When hot leg injection is not required to satisfy TS 3.5.2, the discharge path from the charging pumps to the RCS can be redirected through the alternate discharge path via the high pressure safety injection headers. A change in boron concentration may be required to obtain optimum CEA positioning and compensate for normal reactivity changes associated with changes in reactor coolant temperature, core burnup, and xenon concentration. The boration capability is sufficient to provide the required SDM assuming the highest worth CEA is stuck out after xenon decay and cooldown to 200'F.

I In MODES 1, 2, 3, and 4, two boron injection flow paths (Train A and Train B powered per the offsite or onsite I emergency power supply specified by TS 3.8.1) shall be OPERABLE. The Train A flow path is composed of the requirements of paragraph I and II. The Train B flow path is composed of the requirements of paragraph III and IV. I I. One of these combinations provide a Train A flow path from the Boric Acid tanks: I A.1 One Boric Acid Makeup (BAMU) tank (with the tank contents in accordance with the LCS 3.1.104) via the associated BAMU pump to the charging pumps, I OR A.2 Both BAMU tanks (with the combined contents of each tank in accordance with the LCS 3.1.104) via the associated BAMU pumps to the charging pumps. I II. A Train A flow path from the Refueling Water Storage Tank (RWST), with the contents as specified in TS 3.5.4, via the HPSI pumps and at least one discharge flow path as specified in TS 3.5.2 or 3.5.3 when the plant depressurizes.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-57 Amendment No. 127 08/03/01 l

Boration Systems - Operating B 3.1.9 BASES (continued)

APPLICABILITY III. One of these combinations provide a Train B flow path (continued) from the Boric Acid tanks:

A.1 One Boric Acid Makeup (BAMU) tank (with the tank contents in accordance with the LCS 3.1.104) via the associated gravity feed valve to the charging pumps, OR A.2 Both BAMU tanks (with the combined contents of each tank in accordance with the LCS 3.1.104) via the associated gravity feed valves to the charging pumps.

IV. A Train B flow path from the RWST, with the contents as specified in TS 3.5.4 via:

A.1 The associated gravity feed valve to the charging pumps.

OR A.2 The HPSI pumps via at least one discharge flow path as specified in TS 3.5.2 or 3.5.3 when the plant depressurizes.

ACTIONS A.1. B.1. B.2. and C.1 With less than two boron injection flow paths to the reactor coolant System OPERABLE, the required boron injection flow paths shall be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

A boron injection flow path is not OPERABLE if it is not capable of performing its boron injection function in response to a SIAS. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time allows minor component or corrective action without undue risk to plant safety from injection failures.

If the inoperable Boron injection flow path cannot be restored to an OPERABLE status within the allowed Completion Time the plant shall be brought to at least MODE 3, with the Shutdown Margin within TS 3.1.1 limits, within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . In addition, if an inoperable BAMU tank contributed to the boron injection system inoperability, some combination of the BAMU tanks, as described in the LCO Bases, shall be restored to OPERABLE within the next 7 days.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-58 Amendment No. 127 08/03/01 l

Boration Systems - Operating B 3.1.9 BASES (continued)

ACTIONS If the required BAMU tanks cannot be restored to an OPERABLE (continued) status within the 7 day Completion Time, the plant must be brought to at least MODE 5 within the next 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

Based on operating experience, the Completion Times and required unit conditions are reasonably achievable in an orderly manner and without unnecessarily challenging unit systems from full power operation.

SURVEILLANCE SR 3.1.9.1 and 3.1.9.2 REQUIREMENTS SR 3.1.9.1 verifies that the boron concentration of the available boric acid solution in the BAMU tanks is sufficient for reactivity control. SR 3.1.9.2 verifies that a sufficient volume of borated water is available for RCS makeup. The minimum required volume and concentration of stored boric acid in the BAMU tank(s) is dependent upon the RWST boron concentration and is specified in a Licensee Controlled Specification. The 7 day Surveillance Frequency ensures that an adequate initial water supply is available for boron injection.

SR 3.1.9.3 and 3.1.9.4 These SRs demonstrate that each automatic boration system pump and valve is operable and actuates as required. In response to an actual or simulated SIAS the charging pumps start, the VCT is isolated, and the charging pumps take suction from the OPERABLE BAMU tank(s) and RWST.

Verification of the correct alignment for manual, power operated, and automatic valves in the Boration System Flow paths provides assurance that proper boration flow paths are available. These SRs do not apply to valves that are locked, sealed, or otherwise secured in position, because these valves were previously verified to be in the correct position.

SR 3.1.9.5 This SR verifies charging pump operability in accordance with the Inservice Testing Program. Such inservice inspections detect component degradation and incipient failures.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-58a Amendment No. 127 08/03/01 1

Boration Systems - Operating B 3.1.9 BASES (continued)

REFERENCES 1. 10 CFR 50. Appendix A, GDC 26.

2. 10 CFR 50, Appendix A, GDC 21.

3. UFSAR Section 7.2.1.1.1.6, Low Pressurizer Pressure.

4. UFSAR Section 3.6.2.1.2.1, High Energy Piping.

5. UFSAR Section 3.6.A.2.13, Cold Leg Safety Injection Lines

6. UFSAR Section 3.6.A.2.15, Charging Lines

7. UFSAR Section 15.10, Transient Analyses.

SAN ONOFRE--UNIT 2 B 3.1-58b Amendment No. 127 08/03/01 l

Boration Systems - Shutdown B 3.1.10 BASES (continued)

SURVEILLANCE SR 3.1.10.1. SR 3.1.10.2. and SR 3.1.10.3 (continued)

REQUIREMENTS specified relative to the top of the highest suction connection to the tank and considers vortexing, internal structures and instrument errors. The 7 day Surveillance Frequency ensures that a sufficient initial water supply is available for boron injection.

SR 3.1.10.4 This SR demonstrates that each boration system pump and valve is operable. Upon manual actuation, the charging pumps start, the VCT is isolated, and the charging pumps take suction from the OPERABLE BAMU tank(s) and RWST.

Verification of the correct alignment for manual, power operated, and automatic valves in the Boration System Flow paths provides assurance that proper boration flow paths are available. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, because these valves were previously verified to be in the correct position.

1. A flow path from either boric acid makeup tank with a minimum boron concentration of 2350 ppm and a minimum borated water volume of 4150 gallons, via either one of the boric acid makeup pumps, the blending tee or the gravity feed connection and any charging pump to the RCS, or;

2. The flow path from the RWST with a minimum borated water level of 15.5%1 (includes TLU and Design Basis Document margin), a minimum boron concentration of 2350 ppm, and a solution temperature 2 40'F and <

1000F via either a charging pump or a high pressure safety injection pump to the RCS.

15.5% level with tanks T005 and T006 cross connected (Reference 4, CCN-1). 17.0% level with tanks T005 (Reference 6) and T006 (Reference 4, CCN-3) isolated.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-63 Amendment No. +24.175 05/21/02 1

RPS Instrumentation -Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE SR 3.3.2.4 (continued)

REQUIREMENTS because of the difficulty of simulating a meaningful signal.

Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

SR 3.3.2.5 This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive tests of a given channel of n x 24 months, where n is the number of channels in the Function. The 24 month Frequency is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

REFERENCES 1. 10 CFR 20.

2. 10 CFR 100.

3. SONGS Units 2 and 3 UFSAR, Section 7.2.

4. PPS Setpoint Calculation CE-NPSD-570.

5. NRC Safety Evaluation Report.

6. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.

7. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 2 B 3.3-51 Amendment No. 127 02/11/02

ESFAS Instrumentation B 3.3.5 BASES (continued)

ACTIONS B.1 and B.2 (continued) close, the electrical interlock and administrative controls are implemented meeting the requirement to have an inoperable channel in Bypass. This prevents any other channel from being put into Bypass, preserving the function's ability to trip with any other single channel failed.

C.1 The Required Action is modified by a Note stating that LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a one-out-of-two logic, which is adequate to ensure that no random failure wi 1 prevent protection system operation.

Condition C applies to the failure of two channels of one or more input parameters in the following ESFAS automatic trip Functions:

1. Safety Injection Actuation Signal Containment Pressure - High Pressurizer Pressure - Low

2. Containment Spray Actuation Signal Containment Pressure -High High Automatic SIAS

3. Containment Isolation Actuation Signal Containment Pressure - High

4. Main Steam Isolation Signal Steam Generator Pressure -Low

5. Emergency Feedwater Actuation Signal SG #1 (EFAS-1)

Steam Generator Level - Low

6. Emergency Feedwater Actuation Signal SG #2 (EFAS-2)

Steam Generator Level - Low With two inoperable channels, power operation may continue, provided one inoperable channel is Placed in bypass and the other channel is placed in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . With one channel of protective instrumentation bypassed, the ESFAS Function is in two-out-of-three logic in the bypassed input (continued)

SAN ONOFRE--UNIT 2 B 3.3-98 Amendment No. 127 07/18/01 1

CRIS B 3.3.9 BASES (continued)

SURVEILLANCE SR 3.3.9.5 REQUIREMENTS (continued) Every 18 months, a CHANNEL FUNCTIONAL TEST is performed on the manual CRIS actuation circuitry.

This test verifies that the trip push buttons are capable of opening contacts in the Actuation Logic as designed, de-energizing the initiation relays and providing Manual Trip of the function. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Survei lance when performed at a Frequency of once every 18 months.

SR 3.3.9.6 This Surveillance ensures that the train actuation response times are less than or equal to the maximum times assumed in the analyses. A time limit to isolate the control room is needed to ensure compliance with 10 CFR 50 Appendix A General Design Criterion 19. The 18 month frequency is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. The response time is tested from the module input; i.e., the radiation detector response is not measured. Testing of the final actuating devices is included in the Surveillance. Response time testing acceptance criteria are included in Reference 4.

REFERENCES 1. SONGS Units 2 and 3 UFSAR, Chapter 15.

2. SCE Calculation A-92-NF-003.

3. 10 CFR 50, Appendix A, GDC 19.

4. Licensee Controlled Specification 3.3.100, "RPS/ESFAS Response Times."

SAN ONOFRE--UNIT 2 B 3.3-150 Amendment No. 127 12/02/99 Re-issued on 08/20/01 I

FHIS B 3.3.10 BASES (continued)

SURVELLANCE SR 3.3.10.4 REQUIREMENTS (continued) Every 18 months, a CHANNEL FUNCTIONAL TEST is performed on the FHIS Manual Trip channel.

This Surveillance verifies that the trip push buttons are capable of opening contacts in the Actuation Logic as designed, de-energizing the initiation relays and providing Manual Trip of the Function. Operating experience has shown these components usually pass the Surveillance when performed at a Frequency of once every 18 months.

SR 3.3.10.5 CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

As found and as left channel calibration values are recorded. If the as found calibration is outside its Allowable Value, the plant specific setpoint analysis may be revised as appropriate, if the history of this setpoint and all other pertinent information indicate a need for setpoint revision. The setpoint analysis shall be revised before the next time this channel is calibrated.

The Frequency is based upon the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis.

REFERENCES 1. SONGS Units 2 and 3 UFSAR, Chapter 9.

2. SONGS Unit 2 Technical Specification Amendment No. 56.

3. Combustion Engineering Owners' Group Standard Technical Specifications, NUREG-1432.

SAN ONOFRE--UNIT 2 B 3.3-157 Amendment No. 127 03/26/01 1

PAM Instrumentation B 3.3.11 BASES (continued)

ACTIONS E.1 When the required channel of Function 18, 21, 24, or 25 becomes inoperable, Required Action E.1 requires the channel to be restored to OPERABLE status within 7 days. Continuous operation with the required channel inoperable is not acceptable because alternate indications are not available.

F.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.11-1. The applicable Condition referenced in the Table is Function dependent.

Each time Required Action C.1, D.1, or E.1 is not met, and the associated Completion Time has expired, Condition F is entered for that channel and provides for transfer to the appropriate subsequent Condition.

G.1 and G.2 If the Required Action and associated Completion Time of Condition C, D, or E are not met and Table 3.3.11-1 directs entry into Condition G. the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

H.1 Alternate means of monitoring Reactor Vessel Water Level and Containment Area Radiation have been developed and tested.

These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.7.2. The report provided to the NRC should discuss whether the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-172 Amendment No. 127 02/26/03 1

PAM Instrumentation B 3.3.11 BASES (continued)

SURVEILLANCE SR 3W3.11.4 REQUIREMENTS A CHANNEL CALIBRATION is performed every 18 months. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies the channel responds to the measured parameter within the necessary range and accuracy.

The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift.

SR 3.3W11.5 A CHANNEL CALIBRATION is performed every 24 months. The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 24 month calibration interval for the determination of the magnitude of equipment drift.

REFERENCES 1. SONGS Units 2 and 3 Regulatory Guide 1.97 Instrumentation Report #90010A, Rev. 49, dated October 22, 1999. I

2. Regulatory Guide 1.97, Revision 2.

3. NUREG-0737, Attachment 1.

4. UFSAR, Section 7.5.1.7.

SAN ONOFRE--UNIT 2 B 3.3-175 ' ATAmendment No. 127 07/26/01 l

Remote Shutdown System B 3.3.12 BASES (continued)

ACTIONS A.1 (continued) operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.3.12.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK for normally energized instrumentation is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-179 Amendment No. 127 04/24/01

Remote Shutdown System B 3.3.12 BASES (continued)

SURVEILLANCE SR 3.3.12.1 (continued)

REQUIREMENTS (continued) The Frequency is based on plant operating experience that I demonstrates channel failure is rare.

SR 3.3.12.2 CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to the measured parameter within the necessary range and accuracy.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

REFERENCES 1. 10 CFR 50, Appendix A. GDC 19.

2. NUREG-0712 NRC Safety Evaluation Report (SER), dated February 1981.

3. UFSAR Table 7.5-1, Safety-Related Display Instrumentation SAN ONOFRE--UNIT 2 B 3.3-180 Amendment No. 127 04/24/01

RCS Loops -MODES 1 and 2 B 3.4.4 BASES (continued)

APPLICABLE aspect for this LCO is the reactor coolant forced flow rate, SAFETY ANALYSES which is represented by the number of RCS loops in service.

(continued)

Both transient and steady state analyses have been performed to establish the effect of flow on DNB. The transient or accident analysis for the plant has been performed assuming four RCPs are in operation. The majority of the plant safety analyses are based on initial conditions at high core power or zero power. The accident analyses that are of most importance to RCP operation are the four pump coastdown, single pump locked rotor, single pump (broken shaft or coastdown), and rod withdrawal events (Ref. 1).

I RCS loops -MODES 1 and 2 satisfy Criterion 3 of the NRC Policy Statement.

LCO The purpose of this LCO is to require adequate forced flow for core heat removal. Flow is represented by having both RCS loops with both RCPs in each loop in operation for removal of heat by the two SGs. To meet safety analysis acceptance criteria for DNB, four pumps are required to be at rated power.

Each OPERABLE loop consists of two RCPs providing forced flow for heat transport to an SG that is OPERABLE in accordance with the Steam Generator Tube Surveillance Program. SG. and hence RCS loop, OPERABILITY with regard to SG water level is ensured by the Reactor Protection System (RPS) in MODES 1 and 2. A reactor trip places the plant in (continued)

SAN ONOFRE--UNIT 2 B 3.4-24 Amendment No. 127 09/02/02 1

Pressurizer B 3.4.9 BASES (continued)

APPLICABLE period after a loss of offsite power. While loss of offsite SAFETY ANALYSES power is a coincident occurrence assumed in the accident (continued) analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses.

The pressurizer satisfies Criterion 3 of the NRC Policy Statement.

LCO The LCO requirement for the pressurizer to be OPERABLE with water level

57% ensures that a steam bubble exists.

Limiting the maximum operating water volume preserves the steam space for pressure control. The LCO has been established to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 2 150 kW. The heaters are powered from buses 2B04 and 2B06. Each heater group requires 4 heaters to ensure at least 150 kW when powered by the diesel generators. The amount needed to maintain pressure is dependent on the ambient heat losses. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide subcooling margin to saturation can be obtained in the loops.

APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, Applicability has been designated for MODES 1 and 2. The Applicability is also provided for MODE 3. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup. The LCO does not apply to MODE 5 (Loops Filled) because LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System," applies.

The LCO does not apply to MODES 5 and 6 with partial loop operation.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-48 Amendment No. 161 05/15/02

Pressurizer Safety Valves B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The purpose of the two spring loaded pressurizer safety valves is to provide RCS overpressure protection. Operating in conjunction with the Reactor Protection System, two valves are used to ensure that the Safety Limit (SL) of 2750 psia is not exceeded for analyzed transients during operation in MODES 1, 2 and 3. During MODE 4, MODE 5, and MODE 6 with the reactor pressure vessel head on, overpressure protection is provided by operating procedures and LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System." For these conditions, American Society of Mechanical Engineers (ASME) requirements are satisfied with one safety valve.

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME, Boiler and Pressure Vessel Code,Section III (Ref. 1). The as-found lift pressure is 2500 psia, +3% or -2% (Ref. 4).

Following testing, pressurizer safety valves shall be set within +/-1% of the specified setpoint. The safety valves discharge steam from the pressurizer to a quench tank located in the containment (Ref. 2). The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The as-found upper pressure tolerance limit of +3% is based on limiting the RCS pressure to 120% of design pressure for the feedwater system pipe break event, and 110% of design pressure for all other design basis events. The as-found lower pressure tolerance limit of -2% is based on ensuring a reactor trip occurs on high pressurizer pressure prior to safety valve actuation (Ref. 4). The lift setting is for the ambient conditions associated with MODES 1, 2, and 3.

This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 120% of design pressure for the feedwater system pipe break event and 110% of design pressure for all other design basis events. The consequences of exceeding the ASME pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-51 Amendment No. 42'*156 3/22/01

Pressurizer Safety Valves B 3.4.10 BASES (continued)

APPLICABLE All accident analyses in the UFSAR that require safety valve SAFETY ANALYSES actuation assume operation of both pressurizer safety valves to limit increasing reactor coolant pressure (2500 psia system design pressure plus 3% for the as-found condition)

(Ref. 3). The overpressure protection analysis is also based on operation of both safety valves and assumes that the valves open at the high range of the setting (2500-psia system design pressure plus 1% for the as-set condition).

These valves must accommodate pressurizer insurges that could occur during a startup, rod withdrawal, ejected rod, loss of main feedwater, or main feedwater line break accident. The combined relief capacity of these valves is sufficient to limit the System pressure to within its Safety Limit of 2750 psia following a complete loss of turbine generator load while operating at RATED THERMAL POWER and assuming no reactor trip until the first Reactor Protective System trip setpoint (Pressurizer Pressure-High) is reached (i.e., no credit is taken for a direct reactor trip on the loss of turbine) and also assuming no operation of the steam dump valves. The startup accident establishes the minimum safety valve capacity. The startup accident is assumed to occur at < 15% power. Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code. Compliance with this specification is required to ensure that the accident analysis and design basis calculations remain valid.

The pressurizer safety valves satisfy Criterion 3 of the NRC Policy Statement.

LCO The two pressurizer safety valves are set to open at the RCS design pressure (2500 psia) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL, to maintain accident analysis assumptions, and to comply with ASME Code requirements. The as-found upper pressure tolerance limit of +3% is based on limiting the RCS pressure to 120% of design pressure for the feedwater system pipe break event, and 110% of design pressure for all other design basis events. The as-found lower pressure tolerance limit of -2% is based on ensuring a reactor trip occurs on high pressurizer pressure prior to safety valve actuation (Ref. 4). The limit protected by this specification is the reactor coolant pressure boundary (RCPB) SL of 110% or 120%

of design pressure. Inoperability of one or both valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-52 Amendment No. +2-T156 3/22/01

Pressurizer Safety Valves B 3.4.10 BASES (continued)

APPLICABILITY In MODES 1, 2, and 3, OPERABILITY of two valves is required because the combined capacity is required to keep reactor coolant pressure below 120% of design pressure for the feedwater system pipe break event and 110% of design pressure for all other design basis events. The relief capacity of a single safety valve is adequate to relieve any overpressure condition which might occur during MODE 4 with RCS cold leg temperature greater than the enable temperature specified in the Pressure/Temperature Limits.

The Note allows entry into MODE 3 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months exception is based on 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months outage time for each of the two valves.

The 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months period is derived from operating experience that hot testing can be performed within this timeframe.

ACTIONS A.1 With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS overpressure protection system. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the RCPB.

B.1 and B.2 If the Required Action cannot be met within the required Completion Time, or if two safety valves are inoperable, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

(continued)

SAN ONOFRE--UNIT 2 B 3.4-53 Amendment No. +27156 3/22/01 1

Pressurizer Safety Valves B 3.4.10 BASES (continued)

ACTIONS B.1 and B.2 (continued)

The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed is reasonable, based on operating experience, to reach MODE 3 from full power without challenging plant systems. Similarly, the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed is reasonable, based on operating experience, to reach MODE 4 without challenging plant systems. The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by two pressurizer safety valves.

SURVEILLANCE SR 3.4.10.1 REQUIREMENTS SRs are specified in the inservice testing program.

Pressurizer safety valves are to be tested one at a time and in accordance with the requirements of Section XI of the ASME Code (Ref. 1), which provides the activities and the Frequency necessary to satisfy the SRs.

The as-found pressurizer safety valve tolerance is +3% or

-2% for OPERABILITY. The as-found setpoints include instrument uncertainty (e.g., if instrument uncertainty is

+/- .25%, then the required as-found setpoint requirements would be + 2.75%/-1.75%). Following as-found testing, pressurizer safety valves shall be set within +/-1% of the specified setpoint.

REFERENCES 1. ASME, Boiler and Pressure Vessel Code,Section III, Section XI (OM 1987 Part 1).

2. UFSAR, Section 5.4

3. UFSAR, Section 15.

4. ABB Letter No. ST-96-623 dated December 19, 1996; subject: Transmittal and Completion of the SCE SONGS 2/3 PSV Tolerance Study.

SAN ONOFRE--UNIT 2 B 3.4-54 Amendment No. 12+'156 3/22/01

RCS Specific Activity B 3.4.16 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.16 RCS Specific Activity BASES BACKGROUND The Code of Federal Regulations, 10 CFR 100 (Ref. 1) specifies the maximum dose to the whole body and the thyroid an individual at the site boundary can receive for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months during an accident. The limits on specific activity ensure that the doses are held within Acceptance Criteria deemed allowable by design basis, UFSAR, or the 10 CFR 50.59 Program. I The RCS specific activity LCO limits the allowable concentration level of radionuclides in the reactor coolant.

The LCO limits are established to minimize the offsite radioactivity dose consequences in the event of a steam generator tube rupture (SGTR) accident.

The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and gross specific activity. The allowable levels are intended to limit the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months dose at the site boundary to within Acceptance Criteria deemed allowable by design basis, UFSAR, or the 10 CFR 50.59 Program. The I limits in the LCO are standardized based on generic parametric evaluations of offsite radioactivity dose consequences for typical site locations.

The parametric evaluations showed the potential offsite dose levels for a generic SGTR accident were an appropriately small fraction of the 10 CFR 100 dose guideline limits.

Each evaluation assumed a broad range of site applicable atmospheric dispersion factors in a parametric evaluation.

APPLICABLE The LCO limits on the specific activity of the reactor SAFETY ANALYSES coolant ensure that the resulting 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months doses at the site boundary will not exceed the 10 CFR 100 dose guideline limits within Acceptance Criteria deemed allowable by design basis, UFSAR. or the 10 CFR 50.59 Program following an SGTR I accident. The SGTR safety analysis (Ref. 2) assumes the specific activity of the reactor coolant is at the LCO limits and an existing reactor coolant steam generator (SG) tube leakage rate of 0.5 gpm per steam generator (1 gpm total).

(continued)

SAN ONOFRE--UNIT 2 B 3.4-88 Amendment No. 127 05/13/02

RCS Specific Activity B 3.4.16 BASES (continued)

APPLICABLE The analysis for the SGTR accident establishes the SAFETY ANALYSES acceptance limits for RCS specific activity. Reference to (continued) this analysis is used to assess changes to the facility that could affect RCS specific activity as they relate to the acceptance limits.

The rise in pressure in the ruptured SG causes radioactively contaminated steam to discharge to the atmosphere through the atmospheric dump valves or the main steam safety valves.

The atmospheric discharge stops when the turbine bypass to the condenser removes the excess energy to rapidly reduce the SG pressure and close the valves. The unaffected SG removes core decay heat by venting steam until the cooldown ends.

The safety analysis shows the radiological consequences of a SGTR accident are within Acceptance Criteria deemed allowable by design basis, UFSAR, or the 10 CFR 50.59 Program. Operation with iodine specific activity levels greater than the LCO limit is permissible, if the activity levels do not exceed the limits shown in Figure 3.4.16-1 for more than 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

The remainder of the above limit permissible iodine levels shown in Figure 3.4.16-1 are acceptable because of the low probability of an SGTR accident occurring during the established 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months time limit. The occurrence of an SGTR accident at these permissible levels could increase the site boundary dose levels, but still be within 10 CFR 100 dose guideline limits.

RCS specific activity satisfies Criterion 2 of the NRC Policy Statement.

LCO The specific iodine activity in the primary coolant is limited to 1.0 pCi/gm DOSE EQUIVALENT I-131, and the gross specific activity of radionuclides other than iodine in the primary coolant is limited to the number of pCi/gm equal to 100 divided by E (average disintegration energy of the sum of the average beta and gamma energies of the coolant nuclides). The limit on DOSE EQUIVALENT I-131 ensures the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months thyroid dose to an individual at the site boundary during the Design Basis Accident (DBA) will be within the allowed thyroid dose criterion. The limit on gross specific activity ensures the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months whole body dose to an individual at the site boundary during the DBA will be within the allowed whole body dose criterion.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-89 Amendment No. 127 05/13/02

ECCS - Operating B 3.5.2 BASES (continued)

SURVEILLANCE SR 3.5.2.1 and 3.5.2.2 REQUIREMENTS SR 3.5.2.1 verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removing power or by key locking the control in the correct position ensures that the valves cannot be inadvertently misaligned or change position as the result of an active failure. These valves (with the exception of HV-8162 and HV-8163) are of the type described in Reference 5, which can disable the function of both ECCS trains and invalidate the accident analysis. (NOTE: A failure to open LPSI miniflow isolation valve HV-8162 or HV-8163 makes only the corresponding LPSI train inoperable.

Misalignment of one of these two valves could not render both ECCS trains inoperable.) SDC Standby Flow Control Valve HV-0396 may be temporarily powered up for stroking, providing one block valve upstream or downstream of this valve (MU-081 or MU-082) is closed. The closure of either of these two block valves will serve the same function as the closure of HV-0396. However, the stroke test of HV-0396 will render SR 3.5.2.1 not satisfied and Condition B of LCO 3.5.2 is entered for both ECCS trains. After completion of stroking HV-0396 should be closed and power locked-out. The block valve, which was temporarily closed, is left open.

SR 3.5.2.2 verification of the proper positions of the Containment Emergency Sump isolation valves and ECCS pumps/containment spray pumps miniflow valves ensures that ECCS operability and containment integrity are maintained.

Securing these valves in position with power available will provide additional assurance that these valves will operate on a RAS. A 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is considered reasonable in.

view of other administrative controls ensuring that a mispositioned valve is an unlikely possibility.

SR 3.5.2.3 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve (continued)

SAN ONOFRE--UNIT 2 8 3.5-18 Amendment No. 127 03/14/02 l

ECCS - Operating B 3.5.2 BASES (continued)

SURVEILLANCE '.SR 3.5.2.3 (continued)

REQUIREMENTS manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The 31 day Frequency is appropriate because the valves are operated under procedural control and an improper valve position would only affect a single train. This Frequency has been shown to be acceptable through operating experience.

SR 3.5.2.4 The ECCS pumps are normally in a standby, nonoperating mode.

As such, flow path piping has the potential to develop voids and pockets of entrained gases. Maintaining the piping from the ECCS pumps to the RCS full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an SIAS or during SDC. The 31 day Frequency takes into consideration the gradual nature of gas accumulation in the ECCS piping and the adequacy of the procedural controls governing system operation.

SR 3.5.2.5 Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by Section XI of the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. SRs are specified in the Inservice Testing Program, which encompassesSection XI of the ASME Code.Section XI of the ASME Code provides the activities and Frequencies necessary to satisfy the requirements.

SR 3.5.2.6 Deleted (continued)

SAN ONOFRE--UNIT 2 B 3.5-19 Amendment No. 127 03/14/02 l

ECCS -Operating B 3.5.2 BASES (continued)

SURVEILLANCE SR 3.5.2.7. SR 3.5.2.8. and SR 3.5.2.9 REQUIREMENTS (continued) These SRs demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SIAS and/or an actual or simulated RAS as appropriate to each valve, that each ECCS pump starts on receipt of an -

actual or simulated SIAS, and that the LPSI pumps stop on receipt of an actual or simulated RAS. As a part of SR 3.5.2.8, subgroup relay K108 starts the pumps on a safety injection actuation signal. I The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a plant outage and the potential for unplanned transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability (and confirming operating experience) of the equipment. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

SR 3.5.2.

Periodic inspection of the containment sump ensures that it is unrestricted and stays in proper operating condition.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during an outage, on the need to have access to the location. This Frequency is sufficient to detect abnormal degradation and is confirmed by operating experience.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-20 Amendment No. 127 07/17/01 1

Containment B 3.6.1 BASES (continued)

BACKGROUND 2. closed by manual valves, blind flanges, or (continued) de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3,

'Containment Isolation Valves."

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks."

APPLICABLE The safety design basis for the containment is that the SAFETY ANALYSES containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The DBAs that result in a release of radioactive material within containment are a loss of coolant accident, a main steam line break (MSLB), and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 2). This I leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, P , at 45.9 psig (Ref. 4). P. will conservatively I be assumed to be equal to the calculated peak containment internal pressure resulting from the design basis Main Steam Line Break, 56.5 psig (Ref. 4), for the purpose of I containment testing in accordance with this Technical Specification.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of the NRC Policy Statement.

LCO Containment OPERABILITY is maintained by limiting leakage to

1.0 L,, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.

Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-2 Amendment No. 182 04/29/03 l

Containment B 3.6.1 BASES (continued)

SURVEILLANCE SR 3.6.1.1 REQUIREMENTS Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock and purge valve with resilient seal leakage limits specified in LCO 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to overall Type A, B. and C leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be

0.6 La for combined Type B and C leakage following an outage or shutdown that included Type B and C testing only, and

0.75 L.for overall Type A leakage following an outage or shutdown that included Type A testing. At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of

1.0 La. At

1.0 La the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies are as specified in the Containment Leakage Rate Testing Program.

Thus, SR 3.0.2 (which allows Frequency extensions) does not apply. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.

SR 3.6.1.2 For ungrouted, post tensioned tendons, this SR ensures that the structural integrity of the containment will be maintained in accordance with the provisions of the Containment Tendon Surveillance Program. Testing and Frequency are consistent with the recommendations of Regulatory Guide 1.35 (Ref. 3).

REFERENCES 1. 10 CFR 50, Appendix J. Option B.

2. SONGS Units 2 and 3 UFSAR, Section 15 I

3. Regulatory Guide 1.35, Revision 3

4. SONGS Units 2 and 3 UFSAR, Section 6.2 SAN ONOFRE--UNIT 2 B 3.6-4 Amendment No. 127 04/29/03 l

Containment Air Locks B 3.6.2 BASES (continued)

APPLICABLE For atmospheric containment, the DBAs that result in a SAFETY ANALYSES release of radioactive material within containment are a loss of coolant accident (LOCA), a main steam line break (MSLB) and a control element assembly (CEA) ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as L.: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, P,, at 45.9 psig (Ref. 3). P. will conservatively be assumed to be equal to the calculated peak containment internal pressure resulting from the design basis Main Steam I Line Break, 56.5 psig (Ref. 3), for the purpose of containment testing in accordance with this Technical Specification. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.

The containment air locks satisfy Criterion 3 of the NRC Policy Statement.

LCO Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The door seals and sealing surface are considered a part of the air lock. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-6 Amendment No. 182 02/11/02 l

Containment Air Locks B 3.6.2 BASES (continued)

SURVEILLANCE SR 3.6.2.2 (continued)

REQUIREMENTS considered adequate in view of other indications of door and interlock mechanism status available to operations personnel.

REFERENCES 1. 10 CFR 50, Appendix J. Option B.

2. UFSAR, Section 15. I

3. UFSAR, Section 6.2.

SAN ONOFRE--UNIT 2 B 3.6-12 Amendment No. 127 04/29/03 l

Containment Isolation Valves B 3.6.3 BASES (continued)

LCO Containment isolation valves form a part of the containment boundary. The containment isolation valve safety function is related to control of containment leakage rates during a DBA.

The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The purge valves must be maintained sealed closed. The valves covered by this LCO are listed with their associated stroke times in the SONGS Units 2 and 3 UFSAR (Ref. 1).

The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact. These passive isolation valves or devices are those listed in Reference 1. I Purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.

This LCO provides assurance that the containment isolation valves and purge valves will perform their designed safety functions to control leakage from the containment during accidents.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Therefore, the containment isolation valves are not required to be OPERABLE in MODE 5. The requirements for containment isolation valves during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS The ACTIONS are modified by a Note allowing penetration flow paths, except for 42 inch purge valve penetration flow paths, to be unisolated intermittently under administrative (continued)

SAN ONOFRE--UNIT 2 B 3.6-16 Amendment No. 127 04/29/03 l

Containment Isolation Valves B 3.6.3 BASES (continued)

ACTIONS D.1. D.2. and D.3 (continued)

In the event one or more containment purge valves in one or more penetration flow paths are not within the purge valve leakage limits, purge valve leakage must be restored to within limits, or the affected penetration must be isolated.

The method of isolation must be by the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve with resilient seals, a closed manual valve with resilient seals, or a blind flange. A purge valve with resilient seals utilized to satisfy Required Action D.1 must have been demonstrated to meet the leakage requirements of SR 3.6.3.6.

The specified Completion Time is reasonable, considering that one containment purge valve remains closed so that a gross breach of containment does not exist.

In accordance with Required Action D.2, this penetration flow path must be verified to be isolated on a periodic basis. The periodic verification is necessary to ensure that containment penetrations required to be isolated following an accident, which are no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, that those isolation devices outside Containment capable of being mispositioned are in the correct position. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.

For the containment purge valve with resilient seal that is isolated in accordance with Required Action D.1, SR 3.6.3.6 must be performed at least once every 184 days. This assures that degradation of the resilient seal is detected and confirms that the leakage rate of the containment purge valve does not increase during the time the penetration is isolated. The normal Frequency for SR 3.6.3.6, 184 days, is based on an NRC initiative, Generic Issue B-20 (Ref. 2).

(continued)

SAN ONOFRE--UNIT 2 B 3.6-21 Amendment No. 127 04/29/03 1

Containment Isolation Valves B 3.6.3 BASES (continued)

ACTIONS D.1. D.2. and D.3 (continued)

Since more reliance is placed on a single valve while in this Condition, it is prudent to perform the SR more often.

Therefore, a Frequency of once per 184 days was chosen and has been shown to be acceptable based on operating experience.

E.1. E.2. F.1. and F.2 These Actions require certain containment isolation valves to be secured in their ESFAS actuated position and restore the inoperable valve to OPERABLE status. Section D.2 valves HV9200, HV0352A, HV0352B, HV0352C, and HV0352D receive no ESFAS signal. The ESFAS actuated position for these normally locked open valves is understood to be open.

The completion time (CT) for Section D.1 and D.2 valves is based on restoring the ESF System to OPERABLE status.

Therefore, the appropriate completion time is based on the specific ESF System Requirements.

The second completion times for Section D.1 and D.2 Valves are different based on the results of specific risk evaluations for valves that may be secured open. The second completion times are for restoring complete (open and close) operability of the valves.

Section D.1 and D.2 valves may be placed into the required action condition to allow periodic testing and testing following maintenance.

Section D.1 and D.2 valves which are closed and de-activated are OPERABLE for fulfilling their containment isolation function. Such valves are inoperable for purposes of fulfilling the safety function of their ESF system, and the applicable LCO must be entered for the affected system.

G.1 and G.2 If the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-22 Amendment No. 127 10/24/01 l

Containment Isolation Valves B 3.6.3 BASES (continued)

SURVEILLANCE SR 3.6.3.1 REQUIREMENTS Each 42 inch containment purge valve is required to be verified sealed closed at 31 day intervals. This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious opening of a containment purge valve. Detailed analysis of the purge valves failed to conclusively demonstrate their ability to close during a LOCA in time to limit offsite doses. Therefore, these valves are required to be in the sealed closed position during MODES 1, 2, 3, and 4. A containment purge valve that is sealed closed must have motive power to the valve operator removed. This can be accomplished by de-energizing the source of electric power or by removing the air supply to the valve operator. In this application, the term sealed" has no connotation of leak tightness. The Frequency is a result of an NRC initiative, Generic Issue B-24 (Ref. 3), related to containment purge valve use during unit operations. This SR is not required to be met while in Condition D of this LCO.

This is reasonable since the penetration flow path would be isolated.

SR 3.6.3.2 This SR ensures that the minipurge valves are closed as required or, if open, open for an allowable reason. The SR is not required to be met when the purge valves are open for pressure control, ALARA or air quality considerations for personnel entry, or for Surveillances that require the valves to be open. The minipurge valves are capable ofclosing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The 31 day Frequency is consistent with other containment isolation valve requirements discussed in SR 3.6.3.3.

SR 3.6.3.3 This SR requires verification that each containment isolation manual valve and blind flange located outside containment and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification, that those valves outside containment and capable of being mispositioned are in the correct position. Since (continued)

SAN ONOFRE--UNIT 2 B 3.6-23 Amendment No. 127 06/09/00 Re-issued 08/01/01 I

Containment Isolation Valves B 3.6.3 BASES (continued)

SURVEILLANCE SR 3.6.3.5 REQUIREMENTS (continued) Verifying that the isolation time of each power operated and automatic containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.

SR 3.6.3.6 For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J, Option B. (Ref. 4), is required to ensure OPERABILITY. Operating experience has demonstrated that this type of seal has the potential to degrade in a shorter time period than do other seal types.

Based on this observation and the importance of maintaining this penetration leak tight (due to the direct path between containment and the environment), a Frequency of 184 days was established as part of the NRC resolution of Generic Issue B-20, "Containment Leakage Due to Seal Deterioration" (Ref. 2).

Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling the valve could introduce additional seal degradation (beyond that occurring to a valve that has not been opened). Thus, decreasing the interval (from 184 days) is a prudent measure after a valve has been opened.

A Note to this SR requires the results to be evaluated against the acceptance criteria of SR 3.6.1.1. This ensures that excessive containment purge valve leakage is properly accounted for in determining the overall containment leakage rate to verify containment OPERABILITY.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-25 Amendment No. 127 04/29/03 l

Containment Isolation Valves B 3.6.3 BASES (continued)

SURVEILLANCE SR 3.6.3.7 REQUIREMENTS (continued) The containment isolation valves covered by this SR are required to be demonstrated OPERABLE at the indicated frequency.This SR is modified by two notes. Note 1 specifies that the provisions of the Inservice Testing Program are not applicable when the valves are secured open.

The second note indicates that SR 3.0.4 is not applicable.

SR 3.6.3.8 Automatic containment isolation valves close on an actuation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures each automatic containment isolation valve will actuate to its isolation position on an actuation signal. The 24 month Frequency was developed considering it is prudent that this SR be performed only during a unit outage, since isolation of penetrations would eliminate cooling water flow and disrupt normal operation of many critical components. Operating experience has shown that these components usually pass this SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES 1. SONGS Units 2 and 3 UFSAR, Section 6.2.

2. Generic Issue B-20.

3. Generic Issue B-24.

4. 10 CFR 50, Appendix J. Option B.

SAN ONOFRE--UNIT 2 B 3.6-26 Amendment No. 127 04/29/03 l

Containment Pressure B 3.6.4 B 3.6 CONTAINMENT SYSTEMS B 3.6.4 Containment Pressure BASES BACKGROUND The containment pressure is limited during normal operation to preserve the initial conditions assumed in the accident anal yses for a loss of coolant accident (LOCA) or main steam line break (MSLB). These limits also prevent the containment pressure from exceeding the containment design negative pressure differential with respect to the outside atmosphere in the event of inadvertent actuation of the Containment Spray System.

Containment pressure is a process variable that is monitored and controlled. The containment pressure limits are derived from the input conditions used in the containment functional analyses and the containment structure external pressure analysis. Should operation occur outside these limits coincident with a Design Basis Accident (DBA), post accident containment pressures could exceed calculated values.

APPLICABLE Containment internal pressure is an initial condition used SAFETY ANALYSES in the DBA analyses to establish the maximum peak containment internal pressure. The limiting DBAs considered for determining the maximum containment internal pressure (Pa) are the LOCA and MSLB. An MSLB at 3458 MWt power with a single failure of one main steam isolation valve (MSIV) to close results in the highest calculated internal containment pressure of 56.5 psig, which is below the internal design pressure of 60 psig. The postulated DBAs are also analyzed assuming degraded containment Engineering Safety Feature II I

(ESF) systems (i.e., assuming the loss of one ESF bus, or in the case of a LOCA, a failure of one diesel generator to start, resulting in one train of the Containment Spray System and one train of the Containment Cooling System being I

rendered inoperable). The ESF bus single failure is more limiting for the LOCA event but not for the MSLB event. It is the maximum containment pressure that is used to ensure that the licensing basis dose limitations are met (Reference 1).

The initial pressure condition used in the containment analysis was the LCO limit of 1.5 psig plus 0.6 psig effective instrumentation total loop uncertainty. This resulted in a maximum peak pressure from an MSLB of 56.5 psig.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-27 Amendment No. 182 07/11/02 l

Containment Pressure B 3.6.4 BASES (continued)

APPLICABLE This value is below the design value of 60 psig. The SAFETY ANALYSES containment was also designed for an internal pressure equal (continued) to 5.0 psig below external pressure in order to withstand the resultant pressure drop from an accidental actuation of the Containment Spray System. The LCO limit of -0.3 psig ensures that operation within the design limit of -5.0 psig is maintained. The maximum calculated external pressure that would occur as a result of an inadvertent actuation of the Containment Spray System is 4.2 psig.

Containment pressure satisfies Criterion 2 of the NRC Policy Statement.

LCO Maintaining containment pressure less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peak containment accident pressure will remain below the containment design pressure. Maintaining containment pressure greater than or equal to the LCO lower pressure limit ensures that the containment will not exceed the design negative pressure differential following the inadvertent actuation of the Containment Spray System.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure within limits is essential to ensure initial conditions assumed in the accident analysis are maintained, the LCO is applicable in MODES 1. 2, 3, and 4.

In MODES 5 and 6. the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment pressure within the limits of the LCO is not required in MODE 5 or 6.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-28 Amendment No. 182 02/11/02 l

Containment Air Temperature B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Containment Air Temperature BASES BACKGROUND The containment structure serves to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a loss of coolant accident (LOCA) or main steam line break (MSLB).

The containment average air temperature limit is derived from the input conditions used in the containment functional analyses and the containment structure external pressure analyses. This LCO ensures that initial conditions assumed in the analysis of containment response to a DBA are not violated during unit operations. The total amount of energy to be removed from containment by the Containment Spray and Cooling systems during post accident conditions is dependent on the energy released to the containment due to the event, as well as the initial containment temperature and pressure.

The higher the initial temperature, the more energy that must be removed, resulting in a higher peak containment pressure and temperature. Exceeding containment design pressure may result in leakage greater than that assumed in the accident analysis (Ref. 2). Operation with containment I temperature in excess of the LCO limit violates an initial condition assumed in the accident analysis.

APPLICABLE Containment average air temperature is an initial condition SAFETY ANALYSES used in the DBA analyses that establishes the containment environmental qualification operating envelope for both pressure and temperature. The limit for containment average air temperature ensures that operation is maintained within the assumptions used in the DBA analysis for containment.

The accident analyses and evaluations considered both LOCAs and MSLBs for determining the maximum peak containment pressures and temperatures. The worst case MSLB generates larger mass and energy releases than the worst case LOCA.

Thus, the MSLB event bounds the LOCA event from the containment peak pressure and temperature standpoint. The (continued)

SAN ONOFRE--UNIT 2 B 3.6-30 Amendment No. 127 04/29/03 1

Containment Air Temperature B 3.6.5 BASES (continued)

APPLICABLE initial pre-accident temperature inside containment was SAFETY ANALYSES assumed to be 1200F (Ref. 1).

(continued)

The initial containment average air temperature condition of 1200F resulted in a maximum vapor temperature in containment of 409'F. The containment average air temperature limit of 1200F ensures that, in the event of an accident, the I

temperature of the containment steel liner and concrete structure do not exceed the maximum design temperature of 300 0F for containment. The consequence of exceeding this design temperature may be the potential for degradation of the containment structure under accident loads.

Containment average air temperature satisfies Criterion 2 of the NRC Policy Statement.

LCO During a DBA, with an initial containment average air temperature less than or equal to the LCO temperature limit, the resultant accident temperature profile assures that the containment structural temperature is maintained below its design temperature and that required safety related equipment will continue to perform its function.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Therefore, maintaining containment average air temperature within the limit is not required in MODE 5 or 6.

ACTIONS A.1 When containment average air temperature is not within the limit of the LCO, it must be restored to within limit within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This Required Action is necessary to return operation to within the bounds of the containment analysis.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-31 Amendment No. 182 05/02/02 1

Containment Spray and Cooling Systems B 3.6.6.1 BASES (continued)

BACKGROUND Containment Sprav System (continued) operator in accordance with the emergency operating procedures.

Containment Cooling System Two trains of containment cooling, each of sufficient capacity to supply 50% of the design cooling requirement, are provided. Two trains with two fan units each are supplied with cooling water from the Component Cooling Water System. All four fans are required to furnish the design cooling capacity. Air is drawn into the coolers through the fans and discharged to the steam generator compartments and pressurizer compartment.

In post accident operation following a containment cooling actuation signal (CCAS), all four Containment Cooling System fans are designed to start automatically. Cooling is from the Component Cooling Water (CCW) System. The temperature of the CCW System water is an important factor in the heat removal capability of the fan units.

APPLICABLE The Containment Spray System and Containment Cooling System SAFETY ANALYSES limit the temperature and pressure that could be experienced following a DBA. The limiting DBAs considered relative to containment temperature and pressure are the loss of coolant accident (LOCA) and the main steam line break (MSLB). The DBA LOCA and MSLB are analyzed using computer codes designed to predict the resultant containment pressure and temperature transients. No DBAs are assumed to occur simultaneously or consecutively. The postulated DBAs are analyzed with regard to various single active failures of containment ESF systems, including the loss of one ESF bus, resulting in one train of the containment spray system and one train of the Containment Cooling System being rendered inoperable.

The analysis and evaluation show that under the worst case scenario, the highest peak containment pressure is 56.5 psig (experienced during an MSLB with a single active failure of one main steam isolation valve (MSIV) to close). The analysis shows that the peak containment vapor temperature is 409'F (experienced during the same MSLB).

(continued)

SAN ONOFRE--UNIT 2 B 3.6-35 Amendment No. 182 02/11/02

Containment Spray and Cooling Systems B 3.6.6.1 BASES (continued)

APPLICABLE Both results are within the design. (See the Bases for SAFETY ANALYSES Specifications 3.6.4, "Containment Pressure," and 3.6.5, (continued) Containment Air Temperature," for a detailed discussion.)

The analyses and evaluations assume a power level of 102% of 3390 MWt (100% + 2% for instrument error of the original RTP of 3390 MWt. Increased instrument accuracy has allowed an increase to the Licensed RTP to the current level of 3438 MWt), and initial (pre-accident) conditions of 1200 F and the LCO 3.6.4 limit of 1.5 psig plus 0.6 psig effective instrumentation total loop uncertainty. The analyses also assume a response time delayed initiation in order to provide a conservative calculation of peak containment pressure and temperature responses.

The effect of an inadvertent containment spray actuation has been analyzed. An inadvertent spray actuation reduces the containment pressure to -4.2 psig due to the sudden cooling effect in the interior of the air tight containment.

Additional discussion is provided in the Bases for Specification 3.6.4.

The modeled Containment Spray System actuation from the containment analysis is based upon a response time associated with exceeding the containment High-High pressure setpoint coincident with an SIAS to achieve full flow through the containment spray nozzles. The Containment Spray System total response time includes diesel generator startup (for loss of offsite power), block loading of equipment, containment spray pump startup, and spray line filling (Ref. 2).

The performance of the containment cooling train for post accident conditions is given in Reference 2. The result of the analysis is that each train can provide 50% of the required peak cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions, required to perform the accident analyses, is also shown in Reference 2.

The modeled Containment Cooling System actuation from the containment analysis is based upon the unit specific response time associated with exceeding the CCAS to achieve full Containment Cooling System air and CCW System water flow.

The Containment Spray System and the Containment Cooling System satisfy Criterion 3 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-36 Amendment No. 182 02/11/02 l

Containment Spray and Cooling Systems B 3.6.6.1 BASES (continued)

LCO During a DBA, a minimum of two containment cooling trains or two containment spray trains, or one of each, is required to maintain the containment peak pressure and temperature below the design limits (Ref. 2). Additionally, one containment spray train is also required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two containment spray trains and two containment cooling units must be OPERABLE. Therefore, in the event of an accident, the minimum requirements are met, assuming that the worst case single active failure occurs.

Each Containment Spray System includes a spray pump, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST upon an ESF actuation signal and automatically transferring suction to the containment sump.

Each Containment Cooling System includes demisters, cooling coils, dampers, fans, instruments, and controls to ensure an OPERABLE flow path.

APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the containment spray trains and containment cooling trains.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Thus, the Containment Spray and Containment Cooling systems are not required to be OPERABLE in MODES 5 and 6.

ACTIONS A.1 With one containment spray train inoperable, the inoperable containment spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. A Configuration Risk Management (CRMP) defined in the Administrative Controls Section 5.5.2.14 is implemented in the event of (continued)

SAN ONOFRE--UNIT 2 B 3.6-37 Amendment No. 127 04/29/03

Containment Spray and Cooling Systems B 3.6.6.1 BASES (continued)

ACTIONS A.1 (continued)

Condition A. The 7-day Completion Time is based on the findings of the deterministic and probabilistic analysis that was reviewed and approved in Reference 3. Seven days is a reasonable amount of time to perform many corrective and preventive maintenance items on the affected Containment Spray Train.

The 14 day portion of the Completion Time is based upon engineering judgement. It takes into account the low probability of coincident entry into two conditions in this Specification coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, "Completion Times," for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

B.1 and B.2 If the inoperable containment spray train cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. The extended interval to reach MODE 4 allows additional time for the restoration of the containment spray train and is reasonable when considering that the driving force for a release of radioactive material from the Reactor Coolant System is reduced in MODE 3.

C.1 With one required containment cooling train inoperable, the inoperable containment cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Containment Spray System and Containment Cooling System and the low probability of a DBA occurring during this period.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-38 Amendment No. 127 04/29/03 l

Containment Spray and Cooling Systems B 3.6.6.1 BASES (continued)

SURVEILLANCE SR 3.6.6.1.7 REQUIREMENTS (continued) This SR verifies that each containment cooling train actuates upon receipt of an actual or simulated actuation signal. The 24 month Frequency is based on engineering judgment and has been shown to be acceptable through operating experience. See SR 3.6.6.1.6 and SR 3.6.6.1.7, above, for further discussion of the basis for the 24 month Frequency.

SR 3.6.6.1.8 With the containment spray inlet valves closed and the spray header drained of any solution, low pressure air or smoke can be blown through test connections. Performance of this SR demonstrates that each spray nozzle is unobstructed and provides assurance that spray coverage of the containment during an accident is not degraded. Due to the passive design of the nozzle, a test at 10 year intervals is considered adequate to detect obstruction of the spray nozzles.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 38, GDC 39, GDC 40, GDC 41, GDC 42, and GDC 43.

2. SONGS Units 2 and 3 UFSAR, Section 6.2.

3. CE-NPSD-1045, "Joint Applications Report, Modifications to the Containment Spray System, and the Low Pressure Safety Injection System Technical Specifications," March 1998.

SAN ONOFRE--UNIT 2 B 3.6-42 Amendment No. 127 04/29/03 l

MSSVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Safety Valves (MSSVs)

BASES BACKGROUND The primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSVs also provide protection against overpressurizing the reactor coolant pressure boundary by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Nine MSSVs are located on each main steam header, outside containment, upstream of the main steam isolation valves, as described in the UFSAR, Section 5.2 (Ref. 1). The MSSVs' rated capacity passes the full steam flow at 102% of 3390 MWt (100% + 2% for instrument error of the original RATED THERMAL POWER [RTP] of 3390 MWt. Increased instrument accuracy has allowed an increase to the Licensed RTP to the current level of 3438 MWt) with the valves full open. This meets the requirements of Section III of the ASME Code (Ref. 2).

The ASME requirement that MSSVs lift settings should be within 1% of the specified setpoint reflects two separate objectives: the objective to maintain lift setpoints within the bounds of the Safety Analysis and an objective to minimize the number of valves which operate to mitigate an event by staggering the valve setpoints.

This second requirement to stagger setpoints reflects good engineering design, but not safety requirements. The objective to stagger valve setpoints constrains the less restrictive Safety Analysis requirement as a condition of Operability.

The radiological release assumptions used in the Steam Generator Tube Rupture dose assessment bound the source terms which are based on a low MSSV setpoint of 1100 psia with 15% MSSV blowdown, and considering the appropriate setpoint tolerance.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-1 Amendment No. 127 08/13/01

AFW System B 3.7.5 BASES (continued)

APPLICABLE steam turbine driven AFW pump. In such a case, the EFAS SAFETY ANALYSES logic might not detect the affected steam generator if the (continued) backflow check valve to the affected MFW header worked properly. Sufficient flow would be delivered to the intact I steam generator by the redundant AFW pump.

The AFW System satisfies Criterion 3 of the NRC Policy Statement.

LCO This LCO requires that three AFW trains be OPERABLE to ensure that the AFW System will perform the design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent AFW pumps, in two diverse trains, ensure availability of residual heat removal capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering two pumps from independent emergency buses. The third AFW pump is powered by a diverse means, a steam driven turbine supplied with steam from a source not isolated by the closure of the MSIVs.

The AFW System is considered to be OPERABLE when the components and flow paths required to provide AFW flow to the steam generators are OPERABLE. This requires that the two motor driven AFW pumps be OPERABLE in two diverse paths, each supplying AFW to a separate steam generator. The turbine driven AFW pump shall be OPERABLE with redundant steam supplies from each of the two main steam lines upstream of the MSIVs and capable of supplying AFW flow to either of the two steam generators. The piping, valves, instrumentation, and controls in the required flow paths shall also be OPERABLE.

The LCO is modified by a Note indicating that only one AFW train, which includes a motor driven pump, is required to be OPERABLE in MODE 4. This is because of reduced heat removal requirements, the short period of time in MODE 4 during which AFW is required, and the insufficient steam supply available in MODE 4 to power the turbine driven AFW pump.

The LCO Note 2 indicating that the steam driven AFW pump is OPERABLE when running and controlled manually to support plant start-ups, plant shut-downs, and AFW pump and valve testing is necessary because: If a Main Steam Line Break (continued)

SAN ONOFRE--UNIT 2 B 3.7-26 Amendment No. 127 02/28/01 l

AFW System B 3.7.5 BASES (continued)

LCO (MSLB) occurs, causing MSIS initiation followed by EFAS I (continued) initiation, while the turbine driven AFW pump is operating, the steam driven AFW pump turbine can trip on overspeed.

However, the best estimate is that by operating the steam driven AFW Pump in manual, the cumulative core damage frequency CDF decreases by approximately 2E-10/yr. The value of 2E-10/yr is based on the assumption that the steam driven AFW pump is operated in the manual mode approximately 500 minutes per year. This decrease in CDF is a result of the steam driven AFW Pump being available for all other required uses while operating in manual.

APPLICABILITY In MODES 1, 2, and 3, the AFW System is required to be OPERABLE and to function in the event that the MFW is lost.

In addition, the AFW System is required to supply enough makeup water to replace steam generator secondary inventory, lost as the unit cools to MODE 4 conditions.

In MODE 4, the AFW System may be used for heat removal via the steam generator.

In MODES 5 and 6, the steam generators are not normally used for decay heat removal, and the AFW System is not required.

ACTIONS A.1 If one of the two steam supplies to the turbine driven AFW pumps is inoperable, action must be taken to restore OPERABLE status within 7 days. The 7 day Completion Time is reasonable based on the following reasons:

a. The redundant OPERABLE steam supply to the turbine driven AFW pump;

b. The availability of redundant OPERABLE motor driven AFW pumps; and

c. The low probability of an event requiring the inoperable steam supply to the turbine driven AFW pump.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-27 Amendment No. 127 02/28/01 l

AFW System B 3.7.5 BASES (continued)

SURVEILLANCE SR 3.7.5.2 (continued)

REQUIREMENTS LCO 3.7.5 permits plant operation in MODE 4 with one motor driven AFW pump and/or the turbine driven AFW pump inoperable. During plant operation in MODE 4, the turbine driven AFW pump does not have to be surveilled because steam generator pressure is less than 800 psig (NOTE for SR 3.7.5.2). During plant operation in MODE 4 with one motor driven AFW pump inoperable, SR 3.7.5.2 does not have to be performed on the inoperable motor driven pump (SR 3.0.1), and n remains at 3, where n is the total number of designated components in the definition of STAGGERED TEST BASIS. Therefore, performance of SR 3.7.5.2 on the OPERABLE motor driven AFW pump is only required every 3 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established.

This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.3 This SR ensures that AFW can be delivered to the appropriate steam generator or that the AFW system is isolated, in the event of any accident or transient that generates an EFAS or MSIS signal, respectively, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal.

Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-32 Amendment No. 127 03/28/02 1

CST T-121 and T-120 B 3.7.6 BASES (continued)

LCO To satisfy accident analysis assumptions, the CST must contain sufficient cooling water to remove decay heat for 30 minutes following a reactor trip from 102% of 3390 MWt (100% + 2% for instrument error of the original RTP of 3390 MWt. Increased instrument accuracy has allowed an increase to the Licensed RTP to the current level of 3438 MWt), and then cool down the RCS to SDC entry conditions, assuming a coincident loss of offsite power and the most adverse single failure. In doing this it must retain sufficient water to ensure adequate net positive suction head for the AFW pumps during the cooldown, as well as to account for any losses from the steam driven AFW pump turbine, or before isolating AFW to a broken line.

The combined volume of CST ensures that sufficient water is available to maintain the unit in MODE 3 for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months including cooldown to shutdown cooling initiation.

OPERABILITY of the CST is determined by maintaining the tank volume at or above the minimum required volume.

APPLICABILITY In MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the CST is required to be OPERABLE.

In MODES 5 and 6, the CST is not required because the AFW System is not required.

ACTIONS A.1 and A.2 If the CST volume is not within the limit, the OPERABILITY of the backup water supply must be verified by administrative means within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

OPERABILITY of the backup feedwater supply must include verification of the OPERABILITY of flow paths from the backup supply to the AFW pumps, and availability of the required volume of water in the backup supply. The CST volume must be returned to OPERABLE status within 7 days, as the backup supply may be performing this function in addition to its normal functions. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable, based on operating experience, to verify the OPERABILITY of the backup water supply. The 7 day Completion Time is reasonable, based on an OPERABLE backup water supply being available, and the low probability of an event requiring the use of the water from the CST occurring during this period.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-37 Amendment No. 127 08/13/01

CST T-121 and T-120 B 3.7.6 BASES (continued)

ACTIONS B.1 and B.2 If the CST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4, without reliance onsteam generator for heat removal, within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.6.1 REQUIREMENTS This SR verifies that the CST contains the required volume of cooling water. The required volume of cooling water in CST T-121 is 144,000 gallons. The required volume of cooling water in CST T-120 is 360,000 gallons above the tank's zero datum. That corresponds to approximately 81% of useable volume above the zero datum. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is based on operating experience, and the need for operator awareness of unit evolutions that may affect the CST inventory between checks. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is considered adequate in view of other indications in the control room, including alarms, to alert the operator to abnormal CST level deviations.

REFERENCES 1. UFSAR, Section 9.2.6.

2. UFSAR, Chapter 3

3. UFSAR, Chapter 6.

4. UFSAR, Chapter 15.

SAN ONOFRE--UNIT 2 B 3.7-38 Amendment No. 127 03/03/00 Re-issued 08/01/01

ECW System B 3.7.10 B 3.7 PLANT SYSTEMS B 3.7.10 Emergency Chilled Water (ECW) System BASES BACKGROUND The ECW System provides a heat sink for the removal of process and operating heat from selected safety related air handling systems during a Design Basis Accident (DBA) or transient.

The ECW System is a closed loop system consisting of two independent trains. Each 100% capacity train includes a heat exchanger, compression tank, pump, chemical addition tank, piping, valves, controls, and instrumentation. An independent 100% capacity emergency chiller cools each train. The ECW System is actuated on a safety injection actuation signal (SIAS), toxic gas isolation signal (TGIS),

control room isolation signal (CRIS), or fuel handling isolation signal (FHIS), and supplies chilled water to the heating, ventilation, and air conditioning (HVAC) units in Engineered Safety Feature (ESF) equipment areas (e.g., the main control room, electrical equipment room, and safety injection pump area).

The flow path for the ECW System includes the closed loop of piping to all serviced equipment. During normal operation, the normal HVAC System performs the cooling function of the ECW System. Additional information about the design and operation of the system, along with a list of components served, can be found in the UFSAR, Section 9.4.2 (Ref. 1).

General Requirements for ECWS OPERABILITY An Emergency Chilled Water (ECW) train is considered OPERABLE when the components required to perform the safety related function are all operable, as follows: chilled water pump, compression tank, piping, valves, heat exchanger, emergency chiller, instrumentation and controls.

If while implementing LCO 3.7.10 Action A due to the inoperability of an ECWS component, a subsequent component failure occurs on the affected Unit(s) in the same ECW train, do not start a second 14 day clock. The entire ECW train must be returned to OPERABLE status within the time constraint of the original 14 day clock.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-49 Amendment No. 127 10/17/01

ECW System B 3.7.10 BASES (continued)

BACKGROUND If while implementing LCO 3.7.10 Action A for an inoperable (continued) ECW train, the opposite ECW train for the affected Unit s) becomes inoperable, enter LCO 3.0.3 on the applicable Unit(s).

TS 3.7.10 allows 14 days for restoring operability of one ECWS train. The 14 day AOT is based on a probabilistic risk assessment that was done in accordance with the guidance of Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk Informed Decisionmaking: Technical Specifications."

The 14 day AOT is im lemented in the three-tiered approach.

First, the risk of the 14 day AOT is acceptable based on the single AOT risk. Second, administrative controls must be established to ensure that planned maintenance on the normal chilled water system does not coincide with planned maintenance on the ECW system. Third, the SONGS Configuration Risk Management Program (CRMP) program is employed to ensure that risk-significant configurations are identified and managed appropriately per the Maintenance Rule (a)(4). Allowing only one 14 day clock even in the case of multiple single train component failures is conservative. This approach prohibits exceeding the intent of the LCO, which is to ensure an ECWS train remains out of service for no more than 14 days, regardless of circumstances.

LCO 3.7.10 allows only one ECW train to be inoperable.

Therefore, with both trains inoperable, a LCO 3.0.3 entry is required.

An emergency chiller is considered OPERABLE when it is or can be aligned to either Unit's operating or standby OPERABLE Component Cooling Water (CCW) critical loop, provided that the OPERABLE CCW critical loop can be placed in operation within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after a design basis event is detected in the Control Room. (Reference 2) Thus, an emergency chiller, under normal circumstances, remains OPERABLE during a transfer operation between OPERABLE CCW critical loops completed in less than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

Likewise, an emergency chiller is considered OPERABLE when it is aligned to either Unit's energized 4 kV bus. Under normal circumstances, the emergency chiller remains OPERABLE during a transfer operation between 4 kV buses, provided the transfer operation is completed in less than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

Room Coolers OPERABILITY. General If one or more required individual room coolers for a Unit are inoperable and the backup cooling listed in Table 1 for the affected room(s) is also inoperable, OR if the temperature in the affected room(s) increases above its design temperature, declare the safety related equipment in the cooled room(s) inoperable and enter the LCO action (continued)

SAN ONOFRE--UNIT 2 B 3.7-50 Amendment No. 127 10/17/01

ECW System B 3.7.10 BASES (continued)

BACKGROUND TABLE 1 (continued) Individual Room Coolers 1E COOLER BACKUP COOLER EOUIPMENT IN ROOM ME417 ME414 P017, P015, P012 ME416 ME413 P019, P016, P013 ME517 ME445 (1E) P018 ME445 ME517 (1E) P018 ME455 ME448 P026 ME454 ME450 (NON-1E) or ME518 P025 ME518 ME450 (NON-1E) or ME454 P025 ME453 ME449 P024 ME439 RADWASTE FANS: P174 ME433 or ME434 (supply)

-AND-MA192 or MA193 (exhaust)

ME440 Same as above for ME439 P175 ME438 Same as above for ME439 P190 ME435 Same as above for ME439 P192 ME436 ME437 (1E) or Same as above for ME439 P191 ME437 ME436 (1E) or Same as above for ME439 P191 ME255 ME430 and MA165, or alternate method 50 ft. swgr ME257 ME430 and MA165, or alternate method 50 ft. swgr ME441 ME442 (1E) or P009 FUEL HANDLING BUILDING FANS:

MA359 or MA360 (supply)

-AND-MA316 or MA317 (exhaust)

(continued)

SAN ONOFRE--UNIT 2 B 3.7-51 Amendment No. 127 04/12/01

ECW System B 3.7.10 BASES (continued)

BACKGROUND TABLE 1 (continued) Individual Room Coolers (continued)

ME442 ME441 (1E) or Polo FUEL HANDLING BUILDING FANS:

as above for ME441 statement(s) for the inoperable equipment in the cooled room(s). See details for specific rooms, below.

If one or more required individual room cooler(s) for a Unit are inoperable, the ECW train for that Unit remains OPERABLE. OPERABILITY of the safety related equipment in the cooled room(s) remains unaffected provided that the backup room cooling listed in Table 1 remains OPERABLE AND provided that the temperature in the affected room(s) remains below its design temperature. Return the individual room cooler(s) to OPERABLE status within 14 days while maintaining the temperature in the affected room(s) below its design temperature or enter the applicable action statement for the equipment in the room. Separate entry is allowed for each inoperable emergency room cooler.

For equipment in rooms cooled by only emergency cooling with no normal cooling, redundant emergency coolers are 100%

capacity, and are adequate for maintaining the cooled equipment OPERABLE for up to 14 days.

It is not prudent to rely on backup cooling for periods longer than the allowed outage time for an ECW train itself.

Therefore it is conservative to require restoration of an inoperable room cooler within 14 days.

With both emergency and backup room cooling inoperable, safety related equipment does not have the cooling required by the LCO 1.1 definition of OPERABLE.

Table 1 permits normal Radwaste Building ventilation to provide backup cooling for the boric acid makeup pump rooms and the charging pump rooms. This is reasonable because these pumps can be running normally and have no normal room coolers. The same is true for the normal Fuel Handling Building ventilation and the spent fuel pool cooling pumps.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-52 Amendment No. 127 10/17/01 l

ECW System B 3.7.10 BASES (continued)

BACKGROUND CREACUS Coolers OPERABILITY (continued)

Inability of the ECWS to supply cooling water to CREACUS cooler ME418 or ME419 forces entry into TS 3.7.11 for both Units. Inability to supply Unit 2 cabinet area coolers ME423 or ME424 forces entry into TS 3.7.11 for Unit 2.

Inability to supply Unit 3 cabinet area coolers ME426 or ME427 forces entry into TS 3.7.11 for Unit 3.

LCO 3.7.10 does not specifically address individual room coolers. The identification of the Unit applicability for CREACUS coolers is consistent with the function that the coolers provide. The coolers associated with the control room emergency HVAC are covered by TS 3.7.11, and it is not necessary to also apply TS 3.7.10.

Switchcear Room Coolers OPERABILITY The Unit 2 ESF switchgear emergency room coolers impact both Units because MCCs BQ and BS are physically located inside the respective train ESF switchgear rooms on Unit 2. MCCs BQ and BS provide power to the chilled water pumps and provide chiller control power and can be powered from either Unit.

The applicability of the Unit 3 ESF switchgear emergency room coolers depends on alignment of the associated train power sources for Units 2 and 3 common systems. If the source of power is from Unit 3 then the Unit 3 ESF switchgear cooler impacts common power systems on that train. Therefore, the Unit 3 ESF switchgear emergency room cooler can impact both Units. If all of the common system power sources are from Unit 2. there are no common systems that could be impacted by the inoperable Unit 3 cooler.

Therefore, only Unit 3 would be impacted in this case.

The Unit applicability of inoperable Unit 3 ESF switchgear emergency cooler 3ME255 or 3ME257 depends on the Unit providing the power source for common components. The inoperability of either Unit 3 ESF switchgear emergency cooler 3ME255 or 3ME257 affects both Unit 2 and Unit 3 only when emergency chiller(s), Motor Control Center (MCC) BQ, or MCC BS are powered from Unit 3. If Unit 3 does not provide power to any of these components, only Unit 3 is affected.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-53 Amendment No. 127 04/12/01

ECW System B 3.7.10 BASES (continued)

BACKGROUND The inoperability of either Unit 2 Engineered Safety Feature I (continued) (ESF) switchgear emergency cooler 2ME255 or 2ME257 affects both Units 2 and 3.

APPLICABLE The design basis of the ECW System is to remove the post SAFETY ANALYSES accident heat load from ESF spaces following a DBA coincident with a loss of offsite power. Each train provides chilled water to the HVAC units at the design temperature and flow rate.

The maximum heat load in the ESF pump room area occurs during the recirculation phase following a loss of coolant accident. During recirculation, hot fluid from the containment sump is supplied to the high pressure safety injection and containment spray pumps. This heat load to the area atmosphere must be removed by the ECW System to ensure that these pumps remain OPERABLE.

The ECW satisfies Criterion 3 of the NRC Policy Statement.

LCO Two ECW trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst single failure.

An ECW train is considered OPERABLE when:

a. The associated pump and compression tank are OPERABLE; and

b. The associated piping, valves, heat exchanger, emergency chiller, and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of the ECW from other components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ECW System.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-54 Amendment No. 127 04/12/01

ECW System B 3.7.10 BASES (continued)

APPLICABILITY In MODES 1, 2, 3, and 4, the ECW System is required to be OPERABLE when a LOCA or other accident would require ESF operation.

In MODES 5 and 6, potential heat loads are smaller and the probability of accidents requiring the ECW System is low.

ACTIONS ACTION statements are modified by a Note: "Each Unit shall enter applicable ACTIONS separately." Because the ECW System is shared between Unit 2 and Unit 3, this note clarifies what Action should be taken when the Units are in different MODES.

A.1 If one ECW train is inoperable, action must be taken to restore OPERABLE status within 14 days. The 14 day AOT is based on a probabilistic risk assessment that requires administrative controls be implemented to ensure that planned maintenance on the normal chilled water system does not coincide with planned maintenance on the ECW system. In this condition, one OPERABLE ECW train is adequate to perform the cooling function. The 14 day Completion Time is reasonable, based on the low probability of an event occurring during this time, the 100% capacity OPERABLE ECW train, and the redundant availability of the normal HVAC System.

B.1 and B.2 If the ECW train cannot be restored to OPERABLE status within the associated Completion Time, or two ECW trains are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.10.1 REQU IREMENTS R371.

Verifying the correct alignment for manual, power operated, and automatic valves in the ECW flow path provides assurance that the proper flow paths exist for ECW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This (continued)

SAN ONOFRE--UNIT 2 B 3.7-55 Amendment No. 127 10/17/01 l

ECW System B 3.7.10 BASES (continued)

SURVEILLANCE SR 3.7.10.1 (continued)

REQUIREMENTS Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.10.2 This SR verifies proper automatic operation of the ECW System components and that the ECW pumps and chillers will start in the event of any accident or transient that generates an SIAS, TGIS, CRIS, or FHIS. The 24 month Frequency is based on operating experience and design reliability of the equipment.

REFERENCES 1. UFSAR, Section 9.4.2.

2. Memorandum from V. Barone (NEDO) to T. Vogt (OPS),

Revision 1, dated 12-22-94 (CDM document HVAC-352). I SAN ONOFRE--UNIT 2 B 3.7-55a Amendment No. 127 08/15/01

CREACUS B 3.7.11 BASES (continued)

LCO In addition, the control room boundary must be maintained, (continued) including the integrity of the walls, floors, ceilings, ductwork, and access doors.

The LCO is modified by a Note allowing the control room boundary to be opened intermittently under administrative controls. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls consist of stationing a dedicated individual at the opening who is in continuous communication with the control room. This individual will have a method to rapidly close the opening when a need for control room isolation is indicated.

APPLICABILITY In MODES 1, 2, 3, and 4, the CREACUS must be OPERABLE to limit operator exposure during and following a DBA.

In MODES 5 and 6, the CREACUS is required to cope with the release from a rupture of a waste gas tank.

During movement of irradiated fuel assemblies, the CREACUS must be OPERABLE to cope with the release from a fuel handling accident.

ACTIONS ACTION statements are modified by two NOTES. NOTE 1 says:

"The provisions of LCO 3.0.4 are not applicable when entering MODES 5, 6, or defueled configuration."

Specification 3.0.4 establishes that entry into an operational mode or other specified condition shall not be made unless the conditions of the LCO are met.

Applicability statement "During movement of irradiated fuel assemblies' ensures the OPERABILITY of both CREACUS trains prior to the start of movement of irradiated fuel assemblies.

NOTE 2 says: "Each Unit shall enter applicable ACTIONS separately." CREACUS is a shared system between Unit 2 and Unit 3. LCO doesn't address the operational situation when the Units are in different operational MODES. Without this NOTE it may not be clear what ACTIONS should be taken.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-59 Amendment No.+24,128 2/05/01

CREACUS B 3.7.11 BASES (continued)

ACTIONS A.1 (continued)-

With one CREACUS train inoperable, action must be taken to restore OPERABLE status within 14 days. The 14 day AOT is based on a probabilistic risk assessment that does not require administrative controls to be implemented when a CREACUS train is taken out of service. In this Condition, the remaining OPERABLE CREACUS subsystem is adequate to perform control room radiation protection function.

However, the overall reliability is reduced because a single failure in the OPERABLE CREACUS train could result in loss of CREACUS function. The 14 day Completion Time is based on the low probability of a DBA occurring during this time period, and the ability of the remaining train to provide the required capability.

B.1 If the control room boundary is inoperable in MODES 1, 2, 3, or 4, the CREACUS trains cannot perform their intended functions. Actions must be taken to restore an OPERABLE control room boundary within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . During the period that the control room boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC19) should be utilized to protect control room operators from potential hazards such as radioactive contamination, toxic chemicals, smoke, temperature and relative humidity, and physical security. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is a typically reasonable time to diagnose, plan and possibly repair, and test most problems with the control room boundary.

C.1 and C.2 If the inoperable CREACUS or control room boundary cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, 3, or 4, the unit must be placed in a MODE that minimizes the accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-60 Amendment No.+24,128 10/17/01

CREACUS B 3.7.11 BASES (continued)

ACTIONS D.1. D.2.1. and D.2.2 (continued)

In MODE 5 or 6, or during movement of irradiated fuel assemblies, if Required Action D.1 cannot be completed within the required Completion Time, the OPERABLE CREACUS train must be immediately placed in the emergency mode of operation. This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action D.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel assemblies to a safe position.

E.1 and E.2 When in MODES 5 or 6, or during movement of irradiated fuel assemblies with two trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might enter the control room.

This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1 If both CREACUS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable control room boundary (i.e., Condition B), the CREACUS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-61 Amendment No.+2-7,128 2/05/01

CREACUS B 3.7.11 BASES (continued)

SURVEILLANCE SR 3.7.11.1 REQUIREMENTS Standby systems should be checked periodically to ensure that they function properly. Since the environment and normal operating conditions on this system are not severe, testing each train once every month provides an adequate check on this system.

Cumulative operation of the system for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months over a 31 day period is sufficient to reduce the buildup of moisture on the adsorbers and HEPA filtes. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months time frame is based on a conservative engineering evaluation which calculated the time required to evaporate the moisture contained in the air trapped inside the CREACUS duct upstream of charcoal beds. The 31 day Frequency is based on the known reliability of the equipment, and the two train redundancy available.

SR 3.7.11.2 This SR verifies that the required CREACUS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The CREACUS filter tests are based on Regulatory Guide 1.52 (Ref. 3). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of theactivated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.

The filtration efficiency only apply to the emergency recirculation air conditioning units E418 and E419.

Therefore, testing for filtration efficiency is not required for the emergency ventilation supply units A206 and A207.

However, the specified air flow from the emergency ventilation units is required during the filtration efficiency testing of the emergency recirculation air conditioning units. Also, the air flow requirements which are specified in the VFTP apply to the emergency ventilation and emergency air conditioning units.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-62 Amendment No.+27,128 2/05/01

CREACUS B 3.7.11 BASES (continued)

SURVEILLANCE SR 3.7.11.3 REQUIREMENTS (continued) This SR verifies each CREACUS train starts and operates on an acutual or simulated actuation signal. The Frequency of 24 months is consistent with that specified in Reference 3.

SR 3.7.11.4 This SR verifies the integrity of the control room enclosure and the assumed inleakage rates of potentially contaminated air. The control room positive pressure, with respect to potentially contaminated atmosphere, is periodically tested to verify proper function of the CREACUS. During the emergency radiation state of the emergency mode of operation, the CREACUS is designed to pressurize the control room 2 0.125 inches water gauge positive pressure with respect to the atmosphere in order to prevent unfiltered inleakage. The CREACUS is designed to maintain this positive pressure with one train.

REFERENCES 1. UFSAR, Section 9.4.

2. UFSAR, Chapter 15.

3. Regulatory Guide 1.52 (Rev. 2).

SAN ONOFRE--UNIT 2 B 3.7-62a Amendment No.42-7,128 2/05/01 1

Fuel Storage Pool Boron Concentration B 3.7.17 B 3.7 PLANT SYSTEMS B 3.7.17 Fuel Storage Pool Boron Concentration BASES BACKGROUND As described in LCO 3.7.18, "Spent Fuel Assembly Storage,"

fuel assemblies are stored in the spent fuel racks in accordance with criteria based on initial enrichment and discharge burnup. Although the water in the spent fuel pool is normally borated to 2 1850 ppm, the criteria that limit the storage of a fuel assembly to specific rack locations is conservatively developed without taking credit for boron.

APPLICABLE A fuel assembly could be inadvertently loaded into a spent SAFETY ANALYSES fuel rack location not allowed by LCO 3.7.18 (e.g., an un-irradiated fuel assembly or an insufficiently depleted fuel I assembly). This accident is analyzed assuming loading the Region II fuel pool racks with nine (3x3 array in the worst case) un-irradiated assemblies of an enrichment which bounds 4.8 w/o. Another type of postulated accident is associated with a fuel assembly that is dropped onto the fully loaded fuel pool storage rack. Either incident could have a positive reactivity effect, decreasing the margin to criticality. However, the negative reactivity effect of the soluble boron compensates for the increased reactivity caused by either one of the two postulated accident scenarios.

The concentration of dissolved boron in the fuel pool satisfies Criterion 2 of the NRC Policy Statement.

LCO The specified concentration of dissolved boron in the fuel pool preserves the assumptions used in the analyses of the potential accident scenarios described above. This concentration of dissolved boron is the minimum required concentration for fuel assembly storage and movement within the fuel pool.

APPLICABILITY This LCO applies whenever fuel assemblies are stored in the spent fuel pool until a complete spent fuel pool (continued)

SAN ONOFRE--UNIT 2 B 3.7-71 Amendment No. 127 04/29/03 1

Spent Fuel Assembly Storage B 3.7.18 B 3.7 PLANT SYSTEMS B 3.7.18 Spent Fuel Assembly Storage BASES BACKGROUND The spent fuel storage facility is designed to store either new (nonirradiated) nuclear fuel assemblies, or burned (irradiated) fuel assemblies in a vertical configuration underwater. The storage pool is sized to store 1542 fuel assemblies. Two types/sizes of spent fuel storage racks are used (Region I and Region II). The two Region I racks each contain 156 storage locations each spaced 10.40 inches on center in a 12x13 array. Four Region II storage racks each contain 210 storage locations in a 14x15 array. The remaining two Region II racks each contain 195 locations in a 13x15 array. All locations are spaced 8.85 inches on center. This spacing and "flux trap" construction, whereby the fuel assemblies are inserted into neutron absorbing stainless steel cans, is sufficient to maintain a ke~f of

0.95 for spent fuel of original enrichment of up to 4.8%. I However, as higher initial enrichment fuel assemblies are stored in the spent fuel pool, they must be stored in a checkerboard pattern taking into account fuel burnup to maintain a keff of 0.95 or less.

APPLICABLE The spent fuel storage facility is designed for SAFETY ANALYSES noncriticality by use of adequate spacing, and "flux trap" construction whereby the fuel assemblies are inserted into neutron absorbing stainless steel cans.

The spent fuel assembly storage satisfies Criterion 2 of the NRC Policy Statement.

LCO The restrictions on the placement of fuel assemblies within the spent fuel pool, in the accompanying LCO, ensures that I the keff of the spent fuel pool will always remain < 0.95 assuming the pool to be flooded with unborated water. The restrictions are consistent with the criticality safety analysis performed for the spent fuel pool according to the LCO. I (continued)

SAN ONOFRE--UNIT 2 B 3.7-74 Amendment No. 127 04/29/03 l

Spent Fuel Assembly Storage B 3.7.18 BASES (continued)

LCO Fuel assemblies not meeting the LCO shall be stored in (continued) accordance with Specification 4.3.1.1.

APPLICABILITY This LCO applies whenever any fuel assembly is stored in Region II of the spent fuel pool.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the configuration of fuel assemblies stored in Region II of the spent fuel pool is not in accordance with Figure 3.7.18-1 and Figure 3.7.18-2, immediate action must be taken to make the necessary fuel assembly movement(s) to bring the configuration into compliance with the LCO.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation.

Therefore, in either case, inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.18.1 REQUIREMENTS This SR verifies by administrative means that the initial enrichment and burnup of the fuel assembly is in accordance with the accompanying LCO. For fuel assemblies in the unacceptable range of the LCO, performance of this SR will ensure compliance with Specification 4.3.1.1.

REFERENCES UFSAR, Section 9.1.2.2.

SAN ONOFRE--UNIT 2 B 3.7-75 Amendment No. 127 04/29/03 1

Secondary Specific Activity B 3.7.19 B 3.7 PLANT SYSTEMS B 3.7.19 Secondary Specific Activity BASES BACKGROUND Activity in the secondary coolant results from steam generator tube outleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half lives, and thus is indication of current conditions. During transients, I-131 spikes have been observed as well as increased releases of some noble gases. Other fission product isotopes, as well as activated corrosion products in lesser amounts, may also be found in the secondary coolant.

A limit on secondary coolant specific activity during power operation minimizes releases to the environment because of normal operation, anticipated operational occurrences, and accidents.

This limit is lower than the activity value that might be expected from a 0.5 gpm per steam generator (1 gpm total) tube leak (LCO 3.4.13, "RCS Operational LEAKAGE") of primary coolant at the limit of 1.0 pCi/gm (LCO 3.4.16, "RCS Specific Activity"). The steam line failure is assumed to result in the release of the noble gas and iodine activity contained in the steam generator inventory, the feedwater, and reactor coolant LEAKAGE. Most of the iodine isotopes have short half lives (i.e., < 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months ). I-131, with a half life of 8.04 days, concentrates faster than it decays, but does not reach equilibrium because of blowdown and other losses.

With the specified activity level, the resultant 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months thyroid dose to a person at the exclusion area boundary (EAB) would be about 4.5 rem should a steam generator atmospheric dump valve inadvertently open.

Therefore, operating a unit at the allowable limits could result in a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months EAB exposure within Acceptance Criteria deemed allowable by design basis, UFSAR, or the 10 CFR 50.59 Program limits (300 rem for thyroid dose to a person).

(continued)

SAN ONOFRE--UNIT 2 B 3.7-76 Amendment No. 127 05/13/02

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 (continued)

REQUIJIREMENTS The normal 31 day Frequency for SR 3.8.1.2 (see Table 3.8.1-1, "Diesel Generator Test Schedule," in the accompanying LCO) and the 184 day Frequency for SR 3.8.1.7 are consistent with Regulatory Guide 1.9 (Ref. 3). These frequencies provide adequate assurance of DG OPERABILITY, whiTe minimizing degradation resulting from testing.

Note 4 - This note discusses operability of the diesel enerator subcomponent Automatic Voltage Regulator (AVR).

The AVR is an integral part of the DG, however, each DG has 2 AVRS that are 100% redundant to each other. Only one AVR may be inservice at any one time. To ensure operability of each AVR, the AVRs must have been in service during the erformance of SR 3.8.1.2 and SR 3.8.1.3 within the last 90 days plus any allowance per SR 3.0.2. SR 3.8.1.2 is modified by NOTE 1 to indicate that SR 3.8.1.7 satisfies all of the requirements of SR 3.8.1.2. This note is applicable for AVR operability. Also, each AVR must have been in service for either SR 3.8.1.9, SR 3.8.1.10, or SR 3.8.1.19 within the last 24 months plus any allowance per SR 3.0.2.

During the 24 month test dynamic performance of the AVR is measured to confirm it is acceptable for all required AVR transients. Based on the design of the AVR its intended function and the maintenance history, the above specified surveillance schedule will assure the AVRs are capable of performing their intended function.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads listed in Reference 2.

This capability is verified by performing a load test between 90 to 100% of rated load, for an interval of not less than 60 minutes, consistent with the requirements of Regulatory Guide 1.9 (Ref. 3). The lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the upper load limit. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR the surveillance is performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings (i.e., without creating an overvoltage condition on the ESF buses, over excitation condition on the ESF buses, over excitation condition in the generator, or overloading the DG main feeder). The kVAR loading requirement during this test ismet, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that:

(continued)

SAN ONOFRE--UNIT 2 B 3.8-16 Amendment No. 127 06/18/01 1

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.3 (continued)

REQUIREMENTS

a. kVAR is 2 3000 and

3200 or

b. the excitation current is 2 3.8 A and

4.0 A or

c. the ESF bus voltage is 2 4530 V and

4550 V or

d. DG feeder current is 2 730 A and

750 A This method of establishing kVAR loading ensures that, in addition to verifying the load carrying ca pability (kW) of the diesel engine the reactive power kkYAR) and voltage regulation capability of the generator is verified to the extent practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref. 16).

The normal 31 day Frequency for this Surveillance (Table 3.8.1-1) is consistent with Regulatory Guide 1.9 (Ref. 3).

This SR is modified by five Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary DG load transients do not invalidate this test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates that a successful DG start must recede this test to credit satisfactory performance. Note 9 - This note discusses operability of the diesel generator subcomponent Automatic Voltage Regulator (AVR). The AVR is an integral part of the DG, however, each DG has 2 AVRS that are 100% redundant to each other. Only one AVR may be inservice at any one time.

To ensure operability of each AVR, the AVRs must have been in service during the Performance of SR 3.8.1.2 and SR 3.8.1.3 within the last 60 days plus any allowance per SR 3.0.2. SR 3.8.1.2 is modified by NOTE 1 to indicate that SR 3.8.1.7 satisfies all of the requirements of SR 3.8.1.2.

This note is applicable for AVR operability. Also, each AVR must have been in service for either SR 3.8.1.9, SR 3.8.1.10, or SR 3.8.1.19 within the last 24 months plus any allowance per SR 3.0.2. During the 24 month test dynamic performance of the AVR is measured to confirm it is acceptable for all required AVR transients. Based on the design of the AVR, its intended function and the maintenance history, the above specified surveillance schedule will assure the AVRs are capable of performing their intended function.

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is at or above the level selected to ensure adequate fuel oil for a minimum of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of DG operation at (continued)

SAN ONOFRE--UNIT 2 B 3.8-17 Amendment No. 127 06/18/01 l

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.4 (continued)

REQUIREMENTS full load plus 10%. The level is expressed as an equivalent volume in inches. The 30 inch level includes instrument uncertainties and corresponds to the minimum requirement of 355.1 gallons of fuel oil.

The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous microorganisms that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for microbial survival in the day tanks. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by microorganisms. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system.

The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 10). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that for each OPERABLE DG at least one fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of the standby power source. This Surveillance provides assurance that at least one fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for the fuel transfer system are OPERABLE.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-18 Amendment No. 127 06/18/01 11

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.6 (continued)

REQUIREMENTS The design of the fuel transfer system is such that one pump will operate automatically, while the other pump can be started manually. Either pump will maintain an adequate volume of fuel oil in the day tank. In such a case, a 31 day Frequency is appropriate.

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 Verification of the capability to transfer each 4.16 kV ESF bus power supply from the normal preferred power source (offsite circuit) to each required alternate preferred power source (offsite circuit), via the train-aligned 4.16 kV crosstie between Unit 2 and Unit 3, demonstrates the OPERABILITY of the alternate preferred power distribution network to power the post-accident and shutdown loads. For 2A04 the normal offsite power source is 2XR1, and the alternate offsite power source is 3XR1 or 3XU1. For 2A06 the normal offsite power source is 2XR2, and the alternate offsite power source is 3XR2 or 3XU1. A required alternate offsite power source is the source that is credited as the alternate source of offsite power in LCO 3.8.1. Therefore, the alignment of the ESF buses in Unit 3 determines which alternate offsite circuit is the required circuit at any point in time.

For each 4.16 kV ESF bus (2A04 or 2A06) this surveillance requirement may be satisfied by performing both a manual transfer and an auto-transfer from the normal offsite power source to at least one of the alternate offsite power sources. The tested source may then be credited as the -

required alternate offsite power source per LCO 3.8.1. This surveillance may be satisfied for the remaining power source by performing a circuit functional test in addition to the transfer test above. This functional test shall be performed such that all components that are required to function for a successful manual or auto-transfer that were not included in the transfer tests above, are tested. This testing may include any series of sequential, overlapping, or total steps so that the entire manual and auto-transfer capability of the source is verified. This is explained in a note to this SR.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-19 Amendment No. 127 06/18/01 l

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.8 (continued)

REQUIREMENTS The 24 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency.

herefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single post-accident load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. For this unit, the largest single post-accident load for each DG is the Auxiliary Feedwater pump which has a nameplate rating of 800 HP. As required by IEEE-308 (Ref. 13), the load rejection test is acceptable if the DG frequency does not exceed 66.75 Hz, which is 75% of the difference between synchronous speed (60 Hz) and the overspeed trip setpoint (69 Hz).

The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequencing and load rejection. The 4 seconds specified is equal to 80% of the 5 second load sequence interval associated with sequencing of the largest load. Since SONGS specific analyses demonstrate the acceptability of overlapping load groups (i.e., adjacent load groups that start at the same time due to load sequence timer tolerance), the use of 80% of load sequence interval for voltage recovery is consistent with the requirements of Regulatory Guide 1.9 (Ref. 3). The voltage and frequency specified are consistent with the design range of the equipment powered by the DG.

SR 3.8.1.9.a corresponds to the maximum frequency excursion, (continued)

SAN ONOFRE--UNIT 2 B 3.8-20 Amendment No. 127 06/18/01 l

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values to which the system must recover following load rejection. The 24 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3).

In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed by rejecting an inductive oad with kW and kVAR greater than or equal to the single largest post-accident load (683 kW9 369 kVAR). These test conditions are consistent with the power factor requirements of Regulatory Guide 1.9 (Ref. 3) and the recommendations of Information Notice 91-13 (Ref. 16).

This SR is modified by two Notes. Note 1 acknowledges that credit may be taken for unplanned events that satisfy this SR. Note 2 - This note discusses operability of the diesel generator subcomponent Automatic Voltage Regulator (AVR).

The AVR is an integral part of the DG, however, each DG has 2 AVRS that are 100% redundant to each other. Only one AVR may be inservice at any one time. To ensure operability of each AVR, the AVRs must have been in service during the performance of SR 3.8.1.2 and SR 3.8.1.3 within the last 60 days plus any allowance per SR 3.0.2. SR 3.8.1.2 is modified by NOTE 1 to indicate that SR 3.8.1.7 satisfies all of the requirements of SR 3.8.1.2. This note is applicable for AVR operability. Also, each AVR must have been in service for either SR 3.8.1.9, SR 3.8.1.10, or SR 3.8.1.19 within the last 24 months plus any allowance per SR 3.0.2.

During the 24 month test dynamic performance of the AVR is measured to confirm it is acceptable for all required AVR transients. Based on the design of the AVR, its intended function and the maintenance history, the above specified surveillance schedule will assure the AVRs are capable of performing their intended function.

SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a load equal to 90% to 100% of its continuous rating without overspeed tripping or exceeding the predetermined voltage limits. The lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the upper load limit.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-21 Amendment No. 127 06/18/01 l

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS The DG full load rejection may occur because of a system fault, inadvertent breaker tripping or a SIAS received during surveillance testing. This Surveillance ensures proper engine and generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. The voltage transient limit of 5450 V is 125% of rated voltage (4360 V). These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application (e.g., reconnection to the bus if the trip initiator can be corrected or isolated). These loads and limits are consistent with Regulatory Guide 1.9 (Ref. 3).

The DG is tested under inductive load conditions that are as close to design basis conditions as possible. Testing is performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings (i.e., without creating an overvoltage condition on the ESF buses, over excitation condition in the generator, or overloading the DG main feeder). The kVAR loading requirement during this test is met, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that:

a. kVAR is 2 3000 and 5 3200 or

b. the excitation current is 2 3.8 A and

4.0 A or

c. the ESF bus voltage is 2 4530 V and

4550 V or

d. DG feeder current is 2 730 A and s 750 A This method of establishing kVAR loading ensures that, in addition to verifying the full load rejection capability (kW) of the diesel engine, the reactive power rejection capability (kVAR) of the generator is verified to the extent practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref. 16).

The 24 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3) and is intended to be consistent with expected fuel cycle lengths.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-22 Amendment No. 127 06/18/01 l

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS This SR is modified by two Notes. Note 1 acknowledges that credit may be taken for unplanned events that satisfy this SR. Note 2 - This note discusses operability of the diesel generator subcomponent Automatic Vol tage Regulator (AVR).

The AVR is an integral part of the DG, however, each DG has 2 AVRS that are 100% redundant to each other. Only one AVR may be inservice at any one time. To ensure operability of each AVR, the AVRs must have been in service during the Eerformance of SR 3.8.1.2 and SR 3.8.1.3 within the last 0 days plus any allowance per SR 3.0.2. SR 3.8.1.2 is modified by NOTE 1 to indicate that SR 3.8.1.7 satisfies all of the requirements of SR 3.8.1.2. This note is applicable for AVR operability. Also, each AVR must have been in service for either SR 3.8.1.9, SR 3.8.1.10, or SR 3.8.1.19 within the last 24 months plus any allowance per SR 3.0.2.

During the 24 month test dynamic performance of the AVR is measured to confirm it is acceptable for all required AVR transients. Based on the design of the AVR, its intended function and the maintenance history, the above specified surveillance schedule will assure the AVRs are capable of performing their intended function.

SR 3.8.1.11 As reguired by Regulatory Guide 1.9 (Ref. 3), this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source.

This test verifies all actions encountered from the loss of offsite power, including shedding of selected loads and energization of the permanently connected loads from the DG.

The permanently connected loads are the Class 1E 480 V Loadcenters and MCCs. It is recognized that certain consequential loads may also start following a loss of offsite power and therefore it is important to demonstrate that the DG operates properly with these loads. The consequential loads are sequenced on the DG following a LOVS with the same time delays as for a LOVS with a SIAS.

Therefore, the ability of the DG to operate with the consequential loads is appropriately demonstrated by the existing Surveillance Requirement simulating a loss of offsite power in combination with a SIAS (Surveillance Requirement 3.8.1.19). Since there are no auto-connected shutdown loads, the Regulatory Guide 1.9 (Ref. 3) requirements for sequencing of auto-connected shutdown loads do not apply (Ref. 17). This surveillance further demonstrates the capability of the DG to automatically achieve the required voltage and frequency, to close the DG output breaker and connect to the ESF bus, and to reset the 4.16 kV bus undervoltage relay logic within the specified time.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-23 Amendment No. 127 06/18/01 1

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS The DG auto-start and undervoltage relay logic reset time of 10 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The frequency should be restored to within the specified range following energization of the permanently connected loads.

The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The requirement to verify the connection and power supply of permanent loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or shutdown cooling (SDC) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation.

In lieu of actual demonstration of shedding, connection, and loading of loads, overlap testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire sequence of load shedding and reenergization of permanently connected loads is verified.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-24 Amendment No. 127 06/18/01 l

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.12 REQUIREMENTS (continued) This Surveillance demonstrates that after a SIAS, the DG automatically starts and achieves the required voltage and frequency within the specified time and operates for 2 5 minutes. The 9.4 second start requirement ensures that the DG meets the design basis LOCA analysis assumption, that the DG starts, accelerates to within the specified frequency and voltage limits, connects to the 4.16 k ESF bus, and resets the ESF bus undervoltage relay logic within 10 seconds of a SIAS. The 5 minute period provides sufficient time to demonstrate stability.

In addition to the SR requirements, the time for the DG to reach steady state operation, unless the modified DG start method is employed, is periodically monitored and is evaluated to identify degradation of governor and voltage regulator performance.

The Frequency of 24 months is consistent with Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.13 This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a SIAS in accordance with Regulatory Guide 1.9 (Ref. 3). The critical protective functions (engine overspeed, generator differential current, and low-low lube oil pressure), which trip the DG to avert substantial damage to the DG unit, are not bypassed. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately to prevent damage to the DG. The DG availability to mitigate the DBA is more critical thanprotecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-25 Amendment No. 127 06/18/01

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS Testing to satisfy this surveillance requirement may include any series of sequential, overlapping, or total steps so that the entire noncritical trip bypass function is verified.

The 24 month Frequency is based on engineering judgment, taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. The SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3), requires demonstration once per refueling outage that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , 2 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of which is at load equivalent to 105% to 110% of the continuous duty rating and the remainder of the time at a load equivalent to 90% to 100% of the continuous duty rating of the DG. For the 22 hour2.546296e-4 days 0.00611 hours 3.637566e-5 weeks 8.371e-6 months duration, the lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the 100%. 105% or 110% load limits.

This test is performed with the DG connected to the offsite power supply. In this alignment DG frequency is controlled by the offsite power supply, and the operator has minimal control over DG output voltage. Therefore, specific DG voltage and frequency requirements as recommended by Regulatory Guide 1.9 (Ref. 3) do not apply.

The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-26 Amendment No. 127 06/18/01 l

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS The DG is tested under inductive load conditions that are as close to design conditions as possible. Testing is' performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings (i.e., without creating an overvoltage condition on the ESF buses, over excitation condition in the generator, or overloading the DG main feeder). The kVAR loading requirement during this test is met, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that:

a. kVAR is 2 3000 and

3200 or

b. the excitation current is 2 3.8 A and

4.0 A or

c. the ESF bus voltage is 2 4530 V and s 4550 V or

d. DG feeder current is 2 730 A and

750 A This method of establishing kVAR loading ensures that, in addition to verifying the load carrying capability (kW) of the diesel engine, the reactive power (kVAR) and voltage regulation capability of the generator is verified to the extent practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref. 16).

The kW load band in the SR is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9. (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. Note 1 states that momentary DG load transients do not invalidate this test. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 9.4 seconds. The 9.4 second time is (continued)

SAN ONOFRE--UNIT 2 B 3.8-27 Amendment No. 127 06/18/01 l

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.15 (continued)

REQU IREMENTS derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The LOCA analysis assumes that the DG starts, accelerates to within the specified frequency and voltage limits, connects to the 4.16 kV ESF bus, and resets the ES F bus undervoltage relay logic within 10 seconds of a SIAS.

In addition to the SR requirements, the time for the DG to reach steady state operation, unless the modified DG start method is employed, is periodically monitored and is evaluated to identify degradation of governor and voltage regulator performance.

The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary DG load transients do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.

SR 3.8.1.16 As required by Regulatory Guide 1.9 (Ref. 3). this Surveillance ensures manual synchronization and load transfer from the DG to the offsite source can be made and that the DG can be returned to ready to load operation when offsite power is restored. Ready to load operation is defined as the DG running within the specified frequency and voltage limits, with the DG output breaker open. If this test is performed with a SIAS present, the load transfer occurs when the offsite power breaker is manually closed, and the SIAS causes the DG output breaker to open. If this test is performed without a SIAS present, the load transfer occurs when the offsite power breaker is manually closed, and the DG output breaker is manually opened. By design, the LOVS/SDVS/DGVSS logic will have been previously reset thus allowing the DG to reload if a subsequent loss of offsite power or degraded voltage condition occurs. The LOVS/SDVS/DGVSS signal will strip the bus, reset the load sequence timers, close the DG output breaker, and permit (continued)

SAN ONOFRE--UNIT 2 B 3.8-28 Amendment No. 127 06/18/01 l

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.16 (continued)

REQUIREMENTS resequencing of the ESF loads if an ESF actuation signal is present.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.17 For this Surveillance, the DG is in test mode when it is running, connected to its bus, and in parallel with offsite power. Demonstration of the test mode override ensures that:

1) the DG availability under accident conditions will not be compromised as the result of testing with the DG connected to its bus in parallel with offsite power, and

2) the DG will automatically return to ready to load operation, if a SIAS is received during operation in the test mode.

Ready to load operation is defined as the DG running within the specified frequency and voltage limits, with the DG output breaker open. These provisions are required by IEEE-308 (Ref. 13), paragraph 6.2.6(2) and Regulatory Guide 1.9 (Ref. 3).

The intent in the requirement to automatically energize the emergency loads with offsite power associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by DG operation in the test mode in parallel with offsite power. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential overlapping, or total steps so that the entire connection and loading sequence is verified.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-29 Amendment No. 127 06/18/01 1

AC Sources - Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.17 (continued)

REQUIREMENTS The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.18 Under accident conditions, electrical loads are sequentially connected to a DG bus by the programmed time interval load sequence. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DG due to high motor starting currents. The load sequence start time tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.

Reference 2 provides a summary of the automatic loading of ESF buses. Table B 3.8.1-1 provides a matrix of loads sequenced by the ESF timing logic. The timer as-left setting requirement and the as-found acceptance criteria are provided in Table B 3.8.1-1.

For the Containment Emergency Cooling Units only, the sequenced time is the actual start time of the Component Cooling Water pumps plus 5 + 2.5/-0.5 seconds. The tolerance is based on a design interval of 5 seconds.

This testing may include any series of sequential, overlapping, or total steps so that all load sequence timers are verified.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-29a Amendment No. +S&-169 06/18/01 l

AC Sources -Operating B 3.8.1 BASES (continued)

TABLE B 3.8.1-1: DG LOAD SEOUENCING TIMER ACCEPTANCE CRITERIA Nominal Setting Start (As Left) As-Found Time Tolerance Tolerance (Sec) (Sec) (Sec)

1. LPSI Pumps P015, P016 5.00 +/-0.5 -0.5

+2.5

2. Dome Air Circulating Fans 5.00 +/-0.5 -0.5 A071, A072, A073, A074 +2.5

3. Control Room AC Units 5.00 +/-0.5 -0.5 E418, E419 +2.5

4. Containment Spray Pumps P012, 10.00 +/-0.5 +/-2.5 P013

5. Diesel Generator Radiator Fans 10.00 +/-0.5 +/-2.5 E546, E547, E549, E550

6. Component Cooling Water Pumps 15.00 +/-0.5 +/-2.5 P024, P025, P026 6A. Containment Emergency Cooling CCW Pump +/-0.5* -0.5*

Units E399, E400, E401, E402 Breaker +2.5*

Closure

+5 secs

7. Diesel Generator Building 15.00 +/-0.5 +/-2.5 Emergency Fans A274, A275, A276, A277

8. Salt Water Cooling Pumps P112, 20.00 +/-0.5 +/-2.5 P307, P113, P114

9. Auxiliary Feed Water Pumps 30.00 +/-0.5 +/-3.0 P141, P504

10. Emergency Chillers E335, E336 35.00 +/-0.5 +/-3.5

Emergency Cooling Unit time delay as measured from closure of the CCW pump breaker position switch 152-1.

(continued)

SAN 2 ONOFRE--UNIT B 3.8-29b Amendment No. 4-5&-169 06/18/01 I~~~~~~~~~~~~~

SAN ONOFRE--UNIT 2 B 3.8-29b Amendment No. 4.58-,169 06/18/01 1

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.18 (continued)

REQUIREMENTS (continued) As required by Regulatory Guide 1.108 (Ref. 9),

paragraph 2.a.(2), each DG is required to demonstrate proper operation for the DBA loading sequence to ensure that voltage and frequency are maintained within the required limits. This surveillance is performed in SR 3.8.1.19. The sequence relays tested under SR 3.8.1.18 are required to support proper DG loading sequence.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9),

paragraph 2.a.(2); takes into consideration unit conditions required to perform the Surveillance; and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.19 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during an actual or simulated loss of offsite power signal (LOVS/DGVSS/SDVS) in conjunction with actual or simulated ESF actuation signals (SIAS, CCAS, CSAS, EFAS-1, and EFAS-2). Multiple ESF actuation signals are initiated to simulate worst case DG load sequencing conditions.

In lieu of actual demonstration of shedding, connection, and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire load shedding, connection, and loading sequence is verified.

The Frequency of 24 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs.

Note 2 acknowledges that credit may be taken for (continued)

SAN ONOFRE--UNIT 2 B 3.8-29c Amendment No. i-8-169 06/18/01

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.19 (continued)

REQUIREMENTS (continued) unplanned events that satisfy this SR. Note 3 - This note discusses operability of the diesel generator subcomponent Automatic Voltage Regulator (AVR). The AVR is an integral part of the DG, however, each DG has 2 AVRS that are 100%

redundant to each other. Only one AVR may be inservice at any one time. To ensure operability of each AVR, the AVRs must have been in service during the performance of SR 3.8.1.2 and SR 3.8.1.3 within the last 60 days plus any allowance per SR 3.0.2. SR 3.8.1.2 is modified by NOTE 1 to indicate that SR 3.8.1.7 satisfies all of the requirements of SR 3.8.1.2. This note is applicable for AVR operability.

Also, each AVR must have been in service for either SR 3.8.1.9, SR 3.8.1.10, or SR 3.8.1.19 within the last 24 months plus any allowance per SR 3.0.2. During the 24 month test dynamic performance of the AVR is measured to confirm it is acceptable for all required AVR transients.

Based on the design of the AVR, its intended function and the maintenance history, the above specified surveillance schedule will assure the AVRs are capable of performing their intended function.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. This Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9), paragraph 2.b, Regulatory Guide 1.137 (Ref. 10), paragraph C.2.f, and Regulatory Guide 1.9 (Ref. 3).

This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated, and temperature maintained consistent with manufacturer recommendations.

Diesel Generator Test Schedule The DG test schedule (Table 3.8.1-1) implements the recommendations of Revision 3 to Regulatory Guide 1.9 (Ref. 3). The purpose of this test schedule is to provide timely test data to establish a confidence level associated with the goal to maintain DG reliability above 0.95 per demand.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-29d Amendment No. +4587169 06/18/01 l

AC Sources -Operating B 3.8.1 BASES (continued)

SURVEILLANCE SR 3.8.1.20 (continued)

REQUIREMENTS (continued) According to Regulatory Guide 1.9, Revision 3 (Ref. 3). each DG unit should be tested at least once every 31 days.

According to Draft Regulatory Guide DG-1021 (Ref. 14) and 10 CFR 50.63(a) (3)(ii) (Ref. 15), whenever a DG has experienced 4 or more valid failures in the last 25 valid tests, the maximum time between tests is reduced to 7 days.

Four failures in 25 valid tests is a failure rate of 0.16, or the threshold of acceptable DG performance, and hence may be an early indication of the degradation of DG reliability.

When considered in the light of a long history of tests, 4 failures in the last 25 valid tests may only be a statistically probable distribution of random events.

Increasing the test Frequency will allow for a more timely accumulation of additional test data upon which to base judgment of the reliability of the DG. The increased test Frequency must be maintained until seven consecutive.

failure free tests have been performed.

The Frequency for accelerated testing is 7 days, but no less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Therefore, the interval between tests should be no less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and no more than 7 days. A successful test at an interval of less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months should be considered an invalid test and not count towards the seven consecutive failure free starts. A test interval in excess of 7 days constitutes a failure to meet the Srs.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. UFSAR, Chapter 8.

3. Regulatory Guide 1.9, Rev. 3.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 15.

6. Regulatory Guide 1.93, Rev. 0.

7. Generic Letter 84-15.

8. 10 CFR 50, Appendix A, GDC 18.

9. Regulatory Guide 1.108, Rev. 1.

10. Regulatory Guide 1.137, Rev. 1.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-29e Amendment No. +58-,169 06/18/01 1

AC Sources - Operating B 3.8.1 BASES (continued)

REFERENCES 11. ANSI C84.1-1982.

(continued)

12. ASME, Boiler and Pressure Vessel Code,Section XI.

13. IEEE Standard 308-1978.

14. Draft Regulatory Guide DG-1021, April 1992.

15. 10 CFR 50.63(a)(3)(ii) as published in Federal Register Vol. 57, No. 77 page 14517, April 21, 1992.

16. Information Notice 91-13, "INADEQUATE TESTING OF EMERGENCY DIESEL GENERATORS (EGDs)," 09/16/91.

17. Letter from SCE to the NRC dated May 5, 1995, subject Docket Nos. 50-361 and 50-362, Diesel Generator Loading San Onofre Nuclear Generating Station Units 2 and 3.

18. Letter from the NRC to SCE dated May 12, 1999, subject Technical Specification Interpretation (TAC Nos. MA0232 and MA0233).

SAN ONOFRE--UNIT 2 B 3.8-29f Amendment No. +58--169 06/18/01 l

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES (continued)

APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil and starting air are required to be within limits when the associated DG is required to be OPERABLE.

ACTIONS A.l In this Condition, the 7 day fuel oil supply (45,662 gallons) for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (39,468 gallons). These circumstances may be caused by events such as full load operation required after an inadvertent start while at minimum required level; or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

B.1 With lube oil inventory less than the TSmin marking in the dipstick, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply (continued)

SAN ONOFRE--UNIT 2 B 3.8-38 Amendment No. 127 03/25/02 l

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES (continued)

ACTIONS B.1 (continued) greater than or equal to the TSinop marking in the dipstick). This restriction allows sufficient time to obtain the requisite replacement volume. The TSmin mark corresponds to 369.4 gals for the 16 cylinder DG and 412.1 gals for the 20 cylinder DG. The TSinop mark corresponds to 347.5 gals for the 16 cylinder DG and 386.2 gals for the 20 cylinder DG. A period of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

C.1 In this Condition the 7 day fuel oil supply (41,691 gallons) for a DG during Mode 5 or 6 is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (35,735 gallons). These circumstances may be caused by events such as full load operations required after an inadvertent start while at minimum required level; or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable.

This period is acceptable based on the remaining capacity

(> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

D.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of (continued)

SAN ONOFRE--UNIT 2 B 3.8-39 Amendment No. 127 03/25/02

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES (continued)

ACTIONS F.1 (continued) are accomplished on the first attempt, and the low probability of an event during this brief period.

G.1 With a Required Action and associated Completion Time not met, or one or more DGs with diesel fuel oil or lube oil not within limits for reasons other than addressed by Conditions A through F. the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil (2 45,662 gallons in Mode 1, 2, 3, or 4 and 2 41,691 gallons in Mode 5 or 6) in the storage tanks to support each DG's operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The TS min (412.1 gal for the 20 cylinder engine and 369.4 gal for the 16 cylinder engine) requirements are based on the DG manufacturer consumption values for the run time of the DG.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-41 Amendment No. 127 03/25/02

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES (continued)

SURVEILLANCE SR 3.8.3.2 (continued)

REQUIREMENTS A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are closely monitored by the unit staff.

SR 3.8.3.3 The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:

a. Sample the new fuel oil in accordance with ASTM D4057-81 (Ref. 6);

b. Verify in accordance with the tests specified in ASTM D975-81 (Ref. 6) that the sample has a kinematic viscosity at 400 C of 2 1.9 centistokes and

4.1 centistokes, a water and sediment content of

0.05% by volume, and a flash point of 2 125 0 F; and

c. Verify in accordance with ASTM D287-82 that the sample has an API gravity at 60'F of 2 300 and

420.

Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.

Within 31 days following the initial new fuel oil delivery, the fuel oil is analyzed to establish that the other properties specified in table 1 of ASTM D975-81 (Ref. 6) are met when tested in accordance with ASTM D975-81, except that (continued)

SAN ONOFRE--UNIT 2 B 3.8-42 Amendment No. 127 03/25/02

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES (continued)

SURVEILLANCE SR 3.8.3.4 (continued)

REQUIREMENTS alarms, to alert the operator to below normal air start pressure.

SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous microorganisms that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for microbial survival in the storage tanks. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, and contaminated fuel oil, and from breakdown of the fuel oil by microorganisms. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system.

The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 2). This SR is for preventative maintenance. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during performance of the Surveillance.

SR 3.8.3.6 Draining of the fuel oil stored in the supply tanks, removal of accumulated sediment, and tank cleaning are required at 10 year intervals by Regulatory Guide 1.137 (Ref. 2),

paragraph 2.f. This also requires the performance of the ASME Code,Section XI (Ref. 7), examinations of the tanks.

To preclude the introduction of surfactants in the fuel oil system, the cleaning should be accomplished using sodium hypochlorite solutions, or their equivalent, rather than soap or detergents. This SR is for preventative maintenance. The presence of sediment does not necessarily represent a failure of this SR, provided that accumulated sediment is removed during performance of the Surveillance.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-44 Amendment No. 127 03/25/02 [

SAN ONOFRE UNIT 3 REVISED BASES PAGES LCO Applicability B 3.0 BASES (continued)

LCO 3.0.3 Voluntary entry into LCO 3.0.3 is permissible but requires (continued) prior approval (approval may be verbal) from either the Operations Manager, Station Manager or Vice President, I Nuclear Generation. The approval must subsequently be documented in written retrievable manner. Inadvertent entry still allows for the one hour preparation period before Actions to change MODES must begin.

A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met.

b. A Condition exists for which the Required Actions have now been performed.

c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of Specification 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the time allowed for reaching MODE 4 is the next 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months , because the total time for reaching MODE 4 is not reduced from the allowable limit of 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3.

The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications (continued)

SAN ONOFRE--UNIT 3 B 3.0-4 Amendment No. 116 12/19/02 1

SR Applicability B 3.0 BASES (continued)

SR 3.0.3 been completed within the specified Frequency. A delay (continued) period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified frequency , whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

This delay period provides an adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10CFR50, Appendix J. as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.

However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

(continued)

SAN ONOFRE--UNIT 3 B 3.0-13 Amendment No. 177 5/8/02 Re-issued 10/25/02 I

SR Applicability B 3.0 BASES (continued)

SR 3.0.3 Failure to comply with specified Frequencies for SRs is (continued) expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillances as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10CFR50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182,

'Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants.' This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component.

Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

(continued)

SAN ONOFRE--UNIT 3 B 3.0-14 Amendment No. 177 5/8/02

SR Applicability B 3.0 BASES (continued)

SR 3.0.3 Completion of the Surveillance within the delay period (continued) allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified Condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. This Specification applies to changes in MODES or other specified conditions in the Applicability associated with unit shutdown as well as startup.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs annotation is found in Section 1.4, Frequency.

SAN ONOFRE--UNIT 3 B 3.0-15 Amendment No. 177 5/8/02

MTC B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Moderator Temperature Coefficient (MTC)

BASES BACKGROUND According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.

The MTC relates a change in core reactivity to a change in reactor coolant temperature. A positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature. The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.

MTC values are predicted at selected burnups during the reload design process and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the beginning of cycle (BOC) MTC is less positive than that allowed by the LCO. The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.

The core design may require additional fixed distributed poisons (lumped burnable poison assemblies) to yield an MTC at the BOC within the range analyzed in the plant accident analysis.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-19 Amendment No. 116 01/03/02

MTC B 3.1.4 BASES (continued)

APPLICABLE The reload analyses assume conservative MTC values at BOC SAFETY ANALYSES and EOC under steady state conditions. The MTC is verified (continued) to be within these limits within +/-14 EFPD of the predicted peak boron concentration and again within t30 EFPD of 2/3 of expected core burnup. Verification that the EOC MTC will remain within limits is accomplished by extrapolating the measured MTC values to the EOC. The measured MTC values may be compensated to RTP for direct comparison with the BOC an EOC limits. The MTC measurement and extrapolation may be repeated within the required surveillance FREQUENCY of +/-30 EFPD of 3/43 of the expected core burnup to ensure an accurate prediction EOC MTC.

The MTC satisfies Criterion 2 of the NRC Policy Statement.

LCO LCO 3.1.4 requires the MTC to be within the specified limits of the COLR to ensure the core operates within the assumptions of the accident analysis. During the reload design process, the MTC is analyzed to determine that its values remain within the bounds of the reference accident analysis during operation. The limit on a positive MTC ensures that core overheating accidents will not violate the accident analysis assumptions. The negative MTC limit for EOC specified in the COLR ensures that core overcooling accidents will not violate the accident analysis assumptions.

MTC is a core physics parameter determined by the fuel and fuel cycle design and cannot be easily controlled once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement. The surveillance checks at BOC and MOC on an MTC provide confirmation that the MTC is behaving as anticipated, so that the acceptance criteria are met.

APPLICABILITY In MODE 1, the limits on the MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis. In MODE 2, the limits must also be maintained to ensure startup and subcritical accidents, such as the uncontrolled CEA assembly or group withdrawal, will not violate the assumptions of the accident analysis. In (continued)

SAN ONOFRE--UNIT 3 B 3.1-21 Amendment No. 116 01/03/02 l

Boration Systems - Operating B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEM B 3.1.9 Boration Systems - Operating BASES BACKGROUND The Chemical and Volume Control System (CVCS) functions to provide a means for reactivity control and maintaining reactor coolant inventory, activity, and chemistry. The CYCS includes the letdown and boron injection subsystems.

The boron injection subsystem is required to establish and maintain a safe shutdown condition for the reactor. The letdown portion of the CVCS is used for normal plant operation, however, it is not required for safety. Although automatic boron injection via the charging pumps is not required for any design basis event, a Safety Injection Actuation Signal (SIAS) starts all three charging pumps and opens the associated boric acid flow path valves.

Two OPERABLE trains of boron injection flow paths are required while operating in Modes 1, 2, 3, and 4. Each train consists of two flow paths from borated water sources to the RCS via charging pumps and/or HPSI pumps. A charging pump boron injection flow path is a suction path from a Eorated water supply to the charging pumps and through a common discharge path from the charging pumps to the RCS. A HPSI boron injection flow path is a suction path from the RWST to the HPSI pump and through the HPSI cold leg discharge header to the RCS.

There are two borated water sources for the charging pumps suction flow paths. One source is the Boric Acid Makeup I (BAMU) tanks with their individual or combined contents in accordance with the LCS, and through the Train A BAMU pump(s), or the Train B associated gravity feed valves, and onto the Train A and B charging pumps. Another source includes the RWST (TS 3.5.4), through the Train B gravity feed valve, and the Train B charging pumps. Power is provided by the OPERABLE onsite emergency power supply specified by TS 3.8.1.

The system contains an alternate discharge flow path to permit borating should the common charging line become unavailable. The specific HELB events requiring use of the alternate discharge flow path for boron injection are identified in UFSAR Sections 3.6A.2.13, 3.6A.2.15, 3.6A.3.1.2, and 3.6A.3.2.2. Use of the alternate discharge flow path is limited as stated in UFSAR Section 3.6.2.1.2.1, High Energy Piping.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-54 Amendment No. 116 08/03/01

Boration Systems - Operating B 3.1.9 BASES (continued)

BACKGROUND The boron concentration is controlled to provide shutdown (continued) margin (SDM) for maintenance, refueling and emergencies.

Boron concentration is adjusted to obtain optimum CEA positioning and compensate for normal reactivity changes associated with changes in reactor coolant temperature, core burnup, and xenon concentration. The boration capability is sufficient to provide the required SDM assuming the highest I worth CEA is stuck out after xenon decay and cooldown to 200'F in accordance with GDC 26 and 27 (Ref. 1 and 2). I APPLICABLE The charging pumps inject borated water into the RCS to SAFETY ANALYSES provide reactivity control. There are three installed charging pumps with one normally in operation balancing the letdown purification flow and the reactor coolant pump controlled bleed-off flow. I The purpose of the required borated water sources and flow paths to the RCS is to ensure that sufficient borated water is available to maintain the reactor subcritical and provide makeup water to account for RCS shrinkage during cooldown to cold shutdown conditions. The range of volumes and concentrations (approximately 2.25 to 3.5 wt% boric acid),

to be maintained in either or both BAMU tanks depend on the concentration in the RWST since both water sources are required to provide boration during plant cooldown.

The capacity of the charging pumps and the required amount of borated water stored in the RWST and BAMUs is sufficient to maintain shutdown margin during a plant cooldown to MODE 5 with a shutdown margin in accordance with TS 3.1.1 and 3.1.2 at any time during plant life. The maximum expected boration capability requirement occurs at the end of core life from full power equilibrium xenon conditions. During this condition the required boric acid solution is supplied to the RCS by the charging pumps from the BAMU tanks with the contents in accordance with the LCS, plus approximately 13,000 gallons of 2350 ppm borated water from the OPERABLE I

RWST.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-55 Amendment No. 116 08/03/01 l

Boration Systems - Operating B 3.1.9 BASES (continued)

APPLICABLE The design of the CVCS boration subsystems incorporates a I SAFETY ANALYSES high degree of functional reliability by providing redundant (continued) components, an alternate path for charging and either offsite or onsite power supplies. Gravity feed lines from each Boric Acid Makeup (BAMU) tank and the RWST assure that I a source of borated water is available to the charging pump suction header. All charging header discharge valves are in their safe shutdown positions or locked open, and the power operated valve in the common charging discharge line is open with power removed in accordance with NRC Branch Technical Position ICSB-18) to preclude single failure. Although the CVCS boron injection subsystem has a single discharge line from the charging pumps to the RCS, should the charging line inside containment be inoperable, (e.g., due to postulated pipe ruptures as described in UFSAR Sections 3.6A.2.13 and 3.6A.2.15) the line may be isolated outside containment and flow redirected through the alternate discharge path via the high pressure safety injection headers to assure boron injection capability. If the RWST gravity feed path to the I charging pump suction were unavailable, sufficient borated water is available from the BAMU tanks (one or both in combination) to provide makeup to allow for plant cooldown to the point where the plant is depressurized sufficiently to allow injection of borated water into the RCS from the RWST using the HPSI pumps. If the normal power supply system should fail, the charging pumps, boric acid makeup pumps, and all related automatic control valves are powered from an emergency bus. Therefore, the malfunction or I failure of one active component would not reduce the ability to borate the RCS since an alternate flow path is always available for emergency boration.

The Boration Systems satisfy Criterion 3 of the NRC Policy Statement.

LCO Two operable boron injection flow paths are required while operating in Modes 1, 2, 3, and 4. These two boration flow paths will ensure that a means of controlling RCS boron I

concentration is available.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-56 Amendment No. 116 08/03/01 1

Boration Systems - Operating B 3.1.9 BASES (continued)

APPLICABILITY In MODES 1, 2, 3, and 4, boron injection flow paths are required to maintain RCS boron concentration and Shutdown Margin (SDM) requirements for maintenance, refueling and emergencies. When hot leg injection is not required to satisfy TS 3.5.2, the discharge path from the charging pumps to the RCS can be redirected through the alternate discharge path via the high pressure safety injection headers. A change in boron concentration may be required to obtain optimum CEA positioning and compensate for normal reactivity changes associated with changes in reactor coolant temperature, core burnup, and xenon concentration. The boration capability is sufficient to provide the required SDM assuming the highest worth CEA is stuck out after xenon decay and cooldown to 200 0F.

In MODES 1, 2, 3, and 4, two boron injection flow paths (Train A and Train B powered per the offsite or onsite I emergency power supply specified by TS 3.8.1) shall be OPERABLE. The Train A flow path is composed of the requirements of paragraph I and II. The Train B flow path is composed of the requirements of paragraph III and IV.

I. One of these combinations provide a Train A flow path from the Boric Acid tanks: I A.1 One Boric Acid Makeup (BAMU) tank (with the tank contents in accordance with the LCS 3.1.104) via the associated BAMU pump to the charging pumps, I OR A.2 Both BAMU tanks (with the combined contents of each tank in accordance with the LCS 3.1.104) via the associated BAMU pumps to the charging pumps. I II. A Train A flow path from the Refueling Water Storage Tank (RWST), with the contents as specified in TS 3.5.4, via the HPSI pumps and at least one discharge flow path as specified in TS 3.5.2 or 3.5.3 when the plant depressurizes.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-57 Amendment No. 116 08/03/01