ML051790253

Cycle 13 Technical Specification Bases Page Updates
Site: San Onofre
Issue date: 06/23/2005
From: Scherer A
Southern California Edison Co
To: Document Control Desk, Office of Nuclear Reactor Regulation

SOUTHERN CALIFORNIA EDISON
An EDISON INTERNATIONAL Company

A. Edward Scherer
Manager of Nuclear Regulatory Affairs

June 23, 2005

U.S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, D.C. 20555

SUBJECT: Docket Nos. 50-361 and 50-362
Cycle 13 Technical Specification Bases Page Updates
San Onofre Nuclear Generating Station, Units 2 & 3

Gentlemen:

Enclosed is the Cycle 13 update to the San Onofre Units 2 and 3 Technical Specification (TS) Bases. As required by TS 5.4.4, changes to the TS Bases implemented without prior NRC approval are provided to the NRC on a frequency consistent with 10 CFR 50.71 (e).

Included in this update are all TS Bases pages that have been revised between May 1, 2003, and June 15, 2005. The pages are marked with change bars in the right hand margin to show where changes have been made.

Pages that are supplied without any change bars reflect text rollover from one page to the next as the result of additions or deletions.

If you have any questions on this subject, please contact Mr. J. L. Rainsberry (949/368-7420).

Sincerely,

Enclosure

cc: B. S. Mallett, Regional Administrator, NRC Region IV
C. C. Osterholtz, NRC Senior Resident Inspector, San Onofre Units 2 & 3
B. M. Pham, NRC Project Manager, San Onofre Units 2 and 3

P.O. Box 128, San Clemente, CA 92674-0128
949-368-7501, Fax 949-368-7575

ENCLOSURE

PART 1: SAN ONOFRE UNIT 2 REVISED BASES PAGES
PART 2: SAN ONOFRE UNIT 3 REVISED BASES PAGES

Bases Change Package Numbers: B03-001, B03-007, B03-008, B03-010, B03-011, B04-001, B04-002, B04-003, B05-001, B05-003, B05-004

SAN ONOFRE UNIT 2 REVISED BASES PAGES

Reactor Core SLs B 2.1.1

B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs

BASES

BACKGROUND

GDC 10 (Ref. 1) requires and SLs ensure that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.

The restrictions of this SL prevent overheating of the fuel and cladding and possible cladding perforation that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state, peak Centerline Temperature below the melting point. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Fuel centerline melting occurs when the local peak linear heat rate (LHR), or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.

Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in the heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.

(continued)

SAN ONOFRE--UNIT 2 B 2.0-1 Amendment No. 192 07/19/04

Reactor Core SLs B 2.1.1 BASES

APPLICABLE SAFETY ANALYSES (continued)

h. Local Power Density - High trip;
i. DNBR - Low trip;
j. Reactor Coolant Flow - Low trip; and
k. Steam Generator Safety Valves.

The SL represents a design requirement for establishing the protection system trip setpoint allowable values identified previously. LCO 3.2.1, "Linear Heat Rate (LHR)," and LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)," or the assumed initial conditions of the safety analyses (as indicated in the UFSAR, Ref. 2) provide more restrictive limits to ensure that the SLs are not exceeded.

SAFETY LIMITS SL 2.1.1.1 and SL 2.1.1.2 ensure that the minimum DNBR is not less than the safety analyses limit and that fuel centerline temperature remains below melting.

The minimum value of the DNBR during normal operation and design basis AOOs is limited to 1.31, based on a statistical combination of CE-1 CHF correlation and engineering factor uncertainties, and is established as an SL. Additional factors such as rod bow and spacer grid size and placement will determine the limiting safety system settings required to ensure that the SL is maintained.

A steady state peak linear heat rate of 21 KW/ft has been established as the Limiting Safety System Setting to prevent fuel centerline melting during normal steady state operation. Following design basis anticipated operational occurrences, the transient linear heat rate may exceed 21 KW/ft provided the fuel centerline melt temperature is not exceeded.

The design melting point of new fuel with no burnable poison is 5080°F. The melting point is adjusted downward from this temperature depending on the amount of burnup and amount and type of burnable poison in the fuel. The 58°F per 10,000 MWD/MTU adjustment for burnup was accepted by the NRC in Topical Report CEN-386-P-A, Reference 5. Adjustments for burnable poisons are established based on NRC approved Topical Report CENPD-382-P-A, Reference 6.

(continued)

SAN ONOFRE--UNIT 2 B 2.0-3 Amendment No. 192 07/19/04

Reactor Core SLs B 2.1.1 BASES APPLICABILITY SL 2.1.1.1 and SL 2.1.1.2 only apply in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The steam generator safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3.

In MODES 3, 4, 5, and 6, Applicability is not required, since the reactor is not generating a significant fraction of rated thermal power (RTP).

(continued)

SAN ONOFRE--UNIT 2 B 2.0-3a Amendment No. 192 07/19/04

Reactor Core SLs B 2.1.1 BASES

SAFETY LIMIT VIOLATIONS

2.2.6 (continued)

analyses, and actions are completed before the unit begins its restart to normal operation.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. UFSAR, Section 15.0.3.2, "Initial Conditions."
3. 10 CFR 50.72.
4. 10 CFR 50.73.
5. CEN-386-P-A, "Verification of the Acceptability of a 1-Pin Burnup Limit of 60 MWD/MTU for Combustion Engineering 16x16 PWR Fuel," August 1992.
6. CENPD-382-P-A, "Methodology for Core Designs Containing Erbium Burnable Absorbers," August 1993.

SAN ONOFRE--UNIT 2 B 2.0-5 Amendment No. 192 07/19/04

LHR B 3.2.1 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 1);

and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (GDC 27, Ref. 4).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in determining the power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing the LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core.

Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses.

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This (continued)

SAN ONOFRE--UNIT 2 B 3.2-4 Amendment No. 192 07/19/04

Fxy B 3.2.2 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 1);

and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (GDC 26, Ref. 4).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and the uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses.

Fuel cladding damage does not occur because of conditions outside the limits of these LCOs for ASI, Fxy, and Tq during normal operation. However, fuel cladding damage may result if an accident occurs with initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can (continued)

SAN ONOFRE--UNIT 2 B 3.2-12 Amendment No. 192 07/19/04

Tq B 3.2.3 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During a CEA ejection accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 5);

and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 6).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 1). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analysis (Ref. 2) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 1). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits of these variables ensures that their actual values are within the range used in the accident analyses.

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs due to initial conditions outside the limits of these LCOs. The potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

Tq satisfies Criterion 2 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 2 B 3.2-19 Amendment No. 192 07/19/04

DNBR B 3.2.4 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);
c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 1);

and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 6).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 4). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate so that the peak cladding temperature does not exceed 2200°F (Ref. 4). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the range used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This (continued)

SAN ONOFRE--UNIT 2 B 3.2-29 Amendment No. 192 07/19/04

ASI B 3.2.5 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations among measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the range used in the accident analysis.

Fuel cladding damage does not occur from conditions outside these LCOs during normal operation. However, fuel cladding damage results when an accident occurs due to initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

(continued)

SAN ONOFRE--UNIT 2 B 3.2-38 Amendment No. 192 07/19/04

RPS Instrumentation - Operating B 3.3.1 BASES (continued)

LCO (continued)

inoperable and reduces the reliability of the affected Functions.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in CE NPSD-570-P (Ref. 6).

The Bases for the individual Function requirements are as follows:

1. Linear Power Level - High This LCO requires all four channels of Linear Power Level - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Linear Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur.

2. Logarithmic Power Level - High This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2, and in (continued)

SAN ONOFRE--UNIT 2 B 3.3-17 Amendment No. 127 09/16/03

RPS Instrumentation - Operating B 3.3.1 BASES (continued)

REFERENCES 1. 10 CFR 20.

2. 10 CFR 100.
3. IEEE Standard 279-1971, April 5, 1972.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE NPSD-570-P (SONGS document number S023-944-C50).
7. UFSAR, Section 7.2.
8. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
9. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.
10. Methodology for Developing Risk-Based Surveillance Programs for Safety-Related Equipment at San Onofre Nuclear Generating Station Units 2 and 3, PLG-0575, April 1992.
11. NRC Safety Evaluation Report for SONGS Unit 2 Operating License Amendment No. 150 dated February 12, 1999.
12. NRC Safety Evaluation Report for SONGS Unit 2 Operating License Amendment No. 142 dated September 25, 1998.
13. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."

SAN ONOFRE--UNIT 2 B 3.3-37a Amendment No. 188 09/16/03

ESFAS Instrumentation B 3.3.5 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued)

based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.5.7 SR 3.3.5.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2 and SR 3.3.5.3, except SR 3.3.5.7 is performed within 120 days prior to startup and is only applicable to bypass functions. Since the Pressurizer Pressure - Low bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

The CHANNEL FUNCTIONAL TEST for proper operation of the bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function. Consequently, just prior to startup is the appropriate time to verify bypass function OPERABILITY. Once the bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2. The allowance to conduct this test once within 120 days prior to each reactor startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 10).

REFERENCES 1. SONGS Units 2 and 3 UFSAR, Section 7.3.

2. 10 CFR 50, Appendix A.
3. IEEE Standard 279-1971.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE NPSD-570-P (SONGS document number S023-944-C50).
7. SONGS Units 2 and 3 UFSAR, Section 7.2.
8. CEN-327, May 1986, including Supplement 1, March 1989.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-103b Amendment No. 157 09/16/03

PAM Instrumentation B 3.3.11 BASES (continued)

LCO (continued)

10. Deleted

11. Pressurizer Level Pressurizer Level is used to determine whether to terminate safety injection (SI), if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition.
12. Steam Generator Water Level Steam Generator Water Level is provided to monitor operation of decay heat removal via the steam generators. The Category I indication of steam generator level is the wide range level instrumentation. Temperature compensation of this indication is performed manually by the operator.

Redundant monitoring capability is provided by two trains of instrumentation.

Operator action is based on the control room indication of Steam Generator Water Level. The RCS response during a design basis small break LOCA is dependent on the break size. For a certain range of break sizes, the boiler condenser mode of heat transfer is necessary to remove decay heat. Wide range level is a Type A variable because the operator must manually raise and control the steam generator level to establish steaming. Operator action is initiated on a loss of subcooled margin. Feedwater flow is increased until the indicated wide range level reaches the minimum required level.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-166 Amendment No. 27--,194 04/25/05

PAM Instrumentation B 3.3.11 BASES (continued)

ACTIONS B.1 (continued)

This Required Action specifies initiation of actions in accordance with Specification 5.7.2 (Special Reports), which requires a written report to be submitted to the Nuclear Regulatory Commission. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative Required Actions. This Required Action is appropriate in lieu of a shutdown requirement, given the likelihood of plant conditions that would require information provided by this instrumentation.

Also, alternative Required Actions are identified before a loss of functional capability condition occurs.

C.1 When one or more Functions have two required channels inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAMI operation and the availability of alternate means to obtain the required information.

Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAMI. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-171 Amendment No. +21-,194 04/25/05

PAM Instrumentation B 3.3.11 BASES (continued)

ACTIONS D.1 When the required channel of Function 18, 21, 24, or 25 becomes inoperable, Required Action E.1 requires the channel to be restored to OPERABLE status within 7 days. Continuous operation with the required channel inoperable is not acceptable because alternate indications are not available.

E.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.11-1. The applicable Condition referenced in the Table is Function dependent.

Each time Required Action C.1 or D.1 is not met, and the associated Completion Time has expired, Condition E is entered for that channel and provides for transfer to the appropriate subsequent Condition.

F.1 and F.2 If the Required Action and associated Completion Time of Condition C or D are not met and Table 3.3.11-1 directs entry into Condition F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

G.1 Alternate means of monitoring Reactor Vessel Water Level and Containment Area Radiation have been developed and tested.

These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.7.2. The report provided to the NRC should discuss whether the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-172 Amendment No. 4-7-,194 04/25/05

Pressurizer Safety Valves B 3.4.10 BASES (continued)

ACTIONS B.1 and B.2 (continued)

The 6 hours allowed is reasonable, based on operating experience, to reach MODE 3 from full power without challenging plant systems. Similarly, the 12 hours allowed is reasonable, based on operating experience, to reach MODE 4 without challenging plant systems. The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by two pressurizer safety valves.

SURVEILLANCE REQUIREMENTS

SR 3.4.10.1 SRs are specified in the inservice testing program.

Pressurizer safety valves are to be tested one at a time and in accordance with the requirements of Section XI of the ASME Code (Ref. 1), which provides the activities and the Frequency necessary to satisfy the SRs.

The as-found pressurizer safety valve tolerance is +3% or -2% for OPERABILITY. The as-found setpoints include instrument uncertainty (e.g., if instrument uncertainty is ±0.25%, then the required as-found setpoint requirements would be +2.75%/-1.75%). Following as-found testing, pressurizer safety valves shall be set within ±1% of the specified setpoint.

REFERENCES 1. ASME, Boiler and Pressure Vessel Code, Section III, Section XI.

2. UFSAR, Section 5.4
3. UFSAR, Section 15.
4. ABB Letter No. ST-96-623 dated December 19, 1996; subject: Transmittal and Completion of the SCE SONGS 2/3 PSV Tolerance Study.

SAN ONOFRE--UNIT 2 B 3.4-54 Amendment No. +2-7-156 4/27/05

SITs B 3.5.1 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

failure proof; therefore, whenever the SIT isolation valves are open, power is removed from their operators and the switch is key locked open. In addition, whenever the SITs are required to be operable, power is removed from the SIT vent valves by removing the vent valve fuses or placing the disconnect switch in the open position.

These precautions ensure that the SITs are available during an accident (Ref. 4). With power supplied to the valves, a single active failure could result in a valve closure, which would render one SIT unavailable for injection. If a second SIT is lost through the break, only two SITs would reach the core. An active failure that could affect the SITs would be the closure of a motor operated outlet valve or opening of a SIT vent valve. The requirement to remove power from these valves eliminates these failure modes. The surveillance requirement to ensure power is removed from the SIT vent valves is controlled by the Licensee Controlled Specification (LCS).

The minimum volume requirement for the SITs ensures that three SITs can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the HPSI and LPSI systems start to deliver flow.

The maximum volume limit is based on maintaining an adequate gas volume to ensure proper injection and the ability of the SITs to fully discharge, as well as limiting the maximum amount of boron inventory in the SITs.

A minimum of 1680 cubic feet of borated water, and a maximum of 1807 cubic feet of borated water, are used in the safety analyses as the volume in the SITs.

The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection that are consistent with those assumed in the safety analyses.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-4 Amendment No. 127 05/05/03

ADVs B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Atmospheric Dump Valves (ADVs)

BASES BACKGROUND The ADVs provide a safety grade method for cooling the unit to Shutdown Cooling (SDC) System entry conditions, should the preferred heat sink via the Steam Bypass System to the condenser not be available, as discussed in the UFSAR, Section 10.3 (Ref. 1). This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the condensate storage tank (CST). The ADVs may also be required to meet the design cooldown rate during a normal cooldown when steam pressure drops too low for maintenance of a vacuum in the condenser to permit use of the Steam Bypass System.

The ADVs are used during normal plant startups and cooldowns when either a vacuum in the condenser or the Steam Bypass Control System is not available. The ADVs are capable of being operated remotely from either the Control Room or the Remote Shutdown Panel (L-042), and locally with manual handwheels. However, controlling the ADVs from the Remote Shutdown Panel is not credited in the Safety Analyses.

Operating the ADVs during design bases events from the Remote Shutdown Panel is not a criterion for determining ADV operability.

Two ADV lines are provided. Each ADV line consists of one ADV and an associated block valve. The ADVs are provided with upstream block valves to permit their being tested at power, and to provide an alternate means of isolation. The ADVs are equipped with pneumatic controllers to permit control of the cooldown rate.

The ADVs are normally operated from the plant non-safety instrument air supply. A Seismic Category I Pressurized Gas Supply, which consists of nitrogen stored in accumulators, is provided to the ADVs on loss of instrument air. The nitrogen accumulator pressure is read locally, and is alarmed in the control room on low pressure. The nitrogen accumulator pressure is used to determine if there is enough backup nitrogen gas for each ADV to have at least 8 hours of pneumatic operation. This is based on the time needed to reach shutdown cooling (SDC) conditions during a small break (continued)

SAN ONOFRE--UNIT 2 B 3.7-17 Amendment No. 127 06/02/04

ADVs B 3.7.4 BASES (continued)

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.4 does not apply.

With one required ADV inoperable, action must be taken to restore the OPERABLE status within 72 hours.

B.1 With two ADVs inoperable, action must be taken to restore one of the ADVs to OPERABLE status. As the block valve can be closed to isolate an ADV, some repairs may be possible with the unit at power. The 24 hour Completion Time is reasonable to repair inoperable ADVs, based on the availability of the Steam Bypass System and MSSVs, and the low probability of an event occurring during this period that requires the ADVs.

C.1 If backup nitrogen gas supply system capacity for one or more required ADV is less than or equal to 8 hours, action should be taken to restore nitrogen gas supply system capacity in 72 hours. The backup nitrogen capacity is controlled to a minimum accumulator pressure of 1018 psig [1060 psig including total loop uncertainty (Ref. 2)]. This pressure represents enough backup nitrogen gas system capacity for each ADV to have up to 8 hours of pneumatic operation. This time period is consistent and conservative relative to the SONGS Units 2 and 3 emergency operating instructions.

The completion time of 72 hours is based on operating experience and on the fact that normal operating instrument air supply system is still available.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-20 Amendment No. 127 06/02/04

ADVs B 3.7.4 BASES (continued)

ACTIONS D.1 and D.2 (continued)

If the ADVs cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance upon the steam generator for heat removal, within 18 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 If the nitrogen backup gas supply system cannot be restored to OPERABLE status in 72 hours, the ADV will be declared inoperable immediately. This Action will place the unit in the condition of operation when only one ADV is available.

In this situation the CONDITION A of this LCO becomes applicable. The COMPLETION TIME for that CONDITION gives 72 hours to restore one inoperable ADV to OPERABLE status.

SURVEILLANCE REQUIREMENTS SR 3.7.4.1 This SR ensures there is sufficient backup nitrogen to reach shutdown cooling following a Small Break Loss of Coolant Accident (SBLOCA) or natural circulation cooldown. A minimum accumulator pressure of 1018 psig is used to ensure sufficient backup nitrogen capacity. This pressure includes allowances for seven days worth of leakage and uncertainty in the nitrogen consumption rates and subsequent 8 hours of operation.

The 7 days FREQUENCY is based on operating experience and on the fact that normal operating instrument air supply system is still available.

SR 3.7.4.2 To perform a controlled cooldown of the RCS, the ADVs must be able to be opened and throttled through their full range.

Although use of an ADV during a unit cooldown may satisfy this requirement, the required Inservice Testing program ensures these valves are capable of performing their design function.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-21 Amendment No. 127 06/02/04

ADVs B 3.7.4 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.7.4.2 (continued)

The Inservice Testing program requires an ADV partial stroke test on a quarterly frequency and a full stroke test on a cold shutdown frequency.

Operating experience has shown that the Frequency, "In accordance with the IST program," is acceptable from a reliability standpoint.

REFERENCES 1. UFSAR, Section 10.3.

2. Calculation J-ABB-031, "ADV Nitrogen Supply Pressure Indicator Uncertainty"

SAN ONOFRE--UNIT 2 B 3.7-22 Amendment No. 127 06/02/04

AFW System B 3.7.5 BASES (continued)

ACTIONS H.1 (continued)

CONDITION H specifies the requirements for any automatic valve in any AFW flow path upon receipt of a Main Steam Isolation Signal (MSIS). ACTION H.1 requires the automatic valve or its block valve be closed when this automatic valve is incapable of closing upon receipt of a MSIS. REQUIRED ACTION H.2 requires entering appropriate ACTIONS if there is a loss of the flow path(s). These ACTIONS specify AFW system OPERABILITY in the different MODES of operation and in the different AFW system configurations.

SURVEILLANCE REQUIREMENTS SR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW water and steam supply flow paths provides assurance that the proper flow paths exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulations; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.5.2 This SR verifies that the AFW pumps develop sufficient discharge pressure to deliver the required flow at the full open pressure of the MSSVs. Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing is performed on recirculation flow.

Periodically comparing the reference differential pressure developed at this reduced flow detects trends that might be indicative of incipient failures. Performance of inservice testing, discussed in the ASME/ANSI OM (Part 6) (Ref. 2) satisfies this requirement.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-31 Amendment No. 191 11/25/03

AFW System B 3.7.5 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.7.5.2 (continued)

LCO 3.7.5 permits plant operation in MODE 4 with one motor driven AFW pump and/or the turbine driven AFW pump inoperable. During plant operation in MODE 4, the turbine driven AFW pump does not have to be surveilled because steam generator pressure is less than 800 psig (NOTE for SR 3.7.5.2). During plant operation in MODE 4 with one motor driven AFW pump inoperable, SR 3.7.5.2 does not have to be performed on the inoperable motor driven pump (SR 3.0.1).

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established.

This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.3 This SR ensures that AFW can be delivered to the appropriate steam generator or that the AFW system is isolated, in the event of any accident or transient that generates an EFAS or MSIS signal, respectively, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal.

Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-32 Amendment No. 191 11/25/03

AFW System B 3.7.5 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued) SR 3.7.5.4 This SR ensures that the AFW pumps will start in the event of any accident or transient that generates an EFAS signal by demonstrating that each AFW pump starts automatically on an actual or simulated actuation signal. Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.5 This SR ensures that the AFW System is properly aligned by verifying the flow path to each steam generator prior to entering MODE 2 operation, after 30 days in MODE 5 or 6.

OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown.

The Frequency is reasonable, based on engineering judgment, and other administrative controls to ensure that flow paths remain OPERABLE. To further ensure AFW System OPERABILITY, the OPERABILITY of the normal flow paths from the CST through the AFW pump to the Steam Generators is verified following extended outages. This SR ensures that the normal paths from the CST to the Steam Generators are OPERABLE by raising Steam Generator level by 2% using AFW flow from the CST.

REFERENCES 1. UFSAR, Section 10.4.9.

2. ASME/ANSI OM (Part 6).

SAN ONOFRE--UNIT 2 B 3.7-33 Amendment No. 191 11/25/03

CREACUS B 3.7.11 BASES (continued)

BACKGROUND (continued) closes the unfiltered-outside-air intake and unfiltered exhaust dampers, and aligns the system for recirculation of control room air through the redundant trains of HEPA and charcoal filters.

The emergency mode initiates pressurization of the control room. Outside air is added to the air being recirculated from the control room. Pressurization of the control room prevents infiltration of unfiltered air from the surrounding areas of the building.

The control room supply and the outside air supply of the normal control room HVAC are monitored by radiation and toxic-gas detectors respectively. One detector output above the setpoint will cause actuation of the emergency mode or isolation mode as required. The actions of the isolation mode are more restrictive, and will override the actions of the emergency mode of operation. However, toxic gas and radiation events are not considered to occur concurrently.

A single train will pressurize the control room to at least 0.125 inches water gauge, and provides an air exchange rate in excess of 25% per hour. The CREACUS operation in maintaining the control room habitable is discussed in Reference 1.

Redundant recirculation trains provide the required filtration should an excessive pressure drop develop across the other filter train. Normally-open isolation dampers are arranged in series pairs so that one damper's failure to shut will not result in a breach of isolation. The CREACUS is designed in accordance with Seismic Category I requirements.

The CREACUS is designed to maintain the control room environment for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5-rem whole-body dose.

APPLICABLE SAFETY ANALYSES The CREACUS components are arranged in redundant safety related ventilation trains. The location of components and ducting within the control room envelope ensures an adequate supply of filtered air to all areas requiring access.

The CREACUS provides airborne radiological protection for the control room operators, as demonstrated by the control (continued)

SAN ONOFRE--UNIT 2 B 3.7-57 Amendment No. 127 04/25/05

CREACUS B 3.7.11 BASES (continued)

ACTIONS A.1 (continued)

With one CREACUS train inoperable, action must be taken to restore OPERABLE status within 14 days. The 14 day AOT is based on a probabilistic risk assessment that does not require administrative controls to be implemented when a CREACUS train is taken out of service. In this Condition, the remaining OPERABLE CREACUS subsystem is adequate to perform control room radiation protection function.

However, the overall reliability is reduced because a single failure in the OPERABLE CREACUS train could result in loss of CREACUS function. The 14 day Completion Time is based on the low probability of a DBA occurring during this time period, and the ability of the remaining train to provide the required capability.

B.1 If the control room boundary is inoperable in MODES 1, 2, 3, or 4, the CREACUS trains cannot perform their intended functions. Actions must be taken to restore an OPERABLE control room boundary within 24 hours. During the period that the control room boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination, toxic chemicals, smoke, temperature and relative humidity, and physical security. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour Completion Time is a typically reasonable time to diagnose, plan and possibly repair, and test most problems with the control room boundary.

C.1 and C.2 If the inoperable CREACUS or control room boundary cannot be restored to OPERABLE status within the associated Completion Time in MODE 1, 2, 3, or 4, the unit must be placed in a MODE that minimizes the accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-60 Amendment No.127 10/17/01 Re-issued 08/06/03

CREACUS B 3.7.11 BASES (continued)

ACTIONS D.1, D.2.1, and D.2.2 (continued)

In MODE 5 or 6, or during movement of irradiated fuel assemblies, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREACUS train must be immediately placed in the emergency mode of operation. This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action D.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel assemblies to a safe position.

E.1 and E.2 When in MODES 5 or 6, or during movement of irradiated fuel assemblies with two trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might enter the control room.

This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1 If both CREACUS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable control room boundary (i.e., Condition B), the CREACUS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-61 Amendment No.128 09/16/03

DC Sources - Operating B 3.8.4 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued) SR 3.8.4.8 A battery performance test is a test of constant current capacity of a battery, normally done in the "as found" condition, after having been in service, to detect any change in the capacity determined by the acceptance test.

The test is intended to determine overall battery degradation due to age and usage.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Surveillance Frequency for this test is 60 months, or every 12 months if the battery shows degradation or has reached 85% of its expected life. Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating. These frequencies are consistent with the recommendations in IEEE-450 (Ref. 9).

This SR is modified by two Notes. The reason for Note 1 is that performing the Surveillance on a battery that is connected to an OPERABLE DC system would perturb the electrical distribution system and challenge safety systems.

This note does not apply to a battery that is electrically isolated from an OPERABLE system. With BOOX connected, as allowed by TS 3.8.9 and its Bases Table B 3.8.9-1, "AC and DC Electrical Power Distribution Systems," battery performance discharge testing may be performed on electrically isolated batteries when the plant is in Modes 1 through 4. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

If for any reason a battery has to undergo both service and performance tests, one following the other during a refueling outage, then the battery shall complete the service test first. Recharging of the battery is required before the performance test is conducted. The "as found" condition prior to the performance test will be the state the battery is in immediately before the performance test.

Here at SONGS, two spare cells are normally maintained qualified by installing them on the same seismic rack where 58 active cells reside, kept on float charge and inspected by regular Preventive Maintenance (PM). These spare cells are included in the main bank during service and performance tests to demonstrate their adequacy under the configuration conditions that would be present if they were (continued)

SAN ONOFRE--UNIT 2 B 3.8-55 Amendment No. 127 08/30/04

Distribution Systems - Operating B 3.8.9 BASES (continued)

Table B 3.8.9-1 (page 1 of 1)

AC and DC Electrical Power Distribution Systems

TYPE: AC safety buses
VOLTAGE 4160 V
TRAIN A: ESF Bus A04
TRAIN B: ESF Bus A06
VOLTAGE 480 V
TRAIN A: Load Center B04
TRAIN B: Load Center B06

TYPE: DC buses
VOLTAGE 125 V
TRAIN A: Bus D1 from battery B007 and charger B001
TRAIN C: Bus D3 from battery B009 and charger B003
TRAIN B: Bus D2 from battery B008 and charger B002
TRAIN D: Bus D4 from battery B010 and charger B004

TYPE: AC vital buses
VOLTAGE 120 V
TRAIN A: Bus Y01 from inverter Y001 connected to bus D1
TRAIN C: Bus Y03 from inverter Y003 connected to bus D3
TRAIN B: Bus Y02 from inverter Y002 connected to bus D2
TRAIN D: Bus Y04 from inverter Y004 connected to bus D4

NOTES: (1) Each train of the AC, DC, and AC vital bus electrical power distribution systems is a subsystem.

(2) If a support system (e.g., charger or inverter) is declared inoperable and it has its own LCO, entry into LCO 3.8.9 is not required. Only entry into its LCO is required.

(3) An OPERABLE Class 1E battery bank BOOX may replace either battery B009 or B010 to allow battery maintenance (including replacement) activities.

SAN ONOFRE--UNIT 2 B 3.8-83 Amendment No. 127 08/30/04

Containment Penetrations B 3.9.3 BASES (continued)

BACKGROUND (continued) closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain closed or operable. Operability of the containment personnel airlock door requires that the door is capable of being closed; that the door is unblocked and no cables or hoses are being run through the airlock; and that a designated individual is continuously available to close the airlock door. This individual must be stationed at the outer airlock door.

The use of temporary ramps for equipment access through the containment personnel air lock doors is acceptable during CORE ALTERATIONS or moving of irradiated fuel within containment. These ramps do not impede closure of the containment personnel airlock doors as the ramps are quickly removed by the designated individual stationed at the outer door. Removal of the ramps is a normal function of door closure, and the ability of plant personnel to close the personnel airlock, if needed, is not compromised by the ramps. Similarly, door seal covers may be used, provided they are removed prior to air lock door closure.

Except the systems that are closed inside of containment, systems conducting a fluid in and/or out of containment can also satisfy LCO 3.9.3 in either of the following configurations:

a. Systems containing devices inside containment which would preclude free air flow from containment such as self-closing quick disconnects, relief valves venting to containment, check valve(s), five foot water seal (periodic seal verification required), reciprocating pump, pipe cap, or any other equivalent device which would preclude free air flow out of containment.
b. Systems containing devices outside containment which would preclude free air flow from containment such as a reciprocating air compressor, compressed gas cylinder, or any of the devices listed in "a" above.

(continued)

SAN ONOFRE--UNIT 2 B 3.9-10 Amendment No. +4a7-193 02/18/05

Containment Penetrations B 3.9.3 BASES (continued)

LCO This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment.

The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations and the containment personnel airlock.

For the containment personnel airlock, this LCO ensures that the airlock can be closed after containment evacuation in the event of a fuel handling accident. The requirement that the plant be in Mode 6 with 23 feet of water above the fuel in the reactor vessel or defueled configuration with fuel in the containment (i.e., fuel in the refueling machine or upender) ensures that there is sufficient time to close the personnel airlock following a loss of shutdown cooling before boiling occurs.

LCO part a. is modified by a NOTE:


NOTE

The equipment hatch may be open if all of the following conditions are met:

1) The Containment Structure Equipment Hatch Shield Doors are capable of being closed within 30 minutes,
2) The plant is in Mode 6 with at least 23 feet of water above the reactor vessel flange,
3) A designated crew is available to close the Containment Structure Equipment Hatch Shield Doors,
4) Containment purge is in service, and
5) The reactor has been subcritical for at least 72 hours.

These restrictions include the administrative controls to allow the opening of the containment equipment hatch during CORE ALTERATIONS or movement of irradiated fuel in the containment provided that 1) The Containment Structure Equipment Hatch Shield Doors are capable of being closed within 30 minutes, 2) The plant is in Mode 6 with at least 23 feet of water above the reactor vessel flange, 3) A designated crew is available to close the Containment Structure Equipment Hatch Shield Doors, 4) Containment purge is in service, and 5) The reactor shall be subcritical for at least 72 hours. The Containment Structure Equipment Hatch Shield Doors include flashing on the top and sides of the shield doors which act to retard or restrict a release of post-accident fission products. The capability to close the containment shield doors includes requirements that the doors are capable of being closed and that any cables or hoses across the opening have quick disconnects to ensure the doors are capable of being closed within 30 minutes.

(continued)

SAN ONOFRE--UNIT 2 B 3.9-13 Amendment No.2'17 ,193 02/18/05

Containment Penetrations B 3.9.3 BASES (continued)

LCO (continued) The 30 minute closure time for the containment shield doors is considered to start when the control room communicates the need to shut the Containment Structure Equipment Hatch Shield Doors. This 30-minute requirement is significantly less than the fuel handling accident analysis assumption that the containment remains open to the outside environment for a two-hour period subsequent to the accident. Placing containment purge (i.e., main purge exhaust with or without supply) in service will ensure any release from containment will be monitored.

The administrative controls will also specify the responsibility to be able to communicate with the control room, and specify the responsibility to ensure that the containment shield doors are capable of being closed in the event of a fuel handling accident. These administrative controls will ensure containment closure would be established in the event of a fuel handling accident inside containment.

LCO part b. is modified by a NOTE which allows both doors of the containment airlock to be open provided:

a. one personnel airlock door is OPERABLE, and
b.1 the plant is in MODE 6 with 23 feet of water above the fuel in the reactor vessel, or
b.2 defueled configuration with fuel in containment (i.e., fuel in refueling machine or upender).

The OPERABILITY requirements ensure that the airlock door is capable of performing its function, and that a designated individual located outside of the affected area is available to close the door. For the OPERABLE containment purge and exhaust penetrations, this LCO ensures that these penetrations are isolable by the Containment Purge Isolation System. The OPERABILITY requirements for this LCO ensure that the automatic purge and exhaust valve closure times specified in the UFSAR can be achieved and therefore meet the assumptions used in the safety analysis to ensure releases through the valves are terminated, such that the radiological doses are within the acceptance limit.

APPLICABILITY The containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment because this is when there is a potential for a fuel handling accident. In MODES 1, 2, 3, (continued)

SAN ONOFRE--UNIT 2 B 3.9-13a Amendment No.-1-2+193 02/18/05

SAN ONOFRE UNIT 3 REVISED BASES PAGES Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs BASES BACKGROUND GDC 10 (Ref. 1) requires and SLs ensure that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.

The restrictions of this SL prevent overheating of the fuel and cladding and possible cladding perforation that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state, peak Centerline Temperature below the melting point. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Fuel centerline melting occurs when the local peak linear heat rate (LHR), or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.

Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in the heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.

(continued)

SAN ONOFRE--UNIT 3 B 2.0-1 Amendment No. 183 07/19/04

Reactor Core SLs B 2.1.1 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

h. Local Power Density - High trip;
i. DNBR - Low trip;
j. Reactor Coolant Flow - Low trip; and
k. Steam Generator Safety Valves.

The SL represents a design requirement for establishing the protection system trip setpoint allowable values identified previously. LCO 3.2.1, "Linear Heat Rate (LHR)," and LCO 3.2.4, "Departure From Nucleate Boiling Ratio (DNBR)," or the assumed initial conditions of the safety analyses (as indicated in the UFSAR, Ref. 2) provide more restrictive limits to ensure that the SLs are not exceeded.

SAFETY LIMITS SL 2.1.1.1 and SL 2.1.1.2 ensure that the minimum DNBR is not less than the safety analyses limit and that fuel centerline temperature remains below melting.

The minimum value of the DNBR during normal operation and design basis AOOs is limited to 1.31, based on a statistical combination of CE-1 CHF correlation and engineering factor uncertainties, and is established as an SL. Additional factors such as rod bow and spacer grid size and placement will determine the limiting safety system settings required to ensure that the SL is maintained.

A steady state peak linear heat rate of 21 KW/ft has been established as the Limiting Safety System Setting to prevent fuel centerline melting during normal steady state operation. Following design basis anticipated operational occurrences, the transient linear heat rate may exceed 21 KW/ft provided the fuel centerline melt temperature is not exceeded.

The design melting point of new fuel with no burnable poison is 5080°F. The melting point is adjusted downward from this temperature depending on the amount of burnup and amount and type of burnable poison in the fuel. The 58°F per 10,000 MWD/MTU adjustment for burnup was accepted by the NRC in Topical Report CEN-386-P-A, Reference 5. Adjustments for burnable poisons are established based on NRC approved Topical Report CENPD-382-P-A, Reference 6.

(continued)

SAN ONOFRE--UNIT 3 B 2.0-3 Amendment No. 183 07/19/04

Reactor Core SLs B 2.1.1 BASES (continued)

APPLICABILITY SL 2.1.1.1 and SL 2.1.1.2 only apply in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The steam generator safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3.

In MODES 3, 4, 5, and 6, Applicability is not required, since the reactor is not generating a significant fraction of rated thermal power (RTP).

(continued)

SAN ONOFRE--UNIT 3 B 2.0-3a Amendment No. 183 07/19/04

Reactor Core SLs B 2.1.1 BASES (continued)

SAFETY LIMIT VIOLATIONS 2.2.6 (continued)

analyses, and actions are completed before the unit begins its restart to normal operation.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. UFSAR, Section 15.0.3.2, "Initial Conditions."
3. 10 CFR 50.72.
4. 10 CFR 50.73.
5. CEN-386-P-A, "Verification of the Acceptability of a 1-Pin Burnup Limit of 60 MWD/MTU for Combustion Engineering 16x16 PWR Fuel," August 1992.
6. CENPD-382-P-A, "Methodology for Core Designs Containing Erbium Burnable Absorbers," August 1993.

SAN ONOFRE--UNIT 3 B 2.0-5 Amendment No. 183 07/19/04

LHR B 3.2.1 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 1); and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (GDC 27, Ref. 4).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in determining the power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing the LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core.

Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses.

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This (continued)

SAN ONOFRE--UNIT 3 B 3.2-4 Amendment No. 183 07/19/04

Fxy B 3.2.2 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 1); and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (GDC 26, Ref. 4).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and the uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the ranges used in the accident analyses.

Fuel cladding damage does not occur because of conditions outside the limits of these LCOs for ASI, Fxy, and Tq during normal operation. However, fuel cladding damage may result if an accident occurs with initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can (continued)

SAN ONOFRE--UNIT 3 B 3.2-12 Amendment No. 183 07/19/04

Tq B 3.2.3 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During a CEA ejection accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 5); and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 6).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 1). This result is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analysis (Ref. 2) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate (LHGR) so that the peak cladding temperature does not exceed 2200°F (Ref. 1). Peak cladding temperatures exceeding 2200°F cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits of these variables ensures that their actual values are within the range used in the accident analyses.

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs due to initial conditions outside the limits of these LCOs. The potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

Tq satisfies Criterion 2 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 3 B 3.2-19 Amendment No. 183 07/19/04

DNBR B 3.2.4 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

a. During a LOCA, peak cladding temperature must not exceed 2200°F (Ref. 5);

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 1); and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 6).

The power density at any point in the core must be limited to maintain the fuel design criteria (Ref. 4). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations between measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum linear heat generation rate so that the peak cladding temperature does not exceed 2200°F (Ref. 4). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the range used in the accident analyses (Ref. 1).

Fuel cladding damage does not occur from conditions outside the limits of these LCOs during normal operation. However, fuel cladding damage could result if an accident occurs from initial conditions outside the limits of these LCOs. This (continued)

SAN ONOFRE--UNIT 3 B 3.2-29 Amendment No. 183 07/19/04

ASI B 3.2.5 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

b. During a loss of flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a DNB condition (Ref. 4);

c. During an ejected CEA accident, the fission energy input to the fuel must not exceed 280 cal/gm (Ref. 6);
d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 7).

The power density at any point in the core must be limited to maintain the fuel design criteria (Refs. 4 and 5). This is accomplished by maintaining the power distribution and reactor coolant conditions so that the peak Fuel Centerline Temperature and DNB parameters are within operating limits supported by the accident analyses (Ref. 1) with due regard for the correlations among measured quantities, the power distribution, and uncertainties in the determination of power distribution.

Fuel cladding failure during a LOCA is limited by restricting the maximum so that the peak cladding temperature does not exceed 2200°F (Ref. 5). Peak cladding temperatures exceeding 2200°F may cause severe cladding failure by oxidation due to a Zircaloy water reaction.

The LCOs governing LHR, ASI, and RCS ensure that these criteria are met as long as the core is operated within the ASI and Fxy limits specified in the COLR, and within the Tq limits. The latter are process variables that characterize the three dimensional power distribution of the reactor core. Operation within the limits for these variables ensures that their actual values are within the range used in the accident analysis.

Fuel cladding damage does not occur from conditions outside these LCOs during normal operation. However, fuel cladding damage results when an accident occurs due to initial conditions outside the limits of these LCOs. This potential for fuel cladding damage exists because changes in the power distribution can cause increased power peaking and correspondingly increased local LHRs.

(continued)

SAN ONOFRE--UNIT 3 B 3.2-38 Amendment No. 183 07/19/04

RPS Instrumentation- Operating B 3.3.1 BASES (continued)

LCO (continued)

inoperable and reduces the reliability of the affected Functions.

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoints are selected to ensure the setpoints measured by CHANNEL FUNCTIONAL TESTS do not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function.

These uncertainties are defined in CE NPSD-570-P (Ref. 6).

The Bases for the individual Function requirements are as follows:

1. Linear Power Level - High

This LCO requires all four channels of Linear Power Level - High to be OPERABLE in MODES 1 and 2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Linear Power Level - High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA ejection accident occur.

2. Logarithmic Power Level - High

This LCO requires all four channels of Logarithmic Power Level - High to be OPERABLE in MODE 2, and in (continued)

SAN ONOFRE--UNIT 3 B 3.3-17 Amendment No. 116 09/16/03

RPS Instrumentation - Operating B 3.3.1 BASES (continued)

REFERENCES 1. 10 CFR 20.

2. 10 CFR 100.
3. IEEE Standard 279-1971, April 5, 1972.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE NPSD-570-P (SONGS document number S023-944-C50).
7. UFSAR, Section 7.2.
8. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
9. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.
10. Methodology for Developing Risk-Based Surveillance Programs for Safety-Related Equipment at San Onofre Nuclear Generating Station Units 2 and 3, PLG-0575, April 1992.
11. NRC Safety Evaluation Report for SONGS Unit 3 Operating License Amendment No. 142 dated February 12, 1999.
12. NRC Safety Evaluation Report for SONGS Unit 3 Operating License Amendment No. 136 dated November 23, 1998.
13. CEOG Topical Report CE NPSD-1167-A, "Elimination of Pressure Sensor Response Time Testing Requirements."

SAN ONOFRE--UNIT 3 B 3.3-37a Amendment No. 179 09/16/03

ESFAS Instrumentation B 3.3.5 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued)

based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.5.7

SR 3.3.5.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2 and SR 3.3.5.3, except SR 3.3.5.7 is performed within 120 days prior to startup and is only applicable to bypass functions. Since the Pressurizer Pressure-Low bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

The CHANNEL FUNCTIONAL TEST for proper operation of the bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function. Consequently, just prior to startup is the appropriate time to verify bypass function OPERABILITY. Once the bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2. The allowance to conduct this test once within 120 days prior to each reactor startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS ESFAS Extended Test Interval Evaluation" (Refs. 8 and 10).

REFERENCES 1. SONGS Units 2 and 3 UFSAR, Section 7.3.

2. 10 CFR 50, Appendix A.
3. IEEE Standard 279-1971.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE NPSD-570-P (SONGS document number S023-944-C50).
7. SONGS Units 2 and 3 UFSAR, Section 7.2.
8. CEN-327, May 1986, including Supplement 1, March 1989.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-103b Amendment No. 148 09/16/03

PAM Instrumentation B 3.3.11 BASES (continued)

LCO (continued)

10. Deleted

11. Pressurizer Level

Pressurizer Level is used to determine whether to terminate safety injection (SI), if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition.

12. Steam Generator Water Level

Steam Generator Water Level is provided to monitor operation of decay heat removal via the steam generators. The Category I indication of steam generator level is the wide range level instrumentation. Temperature compensation of this indication is performed manually by the operator.

Redundant monitoring capability is provided by two trains of instrumentation.

Operator action is based on the control room indication of Steam Generator Water Level. The RCS response during a design basis small break LOCA is dependent on the break size. For a certain range of break sizes, the boiler condenser mode of heat transfer is necessary to remove decay heat. Wide range level is a Type A variable because the operator must manually raise and control the steam generator level to establish steaming. Operator action is initiated on a loss of subcooled margin. Feedwater flow is increased until the indicated wide range level reaches the minimum required level.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-166 Amendment No. +i-6E-185 04/25/05

PAM Instrumentation B 3.3.11 BASES (continued)

ACTIONS B.1 (continued)

This Required Action specifies initiation of actions in accordance with Specification 5.7.2 (Special Reports), which requires a written report to be submitted to the Nuclear Regulatory Commission. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative Required Actions. This Required Action is appropriate in lieu of a shutdown requirement, given the likelihood of plant conditions that would require information provided by this instrumentation.

Also, alternative Required Actions are identified before a loss of functional capability condition occurs.

C.1

When one or more Functions have two required channels inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAMI operation and the availability of alternate means to obtain the required information.

Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAMI. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-171 Amendment No. +1-6--185 04/25/05

PAM Instrumentation B 3.3.11 BASES (continued)

ACTIONS D.1

When the required channel of Function 18, 21, 24, or 25 becomes inoperable, Required Action E.1 requires the channel to be restored to OPERABLE status within 7 days. Continuous operation with the required channel inoperable is not acceptable because alternate indications are not available.

E.1

This Required Action directs entry into the appropriate Condition referenced in Table 3.3.11-1. The applicable Condition referenced in the Table is Function dependent.

Each time Required Action C.1 or D.1 is not met, and the associated Completion Time has expired, Condition E is entered for that channel and provides for transfer to the appropriate subsequent Condition.

F.1 and F.2

If the Required Action and associated Completion Time of Condition C or D are not met and Table 3.3.11-1 directs entry into Condition F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

G.1

Alternate means of monitoring Reactor Vessel Water Level and Containment Area Radiation have been developed and tested.

These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.7.2. The report provided to the NRC should discuss whether the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-172 Amendment No. 44-6-1185 04/25/05

Pressurizer Safety Valves B 3.4.10 BASES (continued)

ACTIONS B.1 and B.2 (continued)

The 6 hours allowed is reasonable, based on operating experience, to reach MODE 3 from full power without challenging plant systems. Similarly, the 12 hours allowed is reasonable, based on operating experience, to reach MODE 4 without challenging plant systems. The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by two pressurizer safety valves.

SURVEILLANCE REQUIREMENTS

SR 3.4.10.1

SRs are specified in the inservice testing program.

Pressurizer safety valves are to be tested one at a time and in accordance with the requirements of Section XI of the ASME Code (Ref. 1), which provides the activities and the Frequency necessary to satisfy the SRs.

The as-found pressurizer safety valve tolerance is +3% or -2% for OPERABILITY. The as-found setpoints include instrument uncertainty (e.g., if instrument uncertainty is +/- .25%, then the required as-found setpoint requirements would be +2.75%/-1.75%). Following as-found testing, pressurizer safety valves shall be set within +/-1% of the specified setpoint.

REFERENCES 1. ASME, Boiler and Pressure Vessel Code, Section III, Section XI.

2. UFSAR, Section 5.4.
3. UFSAR, Section 15.
4. ABB Letter No. ST-96-623 dated December 19, 1996; subject: Transmittal and Completion of the SCE SONGS 2/3 PSV Tolerance Study.

SAN ONOFRE--UNIT 3 B 3.4-54 Amendment No. +i-6147 4/27/05

SITs B 3.5.1 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

failure proof; therefore, whenever the SIT isolation valves are open, power is removed from their operators and the switch is key locked open. In addition, whenever the SITs are required to be operable, power is removed from the SIT vent valves by removing the vent valve fuses or placing the disconnect switch in the open position.

These precautions ensure that the SITs are available during an accident (Ref. 4). With power supplied to the valves, a single active failure could result in a valve closure, which would render one SIT unavailable for injection. If a second SIT is lost through the break, only two SITs would reach the core. An active failure that could affect the SITs would be the closure of a motor operated outlet valve or opening of a SIT vent valve. The requirement to remove power from these valves eliminates these failure modes. The surveillance requirement to ensure power is removed from the SIT vent valves is controlled by the Licensee Controlled Specification (LCS).

The minimum volume requirement for the SITs ensures that three SITs can provide adequate inventory to reflood the core and downcomer following a LOCA. The downcomer then remains flooded until the HPSI and LPSI systems start to deliver flow.

The maximum volume limit is based on maintaining an adequate gas volume to ensure proper injection and the ability of the SITs to fully discharge, as well as limiting the maximum amount of boron inventory in the SITs.

A minimum of 1680 cubic feet of borated water, and a maximum of 1807 cubic feet of borated water, are used in the safety analyses as the volume in the SITs.

The minimum nitrogen cover pressure requirement ensures that the contained gas volume will generate discharge flow rates during injection that are consistent with those assumed in the safety analyses.

(continued)

SAN ONOFRE--UNIT 3 B 3.5-4 Amendment No. 116 05/05/03

Containment B 3.6.1 BASES (continued)

BACKGROUND (continued)

2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves."

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks."

APPLICABLE SAFETY ANALYSES

The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The DBAs that result in a release of radioactive material within containment are a loss of coolant accident, a main steam line break (MSLB), and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, Pa, at 45.9 psig (Ref. 4). Pa will conservatively be assumed to be equal to the calculated peak containment internal pressure resulting from the design basis Main Steam Line Break, 56.5 psig (Ref. 4), for the purpose of containment testing in accordance with this Technical Specification.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of the NRC Policy Statement.

LCO Containment OPERABILITY is maintained by limiting leakage to ≤ 1.0 La, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.

Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

(continued)

SAN ONOFRE--UNIT 3 B 3.6-2 Amendment No. 173 04/29/03 Re-issued 08/06/03

Containment B 3.6.1 BASES (continued)

LCO (continued) Individual leakage rates specified for the containment air lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J, Option B. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 La.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS A.1 In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SAN ONOFRE--UNIT 3 B 3.6-3 Amendment No. 116, 12/1/98 Re-issued 08/06/03

ADVs B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Atmospheric Dump Valves (ADVs)

BASES BACKGROUND The ADVs provide a safety grade method for cooling the unit to Shutdown Cooling (SDC) System entry conditions, should the preferred heat sink via the Steam Bypass System to the condenser not be available, as discussed in the UFSAR, Section 10.3 (Ref. 1). This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the condensate storage tank (CST). The ADVs may also be required to meet the design cooldown rate during a normal cooldown when steam pressure drops too low for maintenance of a vacuum in the condenser to permit use of the Steam Bypass System.

The ADVs are used during normal plant startups and cooldowns when either a vacuum in the condenser or the Steam Bypass Control System is not available. The ADVs are capable of being operated remotely from either the Control Room or the Remote Shutdown Panel (L-042), and locally with manual handwheels. However, controlling the ADVs from the Remote Shutdown Panel is not credited in the Safety Analyses.

Operating the ADVs during design bases events from the Remote Shutdown Panel is not a criterion for determining ADV operability.

Two ADV lines are provided. Each ADV line consists of one ADV and an associated block valve. The ADVs are provided with upstream block valves to permit their being tested at power, and to provide an alternate means of isolation. The ADVs are equipped with pneumatic controllers to permit control of the cooldown rate.

The ADVs are normally operated from the plant non-safety instrument air supply. A Seismic Category I Pressurized Gas Supply, which consists of nitrogen stored in accumulators, is provided to the ADVs on loss of instrument air. The nitrogen accumulator pressure is read locally, and is alarmed in the control room on low pressure. The nitrogen accumulator pressure is used to determine if there is enough backup nitrogen gas for each ADV to have at least 8 hours of pneumatic operation. This is based on the time needed to reach shutdown cooling (SDC) conditions during a small break

(continued)

SAN ONOFRE--UNIT 3 B 3.7-17 Amendment No. 116 06/02/04

ADVs B 3.7.4 BASES (continued)

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.4 does not apply.

With one required ADV inoperable, action must be taken to restore the OPERABLE status within 72 hours.

B.1 With two ADVs inoperable, action must be taken to restore one of the ADVs to OPERABLE status. As the block valve can be closed to isolate an ADV, some repairs may be possible with the unit at power. The 24 hour Completion Time is reasonable to repair inoperable ADVs, based on the availability of the Steam Bypass System and MSSVs, and the low probability of an event occurring during this period that requires the ADVs.

C.1 If backup nitrogen gas supply system capacity for one or more required ADV is less than or equal to 8 hours, action should be taken to restore nitrogen gas supply system capacity in 72 hours. The backup nitrogen capacity is controlled to a minimum accumulator pressure of 1018 psig [1060 psig including total loop uncertainty (Ref. 2)]. This pressure represents enough backup nitrogen gas system capacity for each ADV to have up to 8 hours of pneumatic operation. This time period is consistent and conservative relative to the SONGS Units 2 and 3 emergency operating instructions.

The completion time of 72 hours is based on operating experience and on the fact that normal operating instrument air supply system is still available.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-20 Amendment No. 116 06/02/04

ADVs B 3.7.4 BASES (continued)

ACTIONS D.1 and D.2 (continued)

If the ADVs cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance upon the steam generator for heat removal, within 18 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 If the nitrogen backup gas supply system cannot be restored to OPERABLE status in 72 hours, the ADV will be declared inoperable immediately. This Action will place the unit in the condition of operation when only one ADV is available.

In this situation the CONDITION A of this LCO becomes applicable. The COMPLETION TIME for that CONDITION gives 72 hours to restore one inoperable ADV to OPERABLE status.

SURVEILLANCE REQUIREMENTS SR 3.7.4.1 This SR ensures there is sufficient backup nitrogen to reach shutdown cooling following a Small Break Loss of Coolant Accident (SBLOCA) or natural circulation cooldown. A minimum accumulator pressure of 1018 psig is used to ensure sufficient backup nitrogen capacity. This pressure includes allowances for seven days' worth of leakage and uncertainty in the nitrogen consumption rates and subsequent 8 hours of operation.

The 7 days FREQUENCY is based on operating experience and on the fact that normal operating instrument air supply system is still available.

SR 3.7.4.2 To perform a controlled cooldown of the RCS, the ADVs must be able to be opened and throttled through their full range.

Although use of an ADV during a unit cooldown may satisfy this requirement, the required Inservice Testing program ensures these valves are capable of performing their design function.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-21 Amendment No. 116 06/02/04

ADVs B 3.7.4 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.7.4.2 (continued)

The Inservice Testing program requires an ADV partial stroke test on a quarterly frequency and a full stroke test on a cold shutdown frequency.

Operating experience has shown that the Frequency, "In accordance with the IST program," is acceptable from a reliability standpoint.

REFERENCES 1. UFSAR, Section 10.3.

2. Calculation J-ABB-031, "ADV Nitrogen Supply Pressure Indicator Uncertainty."

SAN ONOFRE--UNIT 3 B 3.7-22 Amendment No. 116 06/02/04

AFW System B 3.7.5 BASES (continued)

ACTIONS H.1 (continued)

CONDITION H specifies the requirements for any automatic valve in any AFW flow path upon receipt of a Main Steam Isolation Signal (MSIS). ACTION H.1 requires the automatic valve or its block valve be closed when this automatic valve is incapable of closing upon receipt of a MSIS. REQUIRED ACTION H.2 requires entering appropriate ACTIONS if there is a loss of the flow path(s). These ACTIONS specify AFW system OPERABILITY in the different MODES of operation and in the different AFW system configurations.

SURVEILLANCE REQUIREMENTS SR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW water and steam supply flow paths provides assurance that the proper flow paths exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulations; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.5.2 This SR verifies that the AFW pumps develop sufficient discharge pressure to deliver the required flow at the full open pressure of the MSSVs. Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing is performed on recirculation flow.

Periodically comparing the reference differential pressure developed at this reduced flow detects trends that might be indicative of incipient failures. Performance of inservice testing, discussed in the ASME/ANSI OM (Part 6) (Ref. 2) satisfies this requirement.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-31 Amendment No. 182 11/25/03

AFW System B 3.7.5 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.7.5.2 (continued)

LCO 3.7.5 permits plant operation in MODE 4 with one motor driven AFW pump and/or the turbine driven AFW pump inoperable. During plant operation in MODE 4, the turbine driven AFW pump does not have to be surveilled because steam generator pressure is less than 800 psig (NOTE for SR 3.7.5.2). During plant operation in MODE 4 with one motor driven AFW pump inoperable, SR 3.7.5.2 does not have to be performed on the inoperable motor driven pump (SR 3.0.1).

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established.

This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.3 This SR ensures that AFW can be delivered to the appropriate steam generator or that the AFW system is isolated, in the event of any accident or transient that generates an EFAS or MSIS signal, respectively, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal.

Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-32 Amendment No. 182 11/25/03

AFW System B 3.7.5 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued) SR 3.7.5.4 This SR ensures that the AFW pumps will start in the event of any accident or transient that generates an EFAS signal by demonstrating that each AFW pump starts automatically on an actual or simulated actuation signal. Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.5 This SR ensures that the AFW System is properly aligned by verifying the flow path to each steam generator prior to entering MODE 2 operation, after 30 days in MODE 5 or 6.

OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown.

The Frequency is reasonable, based on engineering judgment, and other administrative controls to ensure that flow paths remain OPERABLE. To further ensure AFW System OPERABILITY, the OPERABILITY of the normal flow paths from the CST through the AFW pump to the Steam Generators is verified following extended outages. This SR ensures that the normal paths from the CST to the Steam Generators are OPERABLE by raising Steam Generator level by 2% using AFW flow from the CST.

REFERENCES 1. UFSAR, Section 10.4.9.

2. ASME/ANSI OM (Part 6).

SAN ONOFRE--UNIT 3 B 3.7-33 Amendment No. 182 11/25/03

CREACUS B 3.7.11 BASES (continued)

BACKGROUND (continued) closes the unfiltered-outside-air intake and unfiltered exhaust dampers, and aligns the system for recirculation of control room air through the redundant trains of HEPA and charcoal filters.

The emergency mode initiates pressurization of the control room. Outside air is added to the air being recirculated from the control room. Pressurization of the control room prevents infiltration of unfiltered air from the surrounding areas of the building.

The control room supply and the outside air supply of the normal control room HVAC are monitored by radiation and toxic-gas detectors respectively. One detector output above the setpoint will cause actuation of the emergency mode or isolation mode as required. The actions of the isolation mode are more restrictive, and will override the actions of the emergency mode of operation. However, toxic gas and radiation events are not considered to occur concurrently.

A single train will pressurize the control room to at least 0.125 inches water gauge, and provides an air exchange rate in excess of 25% per hour. The CREACUS operation in maintaining the control room habitable is discussed in Reference 1.

Redundant recirculation trains provide the required filtration should an excessive pressure drop develop across the other filter train. Normally-open isolation dampers are arranged in series pairs so that one damper's failure to shut will not result in a breach of isolation. The CREACUS is designed in accordance with Seismic Category I requirements.

The CREACUS is designed to maintain the control room environment for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5-rem whole-body dose.

APPLICABLE SAFETY ANALYSES The CREACUS components are arranged in redundant safety related ventilation trains. The location of components and ducting within the control room envelope ensures an adequate supply of filtered air to all areas requiring access.

The CREACUS provides airborne radiological protection for the control room operators, as demonstrated by the control

(continued)

SAN ONOFRE--UNIT 3 B 3.7-57 Amendment No. 116 04/25/05

CREACUS B 3.7.11 BASES (continued)

ACTIONS D.1, D.2.1, and D.2.2 (continued)

In MODE 5 or 6, or during movement of irradiated fuel assemblies, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE CREACUS train must be immediately placed in the emergency mode of operation. This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action D.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel assemblies to a safe position.

E.1 and E.2 When in MODES 5 or 6, or during movement of irradiated fuel assemblies with two trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might enter the control room.

This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1 If both CREACUS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable control room boundary (i.e., Condition B), the CREACUS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-61 Amendment No. 117 09/16/03

DC Sources - Operating B 3.8.4 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued) SR 3.8.4.8 A battery performance test is a test of constant current capacity of a battery, normally done in the "as found" condition, after having been in service, to detect any change in the capacity determined by the acceptance test.

The test is intended to determine overall battery degradation due to age and usage.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Surveillance Frequency for this test is 60 months, or every 12 months if the battery shows degradation or has reached 85% of its expected life. Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating. These frequencies are consistent with the recommendations in IEEE-450 (Ref. 9).

This SR is modified by two Notes. The reason for Note 1 is that performing the Surveillance on a battery that is connected to an OPERABLE DC system would perturb the electrical distribution system and challenge safety systems.

This note does not apply to a battery that is electrically isolated from an OPERABLE system. With B00X connected, as allowed by TS 3.8.9 and its Bases Table B 3.8.9-1, "AC and DC Electrical Power Distribution Systems," battery performance discharge testing may be performed on electrically isolated batteries when the plant is in Modes 1 through 4. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

If for any reason a battery has to undergo both service and performance tests, one following the other during a refueling outage, then the battery shall complete the service test first. Recharging of the battery is required before the performance test is conducted. The "as found" condition prior to the performance test will be the state the battery is in immediately before the performance test.

Here at SONGS, two spare cells are normally maintained qualified by installing them on the same seismic rack where 58 active cells reside, kept on float charge and inspected by regular Preventive Maintenance (PM). These spare cells are included in the main bank during service and performance tests to demonstrate their adequacy under the configuration conditions that would be present if they were

(continued)

SAN ONOFRE--UNIT 3 B 3.8-55 Amendment No. 116 08/30/04

Distribution Systems - Operating B 3.8.9 Table B 3.8.9-1 (page 1 of 1)

AC and DC Electrical Power Distribution Systems

AC safety buses
  4160 V: TRAIN A: ESF Bus A04; TRAIN B: ESF Bus A06
  480 V: TRAIN A: Load Center B04; TRAIN B: Load Center B06

DC buses (125 V)
  TRAIN A: Bus D1 from battery B007 and charger B001
  TRAIN C: Bus D3 from battery B009 and charger B003
  TRAIN B: Bus D2 from battery B008 and charger B002
  TRAIN D: Bus D4 from battery B010 and charger B004

AC vital buses (120 V)
  TRAIN A: Bus Y01 from inverter Y001 connected to bus D1
  TRAIN C: Bus Y03 from inverter Y003 connected to bus D3
  TRAIN B: Bus Y02 from inverter Y002 connected to bus D2
  TRAIN D: Bus Y04 from inverter Y004 connected to bus D4

NOTES:

(1) Each train of the AC, DC, and AC vital bus electrical power distribution systems is a subsystem.

(2) If a support system (e.g., charger or inverter) is declared inoperable and it has its own LCO, entry into LCO 3.8.9 is not required. Only entry into its LCO is required.

(3) An OPERABLE Class 1E battery bank B00X may replace either battery B009 or B010 to allow battery maintenance (including replacement) activities.

SAN ONOFRE--UNIT 3 B 3.8-83 Amendment No. 116 08/30/04

Containment Penetrations B 3.9.3 BASES (continued)

BACKGROUND (continued) closure is not required, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain closed or operable. Operability of the containment personnel airlock door requires that the door is capable of being closed; that the door is unblocked and no cables or hoses are being run through the airlock; and that a designated individual is continuously available to close the airlock door. This individual must be stationed at the outer airlock door.

The use of temporary ramps for equipment access through the containment personnel air lock doors is acceptable during CORE ALTERATIONS or moving of irradiated fuel within containment. These ramps do not impede closure of the containment personnel airlock doors as the ramps are quickly removed by the designated individual stationed at the outer door. Removal of the ramps is a normal function of door closure, and the ability of plant personnel to close the personnel airlock, if needed, is not compromised by the ramps. Similarly, door seal covers may be used, provided they are removed prior to air lock door closure.

Except the systems that are closed inside of containment, systems conducting a fluid in and/or out of containment can also satisfy LCO 3.9.3 in either of the following configurations:

a. Systems containing devices inside containment which would preclude free air flow from containment such as self-closing quick disconnects, relief valves venting to containment, check valve(s), five foot water seal (periodic seal verification required), reciprocating pump, pipe cap, or any other equivalent device which would preclude free air flow out of containment.
b. Systems containing devices outside containment which would preclude free air flow from containment such as a reciprocating air compressor, compressed gas cylinder, or any of the devices listed in "a" above.

(continued)

SAN ONOFRE--UNIT 3 B 3.9-10 Amendment No. 416-,184 02/18/05

Containment Penetrations B 3.9.3 BASES (continued)

LCO This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment.

The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations and the containment personnel airlock.

For the containment personnel airlock, this LCO ensures that the airlock can be closed after containment evacuation in the event of a fuel handling accident. The requirement that the plant be in Mode 6 with 23 feet of water above the fuel in the reactor vessel or defueled configuration with fuel in the containment (i.e., fuel in the refueling machine or upender) ensures that there is sufficient time to close the personnel airlock following a loss of shutdown cooling before boiling occurs.

LCO part a. is modified by a NOTE:


NOTE

The equipment hatch may be open if all of the following conditions are met:

1) The Containment Structure Equipment Hatch Shield Doors are capable of being closed within 30 minutes,
2) The plant is in Mode 6 with at least 23 feet of water above the reactor vessel flange,
3) A designated crew is available to close the Containment Structure Equipment Hatch Shield Doors,
4) Containment purge is in service, and
5) The reactor has been subcritical for at least 72 hours.

These restrictions include the administrative controls to allow the opening of the containment equipment hatch during CORE ALTERATIONS or movement of irradiated fuel in the containment provided that 1) The Containment Structure Equipment Hatch Shield Doors are capable of being closed within 30 minutes, 2) The plant is in Mode 6 with at least 23 feet of water above the reactor vessel flange, 3) A designated crew is available to close the Containment Structure Equipment Hatch Shield Doors, 4) Containment Purge is in service, and 5) The reactor shall be subcritical for at least 72 hours. The Containment Structure Equipment Hatch Shield Doors include flashing on the top and sides of the shield doors which act to retard or restrict a release of post-accident fission products. The capability to close the containment shield doors includes requirements that the doors are capable of being closed and that any cables or hoses across the opening have quick disconnects to ensure the doors are capable of being closed within 30 minutes.

(continued)

SAN ONOFRE--UNIT 3 B 3.9-13 Amendment No. -+66-184 02/18/05

Containment Penetrations B 3.9.3 BASES (continued)

LCO (continued) The 30 minute closure time for the containment shield doors is considered to start when the control room communicates the need to shut the Containment Structure Equipment Hatch Shield Doors. This 30-minute requirement is significantly less than the fuel handling accident analysis assumption that the containment remains open to the outside environment for a two-hour period subsequent to the accident. Placing containment purge (i.e., main purge exhaust with or without supply) in service will ensure any release from containment will be monitored.

The administrative controls will also specify the responsibility to be able to communicate with the control room, and specify the responsibility to ensure that the containment shield doors are capable of being closed in the event of a fuel handling accident. These administrative controls will ensure containment closure would be established in the event of a fuel handling accident inside containment.

LCO part b. is modified by a NOTE which allows both doors of the containment airlock to be open provided:

a. one personnel airlock door is OPERABLE, and
b.1 the plant is in MODE 6 with 23 feet of water above the fuel in the reactor vessel, or
b.2 defueled configuration with fuel in containment (i.e., fuel in refueling machine or upender).

The OPERABILITY requirements ensure that the airlock door is capable of performing its function, and that a designated individual located outside of the affected area is available to close the door. For the OPERABLE containment purge and exhaust penetrations, this LCO ensures that these penetrations are isolable by the Containment Purge Isolation System. The OPERABILITY requirements for this LCO ensure that the automatic purge and exhaust valve closure times specified in the UFSAR can be achieved and therefore meet the assumptions used in the safety analysis to ensure releases through the valves are terminated, such that the radiological doses are within the acceptance limit.

APPLICABILITY The containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment because this is when there is a potential for a fuel handling accident. In MODES 1, 2, 3,

(continued)

SAN ONOFRE--UNIT 3 B 3.9-13a Amendment No.4+6--184 02/18/05