ML073450383

From kanterella
Jump to navigation Jump to search
Technical Specification Bases Control Program
ML073450383
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 12/05/2007
From: Head S
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NOC-AE- 07002207, STI: 32201093
Download: ML073450383 (45)
v  d  e


Text

Nuclear Operating Company South Tefas ProlectElecamc GeneraftngStation PO. Box 289 'dsworth Texas 77483 A A A A December 5, 2007 NOC-AE- 07002207 STI: 32201093 U. S. Nuclear Regulatory Commission Attention: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738 South Texas Project Units 1 & 2 Docket Nos. STN 50-498 & 50-499 Technical Specification Bases Control Program The attached pages are for your information submitted in accordance with the South Texas Project Technical Specification Bases Control Program (Section 6.8.3.m). This submittal includes all bases pages that have been changed since the last submittal; therefore, in a few cases more than one version of a page is enclosed.

Page Number Page Number B 3/4 3-2a Note 10 B 3/4 7-2a Note 5 B 3/4 3-2b Note 1, Note 10 B 3/4 7-3a Note 8 B 3/4 3-2c.1 Note 2 (176) B 3/4 7-5 Note 6 (179/166)

B 3/4 3-3 Note 1 B 3/4 7-6 Note 6 (179/166)

B 3/4 3-3a Note 1 B 3/4 7-7 Note 8 B 3/4 3-5 Note 3 (177/164) B 3/4 8-4 Note 8 B 3/4 3-6 Note 3 (177/164) B 3/4 8-4a Note 8 B 3/4 3-6a Note 3 (177/164) B 3/4 8-16 Note 6 (179/166)

B 3/4 3-6b Note 3 (177/164) B 3/4 8-19 Note 6 (179/166)

B 3/4 3-7 Note 3 (177/164) B 3/4 8-20 Note 6 (179/166)

B 3/4 4-2 Note 7 B 3/4 8-15 through Note 9 (180/167)

B 3/4 8-30 B 3/4 5-1 Note 8 B RMTS-1 Note 6 (179/166)

B 3/4 6-4 Note 4 B RMTS-2 Note 6 (179/166)

B 3/4 7-2 Note 8

NOC-AE-07002207 Page 2 Note 1 Revised to describe when an inoperable slave relay in the Engineered Safety Features Actuation System affects the operability of its associated actuation train.

Note 2 Added a note to allow a one-time provision for corrective maintenance on an inoperable loss of power instrumentation channel. [Amendment 176]

Note 3 Revised the bases with respect to the required action for inoperable wide-range reactor coolant temperature, wide-range steam generator water level, and auxiliary feedwater flow instruments for the Accident Monitoring Instrumentation. [Amendments 177/164]

Note 4 Clarified the bases-with respect to the surveillance requirements for containment isolation check valves.

Note 5 Changed bases section 7.1.3 to incorporate the results of the long-term cooling analysis for the limiting auxiliary feedwater depletion scenario.

Note 6 Added a new action for selected Technical Specification limiting conditions for operation to permit extending the completion times of action requirements subject to the requirement that the risk is assessed and managed.

[Amendments 179/166]

Note 7 Revised to clarify that the automatic function of the pressurizer heaters is not required for operability.

Note 8 Revised to clarify the application of the Risk-Managed Technical Specifications.

Note 9 Updated the bases section associated with the changes in Technical Specification section 8.2. [Amendments 180/167]

Note 10 Revised to address the required action for two inoperable channels in mode 5.

There are no commitments in this letter.

If you have any questions on this matter, please contact Marilyn Kistler at (361) 972-8385 or me at (361) 972-7136.

Scott M. Head Manager, Licensing

Attachment:

Revised Bases Pages IC

NOC-AE-07002207 Page 3 cc:

(paper copy) (electronic copy)

Regional Administrator, Region IV A. H. Gutterman, Esquire U. S. Nuclear Regulatory Commission Morgan, Lewis & Bockius LLP 611 Ryan Plaza Drive, Suite 400 Arlington, Texas 76011-8064 Mohan C. Thadani U. S. Nuclear Regulatory Commission Mohan C. Thadani Thad Hill Senior Project Manager Eddy Daniels U.S. Nuclear Regulatory Commission Marty Ryan One White Flint North (MS 7 D1) Harry Holloway 11555 Rockville Pike Steve Winn Rockville, MD 20852 NRG South Texas LP Senior Resident Inspector Ed Alarcon U. S. Nuclear Regulatory Commission J. J. Nesrsta P. O. Box 289, Mail Code: MN116 R. K. Temple Wadsworth, TX 77483 Kevin Polio City Public Service C. M. Canady Jon C. Wood City.of Austin Cox Smith Matthews Electric Utility Department 721 Barton Springs Road C. Kirksey Austin, TX 78704 City of Austin Richard A. Ratliff Bureau of Radiation Control Texas Department of State Health Services 1100 West 49th Street Austin, TX 78756-3189

INSTRUMENTATION BASES REACTOR TRIP SYSTEM and ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION (Continued)

The Engineered Safety Features Actuation System senses selected plant parameters and determines whether or not predetermined limits are being exceeded. If they are, the signals are combined into logic matrices sensitive to combinations indicative of various accidents, events, and transients. Once the required logic combination is completed, the system sends actuation signals to those Engineered Safety Features components whose aggregate function best serves the requirements of the condition. As an example, the following actions may be initiated by the Engineered Safety Features Actuation System to mitigate the consequences of a steam line break or loss-of-coolant accident: (1) Safety Injection pumps start, (2) Reactor trip, (3) feedwater isolation, (4) startup of the standby diesel generators, (5) containment spray pumps start and automatic valves position, (6) containment isolation, (7) steam line isolation, (8) Turbine trip, (9) auxiliary feedwater pumps start and automatic valves position, (10) reactor containment fan coolers start, (11) essential cooling water pumps start and automatic valves position, (12) Control Room Ventilation Systems start, and (13) component cooling water pumps start and automatic valves position.

The function of the Extended Range, Neutron Flux instrumentation in Table 3.3-1 is to provide a shutdown monitor alarm during subcritical conditions to detect a flux increase (multiplication) and to alert the operator to a possible boron dilution event and pending loss of shutdown margin. The shutdown monitor has no trip function. Shutdown Monitors initiate a flux multiplication alarm (via QDPS) designed to alert the operator to a possible boron dilution event.

This provides a minimum of 15 minutes to respond to a dilution event which is consistent with the safety analysis.

The Extended Range, Neutron Flux instrumentation denoted in LCO 3.3.1, Item 7 in Tables 3.3-1 and 4.3-1 is referring to the Gamma-Metrics Shutdown Monitors. The circuitry consists of hardware/software components which are unique to the Shutdown Monitor itself, such as the flux multiplication alarm contacts; as well as hardware which is shared with the Remote Shutdown (LCO 3.3.3.5) and the Accident Monitoring (LCO 3.3.3.6) QDPS Extended range, Neutron Flux instrumentation. Inoperability of the Shutdown Monitors does not affect the Operability of the QDPS Extended Range instrumentation except for reasons of common mode failure. Conversely, inoperability of the QDPS Extended Range instrumentation should be evaluated for common mode failure with respect to the Shutdown Monitor to verify OPERABILITY of the Shutdown Monitor. (CR 97-908-8)

ACTION 5 applies for one inoperable channel of Extended Range Neutron Flux and requires suspending operations involving positive reactivity changes except for temperature changes or boron dilution changes that are accounted for in the calculated SHUTDOWN MARGIN. There is no action specified for two inoperable channels of Extended Range Neutron Flux. In MODE 3 and MODE 4, TS 3.0.3 applies to this condition. In MODE 5, ACTION 5 also applies for two inoperable channels. However, with no operable extended range channel there is inadequate neutron flux instrumentation for positive reactivity changes and there is not adequate basis for the allowance in ACTION 5 for dilution when the change is accounted for in the calculated SHUTDOWN MARGIN.

The compensatory action for no operable extended range neutron flux is to suspend positive reactivity changes, increase the frequency of boron sampling to at least once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, secure SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-2a Unit 1 - Amendment No. 06-9821-15 Unit 2 - Amendment No. 06-9821-15

INSTRUMENTATION BASES REACTOR TRIP SYSTEM and ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION (Continued) each valve or mechanical joint used to isolate unborated water sources, and to immediately initiate action to restore a channel of extended range neutron flux to OPERABLE status.

In Modes 1, 2, 3 and 4, the radiation monitor actuation of the Control Room Ventilation and FHB HVAC Functional Units is a backup for the SI actuation. The radiation monitor actuation of the Control Room Ventilation and FHB HVAC Functional Units in Modes 5 and 6 is the primary means to ensure that these units perform their function in the event of a fuel handling accident. The automatic and manual radiation monitor inputs are independent of the SI relays in the SSPS. The radiation monitor and manual functions can perform their design safety function with the SSPS "in test", and therefore would remain OPERABLE during this condition in MODES 5 and 6. (CR 97-908-13)

When control rods are at the top or above the active fuel region (Ž step 259), they are no longer capable of adding positive reactivity to the core, and as such, they are not capable of rod withdrawal as intended by MODE 5*. Therefore, ACTION 10 on Table 3.3-1 is not applicable in this region. This allows the Reactor Trip Breakers to be closed, without meeting the requirements of MODE 5*, while unlocking and stepping the control rods to a position no lower than 259. (CR 97-908-17)

Several ACTIONS in Tables 3.3-1 and 3.3-3 have been revised to change the allowed outage times and bypass test times in accordance with WCAP-1 0271 and WCAP-14333.

Additionally, some ACTIONS have been divided such that only certain requirements apply depending on whether the Functional Units have been modified with installed bypass test capability.

Regardless of whether the Functional Units have installed bypass test capability, it should be noted that in certain situations, the ACTIONS permit continued operation (for limited periods of time) with less than the minimum number of channels specified in Tables 3.3-1 and 3.3-3. For example, Table 3.3-1 Functional Unit 11 (Pressurizer Pressure - High) requires a minimum of 3 channels operable. However, since continued operation with an inoperable channel is permitted beyond 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, provided the inoperable channel is placed in trip, and since periodic surveillance testing of the other channels must continue to be performed, ACTION 6 permits a channel to be placed in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to permit testing. Thus, for a limited period of time (12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />), 2 channels, or one less than the minimum, would be permitted to be inoperable.

During a plant shutdown for refueling, the Normal Containment Purge System is in operation.

The Supplementary Containment Purge System may be used during normal plant operation.

Redundant Class 1 E radiation monitors (i.e., the Reactor Containment Building [RCB] Purge Isolation) monitor the radiation in these purge lines. Upon either monitor sensing radiation above a preset limit, a signal is sent to the ESFAS logic trains, and the Containment ventilation isolation signal is actuated. In a LOCA, both Normal and Supplementary purge lines are isolated by a Safety Injection (SI) signal. Actuation of the purge isolation by these radiation monitors is not credited in the LOCA accident analyses, and is only a backup function for this event. The subject radiation monitors are credited for purge line isolation for a fuel handling accident.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-2b Unit 1 -Amendment No. 06-9821-15 Unit 2 - Amendment No. 06-9821-15

INSTRUMENTATION BASES REACTOR TRIP SYSTEM and ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION (Continued)

LOP Instrumentation Temporary BASES insert for Unit 1 Train A (Functional Unit 8.a, 8.b, 8.c)

For Unit 1 Train A, a note is added to ACTION 20.b for a condition when more than one loss of voltage or more than one degraded voltage channel per bus are inoperable. The action in the note requires restoring all but one channel per bus to OPERABLE status. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval. If the channels are not restored in the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> completion time, the Conditions specified in TS 3.8.1.1, "AC Sources -

Operating," for the DG made inoperable by failure of the LOP DG start instrumentation are required to be entered immediately. The actions of that LCO provides for adequate compensatory actions to assure unit safety. This note supports a one-time change to facilitate corrective maintenance and expires 30 days after approval of the license amendment that added it.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-2c.1 (temp) Unit 1 - Amendment No. 06-9821-4

INSTRUMENTATION BASES REACTOR TRIP SYSTEM and ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION (Continued)

ACTION 28.d. applies in MODE 5 & 6 and requires the suspension of core alterations, movement of irradiated fuel assemblies and crane operations with loads over the spent fuel pool.

This effectively precludes the design basis accidents that the control room radioactivity-high actuation system is designed to mitigate.

The Engineered Safety Features Actuation System interlocks perform the following functions:

P-4 Reactor tripped - Actuates Turbine trip via P-16, closes main feedwater valves on Tavg below Setpoint, prevents the opening of the main feedwater valves which were closed by a Safety Injection or High Steam Generator Water Level and allows Safety Injection block so that components can be reset or tripped. Reactor tripped with the source range blocked provides a non-protective function that closes the Steam Generator Blowdown isolation valves and allows reopening the valves after the source range block is reset.

Reactor not tripped - prevents manual block of Safety Injection.

P-11 On increasing pressurizer pressure, P-1I automatically reinstates Safety Injection actuation on low pressurizer pressure or low compensated steamline pressure signals, reinstates steamline isolation on low compensated steamline pressure signals, and opens the accumulator discharge isolation valves. On decreasing pressure, P-11 allows the manual block of Safety Injection actuation on low pressurizer pressure or low compensated steamline pressure signals, allows the manual block of steamline isolation on low compensated steamline pressure signals, and enables steam line isolation on high negative steam line pressure rate (when steamline pressure is manually blocked).

P-12 On increasing reactor coolant loop temperature, P-12 automatically provides an arming signal to the Steam Dump System. On decreasing reactor coolant loop temperature, P-12 automatically removes the arming signal from the Steam Dump System.

P-14 On increasing steam generator water level, P-14 automatically trips the turbine and the main feedwater pumps, and closes all feedwater isolation valves and feedwater control valves.

For Table 4.3-1 Notations 3 and 6, the term "incore" applies to either a PDMS measurement OR a moveable incore detector system measurement, because both methods represent a measurement of the reactor core power distribution.

Actuation Relays Actuation relays consist of slave relays, including the relay contacts for actuating ESF equipment. If the inoperability of a slave relay results in only one train of an ESF system function incapable of being actuated from the ESFAS and the integrated system response that accomplishes the design safety function of the applicable engineered SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-3 Unit 1 - Amendment No. 06-9821-5 Unit 2 - Amendment No. 06-9821-5

INSTRUMENTATION

_BASES REACTOR TRIP SYSTEM and ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION (Continued) safety feature is maintained, then the TS requirements may be limited to those of the applicable system specification for a single inoperable train.

The purpose of ESFAS actuation logic and relays is to initiate the integrated system response that accomplishes the design safety function of the applicable engineered safety feature (ESF). Slave relays actuate individual components within systems that comprise the various ESFs.

The application of slave relays varies from actuation of a single component within a system to multiple components that are shared among systems, and hence, the inoperability of a slave relay could impact one or more components that perform functions in one or more ESFs.

In the case where the impact of an inoperable slave relay failure on a system performing ESF functions is no more severe than a single train within that system not being capable of performing its safety function, then the failure does not conflict with the actuation relays TS requirements because the ability to initiate the integrated system response for the ESF is maintained. In this case, the failure of the slave relay would result only in the loss of the capability to actuate limited aspects of a system, where the collective impact of the slave relay inoperability would be no more severe than the inoperability of a single train in the system. The appropriate TS requirements to be applied under these conditions are limited to those of the system specification.

The loss of that ability due to the slave relay inoperability must be completely within the conditions provided by the TS for a single train being inoperable, whether in the statement of the LCO or in the allowed outage configuration(s) as provided in the action statements.

For example, if a slave relay inoperability resulted in only Train A of containment spray incapable of being actuated by ESFAS, this condition would be no more severe than a component in the train being inoperable. In this case, the TS requirements for an inoperable train of containment spray should be applied. In this case it would be unnecessarily conservative to apply the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> actuation relay TS AOT. The application of the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> AOT could result in an unnecessary shutdown and the associated plant transient and increased risk of operating events associated with plant transients.

Note that for the case where a component is actuated by redundant ESFAS actuation trains, failure of a single slave relay would not make the component (e.g., main steam isolation valve) incapable of performing its safety function since the redundant actuation channel remains operable. In this case, the TS requirement for a single actuation relay train applies.

3/4.3.3 MONITORING INSTRUMENTATION 3/4;3.3.1 NOT USED SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-3a Unit 1 -Amendment No. 06-9821-5 Unit 2 - Amendment No. 06-9821-5

INSTRUMENTATION BASES 3/4.3,3.6 ACCIDENT MONITORING INSTRUMENTATION The OPERABILITY of the accident monitoring instrumentation ensures that sufficient information is available on selected plant parameters to monitor and assess these variables following an accident. This capability is consistent with the recommendations of Regulatory Guide 1.97, Revision 2, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident," December 1980 and NUREG-0737,"Clarification of TMi Action Plan Requirements," November 1980. The instrumentation listed in Table 3.3-10 corresponds to the Category 1 instrumentation for which selection, design, qualification and display criteria are described in Regulatory Guide 1.97, Revision 2.

Consistent with the requirements of NUREG-0737, an evaluation was made of the minimum number of valid core exit thermocouples necessary for measuring core cooling. The evaluation determined the complement of core exit thermocouples necessary lo detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities, including incore effects of the radial decay power distributions, excore effects of condensate runback in the hot legs, and nonuniform inlet temperatures. Based on this evaluation, adequate core cooling is ensured with two valid core exit thermocouples channels per quadrant with two core exit thermocouples per required channel. The core exit thermocouple pair are oriented radially to permit evaluation of core radial decay power distribution. Core exit temperature is used to determine whether to terminate Safety Injection, if still in progress, or to reinitiate Safety Injection if it has been stopped. Core exit temperature is also used for unit stabilization and cooldown control.

Two OPERABLE channels of core exit thermocouples are required in each quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core.

Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Two randomly selected thermocouples are not sufficient to meet the two thermocouples per channel requirement in any quadrant. The two thermocouples in each channel must meet the additional requirement that one is located near the center of the core and the other near the core perimeter, such that the pair of core exit thermocouples indicate the radial temperature gradient across their core quadrant. The unit specific response to Item II.F.2 of NUREG-0737 further discusses the core exit thermocouples. Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient. The subcooling margin monitor requirements are not affected by allowing 2 thermocouples/channel/quadrant as long as each channel has at least four operable thermocouples in any quadrant (e.g., A Train has four operable thermocouples in one of the quadrants, and C Train has four operable thermocouples in the same quadrant or any other quadrant.). This preserves the ability to withstand a single failure.

SOUTH TEXAS -UNITS 1 & 2 B 3/4 3-5 Unit 1 -Amendment No. 06-9821-6 Unit 2 -Amendment No. 06-9821-6

INSTRUMENTATION BASES 3/4.3.3.6 ACCIDENT MONITORING INSTRUMENTATION (Continued)

Reactor Coolant Outlet Temperature (Thot) Wide Rancqe and Reactor Coolant Inlet Temperature (TcoId)

Wide Rancie (ACTION 35)

There is one channel of Wide Range (WR) Zo per RCS loop with an indication range of 0 -700"'F. They are Class 1 E instruments and provide indication on the Qualified Display Processing System (QDPS) in the control room. Input from each loop channel is also recorded.

For post-accident functions, the RCS hot leg WR temperature provides information to operators to verify adequate core cooling, RcS subcooling, and in conjunction with the RCS cold leg WR temperature indication, the effectiveness of RCS heat removal by the secondary system. RCS temperature is also used to determine if safety injection flow can be reduced.

System redundancy is provided by having a channel of W R RCS hot leg temperature for each RGS loop. Functional diversity for determination of core cooling identified in UFSAR Table 7B.5-1 includes core exit temperature, reactor vessel water level, and RCS subcooling. Functional redundancy for determination of secondary heat sink is provided by steam generator water level, AFW flow, and core exit temperature.

There is one channel of Wide Range (WR) TcoId per RCS loop with an indication range of 0 -700"°F.

They are Class 1E instruments and provide indication on the Qualified Display Processing System (QDPS) in the control room. Input from each loop channel is also recorded.

For.post-accident functions, .the RCS cold leg WR temperature can be used by the plant operators, in conjunction with the RCS hot leg WR temperature, to verify the effectiveness of RCS heat removal by the secondary system. RCS cold leg WR temperatures are monitored during steam generator depressurization to ensure that the depressurization does not impose a challenge to the Integrity Critical Safety Function.

System redundancy is provided by having a channel of WR RCS cold leg temperature for each RCS loop. Functional diversity for determination of secondary heat sink identified in UFSAR Table 7B.5-1 includes steam generator water level, AFW flow, and core exit temperature.

The Minimum Channels Operable requirement for the Reactor Coolant Temperature -Wide Flange functions is four operable channels.

ACTION 35a establishes a 30-day allowed outage time with a requirement for a Special Report if one of the channels is inoperable. The redundancy and availability of diverse indication provide the safety basis. Continued operation beyond the 30 days requires an alternate method of monitoring the function, which provides single failure protection in the unlikely event the function is required in that time.

ACTION 35b requires entry into the 7-day shutdown action if two or more of the required channels are inoperable. There is safety margin in this requirement in the availability of the functionally diverse indications. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument .operation and the availability of alternate means to obtain the required information.

SOUTH TEXAS -UNITS 1 & 2 B 3/4 3-6 Unit 1 -Amendment No. 06-9821-6 Unit 2 -Amendment No. 06-9821-6

INSTRUMENTATION BASES 3/4.3.3.6 ACCIDENT MONITORING INSTRUMENTATION (Continued)

Continuous operation with two or more required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of at least three channels of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

Steam Generator Water Level -Wide Range and AFW Flow (ACTION 35)

For channels of AFW flow instrumentation, ACTION 35 applies only for loss of the indication function. If the control function of an AFW flow channel is inoperable, TS 3.7.1.2 is applicable.

One train of AFW feeding an intact steam generator is sufficient for post-accident decay heat removal.

However, the event selected for determination of the minimum channels operable requirement for AFW flow and wide-range steam generator level indication is the loss of normal feedwater (LONF) with worst-case single failure. For the LONF, the licensing basis requirement for the pressurizer not to go solid is more restrictive than the requirement for decay heat removal. STP's safety analyses show that three trains of AFW feeding three steam generators are required for sufficient RCS cooling to prevent the pressurizer from going water solid in a LONF assuming failure of Train A ESF actuation to start Train A AFW~and Train D AFW and with credit for operator action to manually start one of the failed AFW trains from the control room. For this event, three channels of both AFW and SG water level -NR provided adequate indication, because no additional failures of AFW functions are required to be postulated.

Therefore, maintaining a Minimum Channels Operable Requirement of four channels is conservative Forone inoperable channel of wide range SG level indication or one inoperable channel of AFW flow indication, ACTION 35.a requires restoration the within 30 days or submit a report. The 30-day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels, the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval. Continued operation beyond the 30 days requires an alternate method of monitoring the function, which provides single failure protection in the very unlikely event the function is required in that time. AFW pump running, regulator valve position, and steam generator water level are the alternate indications of AFW flow should one channel of AFW flow be expected to be inoperable for longer than 30 days or if more than one channel of AFW flow is inoperable. Operators will be briefed on the use of the alternate indications if their use is required.

Because only one train of AFW feeding one intact steam generator is adequate for post-accident decay heat removal, there is design margin in having four trains of AFW with cross-connect capability such that any AFW train can feed any one of the steam generators. This AFW margin extends to the AFW Flow function. Similarly, since only one of four steam generators is required for effective decay heat removal, there is design margin for the steam generator level requirements. Three channels for both functions is adequate for the post-accident decay heat removal and identification of the need to initiate feed and bleed aspect of their function and the 30-day action is acceptable.

ACTION 35.b requires entry into the -/-day shutdown action if two or more of the four required SG wide range level instruments or two or more of the four required AFW flow instruments are inoperable. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information.

SOUTH TEXAS -UNITS 1 & 2 B 3/4 3-6a Unit I -Amendment No. 06-9821-6 Unit 2 -Amendment No. 06-9821-6

INSTRUMENTATION BASES 3/4.3.3.6 ACCIDENT MONITORING INSTRUMENTATION (Continued)

There is safety margin in this requirement in the availability of the functionally diverse indications and that unavailability of the level indication or the AFW flow indication does not make the associated steam generator unavailable as a heat sink if it is receiving flow. In the absence of direct AFW flow indication, AFW flow is evidenced by control board indication of the running AFW pumps, the regulator valve position, and by observation of increasing steam generator water level. With respect to the LONF event, the 7-day action is conservative because steam generator level can still be used to confirm AFW flow to the steam generator in the absence of AFW flow indication in the unlikely event of an accident with two of the AFW flow channels inoperable. With respect to the post-accident decay heat removal and determination of the need to initiate feed and bleed, the 7-day action is conservative because it can reasonably be expected that AFW flow and indication and steam generator level indication will be available for at least one generator in the unlikely event of an accident with two or more channels of either function inoperable. Continuous operation with two or more required channels inoperable in a function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of at least three operable channels of the function limits the risk that the PAM function will be in a degraded condition should an accident occur.

ACTION 39.a allows 30 days for the restoration if one of the two channels of Containment Radiation-High.is inoperable. If the instrument cannot be restored in the allowed 30 days, the required action is to submit a report to the NRC outlining the preplanned alternate method of monitoring, the cause of the inoperability, and the plans and schedule for restoring the instrumentation channels to OPERABLE status. The 30 days and required action is acceptable based on operating experience, the low likelihood of anmevent requiring the function, the available redundant channel, and the pre-planned actions defined before loss of function.

ACTION 39.b. allows 7 days for restoration of at least one channel if both channels of Containment Radiation-High are inoperable. If a channel cannot be restored in the required time, the action is to submit a report as described above. The allowed outage time of 7 days is based on the relatively low probability of an event requiring instrument operation and the availability of alternate means to obtain the required information. Prompt restoration of at least one channel is expected because the alternate indications may not fully meet all performance qualification requirements applied to the instrumentation.

Therefore, requiring restoration of one inoperable channel of the function limits the risk that the function will be in a degraded condition should an accident occur.

The pre-planned alternate monitoring capability is provided by a radiation monitor that will be temporarily placed outside the Reactor Containment Building. Implementation elements include the following:

" Procedure directing the temporary monitor to be installed within 7 days with one inoperable channel of Containment Radiation-High and within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> with both channels of Containment Radiation-High inoperable.

  • Requirements for the monitor and its installation on the platform.

" Procedure provisions for the alternate monitoring capability for core damage assessment, dose assessment, and accident classification.

" Calculation basis for relating the alternate monitor readings to accident conditions.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-6b Unit 1 - Amendment No. 06-9821 -6 Unit 2 - Amendment No. 06-9821-6

INSTRUMENTATION BASES 3/4.3.3.6 ACCIDENT MONITORING INSTRUMENTATION (Continued)

ACTION 40.a. requires restoration within 30 days if a channel of steam line radiation monitoring or steam generator blowdown line radiation monitoring is inoperable, provided there is functional diverse channel.

Ifthe channel cannot be restored in the 30 days, a report must be submitted to the NRC outlining the preplanned alternate method of monitoring, the cause of the inoperability, and the plans and schedule for restoring the instrumentation channel to OPERABLE status. The steam line radiation monitor and the steam generator blowdown radiation monitor are considered to be functionally redundant to one another. The allowed outage time and required action are acceptable based on operating experience, the low likelihood of an event requiring the function, the available functionally redundant channel, and the pre-planned actions defined before loss of function.

ACTION 40.b. requires restoration within 7 days if a channel of steam line radiation monitoring or steam generator blowdown line radiation monitoring is inoperable, and there is no functional diverse channel. If the channel cannot be restored in the 7 days, a report must be submitted to the NRC. The allowed outage time of 7 days is based on the relatively low probability of an event requiring instrument operation and the availability of alternate means to obtain the required information. Prompt restoration of the channel is expected because the alternate indications may not fully meet all performance qualification requirements applied to the instrumentation. Therefore, requiring restoration of one inoperable channel of the function limits the risk that the function will be in a degraded condition should an accident occur.

STP's procedure for monitoring primary to secondary leakage is the pre-planned alternate method that will be implemented for this ACTION.

3/4.3.3.7 NOT USED 3/4.3.3.8 NOT USED 3/4.3.3.9 NOT USED 3/4.3.3.10 NOT USED 3/4.3.3.11 NOT USED 3/4.3.4 NOT USED 3/4.3.5 ATMOSPHERIC STEAM RELIEF VALVE INSTRUMENTATION The atmospheric steam relief valve manual controls must be OPERABLE in Modes 1, 2, 3, and 4 (Mode 4 when steam generators are being used for decay heat removal) to allow operator action needed for decay heat removal and safe cooldown in accordance with Branch Technical Position RSB 5-1.

The atmospheric steam relief valve automatic controls must be OPERABLE with a nominal setpoint of 1225 psig in Modes 1 and 2 because the safety analysis assumes automatic operation of the atmospheric steam relief valves with a nominal setpoint of 1225 psig with uncertainties for mitigation of the small break LOCA. In order to support startup and shutdown activities (including post-refueling low power physics testing), the atmospheric steam relief valves may be operated in manual and open, or in automatic operation, in Mode 2 to maintain the secondary side pressure at or below an indicated steam generator pressure of 1225 psig.

The uncertainties in the safety analysis assume a channel calibration on each atmospheric steam relief valve automatic actuation channel, including verification of automatic actuation at the nominal 1225 psig setpoint, every 18 months.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 3-7. Unit 1 - Amendment No. 06-9821-6 Unit 2 - Amendment No. 06-9821-6

REACTOR COOLANT SYSTEM BASES SAFETY VALVES (Continued)

During Modes 1, 2, and 3, all pressurizer Code safety valves must be OPERABLE to prevent the RCS from being pressurized above its Safety Limit of 2735 psig. The combined relief capacity of all of these valves is greater than the maximum surge rate resulting from a complete loss-of-load assuming no Reactor trip until the first Reactor Trip System Trip Setpoint is reached (i.e., no credit is taken for a direct Reactor trip on the turbine trip resulting from loss-of-load) and also assuming no operation of the power operated relief valves or steam dump valves.

Demonstration of the safety valves' lift settings will occur only during shutdown and will be performed in accordance with the provisions of Section XI of the ASME Boiler and Pressure Code.

3/4.4.3 PRESSURIZER The 12-hour periodic surveillance is sufficient to ensure that the parameter is restored to within its limit following expected transient operation. The maximum water volume also ensures that a steam bubble is formed and thus the RCS is not a hydraulically solid system. The requirement that a minimum number of pressurizer heaters be OPERABLE enhances the capability of the plant to control Reactor Coolant System pressure and establish natural circulation. The need to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737, is the reason for providing an LCO. The heaters have an automatic actuation feature for pressure control. The accident analysis conservatively considers the potential adverse effects of this feature. However, automatic actuation is not credited for mitigation in the accident analysis and is not required for operability.

3/4.4.4. RELIEF VALVES The power-operated relief valves (PORVs) and steam bubble function to relief RCS pressure during all design transients up to and including the design step load decrease with steam dump. Operation of the PORVs minimizes the undesirable opening of the spring-loaded pressurizer Code safety valves. Each PORV has a remotely operated block valve to provide a positive shutoff capability should a relief valve become inoperable.

The OPERABILITY of the PORVs and block valves is determined on the basis of their being capable of performing the following functions:

A. Manual control of PORVs is used to control reactor coolant system pressure. This is a function that is used for the steam generator tube rupture accident and for plant shutdown.

Manual control of PORVs is a safety related function.

B. Maintaining the integrity of the reactor coolant pressure boundary. This is a function that is related to controlling identified leakage and ensuring the ability to detect unidentified reactor coolant pressure boundary leakage.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 4-2 Unit 1 -Amendment No. 55,7, 06-9821-10 Unit 2 - Amendment No. 44,-6, 06-9821-10

3/4. 5 EMERGENCY CORE COOLING SYSTEMS BASES' 3/4.5.1 ACCUMULATORS The OPERABILITY of each Reactor Coolant System (RCS) accumulator ensures that a sufficient volume of borated water will be immediately forced into the reactor core through three cold legs in the event the RCS pressure falls below the pressure of the accumulators. This initial surge of water into the core provides the initial cooling mechanism during large RCS pipe ruptures.

If one accumulator is inoperable for a reason other than boron concentration, the accumulator must be returned to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In this Condition, the required contents of two accumulators cannot be assumed to reach the core during a LOCA. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> minimizes the potential for exposure of the plant to a LOCA under these conditions, The CRMP may be applied to extend the allowed outage time.

If the boron concentration of one accumulator is not within limits, it must be returned to within the limits within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced. The boron in the accumulators contributes to the assumption that the combined ECCS water in the partially recovered core during the early reflooding phase of a large break LOCA is sufficient to keep that portion of the core subcritical. One accumulator below the minimum boron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on core subcriticality during reflood. Boiling of ECCS water in the core during reflood concentrates boron in the saturated liquid that remains in the core. In addition, current analysis techniques demonstrate that the accumulators do not discharge following a large main steam line break for the majority of plants. Even if they do discharge, their impact is minor and not a design limiting event. Thus, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed to return the boron concentration to within limits.

The surveillance limits on accumulator volume represent a spread about an average value used in the safety analysis and have been demonstrated by sensitivity studies to vary the peak clad

temperature by less than 20 0 F. The surveillance limit on accumulator pressure ensures that the assumptions used for accumulator injection in the safety analysis are met.

The boron concentration should be verified to be within required limits for each accumulator every 31 days since the static design of the accumulators limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. Sampling the affected accumulator Within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a 1% volume increase will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST), because the water contained in the RWST is within the accumulator boron concentration requirements SOUTH TEXAS - UNITS 1 & 2 B 3/4 5-1 Unit 1 - Amendment No. 06-9821-11 Unit 2 - Amendment No. 06-9821-11

CONTAINMENT SYSTEMS BASES 3/4.6.2.3 CONTAINMENT COOLING SYSTEM (continued)

STPEGS has three groups of Reactor Containment Fan Coolers (RCFCs) with two fans in each group (total of six fans). Five fans are adequate to satisfy the safety requirements including single failure. If only one RCFC, out of six available, is inoperable, then there are no restrictions applied on the diesel generators by the RCFC condition and Action statement 3.8.1.1(d) (1) can be met. The fan cooler units are designed to remove heat from the containment during both normal operation and accident conditions. In the event of an accident, all fan cooler units are automatically placed into operation on receipt of a safety injection signal. During normal operation, cooling water flow to the fan cooler units is supplied by the non-safety grade chilled water system.

Following an accident, cooling water flow to the fan coolers is supplied by the safety grade component cooling water system. The chilled water system supplies water at a lower temperature than that of the component cooling water system and therefore requires a lower flow rate to achieve a similar heat removal rate.

3/4.6.3 CONTAINMENT ISOLATION VALVES The OPERABILITY of the containment isolation valves ensures that the containment atmosphere will be isolated from the outside environment in the event of a release of radioactive material to the containment atmosphere or pressurization of the containment and is consistent with the requirements of General Design Criteria 54 through 57 of Appendix A to 10 CFR Part 50. Containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a LOCA.

In the event one containment isolation valve in one or more penetrations is inoperable, and the inoperable valve(s) cannot be restored to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />,:the affected penetration(s) must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and deactivated automatic isolation valve, a closed manual valve, a blind flange, or a check valve~with flow through the valve secured (a check valve may not be used to isolate an affected penetration flow path in which more than one isolation valve is inoperable or in which the isolation barrier is a closed system with a single isolation valve). For a penetration flow path isolated in accordance with Action b or c, the device used to isolate the penetration should be the closest available one to containment and does not have to be a General Design Criterion containment isolation valve.

In cases where multiple isolation valves use the same pipe going through the penetration and with one or more isolation valves inoperable, as long as the inoperable valve(s) is deactivated/manually isolated in its isolation position and the interconnecting isolation valves are operable, the appropriate Action statement is met. In these cases, the Action statement "Isolate each affected penetration..." means "Isolate each affected penetration flow path". (CR 97-908-1)

The TS 3.6.3 Limiting Condition for Operation and associated Actions are applicable to all Containment Isolation Valves (CIVs), including check valves and CIV penetrations. However, Surveillance Requirements (SRs) 4.6.3.1 and 4.6.3.2 are only applicable to power-operated CIVs. Containment Isolation Check Valve operability is verified in accordance with the requirements of SR 4.0.5 (Inservice Inspection and Testing) and SR 4.6.1.2 (Containment Leakage). Furthermore, as permitted by SR 4.0.5 and the Containment Leakage Rate Testing Program, specific containment isolation check valves (such as the Containment Spray Header Check Valves) have been exempted from certain Appendix J and Inservice Testing Requirements, and only require the satisfactory performance of an operational leak check to be returned to service. (CR 05-13492) 3/4.6.4 NOT USED SOUTH TEXAS - UNITS 1 & 2 B 3/4 6-4 Unit 1 - Amendment No. 06-9821-3 Unit 2 - Amendment No. 06-9821-3

PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER SYSTEM The OPERABILITY of the Auxiliary Feedwater (AFW) System ensures that the Reactor Coolant System can be cooled down to less than 350°F from normal operating conditions in the event of a total loss-of-offsite power.

For planned motor-driven AFW pump (MDAFWP) out-of-service time exceeding the front-stop completion time for the pump, station procedures and application of the CRMP require that compensatory measures be implemented in accordance with the Probabilistic Safety Assessment modeling assumptions ifthe CRMP risk management action time is expected to be exceeded.

Compensatory measures are to be implemented in accordance with the CRMP and plant procedures.

These measures normally include the following:

" The work schedule contains no planned maintenance on required systems, subsystems, trains, components, and devices that depend on or that affect the remaining MDAFWP trains.

" The work schedule contains no planned maintenance activities in the switchyard that could directly cause a Loss of Offsite Power event. Maintenance activities that are required to ensure the continued reliability and availability of the offsite power sources are permitted.

  • If in Mode 1, 2, or 3, then verify the work schedule contains no planned maintenance on the turbine-driven AFW pump.
  • The work schedule contains no planned maintenance that would result in the EW and the systems it supports being declared non-functional.

" The work schedule contains no planned maintenance that would result in an inoperable open containment penetration.

  • The work schedule contains no planned maintenance on SWGR 1L(2L) or 1 K(2K).
  • The work schedule contains no planned maintenance on the 138 kV emergency transformer.

" The work schedule contains no planned risk-informed completion time (RICT) for the SDG, EW, or EChW during the MDAFWP out-of-service period.

Should one or more of these compensatory measures not be met during the MDAFWP out-of-service period, action will be taken in accordance with the CRMP to restore the function. If indicated by the risk assessment conducted in accordance with the program, other actions may be taken by station management to reduce risk by restoration of other components, rescheduling work that might increase the risk, or placing the unit in a more appropriate configuration.

If entry into the Action is unplanned (i.e., a failure of a MDAFWP), station procedures require the implementation of the CRMP when it is determined that the configuration risk will exceed the risk management action threshold established in the CRMP. If one or more of the compensatory measures is not functional, action will be taken in accordance with the CRMP to restore the function and to manage the risk.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 7-2 Unit 1 - Amendment No. 06-9821-11 Unit 2 - Amendment No. 06-9821-11

PLANT SYSTEMS BASES AUXILIARY FEEDWATER SYSTEM (Continued)

If two MDAFWPs are inoperable (Action b), it is not necessary to restore both pumps to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If one pump is restored to OPERABLE status, the plant is then in Action statement (a) and a different AOT applies (see CR 01-2103-14 for further details).

Action e prohibits the application of Specification 3.0.4.b to an inoperable AFW train. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an AFW train inoperable and the provisions of Specification 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

Each auxiliary feedwater pump is capable of delivering feedwater to the entrance of the steam generators with sufficient capacity to ensure that adequate feedwater flow is available to remove decay heat and reduce the Reactor Coolant System temperature to less than 350'F when the Residual Heat Removal System may be placed into operation. Verifying that each AFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that AFW pump performance has not degraded during the cycle (Ref.: Calculations MC-5861 and ZC-7019). Flow and differential head are normal tests of centrifugal pump performance required by Section Xl of the ASME Code. The AFW pumps are tested using the test line back to the AFST and the AFW isolation valves closed to prevent injection of cold water into the steam generators. This testing methodology confirms one point on the curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. Performance of inservice testing, discussed in the ASME Code, Section Xl, satisfies this requirement. The STPEGS isolation valves are active valves required to open on an AFW actuation signal. Specification 4.7.1.2.1 requires these valves to be verified in the correct position.

3/4.7.1.3 AUXILIARY FEEDWATER STORAGE TANK (AFST)

The OPERABILITY of the auxiliary feedwater storage tank with the minimum water volume ensures that following a design basis accident, sufficient water is available to maintain the RCS at HOT STANDBY conditions for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> with steam discharge to the atmosphere, followed by a cooldown to 3500 F. The contained water volume limit includes allowances for uncertainties and water not usable because of tank discharge line location or other physical characteristics.

3/4.7.1.4 SPECIFIC ACTIVITY The limitations on Secondary Coolant System specific activity ensure that the resultant offsite radiation dose will be limited to a small fraction of 10 CFR Part 100 dose guideline values in the event of a steam line rupture. This dose also includes the effects of a coincident 1 gpm primary-to-secondary tube leak in the steam generator of the affected steam line. These values are consistent with the assumptions used in the safety analyses.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 7-2a Unit 1 - Amendment No. 06-9821-1 Unit 2 - Amendment No. 06-9821-1

PLANT SYSTEMS BASES 3/4.7.3 COMPONENT COOLING WATER SYSTEM The OPERABILITY of the Component Cooling Water System ensures that sufficient cooling capacity is available for continued operation of safety-related equipment during normal and accident conditions. The redundant cooling capacity of this system, assuming a single failure, is consistent with the assumptions used in the safety analyses.

3/4.7.4 ESSENTIAL COOLING WATER SYSTEM The OPERABILITY of the Essential Cooling Water (ECW) System ensures that sufficient cooling capacity is available for continued operation of safety-related equipment during normal and accident conditions. The ECW self-cleaning strainer must be in service and functional in order for the respective ECW train to be OPERABLE. The redundant cooling capacity of this system, assuming a single failure, is consistent with the assumptions used in the safety analyses.

When a risk-important system or component (for example ECW) is taken out of service, it is important to assure that the impact on plant risk of this and other equipment simultaneously taken out of service is assessed. The Configuration Risk Management Program evaluates the impact on plant risk of equipment out of service.

SURVEILLANCE REQUIREMENTS SR 4.7.4.a Verifying the correct alignment for manual, power operated, and automatic valves in the ECW flow path provides assurance that the proper flow paths exist for ECW operation. This SR applies to valves that assure ECW flow to required safety related equipment (to CCW heat exchangers, Standby Diesel :Generators, Essential Chillers, and CCW Pump Supplemental Coolers). This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 -day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 7-3a Unit 1 - Amendment No. 06-9821-11 Unit 2 - Amendment No. 06-9821-11

PLANT SYSTEMS BASES The time limits associated with the ACTIONS to restore an inoperable train to OPERABLE status are consistent with the redundancy and capability of the system and the low probability of a design basis accident while the affected train(s) is out of service. A limited allowed outage time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed for all three trains to be out of service simultaneously in recognition of the fact that there are common plenums and some maintenance or testing activities required opening or entry into these common plenums. This time is reasonable to diagnose, plan, and possibly repair problems with the boundary or the ventilation system. This is acceptable based on the low probability of a design basis event in that brief allowed outage time and because administrative controls impose compensatory actions that reduce the already small risk associated with being in the ACTION. The compensatory actions are consistent with the intent of GDC 19 to protect plant personnel from potential hazards such as radioactive contamination, smoke, and temperature, etc. Pre-planned measures should be available to address these concerns for intentional and unintentional entry into the condition. The compensatory actions include:

Procedures will preclude intentionally removing multiple trains of Control Room Envelope HVAC from service if Containment Spray is not functional or intentionally making a train of Containment Spray unavailable when multiple trains of Control Room Envelope HVAC are out of service. For purposes of this compensatory action, Containment Spray is considered functional if at least one train can be manually or automatically initiated.

The plant will not make planned simultaneous entries into TS 3.7.7 ACTION c. for MODES 1, 2, 3 and 4 and TS 3.7.8 ACTION b or d.

The compensatory action may include placing fans in pull-to-lock as necessary to preclude there being a motive force to transport contaminated air to a clean environment in the event of an accident. These compensatory actions also include administrative controls on opening plenums or other openings such that appropriate communication is established with the control room to assure timely closing of the system ifmecessary. Since the Control Room Envelope boundary integrity also affects operability of the overall system, entry and exit is administratively controlled. Administrative control of entry and exit through doors is performed by the persons) entering or exiting the area. Extended opening of the boundary is coordinated with the control room with appropriate plans for closure and communication.

ACTIONs a, b, and c allow the option of calculating a risk-informed completion time (RICT) in accordance with the requirements of the CRMP. This option applies only to the cooling function of the system supported by the Essential Chilled Water System (EchW) (TS 3.7.14) and may not be applied for conditions that affect the operability of the Control Room Makeup and Cleanup Filtration System (CRMCF) with respect to dose mitigation. In cases where both functions are affected (e.g., an inoperable fan) the dose mitigation function determines compliance and the "frontstop" completion times may not be exceeded.

The cooling function is modeled in the PRA and a RICT can be quantified if the function is not available.

The dose mitigation function is not modeled in the PRA because it has no effect on core damage frequency or large early release frequency. Consequently, there is no technical basis for calculating a RICT for an inoperable condition involving the dose mitigation function.

The dose mitigation function governed by TS 3.7.7 does not depend on the cooling function governed by TS 3.7.7 that is supported by TS 3.7.14 for EchW. Therefore, if a TS 3.7.7 action applies because EchW is not available or the cooling coil for CRMCF is not operable, the provision to apply the.CRMP may be used.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 7-5 Unit 1 - Amendment No. 06-9821-8 Unit 2 - Amendment No. 06-9821-8

PLANT SYSTEMS BASES Surveillance Requirement 4.7.7.e.3 verifies the integrity of the control room enclosure, and the assumed inleakage rates of the potentially contaminated air. The control room positive pressure, with respect to potentially contaminated adjacent areas, is periodically tested to verify proper functioning of the Control Room HVAC. During the emergency mode of operation, the Control Room HVAC is designed to pressurize the control room to at least 1/8 inch water gauge (in-wg) positive pressure with respect to adjacent areas in order to prevent unfiltered inleakage. The Control Room HVAC is designed to maintain this positive pressure with two trains atla makeup flow rate of 2000 cfm. The frequency of 18 months is consistent with the guidance provided in NUREG-0800. If the surveillance results are less than 1/8 in-wg and the pressure differential is not positive, the surveillance requirement is considered not met and the appropriate action of TS 3.7.7 must be applied.

The footnote for Technical Specification Surveillance Requirement 4.7.7.e.3 has expired and is no longer applicable.

3/4.7.8 FUEL HANDLING BUILDING EXHAUST AIR SYSTEM The FHB exhaust air system is comprised of two independent exhaust air filter trains and three exhaust ventilation trains. Each of the three exhaust ventilation trains has a main exhaust fan, an exhaust booster fan, and associated dampers. The main exhaust fans share a common plenum and the exhaust booster fans share a common plenum. An OPERABLE ventilation exhaust train consists of any OPERABLE main exhaust fan, any OPERABLE exhaust booster fan, and appropriate dampers.

The OPERABILITY of the Fuel Handling Building Exhaust Air System ensures that radioactive materials leaking from the ECCS equipment within the FHB following a LOCH are filtered prior to reaching the environment. Operation of the system with the heaters operating for the least 10 continuous hours in a 31-day period is sufficient to reduce the buildup of moisture on the adsorbers and HEPA filters. The operation of this system and the resultant effect on offsite dosage calculations was assumed in the safety analyses. ANSI N510-1980 will be used as a procedural guide for surveillance testing.

The time limits associated with the ACTIONS to restore an inoperable train to OPERABLE status are consistent with the redundancy and capability of the system and the low probability of a design basis accident while the affected trains) is out of service. The allowed outage time for one train of FHB exhaust ventilation or one exhaust filtration train being inoperable,.or a combination of an inoperable exhaust ventilation train and an inoperable exhaust filtration train is 7 days. With more than one inoperable train of either FHB exhaust filtration or FHB exhaust ventilation, or with combinations involving more than one inoperable train of either the exhaust ventilation or the exhaust filtration, the allowed outage time is 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. A limited allowed outage time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed for multiple trains to be out of service simultaneously in recognition of the fact that there are common plenums and some maintenance or testing activities required opening or entry into these common plenums. This time is reasonable to diagnose, plan, and possibly repair problems with the boundary or the ventilation system. This is acceptable based on the low probability of a design basis event in that brief allowed outage time and because administrative controls impose compensatory actions that reduce the already small risk associated with being in the ACTION.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 7-6 Unit 1 - Amendment No., 06-9821-8 Unit 2 - Amendment No. 06-9821-8

PLANT SYSTEMS BASES The compensatory actions are consistent with the intent of GDC 19, GDC 60 and Part 100 to protect plant personnel and the public from potential hazards such as radioactive contamination, smoke, and temperature, etc. Pre-planned measures should be available to address these concerns for intentional and unintentional entry into the condition. The compensatory action may include placing fans in pull-to-lock as necessary to preclude there beinga motive force to transport contaminated air to a clean environment in the event of an accident. These compensatory actions include administrative controls on opening plenums or other openings such that appropriate communication is established with the control room to assure timely closing of the system if necessary. Since the Fuel Handling Building boundary integrity also affects operability of the overall system, entry and exit is administratively controlled. Administrative control of entry and exit through doors is performed by the persons) entering or exiting the area. Extended opening of the boundary is coordinated with the control room with appropriate plans for closure and communication.

3/4.7.9 NOT USED 3/4.7.10 NOT USED 3/4.7.11 NOT USED 3/4.7.12 NOT USED

,3/4.7.13 NOT USED

,3/4-7-14 ESSENTIAL CHILLED WATERSYSTEM The OPERABILITY of the Essential Chilled Water System ensures that sufficient cooling capacity is available for continued operation of safety-related equipment during normal and accident conditions. The redundant cooling capacity of this system, assuming a single failure, is consistent with the assumptions used in the safety analyses.

When a risk-important system or component (for example Essential Chilled Water) is taken out of service, it is important to assure that the impact on plant risk of this and other equipment simultaneously taken out of service is assessed. The Configuration Risk Management Program evaluates the impact on plant risk of equipment out of service.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 7-7 Unit 1 - Amendment No. 06-9821-11 Unit 2 - Amendment No. 06-9821-11

ELECTRICAL POWER SYSTEMS BASES A.C. SOURCES, D.C. SOURCES, and ONSITE POWER DISTRIBUTION (Continued) required offsite circuit on a more frequent basis. However, if a second required circuits fails 4.8.1.1.1 .a, the second offsite circuit is inoperable, and Action e, for two offsite circuits inoperable, is entered.

TS 3.8.1.1 Action b.

To ensure a highly reliable power source remains with one diesel generator inoperable, it is necessary to verify the OPERABILITY of the required offsite circuits on a more frequent basis. However, if a required circuit fails 4.8.1.1.1 .a, the offsite circuit is inoperable, and Action c, for one offsite circuit and one diesel generator inoperable, is entered. Action b provides an allowance to avoid unnecessary testing of OPERABLE diesel generators. If it can be determined that the cause of the inoperable diesel generator does not exist on the OPERABLE diesel generators, and is an independently testable component or an inoperable support system, then surveillance requirement 4.8.1.1.2.a.2 does not have to be performed.

The completion time of 14 days has a combination of deterministic and risk-informed bases justified by the redundancy of the plant design and the extremely low probability of an event that cannot be mitigated by one operable ESF train.

The risk-informed component requires application of the Configuration Risk Management Program (CRMP). The actions described in the procedure assure that the configuration of the plant is within acceptable risk criteria during the time the affected components are inoperable.

The deterministic component provides assurance that the plant retains a substantial capability to migrate design basis events with the reduced capability that results from postulating a design basis accident and a single failure with one ESF train out of service, or from postulating an accident (with no single failure) in the 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for inoperability of required equipment in one of the other trains.

This evaluation shows that a single operable ESF train can mitigate (at a reduced capacity in certain cases) the design basis accidents except for a large break LOCA where the break is located in the RCS loop associated with the operating train of safety injection. Because postulation of these events is beyond the design basis of the plant, the deterministic analyses may apply less conservative acceptance criteria than those required of design basis analyses.

For planned SDG out-of-service times exceeding the front-stop completion time and where the risk management action threshold established in the CRMP is expected to be exceeded, station procedures and application of the CRMP require that compensatory actions be implemented in accordance with the Probabilistic Safety Assessment modeling assumptions. In addition to meeting the offsite circuit requirements of Technical Specification 3.8.1.1, compensatory actions are to be implemented in accordance with the CRMP and plant procedures. These actions normally include the following:

  • The 138 kV supply through the emergency transformer is functional and available
  • The positive displacement charging pump is functional and available
  • Containment purges are minimized SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-4 Unit 1 - Amendment No. 06-9821-11 Unit 2 - Amendment No. 06-9821-11

ELECTRICAL POWER SYSTEMS BASES A.C. SOURCES, D.C. SOURCES, and ONSITE POWER DISTRIBUTION (Continued)

  • Maintenance in the switchyard that could directly cause a loss of offsite power is not allowed unless required to assure the continued reliability and availability of the offsite power
  • Severe weather that could result in the extended loss of offsite power is not expected Should one or more of these compensatory requirements not be met during the SDG out-of-service period, action will be taken in accordance with the CRMP to restore the function. If indicated by the risk assessment conducted in accordance with the program, other actions may be taken by station management to reduce risk by restoration of other components, rescheduling work that might increase the risk, or placing the unit in a more appropriate configuration.

If entry into the Action is unplanned (e.g., a failure of the SDG), station procedures require the implementation of the CRMP when the out-of-service time exceeds the risk thresholds established in the CRMP. If one or more of the compensatory requirements is not functional, action will be taken in accordance with the CRMP to restore the function and to manage the risk.

TS 3.8.1.1 Action c.

'is inoperable and LCO 3.0.3 should be entered. Action c provides an allowance to avoid unnecessary testing of OPERABLE diesel generators. If it can be determined that the cause of the

. inoperable diesel generator does not exist on the OPERABLE diesel generators, and is an independently testable component or an inoperable support system, then surveillance requirement 4.8.1.1.2.a.2 does not have to be performed.

TS 3.8.1.1 Action d.

This action provides assurance that a loss of offsite power, during the period that a diesel generator is inoperable, does not result in a complete loss of safety function of critical systems. In this condition the remaining OPERABLE diesel generators and offsite circuits are adequate to supply electrical power to the onsite Class 1 E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may be lost; however, function has not been lost.

Discovering one required diesel generator inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the operable diesel generator, results in starting the completion time for the required action. If the required number of channels or trains for a function or component is less than the total number of channels or trains and the TS allow unlimited operation with less than the total number of channels or trains (e.g. some Remote Shutdown System functions), then as long as there is emergency power for at least the required number of channels or trains, the requirements of TS 3.8.1.1 .d are met. Similarly, if only one Reactor Containment Fan Cooler, out of six available, is inoperable, then there are no restrictions applied on the diesel generators and Action statement 3.8.1.1 (d) (1) can be met.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-4a Unit 1 - Amendment No. 06-9821-11 Unit 2.- Amendment No. 06-9821-11

ELECTRICAL POWER SYSTEMS BASES A.C. SOURCES, D.C. SOURCES, and ONSITE POWER DISTRIBUTION (Continued) operation. Verifying average electrolyte temperature above the minimum for which the battery was sized, total battery terminal voltage on float charge, connection resistance values, and the performance of battery service and discharge tests ensures the effectiveness of the charging system, the ability to handle high discharge rates, and compares the battery capacity at that time with the rated capacity.

TS 3.8.2.1 allows the application of the CRMP to extend the two-hour completion time for batteries or battery chargers. It is not appropriate to apply the CRMP to extend the allowed outage time during an ongoing emergent transient condition or where the battery bank is the sole source of power available for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of the CRMP for these conditions.

The Surveillance Requirements for demonstrating the OPERABILITY of the station batteries are based on the recommendations of Regulatory Guide 1.129, "Maintenance Testing and Replacement of Large Lead Storage Batteries for Nuclear Power Plants," February 1978, and IEEE Std 450-1980, "IEEE Recommended Practice for Maintenance, Testing, and Replacement of Large Lead Storage Batteries for. Generating Stations and Substations.*

The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The seven-day Frequency is conservative with respect to manufacturer recommendations and IEEE-450 (Ref. 9).

SR 4.8.2. 1. a This action is performed on a nominal seven-day cycle and documents inspection of the battery and battery room condition to the following attributes:

& Charger output current and voltage, e Pilot cell voltage, specific gravity and temperature (values-recorded)

Table 4.8-2 specifies the normal limits for each designated pilot cell and each connected cell for electrolyte level, float voltage, and specific gravity. The limits for the designated pilot cells float voltage and specific gravity, greater than 2.13 volts and 0.015 below the manufacturer's full charge specific gravity or a battery charger current that had stabilized at a low value, are characteristic of a charged cell with adequate capacity. The seven-day frequency is conservative with respect to manufacturer, IEEE Std 450-1980 and regulatory guide recommendations.

SR 4.8.2.1.b This action is performed on a nominal 92-day cycle and documents measurement of the battery parameters to include the following attributes:

" Voltage and specific gravity of each cell

" Electrolyte temperature of selected representative cells

" Connections are visually inspected and resistance measurement is performed only on a connection that appears to be loose or corroded SOUTH TEXAS - UNITS 1 & 2 8 3/4 8-16 Unit 1 - Amendment No. 06-9821-8 Unit 2 - Amendment No. 06-9821-8

ELECTRICAL POWER SYSTEMS BASES 3.8.3.1 ACTIONs c and d of TS 3.8.3.1 allow the option of calculating risk-informed completion time (RICT) in accordance with the requirements of the CRMP. This option may not be applied for DP001 of LCO 3.8.3.1.d or DP002 of LCO 3.8.3.1.g because none of the functions on these distribution panels are modeled in the PRA. Although the functions are not risk-significant, a RICT cannot be quantified in accordance with the requirements of TS 6.8.3.k.

3.8.3.2 The OPERABILITY of the required DC sources and electrical distribution system during shutdown is based on the following conditions:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shutdown, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.

The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences.

These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

Specifications 3.8.2.2 and 3.8.3.2 require DC power sources and specified electric power distribution for equipment required to be operable during shutdown. If the DC sources or distribution system is inoperable, then the Specifications require the affected components to be declared inoperable or that core alterations and positive reactivity changes be stopped. For a required system or component to be operable, the definition of OPERABLE/OPERABILITY requires the availability of necessary support systems, instrumentation, and electrical power for the required system to meet the design basis requirements. In MODES 5 and 6, the design basis does not include single failure coincident with loss of off-site power.

Consequently, where two trains or channels of equipment are required by the Technical Specifications during MODES 5 and 6, only one of the trains or channels is required to be backed by an emergency power source or battery. Inoperability of the battery for one channel or train does not affect components that have an operable battery on the other required channel or train. Required electric power distribution systems must be operable under accident conditions that are applicable during shutdown, including seismic. For components that have only a detection function and no mitigation function during or after the accident, emergency power and safety related normal power are not required (e.g., Source Range instrumentation in Refueling Mode). When the function of those components is lost, the required actions to suspend core alterations or positive reactivity changes preclude the accident the components would be required to detect.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-19 Unit 1 - Amendment No. 06-9821-8 Unit 2 - Amendment No. 06-9821-8

ELECTRICAL POWER SYSTEMS BASES The ACTIONS specified during shutdown with less than the minimum required power sources or distribution systems, include suspending operations involving positive reactivity additions that could result in loss of required SHUTDOWN MARGIN or refueling boron concentration necessary to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SHUTDOWN MARGIN or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes, including temperature increases when operating with a positive moderator temperature coefficient, must also be evaluated to not result in operation below the required SHUTDOWN MARGIN or refueling boron concentration limits. Control rod withdrawal is not allowed except that it is permissible to unlock the control rods for rapid refueling. To unlock the control rods, they must be withdrawn at least one step.

However, since the control rods are above the active fuel when the unlocking process occurs, there is no reactivity addition.

3/4.8.4 NOT USED SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-20 Unit 1 - Amendment No. 06-9821-8 Unit 2 - Amendment No. 06-9821-8

ELECTRICAL POWER SYSTEMS BASES

c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shutdown, the Technical Specification requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required'systems.

During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the activities are generally planned and administratively controlled. Relaxation from MODES 1, 2, 3, and 4 LCO requirements is acceptable during shutdown modes based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all off site power or a loss of all onsite diesel generator (DG) power.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-15 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES 3/4.8.2 DC SOURCES BACKGROUND The station DC electrical power system provides the AC emergency power system with control power.

It also provides both motive and control power to selected safety-related equipment and preferred AC vital bus power (via inverters). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).

The 125 VDC electrical power system consists of four independent and redundant safety-related Class 1 E DC electrical power subsystems Trains A, B, C, and D. Each subsystem consists of one 125 VDC battery, the associated battery chargers, and the associated control equipment and interconnecting cabling.

There are two .100% capacity battery-chargers per battery. One charger is kept in operation and the other is a backup. If the backup battery charger is applied, the requirements of independence and redundancy between subsystems are maintained.

During normal operation, the 125 VDC load is powered from the battery charger with the battery floating on the system. Following loss of normal power to the battery charger, the DC load is automatically powered from the station battery.

The Train A, B, C, and D electrical power subsystems provide the control power for the associated Class 1 E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital buses.

The DC power distribution system is described in more detail in the Bases for LCO 3.8.3.1, "Onsite Power Distribution - Operating," and LCO 3.8.3.2, "Onsite Power Distribution - Shutdown."

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 121.8 V for a 59-cell battery (i.e., cell voltage of 2.065 volts per cell). The open circuit voltage is the voltage maintained when there is no charging or discharging. Once fully charged with its open circuit voltage > 2.065 volts per cell, the battery cell will maintain its capacity for 30 days without further charging. The minimum float voltage required by the battery manufacturer is 2.17 volts per cell, which corresponds to 128 V for 59 cells at the battery terminals. Optimal long-term performance, however, is obtained by maintaining the float voltage between 2.17 and 2.25 volts per cell. This provides adequate over-potential to limit formation of lead sulfate and self-discharge. The nominal float voltage of 2.23 volts per cell corresponds to a total float voltage output of 131.5 V for a 59-cell battery as discussed in UFSAR Chapter 8 (Ref. 4).

Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystems to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class IE subsystems, such as batteries, battery chargers, or distribution panels.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-16 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

Each battery has adequate storage capacity to meet the assumed duty cycle for the bounding design basis event. Additional margin is available to support the ability of the battery to carry the DC loads continuously for approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> as discussed in UFSAR Chapter 8 (Ref. 4) for station blackout. The batteries are designed with a 5% margin.

The batteries for Trains A, B, C, and D DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. The minimum design voltage limit is approximately 105 V.

Each Train A, B, C, and D DC electrical power subsystem battery charger has sufficient power output capacity for the steady-state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while supplying normal steady-state loads discussed in UFSAR Chapter 8 (Ref. 4).

This charging capacity exceeds the minimum requirements for the charger to support the required DC loads in analyzed accidents and supports minimizing the operational limitations imposed on battery testing and associated recharging.

The battery charger is normally in the float-charge mode. Float charge is the condition in which the

charger supplies the connected loads and the battery cells receive adequate current to maintain the battery in a fully charged condition. This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state.

When desired, the charger can be placed in the equalize mode. The equalize mode is at a higher voltage than the float mode and charging current is correspondingly higher. The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance. Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.g., following a battery service test) until the battery terminal voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle. Lead-calcium batteries have recharge efficiencies of greater than 95%, so after at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct observation of the exponentially decaying charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery.

Industry test data also show that when charging at equalized voltage, and the charging current reduces to approximately 13% of the charger current limit setting (42.9 amps), 95% of the original battery capacity has been restored. With the designed margins in battery sizing and the excess capacity available above the maximum assumed load, battery OPERABILITY (including post-maintenance return-to-service) is assured at charging currents well above 10 amps.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-17 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in UFSAR Chapter 6 (Ref. 5), and in UFSAR Chapter 15 (Ref. 6), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one train of DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.

The DC sources satisfy Criterion 3 of 10CFR50.36(c)(2)(ii).

3/4.8.2.1 DC SOURCES - OPERATING

'LIMITING CONDITION FOR OPERATION Each DC electrical power subsystem is required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Each DC electrical power subsystem consists of one battery, two battery chargers, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train. Loss of the DC electrical power subsystem of any train does not prevent the minimum safety function from being performed (Ref. 4).

An OPERABLE DC electrical power subsystem requires the battery and one associated charger to be operating and connected to the associated DC bus.

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6 are addressed in the BASES for LCO 3.8.2.2, "DC Sources-Shutdown."

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-18 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

ACTIONS TS 3.8.2.1 allows the application of the CRMP to extend the two-hour completion time for batteries or battery chargers. It is not appropriate to apply the CRMP to extend the allowed outage time during an ongoing emergent transient condition or where the battery bank is the sole source of power available for the loads on the DC bus. A note has been added to TS 3.8.2.1 to restrict the application of the CRMP for these conditions.

a. This action is in response to one train with its associated battery bank inoperable. With the battery inoperable, the operable battery charger supplies the DC bus. Any event that results in loss of the AC bus supporting the battery charger will also result in loss of DC to that train.

Therefore, it is imperative that the operator focus attention on stabilizing the unit, thereby minimizing the potential for complete loss of DC power to the affected train.

The 2-hour limit allows sufficient time to effect restoration of an inoperable battery while minimizing the risk of a loss of AC power to the associated battery charger as a result of, imposing a required unit shutdown. During this time, assumption of additional single failures is not required.

b. This action is in response to more than one train with the associated battery banks inoperable.

With the battery inoperable, the operable battery charger supplies the DC bus.

c. This action is in response to one train with both battery chargers inoperable (e.g., the voltage limit of SR 4.8.2.1 .a. is not maintained).

Action 3.8.2.1 .c.1 requires that the terminal voltage of the affected batteries be restored to greater than or equal to the minimum established float voltage within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The 2-hour limit provides for returning the required charger(s) to operable status or providing an alternate means of restoring the associated battery terminal voltage to greater than or equal to the minimum established float voltage. Restoring the terminal voltage of the affected batteries to greater than or equal to the minimum established float voltage provides good assurance that, within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, the affected battery will be restored to its fully charged condition from any discharge that might have occurred due to the charger inoperability.

A spare non-Class 1E battery charger may be provided in the future to serve as an alternate means of restoring the associated battery terminal voltage if the affected batteries have less than the minimum established float voltage and they are to be considered operable after two hours. The spare non-Class 1 E,battery charger will be diesel-backed.

If established battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, and the charger is not operating in the current limiting mode, a faulty charger is indicated. A faulty charger that is not capable of maintaining established battery terminal float voltage does not provide assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event for which the DC system is designed.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-19 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No: 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

Required Action 3.8.2.1 .c.2 allows 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to establish that the battery capacity remains (or is restored) sufficient to perform its required safety function (duty cycle) and further requires that this determination be periodically re-verified. This provides assurance that in the event .of a DBA during the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed by Required Action 3.8.2.1 .c.3 to restore a battery charger to OPERABLE status, the battery will be available to perform its assumed function. If at the expiration of the initial 12-hour period the battery capacity can not be determined to be sufficient to perform the design duty cycle, the battery must be declared inoperable and Action 3.8.2.1 .a entered. A test (e.g., battery service test) to confirm the battery capacity is not required. The intent of this Required Action is to evaluate the capacity based on available operational data. The ability of the battery to satisfy this Required Action can be evaluated by indirect means, such as observation of the charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery. Consideration of excess capacity determined by previous testing may also be utilized in this evaluation.

During the 12-hour Completion Time of Required Action 3.8.2.1 .c.2, provided the battery is

,otherwise not known to be inoperable (including charging currents not in. excess of 10 amps),

the battery may be considered OPERABLE unless otherwise indicated. This is an acceptable presumption based on: the limited discharge of the battery (< 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />); the expectation that at least some recharge is occurring (Required Action c.1 assures no further discharging is occurring); and that confirmation will be available within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of discovery of the inoperable battery charger.

The charger operating in the current limit mode after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is an indication that the battery is partially discharged and its capacity margins have been reduced. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of load on the associated DC system, the amount of the previous discharge, and

  • the recharge characteristic of the battery.

Without adequate assurance that the battery can be recharged within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, the affected battery must also be declared inoperable and Action 3.8.2.1 .a initiated. This is consistent with the battery parameter requirements and actions of LCO 3.8.2.3.

Required Action 3.8.2.1 .c.3 limits the restoration time for the inoperable required battery charger to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This action is applicable if battery terminal voltage is restored to meet or exceed the minimum established float voltage by using an alternative method. The 72-.hour completion time reflects a reasonable time to effect restoration of the qualified battery charger to operable status.

d. Required Action 3.8.2.1 .d is similar to 3.8.2.1 .c with the exception of shorter time limits for restoration.
e. This condition represents a train with a loss of ability to respond to an event, and a loss of ability to remain energized during normal operation. An example would be failure of a battery breaker. The operator must minimize the potential for complete loss of DC power to the affected train. The 2-hour limit is consistent with the allowed time for an inoperable DC distribution system train.

SOUTH TEXAS - UNITS 1 & 2 , B 3/4 8-20 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

If one of the required DC electrical power subsystems is inoperable, the other DC electrical power subsystems have the capability to support a safe shutdown and to mitigate an accident condition. However, continued power operation should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The 2-hour completion time is based on Regulatory Guide 1.93 and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem. If the DC electrical power subsystem is not restored to OPERABLE status, the time allowed is sufficient to prepare to effect an orderly and safe unit shutdown.

SURVEILLANCE REQUIREMENTS SR 4.8.2.1 .a Verification of battery terminal voltage while on float charge helps to ensure the effectiveness of the battery chargers supporting the ability of the batteries to perform their intended function. Float charge is the condition in which the charger supplies the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state, while supplying the continuous steady-state loads of the associated DC subsystem. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum voltage on float charge established by the battery manufacturer (2.17 volts per cell or 128 V at the battery terminals for a 59-cell battery). This voltage maintains the battery plates in a condition that supports maintaining the grid life (expected to be approximately 20 years). The 7-day cycle is conservative with respect to manufacturer recommendations and IEEE-450 (Ref. 8).

SR 4.8.2.1 .b Not used.

SR 4.8.2.1 .c This charging capacity exceeds the minimum requirements for the charger to support the required DC loads in analyzed accidents. The excess capability supports minimizing the operational limitations imposed on battery testing and associated recharging.

This SR provides two options. One option requires that each battery charger be capable of supplying 300 amps at 128 volts (the minimum established float voltage) for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The time allowed is sufficient for the charger temperature to stabilize and be maintained for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

The second option requires that each battery charger be capable of recharging the battery within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> following a service test coincident with supplying the largest combined demands of the various continuous steady-state loads (regardless of the status of the plant during which these demands occur). This load level may not normally be available following the battery service test and will need to be supplemented with additional loads. The duration of this test may be longer than the charger sizing criterion since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current. The battery is recharged when the measured charging current is less than or equal to 2 amps.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-21 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

The surveillance frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance'during these 18-month intervals. In addition, this frequency is intended to be consistent with expected fuel cycle lengths.

3/4.8.2.2 DC SOURCES - SHUTDOWN LIMITING CONDITION FOR OPERATION One DC electrical power subsystem consisting of one battery, at least one charger, and the corresponding control equipment and interconnecting cabling within the train are required to be OPERABLE to support one train of the distribution systems required to be OPERABLE by LCO 3.8.3.2, "Distribution Systems-Shutdown." This ensures availability of sufficient DC electrical power sources to maintain the unit in a safe condition and to mitigate the consequences of postulated events during shutdown.

APPLICABILITY The DC electrical power sources required as OPERABLE in MODES 5 and 6 provide assurance that:

  • Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core; Required features needed to mitigate a fuel-handling accident are available; Required features needed to mitigate the effects of events that can lead to core damage during shutdown are available; and Instrumentation and control capability are available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

ACTIONS By allowing the option to declare required features inoperable with the associated DC power source inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS. Allowance is made for sufficiently conservative actions. The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required shutdown margin is maintained.

Suspension of these activities does not preclude completion of actions to establish a safe, conservative condition. The actions minimize the probability of occurrence of postulated events.

Use of "immediately" for Completion Time is consistent with the required times for actions requiring prompt attention.

SOUTH TEXAS- UNITS 1 & 2 B 3/4 8-22 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

SURVEILLANCE REQUIREMENT SR 4.8.2.2.a Verification of battery terminal voltage while on float charge helps to ensure the effectiveness of the battery chargers supporting the ability of the batteries to perform their intended function. Float charge is the condition in which the charger supplies the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state, while supplying the continuous steady-state loads of the associated DC subsystem. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum voltage established by the battery manufacturer (2.17 volts per cell or 128 V at the battery terminals for a 59-cell battery). This voltage maintains the battery plates in a condition that supports maintaining the grid life (expected to be approximately 20 years). The 7-day cycle is conservative with respect to manufacturer recommendations and IEEE-450 (Ref. 8).

SR 4.8.2.2.b This charging capacity exceeds the minimum requirements for the charger to support the required DC loads in analyzed accidents. The excess capability supports minimizing the operational limitations imposed on battery testing and associated recharging.

This SR provides two options. One option requires that each battery charger be capable of supplying 300 amps at 125 volts for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The time allowed is sufficient for the charger temperature to stabilize and be maintained for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

The second option requires that each battery charger be capable of recharging the battery within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> following a service test coincident with supplying the largest combined demands of the various continuous steady-state loads (regardless of the status of the plant during which these demands occur). This load level may not normally be available following the battery service test and will need to be supplemented with additional loads. The duration of this test may be longer than the charger sizing criterion since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current. The battery is recharged when the measured charging current is less than or equal to 2 amps.

The surveillance frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls present to ensure adequate charger performance during these 18-month intervals. In addition, this frequency is intended to be consistent with expected fuel cycle lengths.

SR 4.8.2.2.c This SR allows a modified performance discharge test to be used in lieu of a battery service test.

Either the battery service test or the modified performance discharge test may be used to satisfy SR 4.8.2.2.c. However, only the modified performance discharge test may be used to satisfy the requirements of SR 4.8.2.3.f.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-23 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued) 3/4.8.2.3 BATTERY PARAMETERS LIMITING CONDITION FOR OPERATION In order to ensure the ability of the batteries to perform their intended function, the batteries are normally maintained in a fully charged state and the environment in which the batteries are located is maintained within the parameters used to determine battery sizing and operation. Verifying average electrolyte temperature, total battery terminal voltage on float charge, connection resistance values, and the performance of battery service and discharge tests ensures the effectiveness of the charging system and the ability to handle high discharge rates, and compares the battery capacity with the rated capacity.

Battery parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Battery parameter limits are conservatively established, allowing continued electrical system function even with limits not met.

Additional preventive maintenance, testing, and monitoring performed in accordance with the Battery.Monitoring and Maintenance Program is conducted without direct impact on the requirements of this Specification. Failure to meet any Battery Monitoring and Maintenance Program requirement is evaluated against the Technical Specification limits, OPERABILITY determinations, and Maintenance Rule Program, but does not necessarily result in failure to meet this LCO.

APPLICABILITY The battery parameters are required solely for the support of the associated DC electrical power subsystems. Therefore, battery parameter limits are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussion in Bases for LCO 3.8.2.1 and LCO 3.8.2.2.

ACTIONS

a. With float voltage in one or more cells in one or more batteries < 2.07 V, the battery cell is degraded. Within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage SR 4.8.2.1 .a. and of the overall battery state of charge by monitoring the battery float charge current SR 4.8.2.3.a. This assures that there is still sufficient battery capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells in one or more batteries < 2.07 V, and continued operation is permitted for a limited period up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Since the LCO Actions only specify "perform," failure to satisfy SR 4.8.2.1 .a or SR 4.8.2.3.a acceptance criteria does not result in this Required Action not being met. However, if one of the SRs is not met, the applicable Action in the associated specification is entered.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-24 Unit 1 - Amendment No'06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

b. Float current greater than 2 amps in one or more batteries indicates that a partial discharge of the battery capacity has occurred. This may be'due to a temporary loss of a battery charger or possible due to one or more battery cells in a low voltage condition reflecting some loss of capacity. However, although float current may be greater than 2 amps, the battery capacity remains sufficient to perform its intended safety function during the time allowed.

Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery parameters to normal limits, this time is acceptable for operation prior to declaring the DC batteries inoperable.

If the affected battery float current is less than or equal to 2 amps, and the battery has been discharged as the result of the inoperable battery charger, this indicates that the battery is fully recharged. If, at the expiration of the initial 12-hour period, the battery float current is NOT less than or equal to 2 amps, unit shutdown is initiated. There may be additional battery problems, as well.

c. With one or more batteries with electrolyte level in one or more cells below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function. Even in the event level drops slightly below the top of the plates, the plates are porous and acid will wick from the immersed plate. Therefore, not meeting the specified electrolyte level does not by itself require the affected battery to be considered inoperable.

Level is required to be restored to above the top of plates within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and within 31 days the minimum established design limits for electrolyte level must be re-established.

The limit specified for electrolyte level ensures that the plates suffer no physical damage and maintain adequate electron transfer capability. The frequency is consistent with IEEE-450 (Ref. 8).

d. This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit of 65 0F. Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity. The Frequency is consistent with IEEE-450 (Ref. 8).

With one or more batteries with pilot cell temperature less than the minimum established design limits, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed to restore the temperature to within limits. A low electrolyte temperature limits the current and power available. Because the battery is sized with margin, degraded battery capacity leaves sufficient capacity to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of not meeting the required pilot cell temperature.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-25 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

e. Where batteries in redundant trains are found with batteries not within design limits, and one of the two associated chargers in each affected train is not operable, there is insufficient assurance that battery capacity remains sufficient to the extent that the batteries can still perform their required function. The longer completion times associated with some parameters are therefore not appropriate, and the batteries' conditions must be restored to within limits within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. No more than one battery may be exempted from the two-hour restriction if a longer completion time would otherwise apply.
f. If a battery is found with one or more battery cell float voltage less than 2.07 V, and float current is greater than 2 amps, the battery capacity may not be sufficient to perform the intended functions.

The battery must therefore be declared INOPERABLE immediately.

SURVEILLANCE REQUIREMENTS The surveillance requirements are based on:

  • NRC-approved Technical Specification Task Force (TSTF) Standard Technical Specification Change Traveler TSTF-360, Revision 1, "DC Electrical Rewrite," as incorporated in NUREG-1431, Revision 2, "Standard Technical Specifications, Westinghouse Plants" (June 2001), and

" IEEE 450-2002, "IEEE Recommended Practice for Maintenance, Testing, and Replacement of Large Lead Storage Batteries for Generating Stations and Substations."

The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The seven-day cycle is conservative with respect to manufacturer recommendations and IEEE-450 (Ref. 8).

SR 4.8.2.3.a Verification of battery float current while on float charge is used to determine the state of charge on the battery. Float charge is the condition in which the charger is supplying continuous charge required to overcome the internal losses of a battery and maintain the battery in a charged state.

Float current requirements are based on the float current indicative of a charged battery. Use of float current to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 8).

This surveillance requirement is modified by a Note that states the float current requirement is not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 4.8.2.1 .a. When this float voltage is not maintained, LCO Action 3.8.2.2.a is applicable, and provides the necessary and appropriate verification of the battery condition. The float current limit of 2 amps is based on the nominal float voltage value and is not directly applicable when this voltage is not maintained.

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-26 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

SR 4.8.2.3.b and SR 4.8.2.3.c These SRs require verification that the cell voltages are equal to or greater than the short-term absolute minimum of 2.07 V.

Optimal long-term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer. This provides adequate over-potential, which limits formation of lead sulfate. Monitoring individual cell long-term performance is accomplished by the Battery Monitoring and Maintenance Program, which implements a program for monitoring various battery parameters based on the recommendations of IEEE 450-2002 (Ref.8). Individual cell voltages < 2.13 V will result in increased monitoring and appropriate corrective action(s) in accordance with this program.

The minimum float voltage required by the battery manufacturer is 2.17 volts per cell, which corresponds to 128 V for 59 cells at the battery terminals. Individual cell float voltages less than 2.13 volts per cell, but greater than 2.07 volts per cell, are addressed in Technical Specification Administrative Control subsection 6.8.3.p. The Frequency for cell voltage verification, every 31 days for each pilot cell and 92 days for each connected cell, is consistent with IEEE-450 (Ref. 8). The primary change to incorporate this method is that the pilot cells are no longer average cells. Pilot cells are now the cells with the lowest individual cell voltages.

SR 4.8.2.3.d The limit specified for electrolyte level ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The Frequency is consistent with IEEE-450 (Ref. 8).

SR 4.8.2.3.e This surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit of 65°F. Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity.

The Frequency is consistent with IEEE-450 (Ref. 8).

SR 4.8.2.3.f If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the surveillance cycle is reduced to 12 months. Degradation is indicated, according to IEEE-450 (Ref. 8), when the battery capacity drops by more than 10%

relative to its capacity on the previous performance test or when it is > 10% below the manufacturer's rating. These frequencies are consistent with the recommendations in IEEE-450 (Ref. 8).

SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-27 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES DC SOURCES (continued)

A modified performance discharge test of battery capacity is given to any battery reaching 85% of the service life with capacity at least equal to the manufacturer's rating. The interval between tests is to be no longer than 24 months.

A modified performance discharge test is performed at 60-month intervals. The acceptance criteria for this surveillance are consistent with IEEE-450 (Ref. 8) and IEEE-485 (Ref. 9). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80% limit.

A battery performance discharge test is a test of constant current capacity of a battery to detect any change in the capacity determined by the acceptance test. This test is intended to determine overall battery degradation due to age and usage.

A modified performance discharge test is a test of the battery capacity and its ability toprovide the highest r'ate of the duty cycle. This confirms the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for the service test.

The modified performance test consists of just two rates, the one-minute rate for the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a one-minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for tHe duration of time equal to that of the service test.

Either the battery performance discharge test or the modified battery performance discharge test is acceptable for satisfying SR 4.8.2.2.c; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 4.8.2.3.f.3.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. Regulatory Guide 1.6, March 10, 1971.
3. IEEE-308
4. UFSAR, Chapter 8
5. UFSAR, Chapter 6
6. UFSAR, Chapter 15
7. Regulatory Guide 1.93, December 1974
8. IEEE 450-2002
9. IEEE 485-1983
10. Regulatory Guide 1.32, February 1997 SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-28 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES ONSITE POWER DISTRIBUTION 3.8.3.1 ACTIONs c and d of TS 3.8.3.1 allow the option of calculating risk-informed completion time (RICT) in accordance with the requirements of the CRMP. This option may not be applied for DP001 of LCO 3.8.3.1 .d or DP002 of LCO 3.8.3.1 .g because none of the functions on these distribution panels are modeled in the PRA. Although the functions are not risk-significant, a RICT cannot be quantified in accordance with the requirements of TS 6.8.3.k.

3.8.3.2 The OPERABILITY of the required DC sources and electrical distribution system during shutdown is based on the following conditions:

a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such asa fuel handling accident.

In general, when the unit is shutdown, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.

The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences.

These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

Specifications 3.8.2.2 and 3.8.3.2 require DC power sources and specified electric power distribution for equipment required to be operable during shutdown. If the DC sources or distribution system is inoperable, then the Specifications require the affected components to be declared inoperable or that core alterations and positive reactivity changes be stopped. For a required system or component to be operable, the definition of OPERABLE/OPERABILITY requires the availability of necessary support systems, instrumentation, and electrical power for the required system to meet the design basis requirements. In MODES 5 and 6, the design basis does not include single failure coincident with loss of off-site power. Consequently, where two trains or channels of equipment are required by the SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-29 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

ELECTRICAL POWER SYSTEMS BASES ONSITE POWER DISTRIBUTION (continued)

Technical Specifications during MODES 5 and 6, only one of the trains or channels is required to be backed by an emergency power source or battery. Inoperability of the battery for one channel or train does not affect components that have an operable battery on the other required channel or train.

Required electric power distribution systems must be operable under accident conditions that are applicable during shutdown, including seismic. For components that have only a detection function and no mitigation function during or after the accident, emergency power and safety related normal power are not required (e.g., Source Range instrumentation in Refueling Mode). When the function of those components is lost, the required actions to suspend core alterations or positive reactivity changes preclude the accident the components would be required to detect.

The ACTIONS specified during shutdown with less than the minimum required power sources or distribution systems, include suspending operations involving positive reactivity additions that could result in loss of required SHUTDOWN MARGIN or refueling boron concentration necessary to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SHUTDOWN MARGIN or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes, including temperature increases when operating with a positive moderator temperature coefficient, must also be evaluated to not result in operation below the required SHUTDOWN MARGIN or refueling boron concentration limits. Control rod withdrawal is not allowed except that it is permissible to unlock the control rods for rapid refueling. To unlock the control rods, they must be withdrawn at least one step. However, since the control rods are above the active fuel when the unlocking process occurs, there is no reactivity addition.

3/4.8.4 NOT USED SOUTH TEXAS - UNITS 1 & 2 B 3/4 8-30 Unit 1 - Amendment No. 06-9821-14 Unit 2 - Amendment No. 06-9821-14

APPLICATION OF RISK-INFORMED COMPLETION TIMES BASES The Configuration Risk Management Program (CRMP) as described in TS 6.8.3.k and associated reference to NEI 06-09, "Risk Managed Technical Specifications Guidelines," establishes provisions for performing a risk assessment to determine required actions and allowed outage times for specifically identified specifications for structures, systems, and components. Application of the risk assessment is consistent with the requirements of the Maintenance Rule, 1 OCFR50.65(a)(4), to assess and manage the increase in risk that may result from maintenance activities. The process to manage the risk assesses the rate of accumulation of risk in plant configurations and determines the allowed outage time (AOT) by calculating the time required to cross the incremental core damage probability threshold of 1.0E-05 or the incremental large early release probability threshold of 1.OE-06.

The CRMP and TS 6.8.3.k establish a backstop AOT of 30 days. This backstop AOT prevents allowing a component with little or no risk significance from being inoperable indefinitely and resulting in a de facto change to the design or licensing basis of the plant.

Application of the risk assessment to manage allowed outage time in different plant configurations is complemented by the station's programs to monitor performance indicators for long-term availability of risk-significant components. The requirement to achieve acceptable long-term performance indicators provides a significant disincentive against extending baseline AOTs to the detriment of component or system availability.

The CRMP as described in TS 6.8.3.k and associated reference to NEI 06-09 establishes the conditions for performance of the risk assessment. The LCOs subject to the CRMP specifically reference the CRMP. The baseline AOT or required completion time specified in the LCO may be used to apply the CRMP to determine an alternate AOT and risk management actions.

The CRMP may be used for calculating a risk-informed completion time (RICT) only in Mode 1 and Mode

2. If a MODE is entered where the PRA cannot be applied, the risk-informed provisions of the CRMP may not be applied and only the remaining frontstop completion time for the subject TS shall apply from the time of the MODE change. If the affected TS frontstop has been exceeded, then the applicable MODE 3 - MODE 5 transition times shall apply from the time MODE 3 was entered (e.g., "..be in COLD SHUTDOWN in the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />").

Although the CRMP may be applied to extend the allowed outage time for a referencing TS, except for the extension in the allowed outage time, the other requirements of the referencing TS continue to apply.

For instance, if the CRMP is applied to extend the allowed outage time for Train A ECW (TS 3.7.4.a), the provisions of TS 3.7.4.b. will apply ifanother ECW train becomes inoperable.

TS 3.0.2 applies to the RMTS ACTION statement allowance to calculate a risk-informed completion time (RICT). If the component is restored or ifa RICT is calculated in accordance with the ACTION before a required shutdown is completed, the shutdown need not be completed.

The requirement to continually determine the acceptability of the plant configuration means that once the subject LCO has exceeded the frontstop AOT, the risk assessment must be reperformed to determine the need to adjust the required action and time limits for any affected TS component based on the risk associated with any CRMP component that subsequently becomes inoperable or non-functional. This requirement provides assurance that the configuration risk is adequately assessed.

SOUTH TEXAS - UNITS 1 & 2 B RMTS-1 Unit 1 - Amendment No. 06-9821-8 Unit 2 - Amendment No. 06-9821-8

APPLICATION OF RISK-INFORMED COMPLETION TIMES BASES The CRMP is applied with the referencing specification and the ACTION .required by the referencing specification must be taken ifthe configuration risk exceeds the 1 E-05 incremental core damage probability risk threshold or the 1 E-06 incremental large early release probability risk threshold. The CRMP recognizes that the plant is in an extended AOT that has a specified required action ifthe required action time is exceeded. In a configuration where the risk exceeds one of these thresholds, the calculated RICT has been exceeded and the action required at the expiration of the LCO AOT must be taken.

Application of the CRMP will provide action for conditions where more than one train or channel of a function is inoperable. In accordance with NEI 06-09, a RICT may not be applied for configurations where there is a complete loss of function or for pre-planned activities when all trains of equipment required by the TS LCO would be inoperable. It is permissible to apply a RICT for emergent conditions where all trains of equipment required by the LCO are inoperable provided one or more of the trains are functional as described in the guidance.

If a component is determined to be inoperable, it may still be considered to have PRA Functionality for calculation of a RICT ifthere is reasonable assurance that it can perform its required functions for events not affected by the degraded or non-conforming condition and ifthe condition can be quantified in the PRA. If these conditions are not met, the component will be assumed to be non-functional for calculating the RICT; i.e., it will have no PRA Functionality.

Examples of where a component has PRA Functionality such that the condition could be quantified in the determination of an allowed outage time are listed below:

  • SSCs that don't meet seismic requirements but are otherwise capable of performing their design function.
  • SSCs that are inoperable but secured in their safe position (e.g., a closed containment isolation Valve).
  • SSCs powered from a source other than their normal power source, provided the alternate power source is modeled in the PRA.
  • An SSC with an inoperable automatic function if the manual actuation of the SSC is modeled in the PRA (e.g., a diesel generator with an inoperable sequencer). Actuation channels are associated with their actuated components or trains. Loss of actuation channels is not considered a Loss of Function unless no train of the actuated SSC function has PRA Functionality.
  • An SSC that is functional for mitigation of a set of events (e.g. steam generator tube rupture, small break LOCA) but is not functional for other events for which it is credited (e.g. large break LOCA or steam line break), providing the PRA model can quantify the risk for the calculation of a RICT. An example of this type of condition is degradation of environmental qualification.

Reference 1 specifies the criteria for determining functionality.

Reference:

1. NEI 06-09 "Risk Managed Technical Specifications Guidelines" SOUTH TEXAS - UNITS 1 & 2 B RMTS-2 Unit 1 - Amendment No. 06-9821-8 Unit 2 - Amendment No. 06-9821-8
Retrieved from "https://kanterella.com/w/index.php?title=ML073450383&oldid=2170183"