Text

Proposed Tech Specs 3.8,clarifying Bases for SRs 3.8.1.7, 3.8.1.12 & 3.8.1.15
	ML20207A391
Person / Time
Site:	San Onofre
Issue date:	05/24/1999
From:	; SOUTHERN CALIFORNIA EDISON CO.
To:	;
Shared Package
ML20207A388	List: ML20207A383; ML20207A391;
References
	NUDOCS 9905260300
	Download: ML20207A391 (7)
	v • d • e

i l

1 Unit 2 and Unit 3 Proposed ;

Technical Specification Pages (Ready to issue) l 1

ADOCK 361)

PDR P

AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.2 -------------------NOTES-------------------

1. Performance of SR 3.8.1.7 satisfies this SR.

2. All DG starts may be preceded by an engine prelube period and followed by a warmup period prior to loading.

3. A modified DG start involving idling and gradual acceleration to rated l speed may be used for this SR as recommended by the manufacturer. When modified start procedures are not used, the time, voltage, and frequency tolerances of SR 3.8.1.7 must be met.

Verify each DG starts from standby As specified in conditions and achieves: Table 3.8.1-1 l

a. Steady state voltage 2 4297 V and s 4576 V; and

b. Steady state frequency > 59.7 Hz and l s 61.2 Hz.

(continued) l l

l l

l SAN ON0FRE--UNIT 2 3.8-5 i

l

AC Sources-Operating l 3.8.1 l

l SURVEILLANCE REQUIREMENTS (continued) i SURVEILLANCE FREQUENCY SR 3.8.1.7 -------------------NOTES-------------------

1. All DG starts may be preceded by an l l engine preiube period, )

2. Credit may be taken for unplanned 184 days events that satisfy this SR.

Verify each DG starts from standby condition and:

a. In s 9.4 seconds, achieves voltage 2 4297 V and frequency 2 59.7 Hz;

b. Maintains steady state voltage 2 4297 V and s 4576 V; and

c. Maintains steady state frequency 2 59.7 Hz and s 61.2 Hz.

SR 3.8.1.8 -------------------NOTE------------------

1. Credit may be taken for unplanned events that satisfy this SR.

2. Testing to satisfy this SR shall 24 months include actual automatic and manual transfer to at least one alternate offsite circuit. The other alternate offsite circuit may be verified by overlapping circuit tests.

Verify capability of automatic and manual transfer of AC power sources from the normal offsite circuit to each alternate required offsite circuit.

~

(continued) i l

l 1

SAN ON0FRE--UNIT 2 3.8-7

g-AC Sources-Operating j- 3.8.1 L SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE- FREQUENCY ~

SR 3.8.1.9 -------------------NOTE---- --------------

l Credit may be taken for unplanned events l that satisfy this SR.

l Verify each DG ' rejects a load greater than 24 months or equal to its associated single largest

post-accident load, and

a. Following load rejection, the frequency is s 66.75 Hz; b.. Within 4 seconds following load

! 1 rejection, the voltage is > 4297 Y and s 4576 V; and l

c. Within 4 seconds following load rejection, the frequency is a 59.7 Hz and s 61.2 Hz.

SR 3.8.1.10 -------------------NOTE-------------------

Credit may be taken for unplanned events that satisfy this SR.

Verify each DG, when connected to its bus 24 months in parallel with offsite power and-operating with inductive loading that offsite power conditions permit, during and following a load rejection of a 4450 kW and s 4700 kW: l

a. Does not trip; and l

b. Voltage is maintained s 5450 v. l (continued) l SAN ONOFRE--UNIT 2 3.8-8 I i

e AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.11 -------------------NOTES-------------------

1. All DG starts may be preceded by an engine prelube period.

2. Credit may be taken for unplanned events that satisfy this SR.

Verify on an actual or simulated loss of 24 months offsite power signal:

a. De-energization of emergency buses;

b. Load shedding from emergency buses;

c. DG auto-starts from standby condition and:

1. energizes permanently connected loads and resets the 4.16kV bus undervoltage relay logic in s 10 seconds; i

2. maintains steady state voltage 2 4297 V and s 4576 V; l

3. maintains steady state frequency 2 59.7 Hz and s 61.2 Hz; and l

4. supplies permanently connected loads for 2 5 minutes.

(continued) l l

1 l

l SAN ON0FRE--UNIT 2 3.8-9 I

i

AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued) j SURVEILLANCE FREQUENCY l

SR 3.8.1.12 -------------------NOTES-------------------

1. All DG starts may be preceded by an engine prelube period.

2. Credit may be taken for unplanned events that satisfy this SR.

Verify on an actual or simulated SIAS, each 24 months DG auto-starts from standby condition and:

a. In s 9.4 seconds, achieves voltage 2 4297 V and frequency a 59.7 Hz;

b. Maintains steady state voltage a 4297 V and s 4576 V;

c. Maintains steady state frequency a 59.7 Hz and s 61.2 Hz; and

d. Operates for 2 5 minutes. l (continued) 1 l

l l

(

SAN ON0FRE--UNIT 2 3.8-10 l

r l

AC Sources-Operating

r. 3.8.1.

i SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY l

SR 3.8.1.13 -------------------NOTE-------------------

Credit may be taken for unplanned events that satisfy this SR.- -

l 24 months Verify each DG automatic trip is bypassed 4

'on actual or simulated SIAS except: l .

a. Engine overspeed;

b. Generator differential current; and I

c. Low-low lube oil pressure. l (continued) l i

l l

l i

SAN ON0FRE--UNIT 2 3.8-11 i

AC Sources-0perating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.14 -------------------NOTES-------------------

1.. Momentary transients outside the load '

range does not invalidate this test. l

2. Credit may be taken for unplanned events that satisfy this SR.

Verify each DG, when connected to its bus 24 months in parallel with offsite power and operating with inductive loading that offsite power conditions permit, operates for 2 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months s:

a. For 2 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loaded 2 4935 kW and s 5170 kW; and .

b. For the remaining hours of the test {

loaded 2 4450 kW and s 4700 kW.

(continued) l 5

l l

SAN ON0FRE--UNIT 2 3.8-12 i

c. .-

AC Sources-Operating l

3.8.1

! SURVEILLANCE REQUIREMENTS (continued) l SURVEILLANCE FREQUENCY l

1 i

SR : 3.8.1.15 -------------------NOTES-------------------

l 1. This Surveillance shall.be performed within 5 minutes of. shutting down the DG after the DG-has operated 2 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months

( loaded a 4450.kW and s 4700 kW..

Momentary transients outside the load l.

!. range do not invalidate this-test.

2. All DG starts may be preceded by an ..

1

?

engine prelube period.

l Verify each DG starts and: 24 months l

a. In s 9.4 seconds, achieves voltage 2 4297 V and frequency a 59.7 Hz; i

b. Maintains steady state voltage 2 4297 V and s 4576 V; l c. Maintains steady state frequency 2 59.7 Hz and s 61.2 Hz; and

d. Operates for 2.5 minutes. l l

t (continued) i l

l l

l SAN ON0FRE--UNIT 2 3.8-13 l i

L

l AC Sources-Operating l 4. 3.8.1 !

SURVEILLANCE REQUIREMENTS L(continued) ;

SURVEILLANCE FREQUENCY ]

SR 3.8.1.16

NOTE--------------------

' Credit may be taken for unplanned events that satisfy this SR.

Verify each DG: 24 months

a. Is capable of being synchronized with l offsite power while loaded with emergency loads upon a simulated restoration of offsite power; ,

b. Transfers loads to offsite power source; and

c. Returns to ready-to-load operation, with:

1. steady state voltage 2 4297 V and s 4576 V;

2. steady state frequency a 59.7 Hz and s 61.2 Hz; and

3. the DG output breaker open. l (continued) j i

l l

l

\

I i

1.

SAN ONOFRE--UNIT 2 3.8-14

AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.17 -------------------NOTE--------------------

Credit may be taken for unplanned events that satisfy this SR.

1 ...........................................

Verify, with a DG operating in test mode 24 months and connected to its bus in parallel with offsite power, an actual or simulated SIAS overrides the test mode by:

a. Returning the DG to ready-to-load operation, with:

1. steady state voltage 2 4297 V and s 4576 V; 1

2. steady state frequency 2 59.7 Hz l and s 61.2 Hz; and

3. the DG output breaker open; and

b. Automatically energizing the emergency loads from offsite power.

SR 3.8.1.18 -------------------NOTE-------------------

Credit may be taken for unplanned events l that satisfy this SR.

Verify interval between each sequenced load 24 months :

block is within i 10% of design interval 1 for each emergency and shutdown load l programmed time interval load sequence. j i

1 (continued) i l

l SAN ONOFRE--UNIT 2 3.8-15 1

L 1

AC Sources-0perating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.19 -------------------NOTES-------------------

1. All DG starts may be preceded by an engine prelube period.

2. Credit may be taken for unplanned events that satisfy this SR.

Verify on an actual or simulated loss of 24 months offsite power signal in conjunction with actual or simulated ESF actuation signals:

a. De-energization of emergency buses;

b. Load shedding from emergency buses;

c. DG auto-starts from standby condition and:

1. energizes permanently connected loads and resets the 4.16 kV bus undervoltage relay logic in s 10 seconds;

2. energizes auto-connected emergency loads through the programmed time interval load sequence;

3. achieves steady state voltage 2 4297 V and s 4576 V; l

4. achieves steady state frequency 2 59.7 Hz and s 61.2 Hz; and l

5. supplies permanently connected and auto-connected emergency loads for a 5 minutes.

(continued)

SAN ON0FRE--UNIT 2 3.8-16 l

AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.20 -------------------NOTE--------------------

All DG starts may be preceded by an engine prelube period.

Verify, when started simultaneously from standby condition, each DG:

a. In s 9.4 seconds, achieves voltage 2 4297 V and frequency 2 59.7 Hz;

b. Maintains steady state voltage 2 4297 V and s 4576 V; and

c. Maintains steady state frequency 2 59.7 Hz and s 61.2 Hz.

I i

)

i SAN ON0FRE--UNIT 2 3.8-17

AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The Class 1E Electrical Power Distribution System AC sources consist of the offsite power sources (normal preferred and alternate preferred power sources), and the standby (onsite) power sources (Train A and Train B Diesel Generators (DGs)).

As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed Each train has connections to two preferred (offsite) power sources and a single DG. l In Modes 1 through 4, the normal preferred power source l (Offsite circuit #1) for each unit is Reserve Auxiliary Transformers XR1 and XR2 for the specific unit. XR1 feeds one 4.16 kV ESF bus (Train A) A04 and XR2 feeds the other 4.16 kV ESF bus (Train B) A06 of the onsite Class 1E AC distribution system for each unit. The alternate preferred power source (Offsite circuit #2) is the other unit's Reserve Auxiliary Transformers XR1 and XR2, or the other unit's Unit Auxiliary Transformer XU1 through the train oriented 4.16 kV ESF bus cross-ties between the two units.

The 4.16 kV ESF bus alignment in the other unit determines which transformer (s) serves as the alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned to the Reserve Auxiliary Transformer (XR1 or XR2), then that transformer is the required alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned totheUnitAuxiliaryTransformer(XU1),thenthat transformer is the required alternate preferred power source.

In Modes 5 and 6, when the main generator is not operating, l each Class 1E Switchgear can be connected to a third preferred power source ria the Unit Auxiliary Transformers by manually removing the links in the isolated phase bus between the Main Generator and the Main transformer of the non-operating (Modes 5 and 6) unit and closing the 4.16 kV l circuit breaker to the Unit Auxiliary transformer of the (continued)

SAN ON0FRE--UNIT 2 B 3.8-1 s

O l AC Sources-Operating B 3.8.1 BASES:

same unit. In this alignment, the Unit Auxiliary

~

BACKGROUND (continued) Transformer (XU1) serves as the required normal preferred power source of the unit and the alternate preferred power sourcefortheESFbus(es)intheotherunit.

An offsite circuit includes all breakers, transformers,

switches, interrupting devices, cabling, and controls required to tran;mit power from the offsite transmission network to the onsite Class IE ESF bus or buses.

During a Safety Injection Actuation Signal (SIAS), certain required ESF loads are connected to the ESF buses in a predetermined secuence. Within 77 seconds after the SIAS, all automatic anc permanently connected loads needed to recover the unit or maintain it in a safe condition are placed in-service. l The standby (onsite) power source for each 4.16 kV ESF bus l 1s a dedicated DG. DGs G002 and G003 are dedicated to ESF

^ buses A04 and A06, respectively. A DG starts automatically on a SIAS (i.e., low pressurizer pressure or high l containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically connect to its respective bus after the offsite power supply breaker is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a SIAS signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on a SIAS alone. Following the trip of offsite power, an undervoltage signal strias selected loads from the ESF bus.

When the DG is tied to t1e ESF bus, the permanently connected loads are energized. If one or more ESF actuation signals are present, ESF loads are then sequentially connected to their respective ESF bus by the programmed time interval load sequence. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic . load application.

In the event of a loss of preferred power in conjunction with one or more ESF actuation signals, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate i the consequences of a Design Basis Accident (DBA) such as a l loss ~of coolant accident (LOCA).

Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service (continued)

SAN ON0FRE--UNIT 2 B 3.8-2

m j l

AC Sources-Operating B 3.8.1 l

i BASES

]

BACKGROUND rating of each DG is 4700 kW with 10% overload permissible (continued) for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. However, for standby class of service like the San Onofre DGs the manufacturer allows specific overload values up to 116.1% of continuous duty rating based on the total hours the DG is operated per year. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES UFSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, i redundancy, and reliability to ensure the availability of l necessary power to ESF systems so that the fuel, Reactor !

Coolant System (RCS), and containment design limits are not '

exceeded. These limits are discussed in more detail in the ;

Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems. i I

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident ;

conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and-

b. A worst case single failure.

The AC sources satisfy Criterion 3 of NRC Policy Statement.

LC0 Two qualitied circuits between the offsite transmission network and the onsite Class 1E Electrical Power Distribution System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an Anticipated Operational Occurrence (A00) l l or a postulated DBA.

l (continued)

SAN ON0FRE--UNIT 2 B 3.8-3

l AC Sources-Operating B 3.8.1 BASES LC0 Qualified offsite circuits are those that are described in (continued) the UFSAR and are part of the licensing basis for the unit.

Required offsite circuits are those circuits that are credited and required to be Operable per LC0 3.8.1.

Each required offsite circuit must be capable of maintaining frequency and voltage within specified limits, and accepting required loads during an accident, while connected to the ESF buses.

In Modes 1 through 4, the normal preferred power source l (Offsite circuit #1) for each unit is Reserve Auxiliary Transformers XR1 and XR2 for the specific unit. XR1 feeds one 4.16 kV ESF bus (Train A) A04 and XR2 feeds the other 4.16 kV ESF bus (Train B) A06 of the onsite Class 1E AC distribution system for each unit. The alternate preferred power source (Offsite circuit #2) is the other unit's Reserve Auxiliary Transformers XR1 and XR2, or the other unit's Unit Auxiliary Transformer XU1 through the train )

oriented 4.16 kV ESF bus cross-ties between the two units.

The 4.16 kV ESF bus alignment in the other unit determines which transformer (s) serves as the alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned to the Reserve Auxiliary Transformer (XR1 or XR2), then that transformer is the required alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned to the Unit Auxiliary Transformer (XVI), then that transformer is the required alternate preferred power source.

In Modes 5 and 6, when the main generator is not operating, l each Class 1E Switchgear can be connected to a third preferred power source via the Unit Auxiliary Transformers by manually removing the links in the isolated phase bus between the Main Generator and the Main transformer of the non-operating (Modes 5 and 6) unit and closing the 4.16 kV l circuit breaker to the Unit Auxiliary transformer of the same unit. In this alignment, the Unit Auxiliary Transformer (XU1) serves as the required normal preferred power source of the unit and the alternate preferred power sourcefortheESFbus(es)intheotherunit.

Each DG must be capable of starting, accelerating to within specified frequency and voltage limits, connecting to its respective ESF bus on detection of bus undervoltage, and resetting the 4.16 kV bus undervoltage relay logic, in less (continued)

SAN ON0FRE--UNIT 2 B 3.8-4 l

AC Sources-Operating B 3.8.1 BASES i LCO than or equal to 10 seconds. Each DG must also be capable l )

(continued) of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as: DG in standby with the engine hot, DG in standby with the engine at ambient conditions, and DG operating in a parallel test mode. A DG is consiaered already operating if the DG voltage is > 4297 and s 4576 volts and the frequency is 2 59.7 and s 61.2 Hz.

Proper sequencing of loads, including tripping of nonessential loads on a SIAS, is a required function fo: DG l OPERABILITY.

The AC sources in one train must be separate and independent J (to the extent possible) of the AC sources in the other )

train. For the DGs, separation and independence are complete.

For the offsite AC sources, separation and independence are to the extent practical. A circuit may be connected to more than one ESF bus, with transfer capability to the other circuit, and not violate separation criteria. .

)

APPLICABILITY The AC sources and associated automatic load sequence timers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of A00s or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6 are covered in LC0 3.8.2, "AC Sources -Shutdown."

l 1

l

\

(continued)

SAN ON0FRE--UNIT 2 B 3.8-5

l AC Sources-Operating B 3.8.1 BASES ACTIONS M To ensure a highly reliable power source remains with the one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite' circuit on a more frequent basis. Since the Required Action only_

specifies " perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.

However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

U According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and D9s are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring i during this period.

The second Completion Time for Required Action A.2 i establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. -If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LC0 may already have been not met for up to 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AliQ" connector between (continued)

SAN ON0FRE--UNIT 2 B 3.8-6

AC Sources-Operating B 3.8.1 BASES ACTIONS ju2 (continued) the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 17 day Completion Time means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." This will result in establishing the " time zero" at the time that the LC0 was initially not met, instead of at the time Condition A was entered. !

As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition A.

fL1 To ensure a highly reliable power source remains when one of the required DGs is inoperable, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies " perform,"

a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required )

Actions must then be entered. l ILZ Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety l function of critical systems. These features are designed with redundant safety related trains. This includes motor driven auxiliary feedwater pumps. Single train systems, such as turbine driven auxiliary feedwater pumps, are not included. Redundant required feature failures consist of l inoperable features associated with a train, redundant to i

the train that has an inoperable DG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also (continued)

SAN ON0FRE--UNIT 2 B 3.8-7

AC Sources-Operating B 3.8.1 BASES ACTIONS ILZ (continued) allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A required feature on the other train is inoperable.

If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discoverirg one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action.

Four hours from the discovery of these events existing concurrently, is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not l

exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG, the other DG would be declared inoperable upon discovery and Condition E of LC0 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer

(

(continued)

SAN ON0FRE--UNIT 2 B 3.8-8 1

l AC Sources-Operating B 3.8.1 BASES 1 l

l ACTIONS BJ (continued) exists and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 )

suffices to provide assurance of continued OPERABILITY of that DG.

According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is 3 reasonable to confirm that the OPERABLE DG is not affected J by the same problem as the inoperable DG. 1 An augmented analysis using the methodology set forth in Reference 16 provides a series of deterministic and probabilistic justifications and supports continued operations in Condition B for a period that should not exceed 14 days. q In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the ensite Class 1E Distribution System. The 14 day Completion 1 Time takes into account the capacity and capability of the l remaining AC sources, a reasonable time for repairs, and the i low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, the LC0 may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the DG, At this time, an offsite circuit could .

again become inoperable, the DG restored OPERABLE, and an i additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 20 days) allowed prior to complete restoration of the LC0. The 17 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "ANQ" connector between the 14 day and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

l I

(continued)

SAN ON0FRE--UNIT 2 B 3.8-9

1 l

AC Sources-Operating B 3.8.1 BASES ACTIONS BJ (continued)

As in Required Action B.2, the Completion Time allows for an exception to the. normal " time zero" for beginning the allowed time " clock." This will result in establishing the

" time zero" at the time that the LC0 was initially not met, instead of at the time Condition B was entered.

L i As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition B.

C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an l

event with a coincident single failure will not result in a ;

l complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by Regulatory Guide 1.93 (Ref. 6) for two inoperable required offsite circuits. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance is based upon the assumption that two complete safety trains are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps. Single train turbine driven auxiliary pumps, are not included in the list.

y The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also .

allows for an exception to the normal " time zero" for i beginning the allowed outage time " clock." In this Required i Action, the Completion Time only begins on discovery that both:

a. All required'offsite circuits are inoperable; and .

b. A required feature is inoperable.

If at any time during the existence of Condition C (two offsite circuits inoperable) and a required feature becomes inoperable, this Completion Time begins to be tracked.

(continued) l SAN ON0FRE--UNIT 2 B 3.8-10 1

AC Sources-Operating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued)

According'to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources. ,

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this level of degradation:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the '

unit in a safe shutdown condition in the event of a DBA or transient. In fact..a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were l postulated as a part of the design basis in the safety '

analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design l criteria.

According to Reference 6, with the available offsite AC sources two less than required by the LCO, operatioil may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-11

r

]

AC Sources-Operating B 3.8.1 BASES ACTI'ONS 0.1 and D.2 Pursuant to LC0 3.0.6, the Distribution System (LC0 3.8.9) l ACTIONS would not be entered even if all AC sources to it I were inoperable resulting in de-energization. Therefore, I the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered, the Conditions and Required Actions for LC0 3.8.9, " Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG without regard to whether a train is de-energized. LC0 3.8.9 provides the appropriate restrictions for a de-energized train.

l According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than I that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the 4 susceptibility of this power system configuration to a l single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the ,

remaining AC sources, a reasonable time for repairs, and the !

low probability of a DBA occurring during this period.

L.1 With Train A and Train B DGs inoperable, there are no remainino standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.

Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a short time could ,

be less than that associated with an immediate controlled 4 shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC j power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-12 l

AC Sources-0perating B 3.8.1 BASES ACTIONS L 1 (continued)

The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Reference 6, with both DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

F.1 and F.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LC0 does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are ;

reasonable, based on operating experience, to reach the l required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

l ftd I Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been i lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LC0 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and REQUIREMENTS testing of all important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A, GDC 18 (Ref. 8). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions).

The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3), Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10).

(continued)

SAN ON0FRE--UNIT 2 B 3.8-13

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE Where the SRs discussed herein specify voltage and frequency REQUIREMENTS tolerances, the following is applicable. The minimum steady (continued) state output voltage of 4297 V is above the maximum reset voltage of the 4.16 kV bus undervoltage relays (Ref. SR 3.3.7). Achieving a voltage at or above 4297 V ensures that the-LOVS/SDVS/DGVSS relay logic will reset allowing sequencing of the ESF loads on to the ESF bus if one or more ESF actuation signals is present. This minimum voltage limit, which is consistent with ANSI C84.1-1982 (Ref. 11),

is above the allowed voltage drop to the terminals of 4160 V motors whose minimum steady state operating voltage is 3744 V(90%of4160V). This minimum voltage requirement also ensures that adequate voltage is provided to motors and other equipment down through the 120 V level. The specified maximum steady state output voltage of 4576 V ensures that, l for a lightly loaded distribution system, the voltage at the

)

terminals of 4160 V motors is no more than the maximum allowable steady state operating voltage (110% of 4160V).

The specified minimum and maximum frequencies of the DG are 59.7 Hz and 61.2 Hz, respectively. The upper frequency l limit is equal to + 2% of the 60 Hz nominal frequency and is derived from the recommendations given in Regulatory Guide 1.9 (Ref. 3). The lower frequency limit is equal to

- 0.5% of the 60 Hz nominal frequency and is based on maintaining acceptable high pressure safety injection system performance as assumed in the accident analyses.

During a DG surveillance test, steady state DG voltage of 4297 to 4576 volts and steady state frequency of 59.7 to 61.2 Hz shall be verified. For the lower voltage and frequency limits, the Total Loop Uncertainty (TLU) of the measurement device (Reference Calculation E4C-098) shall be considered.

SR 3.8.1.1 This SR assures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that availability of independent offsite circuits is maintained. l The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-14

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 REQUIREMENTS (continued) These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition.

To minimize the wear on moving parts that do not get l lubricated when the engine is not running, DG starts may be j preceded by an engine prelube period. SR 3.8.1.2 is i modified by Notes 2 and 3 to indicate that all DG starts for l SR 3.8.1.2 may be preceded by an engine prelube period and l followed by a warmup period prior to loading. The DG J manufacturer recommends a modified (slow) start (when I possible) in which the starting speed of the DG is limited, I warmup is limited to this lower speed, and the DG is gradually accelerated to rated speed prior to loading. SR )

3.8.1.7 is modified by Note 1 to indicate that all DG starts l for SR 3.8.1.7 may be preceded by an engine prelube period.

For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the l DGs are started from standby conditions. Standby conditions I for a DG mean the diesel engine coolant and oil are being !

continuously circulated and temperature is being maintained consistent with manufacturer recommendations.

SR 3.8.1.7 requires that the DG starts from standby conditions and achieves required voltage and frequency within 9.4 seconds without DG breaker closure. The 9.4 second start requirement ensures that the DG meets the design basis LOCA analysis assumptions (Ref. 5), that the DG l starts, accelerates to within the specified fre voltage limits, connects to the 4.16kV ESF bus,quency and and resets )

the ESF bus undervoltage relay logic within 10 seconds of a '

SIAS.

1 The 9.4 second start requirement is not applicable to I SR 3.8.1.2 when a modified (slow) start procedure described above is used. Since SR 3.8.1.7 requires a 9.4 second start, it is more restrictive than SR 3.8.1.2 and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2.

In addition to the SR requirements, the time for the DG to reach steady state operation, unless the modified DG start method is employed, is periodically monitored and is evaluated to identify degradation of governor and voltage regulator performance.

SR 3.8.1.7 is modified by Note 2 which acknowledges that credit may be taken for unplanned events that satisfy this SR.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-15

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 REQUIREMENTS (continued) The normal 31 day Frcquency for SR 3.8.1.2 (see Table 3.8.1-1, " Diesel Generator Test Schedule," in the accompanying LCO) and the 184 day Frequency for SR 3.8.1.7 are consistent with Regulatory Guide 1.9 (Ref. 3). These frequencies provide adequate assurance of DG OPERABILITY, l while minimizing degradation resulting from testing.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads listed in Reference 2.

This capability is verified by performing a load test between 90 to 100% of rated load, for an interval of not less than 60 minutes, consistent with the requirements of Regulatory Guide 1.9 (Ref. 3). The lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the upper load limit. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Although no power factor ree.uirements are established by l this SR, the surveillance is performed with DG kVAR output that offsite power system conditions without exceeding equipment ratings (permit i.e., withoutduring testing creating an overvoltage condition on the ESF buses, over excitation condition on the ESF buses, over excitation condition in the i generator, or overloading the DG main feeder). The kVAR ;

loading requirement during this test is met, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that: ,

a. kVAR is 2 3000 and s 3200 or i

b. the excitation current is 2 3.8 A and s 4.0 A or (continued)

SAN ON0FRE--UNIT 2 B 3.8-16

AC Sources-Operating B 3.8.1 BASES L.

SURVEILLANCE' SR 3.8.1.3 (continued)

REQUIREMENTS i.

t the ESF bus voltage is 2 4530 V and s 4550 V or

d. DG feeder current is 2 730 A and s 750 A This method of. establishing kVAR loading ensures that, in addition to verifying the load carrying capability (kW) of the diesel engine, the reactive power (kVAR) and voltage regulation capability of the generator is verified to the extent practicable, consistent with the recommendations of Regulatory Guide 1.9-(Ref. 3) and Information Notice 91-13 (Ref. 16).

The normal 31 day Frequency for-this Surveillance Table 3.8.1-1) is consistent with Regulatory Guide 1.9 Ref. 3).

This'SR is modified by four_ Notes. Note 1 indicates that diesel engine ~ runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary DG load transients l do not invalidate this test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order.to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates that a successful DG start must precede this test to credit l satisfactory performance.

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is at or above the level selected to ensure adequate fuel oil for a minimum of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of DG operation at full load plus 10% The level is expressed as an equivalent volume in inches. The 30 inch level includes instrument uncertainties and corresponds to the minimum requirement of 355.1 gallons of fuel oil.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-17

1 AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.4 (continued)

REQUIREMENTS The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous microorganisms that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for microbial survival in the day tanks. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, '

including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by microorganisms. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system.

The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 10). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR provided the accumulated water is removed during the performance of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that for each OPERABLE DG at l 1 east one fuel oil transfer punp operates and transfers fuel !

011 from its associated storage tank to its associated day ;

tank. This is required to support continuous operation of l the standby power source. This Surveillance provides assurance that at least one fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and .

control systems for the fuel transfer system are OPERABLE. l l The design of the fuel transfer system is such that one pump ,

will operate automatically, while the other pump can be '

started manually. Either pump will maintain an adequate (continued)

SAN ONOFRE--UNIT 2 B 3.8-18

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.6 (continued)

REQUIREMENTS volume of fuel oil in the day tank. In such a case, a 31 day Frequency is appropriate.

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 I

Verification of the capability to transfer each 4.16 kV ESF bus power supply from the normal preferred power source l (offsite circuit) to each required alternate preferred power l source (offsite circuit), via the train-aligned 4.16 kV l crosstie between Unit 2 and Unit 3, demonstrates the OPERABILITY of the alternate preferred power distribution network to power the post-accident and shutdown loads. For 2A04 the normal offsite power source is 2XR1, and the alternate offsite power source is 3XR1 or 3XU1. For 2A06 the normal offsite power source is 2XR2, and the alternate i offsite power source is 3XR2 or 3XU1. A required alternate l offsite power source is the source that is credited as the alternate source of offsite power in LC0 3.8.1. Therefore, the alignment of the ESF buses in Unit 3 determines which alternate offsite circuit is the required circuit at any point in time.

For each 4.16 kV ESF bus (2A04 or 2A06) this surveillance requirement may be satisfied by performing both a manual transfer and an auto-transfer from the normal offsite power source to at least one of the alternate offsite power sources. The tested source may then be credited as the required alternate offsite power source per LC0 3.8.1. This surveillance may be satisfied for the remaining power source by performing a circuit functional test in addition to the l transfer test above. This functional test shall be I performed such that all components that are required to function for a successful manual or auto-transfer that were not included in the transfer tests above, are tested. This testing may include any series of sequential, overlapping, or total steps so that the entire manual and auto-transfer capability of the source is verified. This is explained in a note to this SR.

1 (continued)

SAN ON0FRE--UNIT 2 B 3.8-19 l

I AC Sources-Operating l B 3.8.1 BASES SURVEILLANCE SR 3.8.1.8 (continued)

REQUIREMENTS (continued) 'The 24 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by j the loss of a large load could cause diesel engine i overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the

, largest single post-accident load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the cverspeed trip. For this unit, the largest single post-accident load for each DG is the Auxiliary Feedwater pump which has a nameplate rating of ;

800 HP. As required by IEEE-308 (Ref. 13), the load !

rejection test is acceptable if the increase in DG frequency does not exceed 66.75 Hz, which is 75% of the difference between synchronous speed (60 Hz) and the overspeed trip setpoint (69 Hz). j The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequencing and load rejection. The 4 seconds specified is equal to 80% of the 5 second load sequence interval associated with sequencing of the largest load. Since SONGS specific analyses '

demonstrate the acceptability of overlapping load groups (i.e., adjacent load groups that start at the same time due to load sequence timer tolerance), the use of 80% of load sequence interval for voltage recovery is consistent with the requirements of Regulatory Guide 1.9 (Ref. 3). The voltage and frequency specified are consistent with the design range of the equipment powered by the DG.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-20

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values to which the system must recover following load rejection. The 24 month Frequency is consistent with the recommendation of Regulatory Guide 1.9

-(Ref. 3).

In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed by rejecting an inductive load with kW and kVAR greater than or equal to the single largest post-accident load (683 kW, 369 kVAR). These test conditions are consistent with the power factor requirements of Regulatory Guide 1.9 (Ref. 3) and the recommendations of Information Notice 91-13 (Ref. 17).

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a load equal to 90% to 100% of its continuous rating without l overspeed tripping or exceeding the predetermined voltage limits. The lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the upper load limit.

The DG full load rejection may occur because of a system fault, inadvertent breaker tripping or a SIAS received during surveillance testing. This Surveillance ensures proper engine and generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. The voltage transient limit of 5450 V is 125% of rated voltage (4360 V). These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application (e.g., reconnection l to the bus if the trip initiator can be corrected or (continued)

SAN ON0FRE--UNIT 2 B 3.8-21

AC Sources-0perating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)'

REQUIREMENTS isolated). These loads and limits are consistent with l <

Regulatory Guide 1.9 (Ref. 3).

The DG is tested under inductive load conditions that are as close to design basis conditions as possible. Testing is performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings-(i.e., without creating an overvoltage condition on the ESF buses, over excitation condition in the generator, or overloading the DG main feeder). The kVAR loading requirement during this test is met, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that:

a. kVAR is 2 3000 and s 3200 or

b. the excitation current is 2 3.8 A and s 4.0 A or

c. the ESF bus voltage is 2 4530 V and s 4550 V or

d. DG feeder current is a 730 A and s 750 A This method of establishing kVAR loading ensures that, in addition to verifying the full load rejection capability (kW) of the diesel engine, the reactive power rejection capability (kVAR) of the generator is verified to the extent practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref.16).

The 24 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3) and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

(continued) j SAN ON0FRE--UNIT 2 B 3.8-22 ,

I

p r-

\

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 REQUIREMENTS (continued) As. required by Regulatory Guide 1.9 (Ref. 3), this

= Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source.

This test verifies all actions encountered from the loss of offsite power, including shedding of selected loads and energization of the permanently connected loads from the DG. l The permanently connected loads are the Class 1E 480 V Loadcenters and MCCs. It is recognized that certain l consequential loads may also start following a loss of offsite power and therefore it is important to demonstrate that the DG operates properly with these loads. The consequential loads are sequenced on the DG following a LOVS with the same time delays as for a LOVS with a SIAS. j Therefore, the ability of the DG to operate with the l consequential loads is appropriately demonstrated by the existing Surveillance Requirement simulating a loss of )

offsite power in combination with a SIAS (Surveillance Requirement 3.8.1.19). Since there are no auto-connected shutdown loads, the Regulatory Guide 1.9 (Ref. 3) requirements for sequencing of auto-connected shutdown loads j do not apply (Ref. 17). This surveillance further 4 demonstrates the capability of the DG to automatically achieve the required voltage and frequency, to close the DG output breaker and connect to the ESF bus, and to reset the 4.16 kV bus undervoltage relay logic within the specified time. q The DG auto-start and undervoltage relay logic reset time of l 10 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The J frequency should be restored to within the specified range following energization of the permanently connected loads.

The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting i transients have decayed and stability has been achieved.

The requirement to verify the connection and powe~r supply of permanent loads-is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or shutdown cooling (continued)

SAN ON0FRE--UNIT 2 B 3.8-23 l

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE' SR 3.8.1.11 (continued)

REQUIREMENTS (SDC) systems performing a decay heat removal function are.

not desired to be realigned to thE ECCS mode of operation.

In lieu of actual demonstration of shedding connection, and loading of loads, overlap testing that adequ,ately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential overlapping, or total steps so that the entire l sequence of load sheddin and reenergization of permanently connected loads is verif ed.

The Frequency of 24 months'is consistent with the consideration unit conditions required to perfor)m therecommendation Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs'must be started from standby conditions that is with the engine coolant and oil continuously circuiated and, temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.12 This Surveillance demonstrates that after a SIAS the DG l automatically starts and achieves the required voltage and frequency within the specified time and operates for 2 5 minutes. The 9.4 second start requirement ensures that the DG meets the design basis LOCA analysis assumption, that the DG starts, accelerates to within the specified frequency and voltage limits, connects to the 4.16 kV ESF bus, and resets the ESF bus undervoltage relay logic within 10 seconds of a SIAS. The 5 minute period provides sufficient time to demonstrate stability.

In addition to the SR requirements, the time for the DG to reach steady state operation, unless the modified DG start method is employed is periodically monitored and is evaluatedtoidentIfydegradationofgovernorandvoltage regulator performance. i The Frequency of 24 months is consistent with Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the (continued)

SAN ON0FRE--UNIT 2 B 3.8-24 t -

L AC Sources-Operating B 3.8.1 )

I BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.13 This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a SIAS in accordance with Regulatory Guide 1.9 (Ref. 3). The critical protective functions (engine overspeed, generator differential current, and low-low lube oil pressure), which trip the DG to avert substantial damage to the DG unit, are not bypassed. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately to prevent damage to the DG. The DG availability to mitigate the DBA is more critical thanprotecting the engine against minor problems i that are not immediately detrimental to emergency operation of the DG.

Testing to satisfy this surveillance requirement may include any series of sequential, overlapping, or total steps so that the entire noncritical trip bypass function is verified.

The 24 month Frequency is based on engineering judgment, taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. The SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-25

AC Sources-Operating 8 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 REQUIREMENTS (continued) Regulatory Guide 1.9 (Ref. 3), requires demonstration once per refueling outage that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , a 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months _ of which is at load equivalent to 105% to 110% of the continuous duty rating and the remainder of the time at a load equivalent to 90% to 100% of the continuous duty rating of the DG. For the 22 hour2.546296e-4 days 0.00611 hours 3.637566e-5 weeks 8.371e-6 months duration, the lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the 100%, 105% or 110% load limits.

This test is performed with the DG connected to the offsite

)ower supply. In this alignment DG frequency is controlled

)y the offsite power supply, and the operator has minimal control over DG output voltage. Therefore, specific DG voltage and frequency requirements as recommended by Regulatory Guide 1.9 (Ref. 3) do not apply. l I

The DG starts for this Surveillance can be performed either j from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

The DG is tested under inductive load conditions that are as close to design conditions as possible. Testing is performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings (i.e., without creating an overvoltage condition on the ESF buses, over excitation condition in the generator, ,

or overloading the DG main feeder). The kVAR loading requirement during this test is met, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that:

a. kVAR is 2 3000 and s 3200 or

b. the excitation current is 2 3.8 A and s 4.0 A or l

(continued)

SAN ON0FRE--UNIT 2 B 3.8-26

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued) l REQUIREMENTS

c. the ESF bus voltage is a 4530 V and s 4550 V or

d. DG feeder current is 2 730 A and s 750 A This method of establishing kVAR loading ensures that, in addition to verifying the load carrying capability (kW) of the diesel engine, the reactive power (kVAR) and voltage regulation capability of the generator is verified to the extent practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref.16).

The kW load band in the SR is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9, (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. Note I states that momentary DG load transients do not invalidate this l test. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 9.4 seconds. The 9.4 second time is l derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The LOCA analysis assumes that the DG starts, accelerates to within the specified frequency and voltage limits, connects to the (continued)

SAN ONOFRE--UNIT 2 B 3.8-27 I

1 AC Sources-Operating l B 3.8.1 BASES SURVEILLANCE SR 3.8.1.15 (continued) l REQUIREMENTS 4.16 kV ESF bus, and resets the ESF bus undervoltage relay logic within 10 seconds of a SIAS.

In addition to the SR requirements, the time for the DG to reach steady state operation, unless the modified DG start method is employed, is periodically monitored and is evaluated to identify degradation of governor and voltage regulator performance.

The 24 month Frequency is consistent with the i and is I recommendations of Regulatory intended to be consistent Guide fuel with expected 1.9 cyc (Ref. 3)le lengths. l This SR is modified by two Notes. Note 1 ensures that the I test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary DG load transients do not invalidate l )

this test. Note 2 allows all DG starts to be preceded by an i engine prelube period to minimize wear and tear on the diesel during testing.

SR 3.8.1.15 As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance ensures manual synchronization and load l transfer from the DG to the offsite source can be made and that the DG can be returned to ready to load operation when offsite power is restored. Ready to load operation is defined as the DG running within the specified frequency and i voltage limits, with the DG output breaker open. If this i test is )erformed with a SIAS ) resent, the load transfer occurs w1en the offsite power )reaker is manually closed, and the SIAS causes the DG output breaker to open. If this test is performed without a SIAS present, the load transfer occurs when the offsite power breaker is manually closed, and the DG output breaker is manually opened. By design, the LOVS/SDVS/DGVSS logic will have been previously reset thus allowing the DG to reload if a subsequent loss of offsite power or degraded voltage condition occurs. The LOVS/SDVS/DGVSS signal will strip the bus re sequence timers, close the DG output breaker,and setpermit the load resequencing of the ESF loads if an ESF actuation signal is present.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-29a

l AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.16 REQUIREMENTS (continued) The Frequency'of 24 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

l SR 3.8.1.17 For this Surveillance, the DG is in test mode when it is J running, connected to its bus, and in parallel with offsite

! power. Demonstration of the test mode override ensures that:

1) the DG availability under accident conditions will not be compromised as the result of testing with the DG connected to its bus in parallel with offsite power, and

2) the DG will automatically return to ready to load operation, if a SIAS is received during operation in the test mode. l

, Ready to load operation is defined as the DG running within the specified frequency and voltage limits, with the DG output breaker open. These provisions are required by j IEEE-308 (Ref. 13), paragraph 6.2.6(2) and Regulatory Guide 1.9 (Ref. 3).

The intent in the requirement to automatically energize the

) emergency loads with offsite power associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by DG operation in the test mode in parallel with offsite power. In lieu of actual demonstration of connection and loading of loads, testing. that adequately j shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential overlapping, or total steps so that the entire connection and loading sequence is verified.

l (continued) l SAN ON0FRE--UNIT 2- B 3.8-29b

I AC Sources-Operating B 3.8.1 BASES

~ SURVEILLANCE SR 3.8.1.17 (continued)

REQUIREMENTS The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.18 As required paragraph by(Regulatory 2.a. Guide 2), each DG is 1.108 required (Ref. 9),

to demonstrate proper operation for the DBA loading sequence to ensure that voltage and frequency are maintained within the required limits. Under accident conditions, prior to connecting the DGs to their respective buses, all loads are shed except load center feeders and those motor control centers that power Class 1E loads (referred to as " permanently connected" loads). Upon reaching 90% of rated voltage and frequency, the DGs are then connected to their respective buses. Loads are then sequentially connected to the bus by the programmed time interval load sequence. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence start time tolerance ensures that sufficient time exists for the DG to restore frequency and. voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses.

1 For the Containment Emergency Cooling Units only, the ;

sequenced time is the actual start time of the Component i Cooling Water pumps plus 5 10.5 seconds. The tolerance is based on a design interval of 5 seconds.

l The Frequency of 24 months is consistent with the recommendationsofRegulatoryGuide1.108(Ref.9),

paragraph 2.a.(2); takes into consideration unit conditions required to perform the Surveillance; and is intended to be ;

consistent with expected fuel cycle lengths.

{-

l (continued)

SAN ON0FRE--UNIT 2 B 3.8-29c

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE. SR 3.8.1.18 (continued)

REQUIREMENTS This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.19 In the event of a DBA coincident with a' loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during an actual or simulated loss of offsite power signal (LOVS/DGVSS/SDVS) in conjunction with actual or simulated ESF actuation signals (SIAS, CCAS, CSAS, EFAS-1, and EFAS-2). Multiple ESF actuation signals are initiated to simulate worst case DG load sequencing conditions.

In lieu of actual demonstration of shedding, connection, and l loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire load shedding, connection, and loading sequence is verified. l The Frequency of 24 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs.

Note 2 acknowledges that credit may' be taken for unplanned events that satisfy this SR.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-29d l

l

f AC Sources-Operating B 3.8.1

' BASES SURVEILLANCE SR 3.8.1.20-REQUIREMENTS (continued) This Surveillance demonstrates that the DG starting independence has not been compromised. This Surveillance l demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9) paragraph 2.b.

Regulatory. Guide 1.137 (Ref.10), paragraph C.2.f. and Regulatory Guide 1.9 (Ref. 3).

This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated, and temperature maintained consistent with manufacturer recommendations.

Diesel Generator Test Schedule The DG test schedule (Table 3.8.1-1) implements the recommendations of Revision 3 to Regulatory Guide 1.9 (Ref.3). The purpose of this test schedule is to provide timely test data to establish a confidence level associated with the goal to maintain DG reliability above 0.95 per demand.

According to Regulatory Guide 1.9, Revision 3 (Ref. 3), each DG unit should be tested at least once every 31 days.

According to Draft Regulatory Guide DG-1021 (Ref. 14) and 10 CFR 50.63(a)(3)(ii) (Ref.15), whenever a DG has experienced 4 or more valid failures in the last 25 valid tests, the maximum time between tests is reduced to 7 days.

Four failures in 25 valid tests is a failure rate of 0.16, or the threshold of acceptable DG performance, and hence may be an early indication of the degradation of DG reliability.

When considered in the light of a long history of tests, 4 failures in the last 25 valid tests may only be a l statistically probable distribution of random events.

Increasing the test Frequency will allow for a more timely accumulation of additional test data upon which to base judgment of the reliability of the DG. The increased test Frequency must be maintained until seven consecutive,

/

failure free tests have been performed.

(continued)

SAN ON0FRE--UNIT 2 B 3.8-29e

l L AC Sources-Operating B 3.8.1 BASES SURVEILLANCE Diesel Generator Test Schedule (continued) i

. REQUIREMENTS The Frequency for accelerated testing is 7 days, but no less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Therefore, the interval between tests should be no less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and no more than 7 days. A successful test at an interval of less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months should be considered an invalid test and not count towards the seven consecutive failure free starts. A test interval in i

excess of 7 days constitutes a failure to meet the Srs.

1 REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. UFSAR, Chapter 8.

3. Regulatory Guide 1.9, Rev. 3.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 15.

6. Regulatory Guide 1.93, Rev. O.

7. Generic Letter 84-15.

l 8. 10 CFR 50, Appendix A. GDC 18,

9. Regulatory Guide 1.108, Rev. 1.

10. Regulatory Guide 1.137, Rev.1.

11. ANSI C84.1-1982.

12. ASME, Boiler and Pressure Vessel Code,Section XI.

13. IEEE Standard 308-1978.

14. Craft Regulatory Guide DG-1021, April 1992.

15. 10 CFR 50.63 Register Vol(a)(3)(ii)

. 57, No. 77as page published inApril 14517, Federal 21, 1992.

16. Information Notice 91-13, " INADEQUATE TESTING OF l EMERGENCY DIESEL GENERATORS (EGDs)," 09/16/91.

17. Letter from SCE to the NRC dated May 5, 1995, subject I Docket Nos. 50-361 and 50-362 Diesel Generator !

Loadin i and 3.g San Onofre Nuclear Generating Station Units 2 SAN ON0FRE--UNIT 2 B 3.8-29f

AC Sources-Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME F. Required Action and F.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Associated Completion Time of Condition A, 6E B, C, D, or E not met.

F.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months I

G. Three or more required G.1 Enter LC0 3.0.3. Immediately AC sources inoperable.

SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.8.1.1 -------------------NOTES-------------------

1. Buses 2A04 and 2D1 are required when unit crosstie breaker 2A0417 is used l to provide a source of AC power. ,

I

2. Buses 2A06 and 2D2 are required when j unit crosstie breaker 2A0619 is used l !

to provide a source of AC power.

Verify correct breaker alignment and power 7 days availability for each required offsite circuit.

l l

(continued)

SAN ON0FRE--UNIT 3 3.8-4

AC Sources-Operating 3.8.1 SURVEILLANCE. REQUIREMENTS (continued) l SURVEILLANCE FREQUENCY SR 3.8.1.2 -------------..----NOTES------------------.

.1. Performance of SR 3.8.1.7 satisfies this SR.

2. All DG starts may be preceded by an engine prelube period and followed by a warmup period prior to loading.

3. A modified DG start involving idling i and gradual acceleration to rated l speed may be used for this SR as recommended by the manufacturer. When modified start procedures are not used, the time, voltage, and frequency tolerant.es of SR 3.8.1.7 must be met. l Verify each DG starts from standby conditions and achieves: As specified in l Table 3.8.1-1 i

a. Steady state voltage a 4297 V and s 4576 V; and

b. Steady state frequency 2 59.7 Hz and l s 61.2 Hz.

(continued) i I

l 1 SAN ON0FRE--UNIT 3 3.8-5 ;

I AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued) )

SURVEILLANCE FREQUENCY l SR 3.8.1.7 ------------------NOTES-------------------- j

1. All DG starts may be preceded by an !

engine prelube period.

2. Credit may be taken for unplanned 184 days events that satisfy this SR.

, Verify each DG starts from standby l

condition and:

a. In s 9.4 seconds, achieves voltage 2 4297 V and frequency 2 59.7 Hz;

b. Maintains steady state voltage !

2 4297 V and s 4576 V; and

c. Maintains steady state frequency }

2 59.7 Hz and s 61.2 Hz.

SR 3.8.1.8 -------------------NOTE------------------

1. Credit may be taken for unplanned ;

events that satisfy this SR. {

l 2. Testing to satisfy this SR shall 24 months include actual automatic and manual transfer to at least one alternate l

offsite circuit. The other alternate offsite circuit may be verified by overlapping circuit tests.

1 .........................................

Verify capability of automatic and manual transfer of AC power sources from the normal offsite circuit to each alternate required offsite circuit.

1 (continued) l \

l 1 l

(

SAN ON0FRE--UNIT 3 3.8-7 l

L

AC Sources-Operating 3.8.1

~ SURVEILLANCE' REQUIREMENTS'(continued)

SURVEILLANCE FREQUENCY SR 3.8.1.9 -------------------NOTE-------------------

Credit may be taken for unplanned events that satisfy this SR.

Verify each DG rejects a load greater than 24 months or equal to its associated single largest post-accident. load, and:

a. Following load rejection, the frequency is s 66.75 Hz;

b. Within 4 seconds following load rejection, the voltage is a 4297 V and s 4576 V; and

c. Within 4 seconds following load rejection, the frequency is a 59.7 Hz and s 61.2 Hz.

I SR 3.8.1.10 -------------------NOTE------------------- !

Credit may be taken for unplanned events that satisfy this SR.

Verify each DG, whEn connected to its bus 24 months f in parallel with offsite power and j operating with inductive loading that '

offsite power conditions permit, during and following a load rejection of a 4450 kW and s 4700 kW: l

a. Does not trip; and l

b. Voltage is maintained s 5450 V. l (continued) l l

SAN ON0FRE--UNIT 3 3.8-8 i

AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)-

SURVEILLANCE FREQUENCY SR 3.8.1.11 -------------------NOTES-------------------

1. All DG starts may be preceded by an engine prelube period.

2. Credit may be taken for unplanned events that satisfy this SR.

Verify on an actual or simulated loss of offsite power signal: 24 months

a. De-energization of emergency buses; i

b. Load shedding from emergency buses;

c. DG auto-starts from standby condition and:

1. energizes permanently connected j loads and resets the 4.16kV bus undervoltage relay logic in s 10 seconds;

2. maintains steady state voltage 2 4297 V and s 4576 V; l

3. maintains steady state frequency ,

2 59.7 Hz and s 61.2 Hz; and l

4. supplies permanently connected loads for 2 5 minutes.

1 (Continued)

SAN ON0FRE--UNIT 3 3.8-9

AC Sources-Operating

} 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.12 -----------------NOTES-------------------

1. All DG starts may be preceded by an engine prelube period.

2. Credit may be taken for unplanned events that satisfy this SR.

Verify on an actual or simulated SIAS, each DG auto-starts from standby condition and: 24 months

a. In s 9.4 seconds, achieves voltage 2 4297 V and frequency 2 59.7 Hz;

b. Maintains steady state voltage 2 4297 Y and s 4576 V; and

c. Maintains steady state frequency 2 59.7 Hz and s 61.2 Hz.

d. Operates for 2 5 minutes. l SR 3.8.1.13 -------------------NOTE-------------------

Credit may be taken for unplanned events that satisfy this SR.

Verify each DG automatic trip is bypassed 24 months on actual or simulated SIAS except: l

a. Engine overspeed;

b. Generator differential current; and

c. Low-low lube oil pressure.

(continued)

SAN ONOFRE--UNIT 3 3.8-10

m AC Sources-Operating 3.8.1 i--

SURVEILLANCE REQUIREMENTS (continued) l

' SURVEILLANCE FREQUENCY l

l.

SR 3.8.1.14 -------------------NOTES-------------------

1. Momentary transients outside the load-range does not invalidate this test. l

2. Credit may be taken for unplanned

! . events that satisfy this SR.

! when connected.to its bus 24 months Verify in parallel each DG,h wit offsite power and operating with inductive loading that offsite power conditions permit,-operates for 2 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months s:

a. For 2 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loaded 2 4935 kW and s 5170 kW; and

b. For the remaining hours of the test loaded a 4450 kW and s 4700 kW.

SR 3.8.1.15 -------------------NOTES------------------- l

1. This Surveillance shall be performed within 5 minutes of shutting down the DG after the DG has operated 2 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loaded 2 4450 kW and s 4700 kW.

Momentary transients outside the load l range do not invalidate this test.

2. All DG starts may be preceded by an l engine prelube period.

Verify each DG starts and: 24 months l

a. In s 9.4 seconds, achieves voltage i 2 4297 V and frequency 2 59.7 Hz;

b. Maintains steady state voltage 2 4297 V and s 4576 V;

c. Maintains steady state frequency 1 2 59.7 Hz and s 61.2 Hz; and

d. Operates for 2 5 minutes. l l (continued)

SAN ONOFRE--UNIT 3 3.8-11 l-l

AC Sources-Operating 3.8.1

' SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.16 ---------

NOTE--------------------

Credit ma be taken for unplanned events that sati fy.this SR.

Verify each DG: 24 months

a. Is capable of being synchronized with l offsite power while. loaded with emergency loads upon a simulated restoration of ofisite power;

b. Transfers loads to offsite power source; and

c. Returns to ready-to-load operation, with:

1. steady state voltage 2 4297 V and s 4576 V;

2. steady state frequency 2 59.7 Hz and s 61.2 Hz; and

3. the'DG output breaker open. l SR 3.8.1.17 --------- ---------NOTE--------------------

Credit ma be taken for unplanned events that sati fy this SR.

Verify, with a DG operating in test mode 24 months and connected to its bus in parallel with offsite power, an actual or simulated SIAS overrides the test mode by:

a. Returning DG to ready-to-load operation, and l

1. steady state voltage 2 4297 V and s 4576 V;

2. steady state frequency 2 59.7 Hz and s 61.2 Hz; and

3. the DG output breaker open; and l

b. Automatically energizing the emergency loads from offsite power.

(continued)

SAN ON0FRE--UNIT 3 -

3.8-12 r

l l

AC Sources-Operating 3.8.1 SURVEILLANCE- REQUIREMENTS =-(conti nued) '

SURVEILLANCE- FREQUENCY SR 3.8.1.18 -------------------NOTE-------------------

Credit may be taken~for unplanned events that satisfy this SR.

Verify interval between each sequenced load 24 months block is within i 10%;of design interval for each emergency and shutdown load-programmed time interval' load. sequence.

(continued) l 1

1 l

l l

SAN ON0FRE--UNIT 3 3.8-13

AC Sources-Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.19 ------------___----NOTES-------------------

1. All DG starts may be preceded by an engine prelube period.

2. Credit may be taken for unplanned events that satisfy this SR.

Verify on an actual or simulated loss of 24 months offsite power signal in conjunction with actual or simulated ESF actuation signals:

a. De-energization of emergency buses;

b. Load shedding from emergency buses;

c. DG auto-starts from standby condition and:

1. energizes permanently connected loads and resets the 4.16 kV bus undervoltage relay logic in ;

s 10 seconds;

2. energizes auto-connected l emergency loads through the programmed time interval load sequence;

3. achieves steady state voltage 2 4297 V and s 4576 V; l l

4. achieves steady state frequency a 59.7 Hz and s 61.2 Hz; and l

5. supplies permanently connected and auto-connected emergency loads for 2 5 minutes.

(continued) i SAN ONOFRE--UNIT 3 3.8-14 l

1 i

AC Sources-0perating 3.8.1 SURVEILLANCE REQUIREMENTS (continued) j l

l SURVEILLANCE FREQUENCY I

SR' 3.8.1.20 -------------------NOTE----------..--------

All DG starts may be preceded by an engine prelube period.

I 1

Verify, when started simultaneously from 10 years standby condition, each DG:

a. In s 9.4 seconds, achieves voltage '

2 4297 V and frequency 2 59.7 Hz;

b. Maintains steady state voltage l 2 4297 V and s 4576 V; and '

c. Maintains steady state frequency !

2 59.7 Hz and s 61.2 Hz. !

=

l l

SAN ONOFRE--UNIT 3 3.8-15 l

s

AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B-3.8.1 AC Sources-Operating BASES-BACKGROUND The Class 1E Electrical Power Distribution System AC sources consist of the offsite' power. sources (normal preferred and alternate preferred power sources), and the standby (onsite) power sources-(Train A and Train B Diesel Generators DGs)).

As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1)(, the

. design of the. AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The onsite. Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from-being performed. Each train has connections to two i preferred (offsite) power sources and a single DG. l I In Modes 1 through 4, the normal preferred power source l (Offsite circuit #1) for each unit is Reserve Auxiliary Transformers XR1 and XR2.for the specific unit. XR1-feeds one 4.16 kV ESF bus (Train A) A04 and XR2 feeds the other 4.16 kV ESF bus (Train B) A06 of the onsite Class 1E AC distribution system for each unit. The alternate preferred power source (Offsite circuit #2) is the other unit's Reserve Auxiliary Transformers XR1 and XR2, or the other unit's Unit Auxiliary Transformer XU1 through the train oriented 4.16 kV ESF bus cross-ties between the two units.

The 4.16 kV ESF bus alignment in the other unit determines -

which transformer (s) serves as the alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned totheReserveAuxiliaryTransformer(XR1orXR2),thenthat ,

transformer is the required alternate preferred power j source. If the 4.16 kV ESF bus in the other unit is aligned ;

totheUnitAuxiliaryTransformer(XU1),thenthat transformer is the required alternate preferred power ;

source. !

In Modes 5 and 6, when the main generator is not operating, l each Class IE Switchgear can be connected to a third preferred power source via the Unit Auxiliary Transformers by manually removing the links in the isolated phase bus between the Main Generator and the Main l (continued) i SAN ONOFRE--UNIT 3 B 3.8-1

AC Sources-Operating B 3.8.1 BASES BACKGROUND transformer of the non-operating (Modes 5 and 6) unit and (continued) closing the 4.16 kV circuit breaker to the Unit Auxiliary transformer of the same unit. In this alignment, the Unit Auxiliary Transformer (XVI) serves as the required normal preferred power source of the unit and the alternate preferred power source for the ESF bus (es) in the other unit.

An offsite circuit includes all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class IE ESF bus or buses.

During a Safety Injection Actuation Signal (SIAS), certain required ESF loads are connected to the ESF buses in a predetermined secuence. Within 77 seconds after the SIAS, ;

i all automatic anc permanently connected loads needed to recover the unit or maintain it in a safe condition are placed in service. l The standby (onsite) power source for each 4.16 kV ESF bus l is a dedicated DG. DGs G002 and G003 are dedicated to ESF buses A04 and A06, respectively. A DG starts automatically on a SIAS (i.e., low pressurizer pressure or high l containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically connect to its respective bus after the offsite power supply breaker is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a SIAS_ signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on a SIAS alone. Following the trip of offsite power, an undervoltage signal strips selected loads from the ESF bus.

When the DG is tied to the ESF bus, the permanently connected loads are energized. If one or more ESF actuation !

signals are present, ESF loads are then sequentially !

connected to their respective ESF bus by the programmed time ,

interval load sequence. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

In the event of a loss of preferred power in conjunction with one or more ESF actuation signals, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate ,

the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

(continued)

SAN ON0FRE--UNIT 3 B 3.8-2

l AC Sources-Operating B 3.8.1 BASES BACKGROUND Ratings for Train A and Train B DGs satisfy the requirements (continued) of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 4700 kW with 10% overload permissible for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. However, for standby class of service like the San Onofre DGs the manufacturer allows specific overload values up to 116.1% of continuous duty rating based on the total hours the DG is operated per year. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES UFSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources !

are designed to provide sufficient capacity, capability, l redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

1 The OPERABILITY of the AC electrical power sources is l consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC l power; and '

i A worst case single failure.

b.

The AC sources satisfy Criterion 3 of NRC Policy Statement.

l LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Power Distribution System and separate and independent DGs for j each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an Anticipated Operational Occurrence (A00) l I or a postulated DBA.

(continued) r SAN ON0FRE--UNIT 3 B 3.8-3 L

l l

AC Sources-Operating B 3.8.1 BASES l

LC0 Qualified offsite circuits are those that are described in l (continued) the UFSAR and are part of the licensing basis for the unit. 1 Required offsite circuits are those circuits that are credited and required to be Operable per LC0 3.8.1.

Each required offsite circuit must be capable of maintaining frequency and voltage within specified limits, and acce) ting required loads during an accident, while connected to tie ESF buses.

In Modes 1 through 4, the normal preferred power source l (Offsite circuit #1) for each unit is Reserve Auxiliary <

Transformers XR1 and XR2 for the specific unit. XR1 feeds f one 4.16 kV ESF bus (Train A) A04 and XR2 feeds the other 4.16 kV ESF bus (Train B) A06 of the onsite Class 1E AC distribution system for each unit. The alternate preferred power source (Offsite circuit #2) is the other unit's Reserve Auxiliary Transformers XR1 and XR2, or the other unit's Unit Auxiliary Transformer XU1 through the train oriented 4.16 kV ESF bus cross-ties between the two units.

The 4.16 kV ESF bus alignment in the other unit determines which transformer (s) serves as the alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned to the Reserve Auxiliary Transformer (XR1 or XR2), then that transformer is the required alternate preferred power source. If the 4.16 kV ESF bus in the other unit is aligned totheUnitAuxiliaryTransformer(XVI),thenthat transformer is the required alternate preferred power source.

In Modes 5 and 6, when the main generator is not operating, l each Class IE Switchgear can be connected to a third

) referred power source via the Unit Auxiliary Transformers

)y manually removing the links in the isolated phase bus between the Main Generator and the Main transformer of the non-operating (Modes 5 and 6) unit and closing the 4.16 kV l circuit breaker to the Unit Auxiliary transformer of the same unit. In this alignment, the Unit Auxiliary Transformer (XVI) serves as the required normal preferred power source of the unit and the alternate preferred power source for the ESF bus (es) in the other unit.

Each DG must be capable of starting, accelerating to within specified frequency and voltage limits, connecting to its respective ESF bus on detection of bus undervoltage, and resetting the 4.16 kV bus undervoltage relay logic, in less than or equal to 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading (continued)

SAN ON0FRE--UNIT 3 B 3.8-4 i

AC Sources-0perating B 3.8.1 BASES LC0 sequence intervals, and continue to operate until offsite (continued) power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as: DG in standby with the engine hot, DG in standby with the engine at ambient conditions, and DG operating in a parallel test mode. A DG is considered already operating if the DG voltage is a 4297 and s 4576 volts and the frequency is 2 59.7 and s 61.2 Hz.

Proper sequencing of loads, including tripping of nonessential loads on a SIAS, is a required function for DG l OPERABILITY.

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, separation and independence are complete.

For the offsite AC sources, separation and independence are to the extent practical. A circuit may be connected to more than one ESF. bus, with transfer capability to the other circuit, and not violate separation criteria.

APPLICABILITY The AC sources and associated automatic load sequence timers are required to be OPERABLE-in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of A00s or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6 are covered in LC0 3.8.2, "AC Sources - Shutdown."

ACTIONS L1 To ensure a highly reliable power source remains with the 4 one offsite circuit inoperable, it is necessary to verify :

the OPERABILITY of the remaining required offsite circuit on l l

(continued) j SAN ON0FRE--UNIT 3 B 3.8-5

AC Sources-Operating B 3.8.1 BASES ACTIONS U (continued)

.a more frequent basis. Since the Required Action only specifies " perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.

However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

1 M

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the ca)acity and capability of the remaining AC sources, a reasona)le time for repairs, and the low probability of a DBA occurring j during this period.

The second Completion Time for Required Action A.2 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a '

DG is inoperable, and that DG is subsequently returned i OPERABLE, the LC0 may already have been not met for up to l 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "A E" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 17 day Completion Time means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-6

AC Sources-Operating B 3.8.1 BASES i

ACTIONS L2 (continued)

As in Required Action A.2, the Completion Time allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." This will result in establishing the " time zero" at the time that the LC0 was initially not met, instead of at the time Condition A was entered.

As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition A.

fL1 To ensure a highly reliable power source remains when one of the required DGs is inoperable, it is necessary to verify !

the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies " perform,"

a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required l Actions must then be entered. I fLZ Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is !

inoperable, does not result in a complete loss of safety l function of critical systems. These features are designed with redundant safety related trains. This includes motor driven auxiliary feedwater pumps. Single train systems, such as turbine driven auxiliary feedwater pumps, are not included. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." In this Required Action, the Completion Time only begins on discovery that both:

(continued)

SAN ON0FRE--UNIT 3 8 3.8-7

AC Sources-0perating B 3.8.1 BASES ACTIONS fL2 (continued)

a. An inoperable DG exists; and

b. A required feature on the other train is inoperable.

If at any time during the existence of this Condition (one i DG inoperable) a required feature subsequently becomes ;

inoperable, this Completion Time begins to be tracked. !

Discovering one required OG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action.

Four hours from the discovery of these events existing l concurrently, is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's ,

function may have been lost; however, function has not been '

lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the ,

low probability of a DBA occurring during this period.

B.3.1 and B.3.2 '

Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG, the other DG would be declared inoperable upon discovery and Condition E of LC0 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-8

l l

AC Sources-Operating ;

B 3.8.1 BASES ACTIONS B.3.1 and B.3.2 (continued) j According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is !

reasonable to confirm that the OPERABLE DG is not affected I by the.same problem as the inoperable DG. l Bd An augmented analysis usirg the methodology ' set forth in Reference 16 provides a series of. deterministic and probabilistic justifications and supports continued operations in Condition B for a period that should not exceed 14 days.

In Condition B, the remaining OPERABLE DG and offsite I circuits are adequate to supply electrical power to the !

onsite Class IE Distribution System. The 14 day Completion !

Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 ,

establishes a limit on the maximum time allowed for any )

combination of required AC power ' sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. 'If Condition B is entered while, for instance, an 1 offsite circuit is' inoperable and that circuit 'is subsequently returned OPERABLE, the LC0 may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead to a total of 17' days, since initial failure to meet the LCO, to ,

restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 20 days)' allowed prior .

to complete restoration of the LCO. The 17 day Completion I Time provides a limit on time allowed in a specified l condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which J Conditions A and B are entered concurrently. The "AliQ" connector between the 14 day and 17 day Completion Times l means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an 1 exception' to the normal " time zero" for beginning the allowed time " clock." This will result in establishing the (continued)

. SAN ON0FRE--UNIT 3'. B 3.8-9 !

r l

AC Sources-Operating i B 3.8.1 1 BASES ACTIONS fLi (continued)

" time zero" at the time that the LC0 was initially not met, instead of at the time Condition B was entered. ,

1 As required by Section 5.5.2.14, a Configuration Risk l Management Program is implemented in the event of Condition B.

C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by j Regulatory Guide 1.93 (Ref. 6) for two inoperable required ;

offsite circuits. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance is based upon the l assumption that two complete safety trains are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps. Single train turbine driven auxiliary pumps, are not included in the list.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." In this Required Action, the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and

b. A required feature is inoperable.

If at any time during the existence of Condition C (two offsite circuits inoperable) and a required feature becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed (continued)

SAN ON0FRE--UNIT 3 B 3.8-10

AC Sources-0perating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued) 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

)

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this level of degradation:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the l unit in a safe shutdown condition in the event of a DBA or j transient. In fact, a simultaneous loss of offsite AC i sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety l analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a l period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Reference 6, with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-11

AC Sources-Operating B 3.8.1 BASES ACTIONS .D.1 and D.2 (continued)

Pursuant to LC0 3.0.6, the Distribution System (LC0 3.8.9)

ACTIONS would not be entered even if all AC sources to it were inoperable resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered, the Conditions and Required Actions for LC0 3.8.9, " Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG without regard to whether a train is de-energized. LC0 3.8.9 provides the appropriate restrictions for a de-energized train.

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the j susceptibility of this power system configuration to a I single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

L1 With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.

Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the (continued)

SAN ON0FRE--UNIT 3 B 3.8-12

n AC Sources-Operating B 3.8.1 BASES ACTIONS L1'(continued) time allowed for continued operation is severely restricted.

The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Reference 6, with both DGs inoperable, operation may continue for. a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

F.1 and F.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LC0 does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

IL1 Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LC0 3.0.3 to commence a controlled shutdown.

I SURVEILLANCE The AC sources are designed to permit inspection and l REQUIREMENTS testing of all important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A GDC 18 (Ref. 8). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions).

The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3), Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10).

(continued)

SAN ON0FRE--UNIT 3 B 3.8-13

l I

AC Sources-0perating l B 3.8.1 BASES 1 SURVEILLANCE Where the SRs discussed herein specify voltage and frequency REQUIREMENTS tolerances, the following is applicable. The minimum steady (continued) state output voltage of 4297 V is above the maximum reset voltage of the 4.16 kV bus undervoltage relays (Ref. SR 3.3.7). Achieving a voltage at or above 4297 V ensures that the LOVS/SDVS/DGVSS relay logic will reset allowing sequencing of the ESF loads on to the ESF bus if one or more ESF actuation signals is present. This minimum voltage ,

limit, which is consistent with ANSI C84.1-1982 (Ref. 11), '

is above the allowed voltage drop to the terminals of 4160 V -

motors whose minimum steady state operating voltage is l 3744 V (90% of 4160 V). This minimum voltage requirement i also ensures that adequate voltage is provided to motors and other equipment down through the 120 V level. The specified maximum steady state output voltage of 4576 V ensures that, l for a lightly loaded distribution system, the voltage at the terminals of 4160 V motors is no more than the maximum allowable steady state operating voltage (110% of 4160V).

The specified minimum and maximum frequencies of the DG are 59.7 Hz and 61.2 Hz, respectively. The upper frequency limit is equal to + 2% of the 60 Hz nominal frequency and is derived from the recommendations given in Regulatory Guide 1.9 (Ref. 3). The lower frequency limit is equal to

- 0.5% of the 60 Hz nominal frequency and is based on maintaining acceptable high pressure safety injection system performance as assumed in the accident analyses.

During a DG surveillance test, steady state DG voltage of 4297 to 4576 volts and steady state frequency of 59.7 to 61.2 Hz shall be verified. For the lower voltage and frequency limits, the Total Loop Uncertainty (TLU) of the measurement device (Reference Calculation E4C-098) shall be considered.

SR 3.8.1.1 This SR assures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that availability of independent offsite circuits is maintained. l The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-14

AC Sources-Operating B 3.8.1 j BASES 3.8.1.2 and SR 3.8.1.7 SURVEILLANCE SR REQUIREMENTS (continued) These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and i to maintain the unit in a safe shutdown condition. !

l To minimize the wear on moving parts that do not get lubricated when the engine is not running, DG starts may be preceded by an engine prelube period. SR 3.8.1.2 is modified by Notes 2 and 3 to indicate that all DG starts for SR 3.8.1.2 may be preceded by an engine prelube )eriod and followed by a warmup period prior to loading. T1e DG manufacturer recommends a modified (slow) start (when possible) in which the starting speed of the DG is limited, J warmup is limited to this lower speed, and the D', is gradually accelerated to rated speed prior to iuading. SR 3.8.1.7 is modified by Note 1 to indicate that all DG starts for SR 3.8.1.7 may be preceded by an engine prelube period.

For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the DGs are started froin standby conditions. Standby conditions for a DG mean the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.

SR 3.8.1.7 recuires that the DG starts from standby conditions anc achieves required voltage and frequency within 9.4 seconds without DG breaker closure. The 9.4 second start requirement ensures that the DG meets the design basis LOCA analysis assumptions (Ref. 5), that the DG starts, accelerates to within the specified fre voltage limits, connects to the 4.16kV ESF bus,quency and and resets the ESF bus undervoltage relay logic within 10 seconds of a ,

SIAS. j l

The 9.4 second start requirement is not applicable to )

SR 3.8.1.2 when a modiffed (slow) start procedure described I above is used. Since SR 3.8.1.7 requires a 9.4 second l start, it is more restrictive than SR 3.8.1.2 and it may be i

)erformed in lieu of SR 3.8.1.2. This is the intent of iote 1 of SR 3.8.1.2.

In addition to the SR requirements, the time for the DG to reach steady state operation, unless the modified DG start method is employed, is periodically monitored and is evaluated to identify degradation of governor and voltage regulator performance.

SR 3.8.1.7 is modified by Note 2 which acknowledge that credit may be taken for unplanned events that satisfy this SR.

(continued)

SAN ON0FRE--UNIT 3 8 3.8-15

f f.

AC Sources-Operating B 3.8.1 :

BASES l

SURVEILLANCE SR '3.8.1.2 and SR 3.8.1.7 (continued)

REQUIREMENTS The normal 31 day Frequency for-SR 3.8.1.2 (see Table 3.8.1-1, " Diesel Generator Test Schedule," in the accompanying LCO) and the 184 day Frequency for SR 3.8.1.7 are consistent with Regulatory Guide 1.9 (Ref. 3). These Frequencies provide adequate assurance of DG OPERABILITY, while minimizing degradation resulting from testing.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads listed in Reference 2.

This capability is verified by performing a load test between 90 to 100% of rated load, for an interval of not less than 60 minutes, consistent with the requirements of Regulatory Guide 1.9 (Ref. 3). The lower load limit of 4450 kW is 94.7% of the DG continuous rating (4700 kW). The 94.7% limit is based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the upper load limit. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the i

offsite source.

Although no power factor requirements are established by ;

this SR, the surveillance is performed with DG kVAR output !

that offsite power system conditions permit during testing l without exceeding equipment ratings (i.e., without creating i an overvoltage condition on the ESF buses, over excitation condition on the ESF buses, over excitation condition in the '

generator, or overloading the DG main feeder). The kVAR loading requirement during this test is met, and the equipment ratings are not exceeded, when the DG kVAR output is increased such that:

a. kVAR is 2 3000 and s 3200 or

b. the excitation current is a 3.8 A and s 4.0 A or

c. the ESF bus voltage is 2 4530 V and s 4550 V or

d. DG feeder current is a 730 A and s 750 A This method of establishing kVAR loading ensures that, in addition to verifying the load carrying capability (kW) of l the diesel engine, the reactive power (kVAR) and voltage l

I f (continued) l SAN ON0FRE--UNIT 3 B 3.8-16

I AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 (continued)

REQUIREMENTS regulation capability of the generator is verified to the

extent practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref. 16).

l The normal 31 day Frequency for this Surveillance (Table 3.8.1-1) is consistent with Regulatory Guide 1.9 (Ref. 3). ,

t l This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual {

loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are i minimized. Note 2 states that momentary DG load transients l do not invalidate this test. l Note 3 indicates that this i Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from ]

offsite circuit or grid perturbations. Note 4 stipulates that a successful DG start must precede this test to credit l satisfactory performance. )

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is at or above the level selected to ensure adequate fuel oil for a minimum of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of DG operation at full load plus 10%. The level is expressed as an equivalent volume in inches. The 30 inch level includes instrument uncertainties and corresponds to the minimum requirement of 355.1 gallons of fuel oil.

The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil .is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 i

Microbiological fouling is a major cause of fuel oil degradation. There are numerous microorganisms that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates ;

the necessary environment for microbial survival in the day tanks. This is the most effective means of controlling (continued)

SAN ON0FRE--UNIT 3 B 3.8-17

i.

AC Sources-Operating B 3.8.1 BASES l SURVEILLANCE SR 3.8.1.5 (continued)

REQUIREMENTS microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, l

contaminated fuel oil, and from breakdown of the fuel 011'by l microorganisms. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system.

The Surveillance Frequencies are established by Regulatory l Guide 1.137 (Ref. 10). This SR is for preventive I maintenance. The presence of water does not necessarily i represent failure of this SR provided the accumulated water is removed during the performance _of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that for each OPERABLE DG at l 1 east one fuel oil transfer pump operates and transfers fuel l oil from its associated storage tank to its associated day tank. This is required to support continuous operation of the standby power source. This Surveillance provides assurance that at least one fuel oil transfer pump is l OPERABLE, the fuel oil piping system is intact, the fuel I

delivery piping is not obstructed, and the controls and control systems for the fuel transfer system are OPERABLE. l The design of the fuel transfer system is such that one pump will operate automatically, while the other pump can be started manually. Either pump will maintain an adequate volume of fuel oil in the day tank.. In such a case, a 31 day Frequency is appropriate.

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 Verification of the capability to transfer each 4.16 kV ESF bus power supply from the normal preferred power source (offsite circuit) to each required alternate preferred power source (offsite circuit), via the train-aligned 4.16 kV (continued)

SAN ON0FRE--UNIT 3 B 3.8-18

p AC Sources-Operating B 3.8.1 i BASES i

SURVEILLANCE SR 3.8.1.8 (continued) l REQUIREMENTS (continued) crosstie between Unit 2 and Unit 3, demonstrates the l

OPERABILITY of the alternate preferred power distribution network to power the post-accident and shutdown loads. For L 2A04 the normal offsite power source is 2XR1, and the alternate offsite power source is 3XR1 or 3XU1. For 2A06 l the normal offsite power source is 2XR2, and the alternate offsite power source is 3XR2 or 3XU1. A required alternate offsite power source is the source that is credited as the alternate source of offsite power in LC0 3.8.1. Therefore, the alignment of the ESF buses in Unit 3 determines which alternate offsite circuit is the required circuit at any point in time.

For each 4.16 kV ESF bus (2A04 or 2A06) this surveillance requirement may be satisfied by performing both a manual transfer and an auto-transfer from the normal offsite power source to at least one of the alternate offsite power sources. The tested source may then be credited as the required alternate offsite power source per LC0 3.8.1. This surveillance may be satisfied for the remaining power source by performing a circuit functional test in addition to the transfer test above. This functional test shall be performed such that all components that are required to function for a successful manual or auto-transfer that were not included in the transfer tests above, are tested. This testing may include any series of sequential, overlapping, or total steps so that the entire manual and auto-transfer capability of the source is verified. This is explained in a note to this SR.

The 24 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

Operating experience has shown that these components usually I pass the.SR when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note which acknowledges that credit l may be taken for unplanned events that satisfy this SR.

1 I

l (continued) l SAN ON0FRE--UNIT 3 B 3.8-19

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE- .SR 3.8.1.9

' : REQUIREMENTS (continued) .Each DG is'provided with an' engine overspeed trip to prevent

' damage to the engine. Recovery.from the transient caused by the loss of a large load could cause-diesel engine ;

overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the.

largest. single post-accident load without exceeding

. predetermined voltage and frequency.and while maintaining a specified margin.to the overspeed trip. For this unit, the largest single post-accident load for each DG is the Auxiliary Feedwater pump which has a nameplate rating of 800 HP. As required by IEEE-308 (Ref. 13), the load rejection, test is acceptable if the increase in DG frequency does not exceed 66.75 Hz, which is 75% of the difference between synchronous speed (60 Hz) and the overspeed trip setpoint (69 Hz).

The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref.3) recommendations for response during load sequencing and load rejection. The 4 seconds specified is equal to 80% of the 5 second. load sequence interval associated with sequencing of the largest load. Since SONGS specific analyses demonstrate the acceptability of overlapping load groups (i.e., adjacent load groups that start at the same time due to load sequence timer tolerance), the use of 80% of load sequence interval for voltage recovery is consistent with the requirements of Regulatory Guide 1.9'(Ref. 3). The voltage and frequency specified are consistent with the design range of the equipment powered by the DG.

SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values to which the system m"st recover following load rejection. The 24 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref.3).

In order to ensure that the DG is tested under load conditions that are.as close to design basis conditions as possible, testing is performed by rejecting an inductive load with kW and kVAR greater than or equal to the single largest post-accident load (683 kW, 369 kVAR). These test conditions are consistent with the power factor requirements of Regulatory Guide 1.9 (Ref. 3) and the reconnendations of Information Notice 91-13 (Ref.17).

(continued)

SAN ON0FRE--UNIT 3 B 3.8-20 i

e I

AC Sources-Operating i B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR. i SR 3.8.1.10 l This Surveillance demonstrates the DG capability to reject a load equal to 90% to 100% of its continuous rating without l l overspeed tripping or exceeding the predetermined voltage l

limits. The lower load limit of 4450 kW is 94.7% of the DG l continuous rating (4700 kW). The 94.7% limit is based on ,

design basis loading and includes instrument uncertainty i plus margin. Instrument uncertainty is not applied to the upper load limit.

l The DG full load rejection may occur because of a system l i fault, inadvertent breaker tripping or a SIAS received during surveillance testing. This Surveillance ensures proper engine and generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. The voltage transient limit of l

5450 V is 125% of rated voltage (4360 V). These acceptance >

criteria provide DG damage protection. While the DG is not expected'to experience this transient during an event and i continues to be available, this response ensures that the DG ,

l is not degraded for future application (e.g., reconnection l :

to the bus if the trip initiator can be corrected or !

isolated). These loads and limits are consistent with ( .

Regulatory Guide 1.9-(Ref. 3). l I

The DG is tested under inductive load conditions that are as close to design basis conditions as possible. Testing is performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings (i.e., without creating an overvoltage condition on I the ESF buses, over excitation condition in the generator,

or overloading the DG main feeder). The kVAR loading l_ requirement during this test is met, and the equipment ,

l ratings are not exceeded, when the DG kVAR output is increased such that:

a. kVAR is 2 3000 and s 3200 or

( b. the excitation current is 2 3.8 A and s 4.0 A or (continued)

SAN ON0FRE--UNIT 3 B 3.8-21

r l

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS

c. the ESF bus voltage is 2 4530 V and s 4550 V or

d. DG feeder current is 2 730 A and s 750 A This method of establishing kVAR loading ensures that, in i addition to verifying the full load rejection capability (kW) of the diesel engine, the reactive power rejection capability (kVAR) of the generator is verified to the extent

, practicable, consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 (Ref. 16).

The 24 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3) and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), this l Surveillance demonstrates the as designed operation of the

! standby power sources during loss of the offsite source.

l This test verifies all actions encountered from the loss of offsite power, including shedding of selected loads and energization of the permanently connected loads from the DG.

, The permanently connected loads are the Class 1E 480 V I

Loadcenters and MCCs. It is recognized that certain consequential loads may also start following a loss of offsite power and therefore it is im)ortant to demonstrate that the DG operates properly with taese loads. The consequential loads are sequenced on the DG following a LOVS with the same time delays as for a LOVS with a SIAS.

Therefore, the ability of the DG to operate with the consequential loads is appropriately demonstrated by the existing Surveillance Requirement simulating a loss of i

offsite power in combination with a SIAS (Surveillance l Requirement 3.8.1.19). Since there are no auto-connected l shutdown loads, the Regulatory Guide 1.9 (Ref. 3) i requirements for sequencing of auto-connected shutdown loads ;

do not apply (Ref.17). This surveillance further demonstrates the capability of the DG to automatically

, achieve the required voltage and frequency, to close the DG output breaker and connect to the ESF bus, and to reset the 4.16 kV bus undervoltage relay logic within the specifiea time.

l (continued)

SAN ON0FRE--UNIT 3 B 3.8-22

r AC Sources-Operating

) B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS The DG auto-start and undervoltage relay logic reset time of l 10 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The frequency should be restored to within the specified range following energization of the permanently connected loads.

The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The requirement to verify the connection and power :;upply of permanent loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or shutdown cooling (SDC) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation.

In lieu of actual demonstration of shedding, connection, and loading of loads, overlap testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overla aping, or total steps so that the entire sequence of load sledding and reenergization of permanently connected loads is verified.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-23 I

l

i

)

AC Sources-Operating B 3.8.1 BASES' SURVEILLANCE- SR 3.8.1.12 I l

REQUIREMENTS (continued) the DG l This Surveillance-demonstrates automatically starts and achievesthat'after a SIAS,ltage the required vo and frequency within the specified time and operates for

> 5 minutes. The 9.4 second start requirement ensures that the DG meets the design basis LOCA analysis assumption, that the DG starts accelerates to within the specified frequency andvoltagellmits,connectstothe4.16kVESFbus,and !

resets the ESF bus undervoltage relay logic within '

10 seconds of a SIAS. The.5 minute period provides sufficient time to demonstrate stability.

In addition to the SR requirements, the time for the DG to reach steady state o unless the modified DG start method is employed is .peration,ically period monitored and is evaluated to identify degradation of governor and voltage regulator performance. )

The Frequency of 24 months is consistent with Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions i and is intended to be l required consistenttowith perform the Surveillance,le the expected fuel cyc lengths. Operating experience has shown that these components usually pass the i SR when performed at the 24 month Frequency. Therefore the l Frequency was concluded to be acceptable from a reliability standpoint.

This'SR is modified by two Notes. The reason for Note 1 is l to minimize wear and tear on the DGs during testing. For j the purpose of this testing, the DGs.must be started from ,

standby conditions that is with the engine coolant and oil '

continuouslycirculatedand,temperaturemaintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events j that satisfy this SR.

SR 3.8.1.13 This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a-SIAS in accordance with Regulatory Guide 1.9 (Ref. 3 . The critical protective functions overspeed, g)enerator differential current, and low (engine

-low lube oilpressure)t,whichtriptheDGtoavertsubstantialdamage to the DG uni are.not bypassed. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately to prevent damage to the DG. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems ,

that are not immediately detrimental to emergency operation l of_the DG.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-24

AC Sources-Operating B 3.8.1 {

BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS Testing to satisfy this surveillance requirement may include .

any series of sequential, overlap)ing, or total steps so !

that the entire noncritical trip )ypass function is j verified. l The 24 month Frequency is based on engineering judgment, I taking into consideration unit conditions required to i perform the Surveillance, and is intended to be consistent with ex)ected fuel cycle lengths. Operating experience has shown t1at these components.usually pass the SR when ;

. performed at the 24 month Frequency. Therefore, the i Frequency was concluded to be acceptable from a reliability standpoint.

l The'SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3), requires demonstration once per refueling outage that the DGs can start and run continuously at full load capability for an interval of not j less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , ;t 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of which is at load i equivalent to 105% to 110% of the continuous duty rating and the remainder of the time at a load equivalent to 90% to 100% of the continuous duty rating of the DG. For the 22 l hour duration, the lower load limit of 4450 kW is 94.7% of )

the DG continuous rating (4700 kW). The 94.7% limit is i based on design basis loading and includes instrument uncertainty plus margin. Instrument uncertainty is not applied to the 100%,105% or 110% load limits.

This test is performed with the DG connected to the offsite

)ower supply. In this alignment DG frequency is controlled

)y the offsite power supply, and the operator has minimal control over DG output voltage. Therefore, specific DG requirements as recommended by voltage and Regulatory frequency Guide 1.9 (Ref. 3) do not apply.

The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading,, discussed in SR 3.8.1.3, are applicable to this SR.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-25

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS The DG is tested under inductive load conditions that are as close to design conditions as possible. Testing is performed with DG kVAR output that offsite power system conditions permit during testing without exceeding equipment ratings (i.e., without creating an overvoltage condition on the-ESF buses, over excitation condition in the generator,

, or overloading the DG main feeder). The kVAR icading requirement during this test is met, and the equipment ratings are not exceeded, wnen the DG kVAR output is increased such that:

a. kVAR is 2 3000 and s 3200 or '

b. the excitation current is 2 3.8 A and s 4.0 A or !

c. the ESF bus voltage is a 4530 V and s 4550 V or i

d. DG feeder current is 2 730 A and s 750 A I This method of establishing kVAR loading ensures that, in l addition to verifying the load carrying capability (kW) of l the diesel engine, the reactive power (kVAR) and voltage i regulation capability of the generator is verified to the extent practicable, consistent with the recommendations of 1 Regulatory Guide 1.9 (Ref. 3) and Information Notice 91-13 l (Ref. 16).

The kW load band in the SR is provided to avoid routine overloading of the DG. Routine overloading may result in more frecuent teardown inspections in accordance with vendor recommencations in order to maintain DG OPERABILITY.

The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9, (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. Note 1 states that momentary DG load transients do not invalidate this l test. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.15 '

This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 9.4 seconds. The 9.4 second time is l (continued)

SAN ON0FRE--UNIT 3 B 3.8-26

r AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1 15 (continued)

REQUIREMENTS derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The LOCA analysis assumes that the DG starts, accelerates to within the specified fre 4.16 kV ESF bus,and quency and resets thevoltage E5F buslimits, connects relay undervoltage to the logic within 10 seconds of a SIAS.

In addition to the SR requirements, the time for the DG to reach steady state operation unless the modified DG start method is employed isperiodicallymonitoredandis evaluated to identify degradation of governor and voltage regulator performance.

The 24 month Frequency is consistent with the and is recommendations of Regulatory intended to be consistent Guide 1.9 with expected fuel (Ref.

cyc 3)le lengths.

This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary DG load transients do not invalidate l this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.

SR 3.8.1.16 AsrequiredbyRegulatoryGuide1.9(Ref.3),this Surveillance ensures manual synchronization and load l transfer from the DG to the offsite source can be made and that the DG can be returned to ready to load operation when offsite power is restored. Ready to load operation is defined as the DG running within the specified frequency and voltage limits, with the DG output breaker open. If this test is performed with a SIAS present, the load transfer occurs when the offsite power breaker is manually closed and the SIAS causes the DG output breaker to open. IfthIs test is performed without a SIAS present the load transfer occurs when the offsite power breaker is, manually closed, and the DG output breaker is manually opened. By design the LOVS/SDVS/DGVSS logic will have been previously resef.

thus allowing the DG to reload if a subsequent loss of offsite power or degraded voltage condition occurs. The LOVS/SDVS/DGVSS signal will strip the bus re sequence timers, close the DG output breaker, setpermit and the load (continued)

SAN ON0FRE--UNIT 3 B 3.8-27 I

i

r 1 AC Sources-0perating B 3.8.1 j BASES SURVEILLANCE SR 3.8.1.16 (continued) i REQUIREMENTS i resequencing of.the ESF loads.if an ESF actuation signal is i present.

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This' SR is modified-by a Note which acknowledges that credit

-may be taken for unplanned events that satisfy this SR.

SR 3.8.1.17 For this Surveillance, the DG is in test mode when it is running, connected to its bus, and in parallel with offsite power. Demonstration of the test mode override ensures that:

1) the DG availability under accident conditions will not be compromised as the result of testing with the DG connected to its bus in parallel with offsite power, and

2) the DG will automatically return to ready to load operation, if a SIAS is received during operation in the test mode.

l Ready to load operation is defined as the DG running within l the specified frequency and voltage limits, with the DG output breaker open. These )rovisions are required by IEEE-308 (Ref. 13), paragrapi 6.2.6(2) and Regulatory Guide 1.9 (Ref. 3).

The intent in the requirement to automatically energize the emergency loads with offsite power associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by DG operation in the test mode in parallel with offsite power. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential overlapping, or total steps so that the entire connection and loading sequence is verified.

(continued)

I l

SAN ON0FRE--UNIT 3 B 3.8-28 '

l i 1

y AC Sources-Operating B 3.8.1 BASES SURVE1LLANCE SR 3.8.1.17 (continued)

REQUIREMENTS The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.18 Re As required paragraph by(2)gulatory 2.a. , each DGGuide 1.108to(Ref.

is required 9),

demonstrate proper operation for the DBA loading sequence to ensure that voltage and frequency are maintained within the required limits. Under accident conditions, prior to connecting the DGs to their respective buses, all loads are shed except load center feeders and those motor control centers that power Class 1E loads (referred to as " permanently connected" loads). Upon reaching 90% of rated voltage and frequency, the DGs are then connected to their res)ective buses. Loads are then sequentially connected to the aus by the programmed time interval load sequence. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence start time tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF ecuipment time delays are not violated. Reference 2 provices a summary of the automatic loading of ESF buses.

For the Containment Emergency Cooling Units only, the sequenced time is the actual start time of the Component Cooling Water pumps plus 510.5 seconds. The tolerance is based on a design interval of 5 seconds. ;

The Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9),

paragraph 2.a.(2); takes into consideration unit conditions !

required to perform the Surveillance; and is intended to be !

consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit ,

may be taken for unplanned events that satisfy this SR. j (continued)

SAN ONOFRE--UNIT 3 B 3.8-29

(;

AC Sources-Operating 8 3.8.1 BASES SURVEILLANCE SR 3.8.1.19 REQUIREMENTS (continued) In the event of a DBA coincident with a loss of offsite lower, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates the DG operation, as discussed in theofBases simulated loss offsitefor SR 3.8.1.11,(during power an actual or signal LOVS/DGVSS/SDVS)in conjunction with actual or simulated ESF actuation signals (SIAS, CCAS, CSAS, EFAS-1, and EFAS-2). Multiple ESF actuation signals are initiated to simulate worst case DG load sequencing conditions.

In lieu of actual demonstration of shedding, conne-tion, and l loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire load shedding, connection, and loading sequence is verified. l The Frequency of 24 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs.

Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Surveillance l demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9), paragraph 2.b, Regulatory Guide 1.137 (Ref. 10), paragraph C.2.f, and Regulatory Guide 1.9 (Ref. 3).

(continued)

SAN ON0FRE--UNIT 3 B 3.8-29a

AC Sources-0perating B 3.8.1 BASES l

SURVEILLANCE SR 3.8.1.20 (continued) l REQUIREMENTS I This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby {

conditions, that is, with the engine coolant and oil continuously circulated, and temperature maintained {

consistent with manufacturer recommendations.

1 Diesel Generator Test Schedule !

The DG test schedule (Table 3.8.1-1) implements the recommendations of Revision 3 to Regulatory Guide 1.9 (Ref. 3). The purpose of this test schedule is to provide timely test data to establish a confidence level associated with the goal to maintain DG reliability above 0.95 per demand.

According to Regulatory Guide 1.9, Revision 3 (Ref. 3), each ,

DG unit should be tested at least once every 31 days. 1 According to Draft Regulatory Guide DG-1021 (Ref. 14) and 10 CFR 50.63(a)(3)(ii) (Ref.15), whenever a DG has experienced 4 or more valid failures in the last 25 valid j

tests, the maximum time between tests is reduced to 7 days.

Four failures in 25 valid tests is a failure rate of 0.16, or the threshold of acceptable DG performance, and hence may be an early indication of the degradation of DG reliability.

When considered in the light of a long history of tests, I 4 failures in the last 25 valid tests may only be a l l statistically probable distribution of random events. I Increasing tne test Frequency will allow for a more timely accumulation of additional test data upon which to base judgment of the reliability of the DG. The increased test Frequency must be maintained until seven consecutive, failure free tests have been performed.

The Frequency for accelerated testing is 7 days, but no less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Therefore, the interval between tests should be no less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and no more than 7 days. A successful test at an interval of less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months should be considered an invalid test and not count towards the seven consecutive failure free starts. A test interval in excess of 7 days constitutes a failure to meet the Srs.

(continued)

SAN ON0FRE--UNIT 3 8 3.8-29b L_

AC Sources-0perating B 3.8.1 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. UFSAR, Chapter 8.

3. Regulatory Guide 1.9, Rev. 3.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 15.

6. Regulatory Guide 1.93, Rev. O.

7. Generic Letter 84-15.

8. 10 CFR 50, Appendix A, GDC 18.

9. Regulatory Guide 1.108, Rev. 1.

10. Regulatory Guide 1.137, Rev. 1.

11. ANSI C84.1-1982.

12. ASME, Boiler and Pre 5sure Vessel Code,Section XI.

13. IEEE Standard 308-1978.

14. Draft Regulatory Guide DG-1021, April 1992.

15. 10 CFR 50.63(a)(3)(ii) as published in Federal Register Vol. 57, No. 77 page 14517, April 21,1992.

16. Information Notice 91-13, " INADEQUATE TESTING OF EMERGENCY DIESEL GENERATORS (EGDs)".

17. Letter from SCE to the NRC dated May 5,1995, subject Docket Nos. 50-361 and 50-362, Diesel Generator Loading San Onofre Nuclear Generating Station Units 2 and 3.

(continued)

SAN ON0FRE--UNIT 3 B 3.8-29c k

ML20207A391

Text

Navigation menu

Search