ML20210N512

Proposed Cycle 10 Update to TS Bases That Have Been Revised Between 980101-990630
ML20210N512
Person / Time
Site: San Onofre
Issue date: 08/09/1999
From:
SOUTHERN CALIFORNIA EDISON CO.
To:
Shared Package
ML20210N509 List:
References
NUDOCS 9908110132


Text

SAN ONOFRE UNIT 2 REVISED BASES PAGES

9908110132 990809 PDR ADOCK 05000361 P PDR

SR Applicability B 3.0

BASES

SR 3.0.2 (continued)

not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. An example of where SR 3.0.2 does not apply is the Containment Leakage Rate Testing Program. Test frequencies specified in the Containment Leakage Rate Testing Program may be extended consistent with the guidance provided in NEI 94-01, "Industry Guideline For Implementing Performance-Based Option Of 10 CFR 50, Appendix J," as endorsed by Regulatory Guide 1.163.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals or periodic Completion Time intervals beyond those specified.

SR 3.0.3

SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not

(continued)

SAN ONOFRE--UNIT 2 B 3.0-12 Amendment No. 127 12/1/98

Boration Systems - Operating B 3.1.9

B 3.1 REACTIVITY CONTROL SYSTEM

B 3.1.9 Boration Systems - Operating

BASES

BACKGROUND

The Chemical and Volume Control System (CVCS) functions to provide a means for reactivity control and maintaining reactor coolant inventory, activity, and chemistry. The CVCS includes the letdown and boron injection subsystems.

The boron injection subsystem is required to establish and maintain a safe shutdown condition for the reactor. The letdown portion of the CVCS is used for normal plant operation; however, it is not required for safety.

Two OPERABLE boron injection flow paths are required while operating in Modes 1, 2, 3, and 4. One flow path includes the OPERABLE RWST (TS 3.5.4), the associated gravity feed valves, and the charging pumps. The second flow path includes the Boric Acid Makeup (BAMU) tanks with their individual or combined contents in accordance with the LCS, the associated gravity feed valves, BAMU pump(s), and charging pumps. Power is provided by the OPERABLE onsite emergency power supply specified by TS 3.8.1.

The boron concentration is controlled to provide shutdown margin (SDM) for maintenance, refueling and emergencies. Boron concentration is adjusted to obtain optimum CEA positioning and compensate for normal reactivity changes associated with changes in reactor coolant temperature, core burnup, and xenon concentration. The boration capability is sufficient to provide a SDM of 3.0% Δk/k assuming the highest worth CEA is stuck out after xenon decay and cooldown to 200°F in accordance with GDC 26 and 27 (Refs. 1 and 2). In addition, the boration system injects boron into the RCS to mitigate a Main Steam Line Break (MSLB).

APPLICABLE SAFETY ANALYSES

The charging pumps inject borated water into the RCS to provide reactivity control. There are three installed charging pumps with one normally in operation balancing the letdown purification flow and the reactor coolant pump controlled bleed-off flow. A Safety Injection Actuation Signal (SIAS) is initiated by either low pressurizer pressure or high containment pressure in Modes 1 through 3.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-54 Amendment No. 127 4/30/98

APPLICABLE SAFETY ANALYSES (continued)

All three charging pumps receive start signals from SIAS and the associated boric acid flow path valves open to provide emergency boration via the charging pumps.

The capacity of the charging pumps and the required amount of borated water stored in the RWST and BAMUs is sufficient to maintain shutdown margin during a plant cooldown to MODE 5 with a shutdown margin of at least 3% Δk/k at any time during plant life. The maximum expected boration capability requirement occurs at the end of core life from full power equilibrium xenon conditions. During this condition the required boric acid solution is supplied by the BAMU tanks with the contents in accordance with the LCS plus approximately 13,000 gallons of 2350 ppm borated water from the OPERABLE RWST.

The design of the boration systems incorporates a high degree of functional reliability by providing redundant components, an alternate path for charging and either offsite or onsite power supplies. Gravity feed lines from each Boric Acid Makeup (BAMU) tank and the RWST assure that a source of borated water is available to the charging pump suction header. Should the charging line inside containment be inoperable, the line may be isolated outside containment and flow redirected through the high pressure safety injection headers to assure boron injection. If the normal power supply system should fail, the charging pumps, boric acid makeup pumps, and all related automatic control valves are powered from an emergency bus. The malfunction or failure of one active component would not reduce the ability to borate the RCS since an alternate flow path is always available for emergency boration.

The Boration Systems satisfy Criterion 3 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 2 B 3.1-55 Amendment No. 127 4/30/98

BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.1.9.1 and 3.1.9.2

SR 3.1.9.1 verifies that the boron concentration of the available boric acid solution in the BAMU tanks is sufficient for reactivity control. SR 3.1.9.2 verifies that a sufficient volume of borated water is available for RCS makeup. The minimum required volume and concentration of stored boric acid in the BAMU tank(s) is dependent upon the RWST boron concentration and is specified in a Licensee Controlled Specification. The 7 day Surveillance Frequency ensures that an adequate initial water supply is available for boron injection.

SR 3.1.9.3 and 3.1.9.4

These SRs demonstrate that each automatic boration system pump and valve is operable and actuates as required. In response to an actual or simulated SIAS the charging pumps start, the VCT is isolated, and the charging pumps take suction from the OPERABLE BAMU tank(s) and RWST.

Verification of the correct alignment for manual, power operated, and automatic valves in the Boration System Flow paths provides assurance that proper boration flow paths are available. These SRs do not apply to valves that are locked, sealed, or otherwise secured in position, because these valves were previously verified to be in the correct position.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26.

2. 10 CFR 50, Appendix A, GDC 27.

SAN ONOFRE--UNIT 2 B 3.1-58 Amendment No. 127 4/30/98

RPS Instrumentation-Operating B 3.3.1

BASES

APPLICABLE SAFETY ANALYSES (continued)

2. Logarithmic Power Level - High

The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2, 3, 4, and 5, with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 4E-5% RTP. The indication and alarm portion must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation-Shutdown."

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level-High trip does not have to be OPERABLE.

3. Pressurizer Pressure - High

The Pressurizer Pressure-High trip provides protection for the high RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events:

• Loss of Electrical Load Without a Reactor Trip Being Generated by the Turbine Trip (AOO);

• Loss of Condenser Vacuum (AOO);

• CEA Withdrawal From Low Power Conditions (AOO); and

• Chemical and Volume Control System Malfunction (AOO).

(continued)

SAN ONOFRE--UNIT 2 B 3.3-12 Amendment No. 127 03/12/99

BASES

LCO (continued)

2. Logarithmic Power Level - High (continued)

MODE 3, 4, or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal.

The MODES 3, 4, and 5 Condition is addressed in LCO 3.3.2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level-High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level-High trip may be bypassed when logarithmic power is above 1E-4% RTP to allow the reactor to be brought to power during a reactor startup. The trip must be enabled when logarithmic power is < 4E-5% RTP. At ≥ 4E-5% RTP, the CPC LPD/DNBR trip, the Linear Power Level-High and Pressurizer Pressure-High trips provide protection for reactivity transients.

The trip may be manually bypassed during physics testing pursuant to LCO 3.1.12, "Special Test Exceptions - Low Power Physics Testing." During this testing, the Linear Power Level-High trip and administrative controls provide the required protection.

3. Pressurizer Pressure - High

This LCO requires four channels of Pressurizer Pressure-High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a complete loss of electrical load from 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety

(continued)

SAN ONOFRE--UNIT 2 B 3.3-18 Amendment No. 127 03/12/99

BASES

LCO (continued)

8, 9. Steam Generator Level - Low (continued)

The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.

The same bistable providing the reactor trip also initiates emergency feedwater to the affected generator via the Emergency Feedwater Actuation Signals (EFAS). The minimum setpoint is governed by EFAS requirements. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.

10. Reactor Coolant Flow - Low

This LCO requires four channels of Reactor Coolant Flow-Low for Steam Generator #1, and four channels of Reactor Coolant Flow-Low for Steam Generator #2 to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event.

The Reactor Coolant Flow-Low trip may be manually bypassed when reactor power is less than 1.E-4% RTP. This allows for de-energization of one or more RCPs (e.g., for plant cooldown), while maintaining the ability to keep the shutdown CEA banks withdrawn from the core if desired.

LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained. The trip must be enabled when logarithmic power is > 1.5E-4% RTP. When below the power range, the Reactor Coolant Flow-Low is not required for plant protection.

11. Local Power Density - High

This LCO requires four channels of LPD-High to be OPERABLE.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-21 Amendment No. 127 03/12/99

BASES

LCO (continued)

11. Local Power Density - High (continued)

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety function.

The CPC channels may be manually bypassed below 1E-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS Logic circuitry. The operating bypass is removed when enabling bypass conditions are no longer satisfied.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off.

During special testing pursuant to LCO 3.1.12, the CPC channels may be manually bypassed when logarithmic power is below 5% RTP to allow special testing without generating a reactor trip.

12. Departure from Nucleate Boiling Ratio (DNBR) - Low

This LCO requires four channels of DNBR-Low to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-22 Amendment No. 127 03/12/99

BASES

LCO (continued)

12. Departure from Nucleate Boiling Ratio (DNBR) - Low (continued)

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function.

The CPC channels may be manually bypassed below 1E-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS logic circuitry. The operating bypass is removed when enabling bypass conditions are no longer satisfied.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off.

During special testing pursuant to LCO 3.1.12, the CPC channels may be manually bypassed when logarithmic power is below 5% RTP to allow special testing without generating a reactor trip.

Operating Bypasses

The LCO on bypass permissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

This LCO applies to the bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level-High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-23 Amendment No. 127 03/12/99

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.1.6 (continued)

The 120 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal.

SR 3.3.1.7

A CHANNEL FUNCTIONAL TEST on each channel is performed every 30 days on a STAGGERED TEST BASIS to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level-High channels to be performed 2 hours after THERMAL POWER drops below 1E-4% RTP and is required to be performed only if the RTCBs are closed. Not required if performed within the surveillance interval. The intent of Note 2, as justified in References 11 and 12, is to allow the CHANNEL FUNCTIONAL TEST to be performed 2 hours after reducing logarithmic power below 1E-4% RTP and only if the RTCBs are closed.

LCO 3.3.1 Action A permits plant operation with one or more Functions with one automatic RPS trip channel inoperable until MODE 2 entry following the next MODE 5 entry (provided the channel is placed in bypass or trip). During plant operation in that condition, CHANNEL FUNCTIONAL TESTS on the inoperable Functions in that channel are not required (SR 3.0.1), and n remains at 4, where n is the total number of channels in the definition of STAGGERED TEST BASIS. Therefore, tests on the affected Functions in the remaining 3 channels may continue to be performed such that each channel is tested every 4 Surveillance Frequency intervals.

Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 7. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

(continued)

SAN ONOFRE--UNIT 2 B 3.3-32 Amendment No. 127 03/12/99

BASES

SURVEILLANCE REQUIREMENTS

Bistable Tests

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed.

The requirements for this verification are outlined in References 8 and 9.

Matrix Logic Tests

Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, holding power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests

Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, thereby opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 120 days is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 9).

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.

The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector. The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-33 Amendment No. 127 03/12/99

BASES

SURVEILLANCE REQUIREMENTS

Trip Path Tests (continued)

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values. Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.

SR 3.3.1.8

A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channels every 120 days ensures that the channels are reading accurately and within tolerance (Refs. 8, 9, and 10). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.9

SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 24 months.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-34 Amendment No. 127 03/12/99

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.1.9 (continued)

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical 24 month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6).

SR 3.3.1.10

Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions.

The basis for the 24 month Frequency is that the CPCs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS. This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function. Operating experience has shown that undetected CPC or CEAC failures do not occur in any given 24 month interval.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-35 Amendment No. 127 03/12/99

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.1.11

The three excore detectors used by each CPC channel for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using shape annealing matrix elements in the CPC software.

After refueling, it is necessary to verify the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings. This is necessary to confirm that refueling did not produce a significant change in the CPC axial shape synthesis.

Incore detectors are inaccurate at low power levels < 15%. THERMAL POWER should be significant but < 85% to perform an accurate axial shape calculation used to verify the shape annealing matrix elements.

By restricting power to ≤ 85% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided.

SR 3.3.1.12

SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to bypass functions and is performed once within 120 days prior to each startup. Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 120 days of startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 9). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed.

This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.7.

Therefore, further testing of the bypass function after startup is unnecessary.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-36 Amendment No. 127 03/12/99

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.13

This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of n x 24 months, where n is the number of channels in the function. The Frequency of 24 months is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

(continued)

SAN ONOFRE--UNIT 2 B 3.3-37 Amendment No. 127 09/18/98

BASES

REFERENCES

1. 10 CFR 20.
2. 10 CFR 100.
3. IEEE Standard 279-1971, April 5, 1972.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE-NPSD-570, Revision 3.
7. UFSAR, Section 7.2.
8. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
9. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09 010-AS93-C-002, November 1993.
10. Methodology for Developing Risk-Based Surveillance Programs for Safety-Related Equipment at San Onofre Nuclear Generating Station Units 2 and 3, PLG-0575, April 1992.
11. NRC Safety Evaluation Report for SONGS Unit 2 Operating License Amendment No. 150 dated February 12, 1999.
12. NRC Safety Evaluation Report for SONGS Unit 2 Operating License Amendment No. 142 dated September 25, 1998.

SAN ONOFRE--UNIT 2 B 3.3-37a Amendment No. 127 03/12/99

RPS Instrumentation-Shutdown

B 3.3.2

BASES (continued)

APPLICABLE SAFETY ANALYSES

The RPS functions to maintain the SLs during AOOs and mitigates the consequence of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator Water Level-High. The Steam Generator Water Level-High trip is purely equipment protective, and its use minimizes the potential for equipment damage.

The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2, 3, 4, and 5, with the RTCBs closed, and the Control Element Assembly (CEA) Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4% RTP. The indication and alarm portion must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in this LCO. MODE 2 is addressed in LCO 3.3.1.

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level-High trip does not have to be OPERABLE.

The RPS satisfies Criterion 3 of the NRC Policy Statement.

LCO

The LCO requires the Logarithmic Power Level-High RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Function.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-40 Amendment No. 127 9/25/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

LCO (continued)

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values are specified for this RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoint is selected to ensure the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations.

Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in PPS Setpoint Calculation CE-NPSD-570 (Ref. 4). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

This LCO requires all four channels of the Logarithmic Power Level-High to be OPERABLE in MODE 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level-High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a safety margin for unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level-High trip may be bypassed when logarithmic power is above 1E-4% RTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when logarithmic power decreases below 1E-4% RTP. Above 1E-4% RTP, the Linear Power Level-High

(continued)

SAN ONOFRE--UNIT 2 B 3.3-41 Amendment No. 127 9/25/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.1

Thus, performance of the CHANNEL CHECK guarantees that undetected overt channel failure is limited to 12 hours.

Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2

A CHANNEL FUNCTIONAL TEST on each channel, except power range neutron flux, is performed every 30 days on a STAGGERED TEST BASIS to ensure the entire channel will perform its intended function when needed. This SR is identical to SR 3.3.1.7. Only the Applicability differs.

LCO 3.3.2 Action A permits plant operation in MODES 3, 4, and 5 with one RPS logarithmic power level trip channel inoperable until MODE 2 entry following the next MODE 5 entry (provided the channel is placed in bypass or trip).

During plant operation in that condition, CHANNEL FUNCTIONAL TESTS on the inoperable trip channel are not required (SR 3.0.1), and n remains 4, where n is the total number of channels in the definition of STAGGERED TEST BASIS.

Therefore, tests of the 3 OPERABLE channels may continue to be performed such that each channel is tested every 4 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in the FSAR, Section 7.2 (Ref. 3). These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-48 Amendment No. 127 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS

Bistable Tests (continued)

The setpoint shall be left set consistent with the assumptions of the current plant specific setpoint analysis.

Matrix Logic Tests

Matrix Logic Tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, holding power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Test

Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 120 days is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 6 and 7). The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

SR 3.3.2.3

SR 3.3.2.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.2, except SR 3.3.2.3 is applicable only to bypass functions and is performed once within 120 days prior to each startup. This SR is identical to SR 3.3.1.12. Only the Applicability differs.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-49 Amendment No. 127 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.3.2.3 (continued)

Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips.

Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 120 days of startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 6 and 7). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.2.2. Therefore, further testing of the bypass function after startup is unnecessary.

SR 3.3.2.4

SR 3.3.2.4 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is identical to SR 3.3.1.9. Only the Applicability differs.

CHANNEL CALIBRATION is a complete check of the instrument channel excluding the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and

(continued)

SAN ONOFRE--UNIT 2 B 3.3-50 Amendment No. 127 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.3.2.4 (continued)

because of the difficulty of simulating a meaningful signal.

Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4). This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open.

Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive tests of a given channel of n x 24 months, where n is the number of channels in the Function. The 24 month Frequency is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required.

Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

REFERENCES

1. 10 CFR 20.
2. 10 CFR 100.
3. SONGS Units 2 and 3 UFSAR, Section 7.2.
4. PPS Setpoint Calculation CE-NPSD-570.
5. NRC Safety Evaluation Report.
6. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
7. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 2 B 3.3-51 Amendment No. 127 09/18/98

CEACs B 3.3.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.3.2

The CEAC autorestart count is checked every 12 hours to monitor the CPC and CEAC for normal operation. If three or more autorestarts of a nonbypassed CPC occur within a 12 hour period, the CPC may not be completely reliable. Therefore, the Required Action of Condition D must be performed. The Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 12 hour interval.

SR 3.3.3.3

A CHANNEL FUNCTIONAL TEST on each CEAC channel is performed every 60 days on a STAGGERED TEST BASIS to ensure the entire channel will perform its intended function when needed. The quarterly CHANNEL FUNCTIONAL TEST is performed using test software. The Frequency of 60 days on a STAGGERED TEST BASIS is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 4 and 5).

LCO 3.3.3 Actions A and B permit plant operation with one or both CEACs inoperable (provided the Required Actions are performed). During plant operation with both CEACs inoperable, CHANNEL FUNCTIONAL TESTS on the inoperable CEACs are not required (SR 3.0.1). During plant operation with one CEAC inoperable, CHANNEL FUNCTIONAL TESTS on the inoperable CEAC are not required (SR 3.0.1) and n remains at 2, where n is the total number of channels in the definition of STAGGERED TEST BASIS. Therefore, tests of the OPERABLE CEAC may continue to be performed every 2 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

The method of injecting simulated process data during the functional testing of the CEACs is described in the General Software Specification for the CEACs. When the CEAC is placed "in test," periodic test #2 causes the substitution of "simulated process data" in the real time data base. The program algorithms are then executed and the calculated results of the algorithm are then compared to expected results stored in the test record. An error message is generated if the results do not match.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-60 Amendment No. 127 09/18/98

CEACs B 3.3.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.3.4

SR 3.3.3.4 is the performance of a CHANNEL CALIBRATION every 24 months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

The RSPTs are rigid tubes containing a string of fixed resistors and reed switches encapsulated in a solid material. The RSPT is clamped into position on the control element drive mechanism (CEDM) shroud. Therefore, due to their construction, the individual RSPTs are not subject to drift within the reed switch string. However, the entire RSPT string may drift due to mechanical repositioning within the clamp. A mechanical zero check calibration is performed to ensure proper RSPT positioning.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle.

SR 3.3.3.5

Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY, including alarm and trip Functions.

The basis for the 24 month Frequency is that the CEACs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS.

This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-61 Amendment No. 127 09/18/98

CEACs B 3.3.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.3.5

Operating experience has shown that undetected CPC or CEAC failures do not occur in any given 24 month interval.

SR 3.3.3.6

The isolation characteristics of each CEAC CEA position isolation amplifier and each optical isolator for CEAC to CPC data transfer are verified once per refueling to ensure that a fault in a CEAC or a CPC channel will not render another CEAC or CPC channel inoperable. The CEAC CEA position isolation amplifiers, mounted in CPC cabinets A and D, prevent a CEAC fault from propagating back to CPC A or D. The optical isolators for CPC to CEAC data transfer prevent a fault originating in any CPC channel from propagating back to any CEAC through this data link.

The Frequency is based on plant operating experience with regard to channel OPERABILITY, which demonstrates the failure of a channel in any 24 month interval is rare.

REFERENCES

1. 10 CFR 20.
2. 10 CFR 100.
3. SONGS Units 2 and 3 UFSAR, Section 7.2.
4. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
5. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 2 B 3.3-62 Amendment No. 127 09/18/98

ESFAS Instrumentation B 3.3.5 BASES

LCO

b. Pressurizer Pressure-Low (continued)

The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accidents, the ESF systems will actuate to perform as expected, mitigating the consequences of the accident.

The Pressurizer Pressure-Low trip setpoint, which provides SIAS, and RPS trip, may be manually decreased to a floor value of 300 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, or SIAS. The margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psia) to ensure a reactor trip, and SIAS will occur if required during RCS cooldown and depressurization.

From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached.

The Pressurizer Pressure-Low trip and the SIAS Function may be simultaneously bypassed when RCS pressure is below 400 psia, when neither the reactor trip nor an inadvertent SIAS actuation are desirable and these Functions are no longer needed to protect the plant. The bypass is automatically removed as RCS pressure exceeds 500 psia (the corresponding bistable allowable value is ≤ 472 psia). The ≤ 472 psia value represents an allowable value which includes margin to account for instrument loop uncertainties and ensures the 500 psia analytical limit will not be exceeded.

Operating Bypass Removal

This LCO requires four channels of bypass removal for Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2, and 3.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-87 Amendment No. 127 02/24/99

ESFAS Instrumentation B 3.3.5 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.2 and SR 3.3.5.3

A CHANNEL FUNCTIONAL TEST is performed every 30 days on a STAGGERED TEST BASIS for SR 3.3.5.2 to ensure the entire channel will perform its intended function when needed.

LCO 3.3.5 Action A permits plant operation with one or more Functions with one automatic ESFAS trip channel inoperable until MODE 2 entry following the next MODE 5 entry (provided the Functional Unit is placed in bypass or trip). During plant operation in that condition, CHANNEL FUNCTIONAL TESTS on the inoperable Functions in that channel are not required (SR 3.0.1), and n remains at 4, where n is the total number of channels in the definition of STAGGERED TEST BASIS.

Therefore, tests on the affected Functions in the remaining 3 channels may continue to be performed such that each channel is tested every 4 Surveillance Frequency intervals.

Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.
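The staggered rotation described above for the RPS (n = 4, 30 days), the CEACs (n = 2, 60 days) and the ESFAS (n = 4, 30 days) can be checked with a short script that keeps n at the total channel count while one channel is inoperable. This is an added example, not part of the Bases or of any licensee software; the channel names, the start date and the one-channel-per-interval rotation order are assumptions.

```python
"""Added example: STAGGERED TEST BASIS rotation with one inoperable channel.

Constructed illustration only. Channel names and dates are made up.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Slot:
    due: date       # start of the Surveillance Frequency interval
    channel: str    # channel whose turn it is in the rotation
    required: bool  # False: channel inoperable, test not required (SR 3.0.1)


def staggered_schedule(channels, frequency_days, start, slots, inoperable=()):
    """Assign one channel per Frequency interval, rotating over all n channels.

    n is the total number of channels in the Function. It is not reduced when
    a channel is inoperable: that channel's slot is simply not required, so the
    OPERABLE channels keep their spacing of n Frequency intervals.
    """
    n = len(channels)
    if n == 0 or frequency_days <= 0 or slots < 0:
        raise ValueError("need at least one channel, a positive Frequency, slots >= 0")
    unknown = set(inoperable) - set(channels)
    if unknown:
        raise ValueError(f"inoperable channel(s) not in Function: {sorted(unknown)}")
    return [
        Slot(
            due=start + timedelta(days=i * frequency_days),
            channel=channels[i % n],
            required=channels[i % n] not in inoperable,
        )
        for i in range(slots)
    ]


def retest_intervals(schedule):
    """Return {channel: set of day gaps between successive required tests}."""
    last, gaps = {}, {}
    for slot in schedule:
        if not slot.required:
            continue
        if slot.channel in last:
            gap = (slot.due - last[slot.channel]).days
            gaps.setdefault(slot.channel, set()).add(gap)
        last[slot.channel] = slot.due
    return gaps


def demo():
    start = date(1999, 1, 1)  # constructed start date
    # RPS / ESFAS case from the text: 4 channels, 30 day Frequency, one inoperable.
    four = staggered_schedule(["A", "B", "C", "D"], 30, start, 12, inoperable={"C"})
    # CEAC case from the text: 2 channels, 60 day Frequency, one inoperable.
    ceac = staggered_schedule(["CEAC 1", "CEAC 2"], 60, start, 6, inoperable={"CEAC 2"})
    # For comparison only: rotating over just the three OPERABLE channels
    # (n treated as 3) would shorten each channel's retest interval.
    rebased = staggered_schedule(["A", "B", "D"], 30, start, 12)
    return {
        "n_kept_at_4": retest_intervals(four),
        "ceac_n_kept_at_2": retest_intervals(ceac),
        "n_rebased_to_3": retest_intervals(rebased),
        "skipped_slots": [s.due.isoformat() for s in four if not s.required],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With n held at 4, channels A, B and D are each tested every 120 days and the slot that would have gone to the inoperable channel is left unused; with n held at 2, the OPERABLE CEAC is tested every 120 days.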

The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.5.3, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing.

SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized.

SR 3.3.5.3 is performed every 120 days to verify ESFAS channel bypass removal function.

These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected PPS trip channel bypassed.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-101 Amendment No. 127 09/18/98

ESFAS Instrumentation B 3.3.5 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.4 and SR 3.3.5.5

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor and the bypass removal functions, if applicable. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

SR 3.3.5.6

This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety analyses.

Response time testing acceptance criteria are included in Reference 9.

ESF RESPONSE TIME tests are conducted on a STAGGERED TEST BASIS of once every 24 months. The 24 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.5.7

SR 3.3.5.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2 and SR 3.3.5.3, except SR 3.3.5.7 is performed within 120 days prior to startup and is only applicable to bypass functions. Since the Pressurizer Pressure-Low bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-102 Amendment No. 127 09/18/98

ESFAS Instrumentation B 3.3.5 BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.5.7 (continued)

The CHANNEL FUNCTIONAL TEST for proper operation of the bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function. Consequently, just prior to startup is the appropriate time to verify bypass function OPERABILITY. Once the bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2. The allowance to conduct this test once within 120 days prior to each reactor startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 10).

REFERENCES

1. SONGS Units 2 and 3 UFSAR, Section 7.3.
2. 10 CFR 50, Appendix A.
3. IEEE Standard 279-1971.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE-NPSD-570.
7. SONGS Units 2 and 3 UFSAR, Section 7.2.
8. CEN-327, May 1986, including Supplement 1, March 1989.
9. Licensee Controlled Specification 3.3.100, "RPS/ESFAS Response Times."
10. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 2 B 3.3-103 Amendment No. 127 02/24/99


CRIS B 3.3.9 BASES (continued)

APPLICABLE SAFETY ANALYSES

The CRIS, in conjunction with the Control Room Emergency Air Cleanup System (CREACUS), maintains the control room atmosphere within conditions suitable for prolonged occupancy throughout the duration of any one of the accidents discussed in Reference 1. The radiation exposure of control room personnel, through the duration of any one of the postulated accidents discussed in "Accident Analysis," SONGS Units 2 and 3 UFSAR, Chapter 15 (Ref. 1), does not exceed the limits set by 10 CFR 50, Appendix A, GDC 19 (Ref. 3).

LCO

LCO 3.3.9 requires one channel of CRIS to be OPERABLE. The required channel consists of Actuation Logic, Manual Trip, and gaseous radiation monitors. The specified value for the setpoint of the CRIS is listed in the SR.

The Bases for the LCO on the CRIS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip backs up the automatic trips and ensures operators have the capability to rapidly initiate the CRIS Function if any parameter is trending toward its setpoint. One channel must be OPERABLE. This considers that the Manual Trip capability is a backup and that other means are available to actuate the redundant train if required, including manual SIAS.

b. Airborne Radiation

One channel of Airborne Radiation detection in the required train is required to be OPERABLE to ensure the control room isolates on high gaseous concentration.

c. Actuation Logic

One train of Actuation Logic must be OPERABLE, since there are alternate means available to actuate the redundant train, including SIAS.

The CRIS function actuates the CREACUS system. Therefore, if a train of CREACUS is inoperable, the associated train of CRIS is not capable of performing its specified function and must also be considered inoperable.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-146 Amendment No. 127 03/19/98

FHIS B 3.3.10

B 3.3 INSTRUMENTATION

B 3.3.10 Fuel Handling Isolation Signal (FHIS)

BASES

BACKGROUND

This LCO encompasses FHIS actuation, an instrumentation channel that performs an actuation Function for plant protection but is not otherwise included in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip," or LCO 3.3.7, "Diesel Generator (DG)-Undervoltage Start." This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCO 3.3.6 and LCO 3.3.7.

The FHIS provides protection from radioactive contamination in the spent fuel pool area in the event that a spent fuel element ruptures. The FHIS will detect radioactivity from fission products in the fuel and will initiate appropriate actions so the release to the environment is limited. More detail is provided in Reference 1.

The FHIS includes two independent, redundant subsystems, including actuation trains. Each train employs a separate sensor to detect gaseous activity. If the bistable monitoring the sensor indicates an unsafe condition, that train will be actuated (one-out-of-two logic). The two trains actuate separate equipment.

Trip Setpoints and Allowable Values

The bistable trip setpoints are set sufficiently high to prevent spurious alarm/trips yet sufficiently low to assure an alarm/trip should a fuel rupture accident occur (Reference 2). The Allowable Value specified in SR 3.3.10.2 appears in Reference 3. The actual nominal trip setpoints entered into the bistables are more conservative than that specified by the Allowable Value. If a measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-152 Amendment No. 127 12/17/98

FHIS B 3.3.10 BASES

BACKGROUND

Trip Setpoints and Allowable Values (continued)

A setpoint in accordance with the Allowable Value will help mitigate the consequences of a fuel rupture accident.

APPLICABLE SAFETY ANALYSES

The FHIS isolates the Fuel Handling Building normal ventilation system and automatically initiates the recirculation and filtration systems in the event of a fuel rupture accident in the Fuel Handling Building. The FHIS helps mitigate the consequences for the dropping of a spent fuel bundle breaching up to 60 fuel pins, or dropping a Spent Fuel Pool gate, breaching up to 236 fuel pins.

The FHIS satisfies the requirements of Criterion 3 of the NRC Policy Statement.

LCO

LCO 3.3.10 requires one channel of FHIS to be OPERABLE. The required channel consists of Actuation Logic, Manual Trip, and gaseous radiation monitor. The specific Allowable Value for the setpoint of the FHIS is listed in the SRs.

Only the Allowable Value is specified for the trip Function in the SRs. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that the difference between the nominal trip setpoint and the Allowable Value is equal to or greater than the drift allowance assumed for each trip in the transient and accident analyses.

The Bases for the LCO on the FHIS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip ensures that the FHIS Function can easily be initiated if any parameter is trending rapidly toward its setpoint. Components can be actuated independently of the FHIS.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-153 Amendment No. 127 12/17/98

FHIS B 3.3.10 BASES

LCO (continued)

b. Airborne Radiation

The LCO on the gaseous radiation monitor channel requires that the channel be OPERABLE for automatic initiation capability and for Control Room indication in support of the Manual Trip function.

c. Actuation Logic

The LCO on the Actuation Logic ensures manual and automatic actuation capability.

APPLICABILITY

One FHIS channel is required to be OPERABLE during movement of irradiated fuel in the fuel building. The FHIS isolates the Fuel Handling Building and automatically initiates the recirculation and filtration systems in the event of a fuel rupture accident.

ACTIONS

An FHIS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the Allowable Value. Typically, the drift is not large and would result in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it within specification. If the trip setpoint is not consistent with the Allowable Value in SR 3.3.10.2, the channel must be declared inoperable immediately and the appropriate Conditions must be entered.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the sensor, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel are required to be declared inoperable and the LCO Condition entered for the particular protective function affected.

l (continued)

SAN ON0FRE--UNIT 2 B 3.3-154 Amendment No. 127 12/17/98

FHIS B 3.3.10 BASES

ACTIONS (continued)

A.1 and A.2

Condition A applies to FHIS Manual Trip, Actuation Logic, and required gaseous radiation monitor inoperable during movement of irradiated fuel in the fuel handling building.

The Required Actions are to place one OPERABLE PACU train in operation, or suspend movement of irradiated fuel in the fuel building. These Required Actions are required to be completed immediately. The Completion Time accounts for the higher likelihood of releases in the Fuel Handling Building during fuel handling.

SURVEILLANCE REQUIREMENTS

SR 3.3.10.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure. Thus, performance of the CHANNEL CHECK guarantees that undetected overt channel failure is limited to 12 hours. Since the probability of two random failures in redundant channels in any 12 hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK

(continued)

SAN ONOFRE--UNIT 2 B 3.3-155 Amendment No. 127 12/17/98

FHIS B 3.3.10 BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.10.1 (continued)

supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.10.2

A CHANNEL FUNCTIONAL TEST is performed on the required fuel building radiation monitoring channel to ensure the entire channel will perform its intended function.

The setpoint shall be left set consistent with the Allowable Value.

The Frequency of 92 days is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 92 day Frequency is a rare event.

SR 3.3.10.3

Proper operation of the individual initiation relays is verified by actuating these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic every 18 months. This will actuate the Function, operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Frequency of 18 months is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function during any 18 month Frequency is a rare event.

A Note to the SR indicates that this Surveillance includes verification of operation for each initiation relay.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-156 Amendment No. 127 12/17/98

FHIS B 3.3.10 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.10.4

Every 18 months, a CHANNEL FUNCTIONAL TEST is performed on the FHIS Manual Trip channel.

This Surveillance verifies that the trip push buttons are capable of opening contacts in the Actuation Logic as designed, de-energizing the initiation relays and providing Manual Trip of the Function. Operating experience has shown these components usually pass the Surveillance when performed at a Frequency of once every 18 months.

SR 3.3.10.5

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

As found and as left channel calibration values are recorded. If the as found calibration is outside its Allowable Value, the plant specific setpoint analysis may be revised as appropriate, if the history of this setpoint and all other pertinent information indicate a need for setpoint revision. The setpoint analysis shall be revised before the next time this channel is calibrated.

The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis.

REFERENCES

1. SONGS Units 2 and 3 UFSAR, Chapter 9.

2. SONGS Unit 2 Technical Specification Amendment No. 56.

3. Combustion Engineering Owners' Group Standard Technical Specifications, NUREG-1432.

SAN ONOFRE--UNIT 2 B 3.3-157 Amendment No. 127 12/17/98

This page intentionally blank

SAN ONOFRE--UNIT 2 B 3.3-158 Amendment No. 127 12/17/98

PAM Instrumentation B 3.3.11 BASES

BACKGROUND (continued)

  • Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat.

These key variables are identified by plant specific Regulatory Guide 1.97 analyses (Ref. 1). These analyses identified the plant specific Type A variables and provided justification for deviating from the NRC proposed list of Category I variables.

Two channels are required to be OPERABLE for all but five Functions. Two OPERABLE channels ensure that no single failure within the PAMI or its auxiliary supporting features or power sources, concurrent with failures that are a condition of or result from a specific accident, prevents operators from being presented the information necessary for them to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following that accident.

In Table 3.3.11-1, the exceptions to the two channel requirement are Containment Isolation Valve Position, Auxiliary Feedwater Flow, Pressurizer Safety Valve Position, HPSI Flow Cold Leg, Tc, T, and HPSI Flow Hot Leg.

Two OPERABLE core exit thermocouples are required for each channel in each quadrant to provide indication of the coolant temperature rise across separate quadrants of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Plant specific evaluations in response to Item II.F.2 of NUREG-0737 (Ref. 3) have concluded that specific thermocouple pairings within a core quadrant are not necessary to satisfy these requirements.

(continued)

SAN ONOFRE--UNIT 2 B 3.3-160 Amendment No. 127 02 99 Reissued on 06 99

PAM Instrumentation B 3.3.11 BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.11.4

A CHANNEL CALIBRATION is performed every 18 months. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies the channel responds to the measured parameter within the necessary range and accuracy.

The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift.

SR 3.3.11.5

A CHANNEL CALIBRATION is performed every 24 months for the Containment Area Radiation Monitor.

REFERENCES

1. SONGS Units 2 and 3 Regulatory Guide 1.97 Instrumentation Report #90065, Rev. 0, dated October 1, 1992.

2. Regulatory Guide 1.97, Revision 2.

3. NUREG-0737, Attachment 1.

SAN ONOFRE--UNIT 2 B 3.3-175 Amendment No. 127 02/01/99 Reissued on 06/23/99

Remote Shutdown System B 3.3.12

B 3.3 INSTRUMENTATION

B 3.3.12 Remote Shutdown System

BASES

BACKGROUND

The Remote Shutdown System provides the control room operator with sufficient instrumentation to place and maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator safety valves or the steam generator atmospheric dump valves can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allow extended operation in MODE 3.

In the event that the control room becomes inaccessible, the operators can establish control using the remote shutdown system and place and maintain the unit in MODE 3. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time. Note: Not all of the Remote Shutdown System instrumentation and controls are located on the remote shutdown panel.

The OPERABILITY of the Remote Shutdown System instrumentation Functions ensures that there is sufficient information available on selected plant parameters to bring the plant to, and maintain it in, MODE 3 should the control room become inaccessible.

APPLICABLE SAFETY ANALYSES

The Remote Shutdown System is required to provide equipment at appropriate locations outside the control room with a capability to promptly shut down the plant and maintain it in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in

(continued)

SAN ONOFRE--UNIT 2 B 3.3-176 Amendment No. 127 10/30/98

Remote Shutdown System B 3.3.12 BASES

APPLICABLE SAFETY ANALYSES (continued)

10 CFR 50, Appendix A, GDC 19 (Ref. 1).

The Remote Shutdown System has been identified as an important contributor to the reduction of plant accident risk and, therefore, has been retained in the Technical Specifications, as indicated in the NRC Policy Statement.

LCO

The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation required is listed in Table 3.3.12-1 in the accompanying LCO. The number of channels that fulfill GDC-19 requirements for the number of OPERABLE channels required is part of the licensing basis as described in the Safety Evaluation Report (Ref. 2).

Instrumentation is required for:

  • Reactivity Control (initial and long term);

  • Vital Auxiliaries;

  • RCS Inventory Control;

  • RCS Pressure Control;

  • Safety support systems for the above Functions, and onsite power including the diesel generators.

A Function of a Remote Shutdown System is OPERABLE if all instrument channels needed to support the remote shutdown Functions are OPERABLE. In some cases, Table 3.3.12-1 may indicate that the required information is available from several alternative sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternative information for each Function is OPERABLE.

The Remote Shutdown System instrumentation circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the

(continued)

SAN ONOFRE--UNIT 2 B 3.3-177 Amendment No. 127 10/30/98

Remote Shutdown System B 3.3.12 BASES

ACTIONS

A.1 (continued)

operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2

If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.12.1

Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK for normally energized instrumentation is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

For Essential Plant Parameter Monitoring panel L-411, the following instruments are not normally energized. For these instruments, the CHANNEL CHECK consists of verifying that

(continued)

SAN ONOFRE--UNIT 2 B 3.3-179 Amendment No. 127 9/24/98

Remote Shutdown System B 3.3.12 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.12.1 (continued)

the instrument reads as expected for the deenergized condition, thereby verifying that no easily recognized gross physical damage has occurred.

LI-1106 Steam Generator E-088 Narrow Range Level
PI-0100A Pressurizer High Range Pressure
LI-0103A Pressurizer Level
LI-1105 Steam Generator E-089 Narrow Range Level

The Frequency is based on plant operating experience that demonstrates channel failure is rare.

SR 3.3.12.2

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to the measured parameter within the necessary range and accuracy.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

REFERENCES

1. 10 CFR 50, Appendix A GDC 19.

2. NUREG-0712 NRC Safety Evaluation Report (SER), dated February 1981.

SAN ONOFRE--UNIT 2 B 3.3-180 Amendment No. 127 9/24/98

RCS DNB (Pressure, Temperature, and Flow) Limits B 3.4.1

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS DNB (Pressure, Temperature, and Flow) Limits

BASES

BACKGROUND

These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety analyses. The safety analyses (Ref. 1) of anticipated operational occurrences and design basis accidents assume initial conditions within the normal steady state envelope. The limits placed on DNB related parameters ensure that these parameters will not be less conservative than were assumed in the analyses and thereby provide assurance that the minimum departure from nucleate boiling ratio (DNBR) will meet the required criteria for each of the transients analyzed.

The LCO limits for minimum and maximum RCS pressures as measured at the pressurizer are consistent with operation within the nominal operating envelope and are bounded by those used as the initial pressures in the analyses.

The LCO limits for minimum and maximum RCS cold leg temperatures are consistent with operation at the indicated power level and are bounded by those used as the initial temperatures in the analyses.

The LCO limit for minimum RCS volumetric flow rate bounds that used as the initial flow rate in the analyses. The RCS volumetric flow rate is not expected to vary during plant operation with all pumps running.

APPLICABLE SAFETY ANALYSES

The requirements of LCO 3.4.1 represent the initial conditions for DNB limited transients analyzed in the safety analyses (Ref. 1). The safety analyses have shown that transients initiated from the limits of this LCO will meet the DNBR criterion of ≥ 1.31. This is the acceptance limit for the RCS DNB parameters. Changes to the facility that could impact these parameters must be assessed for their impact on the DNBR criterion. The transients analyzed for include loss of coolant flow events and dropped or stuck control element assembly (CEA) events. A key assumption for the analysis of these events is that the core is operated

(continued)

SAN ONOFRE--UNIT 2 B 3.4-1 Amendment No. 127 02/24/99

RCS DNB (Pressure, Temperature, and Flow) Limits B 3.4.1 BASES

APPLICABLE SAFETY ANALYSES (continued)

within the limits of LCO 3.1.7, "Regulating CEA Insertion Limits"; LCO 3.1.8, "Part Length CEA Insertion Limits"; LCO 3.2.3, "AZIMUTHAL POWER TILT (Tq)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)". The safety analyses are performed over the following range of initial values: RCS pressure 2000 - 2300 psia, core inlet temperature 533 - 560°F (for > 30% power), and 520 - 560°F (for ≤ 30% power) and reactor vessel inlet coolant volumetric flow rate ≥ 95%.

The RCS Pressure, Temperature, and Flow limits satisfy Criterion 2 of the NRC Policy Statement.

LCO

This LCO specifies limits on the monitored process variables (RCS pressurizer pressure, RCS cold leg temperature) to ensure that the core operates within the limits assumed for the plant safety analyses. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

The LCO numerical values for pressure and temperature are given for the measurement location but have not been adjusted for instrument error. The uncertainties for pressure and temperature are accounted for in the CPC and COLSS overall uncertainty analyses. The RCS flow uncertainty must be applied to the value stated in this LCO.

APPLICABILITY

In MODE 1, the limits on RCS pressurizer pressure, RCS cold leg temperature, and RCS flow rate must be maintained during steady state operation in order to ensure that DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. In all other MODES, the power level is low enough so that DNBR is not a concern.

A Note has been added to indicate the limit on pressurizer pressure may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-2 Amendment No. 127 02/24/99

RCS DNB (Pressure, Temperature, and Flow) Limits B 3.4.1 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.1.2

Since Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits, the 12 hour Surveillance Frequency for cold leg temperature is sufficient to ensure that the RCS coolant temperature can be restored to a normal operation, steady state condition following load changes and other expected transient operations. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.

SR 3.4.1.3

The 12 hour Surveillance Frequency for RCS total flow rate has been shown by operating experience to be sufficient to assess for potential degradation and to verify operation is within safety analysis assumptions.

The 12 hour Surveillance Frequency for RCS total flow rate is normally performed using the Core Operating Limits Supervisory System (COLSS) generated flow. COLSS utilizes sensor inputs of RCP speed, RCP differential pressure, cold leg temperature, and Pressurizer pressure to calculate the volumetric flow through each RCP. Total RCS flow is then calculated by COLSS as the sum of the flows of each of the four RCPs.

When COLSS is out of service, RCS Volumetric Flowrate is determined manually. An evaluation of the heat balance between primary and secondary plant powers is the preferred method. The heat balance involves first determining the RCS mass flow rate and then converting it to volumetric flow rate using the RCS fluid conditions at the discharge of the 4 Reactor Coolant Pumps (RCPs). Another acceptable methodology is to determine RCS Volumetric Flowrate by performing an evaluation of the differential pressure across each RCP.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-5 Amendment No. 127 02/24/99

LTOP System RCS Temperature ≤ 256°F B 3.4.12.1 BASES

SURVEILLANCE REQUIREMENTS

SR 3.4.12.1.3 (continued)

b. Once every 31 days for a valve that is locked, sealed, or otherwise secured open and once every 31 days for open flanged RCS penetrations.

The passive vent arrangement must only be open to be OPERABLE. This Surveillance need only be performed if the vent is being used to satisfy the requirements of this LCO. The Frequencies consider operating experience with mispositioning of unlocked and locked vent valves, respectively.

SR 3.4.12.1.4 and SR 3.4.12.1.5

When one or both SDCS Relief Valve isolation valve(s) in one isolation valve pair becomes inoperable, the other OPERABLE SDCS Relief Valve isolation valve pair is verified in a power-lock open condition every 12 hours to preclude a single failure which might cause undesired mechanical motion of one or both of the OPERABLE SDCS Relief Valve isolation valve(s) in a single isolation valve pair and result in loss of system function.

This surveillance requirement, SR 3.4.12.1.4, is modified by two notes. Note 1 requires performance of this SR when the SDCS Relief Valve isolation valve pair is inoperable. Note 2 specifies that the power lock-open requirement is satisfied either with the AC breakers open for valve pair 2HV9337 and 2HV9339 or the regulating transformer output breakers open for valve pair 2HV9377 and 2HV9378, whichever valve pair is OPERABLE.

When both pairs of SDCS Relief Valve isolation valves are OPERABLE and the SDCS Relief Valve is used for overpressure protection, the isolation valves are verified open every 72 hours.

SR 3.4.12.1.6

The SDCS Relief Valve Setpoint is verified periodically in accordance with the Inservice Testing Program.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-63 Amendment No. 127 01/25/99

RCS Operational LEAKAGE B 3.4.13 BASES (continued)

APPLICABLE SAFETY ANALYSES

Except for primary to secondary LEAKAGE, the safety analyses do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 1 gpm primary to secondary LEAKAGE as the initial condition.

Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a steam line break (SLB) accident. To a lesser extent, other accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube rupture (SGTR). The leakage contaminates the secondary fluid.

The UFSAR (Ref. 3) analysis for SGTR assumes the contaminated secondary fluid is only briefly released via safety valves and the majority is steamed to the condenser. The 1 gpm primary to secondary LEAKAGE is relatively inconsequential.

The SLB is more limiting for site radiation releases. The safety analysis for the SLB accident assumes 1 gpm primary to secondary LEAKAGE in one generator as an initial condition. The dose consequences resulting from the SLB accident are well within the limits defined in 10 CFR 50 or the staff approved licensing basis (i.e., a small fraction of these limits).

RCS operational LEAKAGE satisfies Criterion 2 of the NRC Policy Statement.

LCO

RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE

No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. With the exception of LEAKAGE past a mechanical nozzle seal assembly, LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-71 Amendment No. 127 01/27/98

RCS Operational LEAKAGE B 3.4.13 BASES

LCO (continued)

b. Unidentified LEAKAGE

One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c. Identified LEAKAGE

Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of identified LEAKAGE and is well within the capability of the RCS makeup system. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leaktight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.

d. Primary to Secondary LEAKAGE through All Steam Generators (SGs)

Total primary to secondary LEAKAGE amounting to 1 gpm through all SGs produces acceptable offsite doses in the SLB accident analysis. Violation of this LCO could exceed the offsite dose limits for this accident analysis. A more conservative LCO limit of 150 Gallons per day (GPD) through each steam generator is imposed to address steam generator tube sleeving and steam generator tube degradation. This limit is imposed on both SGs in Unit 2 following installation of a steam generator tube sleeve in either SG. The

(continued)

SAN ONOFRE--UNIT 2 B 3.4-72 Amendment No. 127 9/24/98

RCS Operational LEAKAGE B 3.4.13 BASES

LCO (continued)

relationship between leakage limits and tube degradation and sleeving is discussed in the following section f. Primary to secondary LEAKAGE must be included in the total allowable limit for identified LEAKAGE.

e. Primary to Secondary LEAKAGE through Any One SG

The 720 gallon per day limit on primary to secondary LEAKAGE through any one SG allocates the total 1 gpm allowed primary to secondary LEAKAGE equally between the two generators. A limit of 150 Gallons per day through any one steam generator is imposed on Unit 2 following installation of steam generator tube sleeves.

f. Steam generator tube degradation such as stress corrosion cracking defects may occur and propagate from inside or from the outside of the tubes, particularly in the areas within the tubesheet and immediately above the tubesheet. Stress corrosion cracking is also seen in U-bends and in the tubes within the tube support eggcrates. Crack-like indications shall be removed from service by plugging or repaired by sleeving. The technical basis for sleeving is described in the current NRC approved ABB-CE Technical report - CEN-630-P Revision 2 "Repair of 3/4" O.D. Steam Generator Tubes Using Leak Tight Sleeves." This includes the installation process and heat treatment process. Heat treatment at 1300°F to 1425°F will be performed for 3 to 5 minutes to reduce residual stresses. The qualification of the sleeves for eddy current examination of the sleeve/tube pressure boundary is described in ABB-CE report 96-0SW-003-P Revision 00, "EPRI Steam Generator Examination Guidelines Appendix H Qualification for Eddy Current Plus-Point Probe Examination of ABB-CE Welded Sleeves."

The periods between inspections account for the growth of incipient cracking to ensure that cracks do not develop in service and grow to a size that would risk tube burst or sleeve burst during normal operating conditions or during accident or faulted conditions. This methodology and the structural margin criteria are stated in Regulatory Guide 1.121.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-73 Amendment No. 127 9/24/98

RCS Operational LEAKAGE B 3.4.13 BASES l

LC0 In spite of steam generator repair and analysis to (continued) restore and demonstrate adequate margins against tube

! rupture, leakage has been experienced from tubes and sleeves in PWR steam generators. Active steam l generator tube degradation increases the probability of leakage. Active steam generator tube leakage has been seen in the industry to be a frequent precursor to tube rupture. As an effort to reduce the frecuency and consequences of tube ruptures, Regulators anc the industry have, as a conservative measure, developed primary-to-secondary steam generator tube leakage guidelines that entail lower primary-to-secondary leakage limits from steam generator tubes. These lower limits are documented in EPRI TR-104788, "PWR Primary-to-Secondary Leak Guidelines" which describes leak measurement methods and limitations. A primary-to-secondary leakage limit of 150 GPD per steam generator is a conservative and achievable detection limit. Leakage in excess of this limit will require plant shutdown and an unscheduled inspection, during which the leaking tube will be located and plugged or repaired by sleeving.

APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

ACTIONS A.1 Unidentified LEAKAGE, identified LEAKAGE, or primary to secondary LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2 If any pressure boundary LEAKAGE exists or if unidentified, identified, or primary to secondary LEAKAGE cannot be

(continued)

SAN ONOFRE--UNIT 2 B 3.4-74 Amendment No. 127 9/24/98

RCS Operational LEAKAGE B 3.4.13 BASES ACTIONS B.1 and B.2 (continued) reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. The reactor must be brought to MODE 3 within 6 hours and to MODE 5 within 36 hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

The allowed Completion Times are reasonable, based on operating experience, to reach the required conditions from full power conditions in an orderly manner and without challenging plant systems. In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.

SURVEILLANCE REQUIREMENTS SR 3.4.13.1 Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection.

Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance. Primary to secondary LEAKAGE is also measured by performance of an RCS water inventory balance in conjunction with effluent monitoring within the secondary steam and feedwater systems.

This requirement is typically satisfied continuously by a radiation annunciator which detects primary to secondary leakage not being in the alarm state.

The RCS water inventory balance must be performed with the reactor at steady state operating conditions. Therefore, this SR is not required to be performed in MODES 3 and 4, until 12 hours of steady state operation have elapsed. Steady state operation is required to perform a proper water inventory balance; calculations during maneuvering are not useful and a Note requires the Surveillance to be met when steady state is established. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

(continued)

SAN ONOFRE--UNIT 2 B 3.4-75 Amendment No. 127 09/24/98

RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE REQUIREMENTS SR 3.4.13.1 (continued)

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. These leakage detection systems are specified in LCO 3.4.15, "RCS Leakage Detection Instrumentation."

The 72 hour Frequency is a reasonable interval to trend LEAKAGE and recognizes the importance of early leakage detection in the prevention of accidents. A Note under the Frequency column states that this SR is required to be performed during steady state operation.

If a transient evolution is occurring 72 hours from the last water inventory balance, then a water inventory balance shall be performed within 120 hours of the last water inventory balance.

SR 3.4.13.2

This SR provides the means necessary to determine SG OPERABILITY in an operational MODE. The requirement to demonstrate SG tube integrity in accordance with the Steam Generator Tube Surveillance Program emphasizes the importance of SG tube integrity, even though this Surveillance cannot be performed at normal operating conditions.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 30.

2. Regulatory Guide 1.45, May 1973.
3. UFSAR, Section 15.

SAN ONOFRE--UNIT 2 B 3.4-75a Amendment No. 127 09/24/98

SITs B 3.5.1

BASES

ACTIONS A.1 (continued) during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of three SITs, the consequences are less severe than they would be if an SIT were not available for injection. Thus, 72 hours is allowed to return the boron concentration to within limits.

B.1 Section 7.4 of Reference 5, NUREG-1366, discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs.

Section 7.4 of Reference 5 states in part:

"The combination of redundant level and pressure instrumentation for any single SIT may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them. The [NRC] staff, therefore, recommends that an additional

(continued)

SAN ONOFRE--UNIT 2 B 3.5-7 Amendment No. 127 07/15/98

SITs B 3.5.1 BASES ACTIONS B.1 (continued) condition be established for the specific case, where "One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels," in which the completion time to restore the accumulator to operable status will be 72 hours. While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk."

Although Action B.1 has a risk-informed Completion Time, implementation of the Configuration Risk Management Program (CRMP) described in Administrative Controls Section 5.5.2.14 is not required as stated in Reference 8.

C.1 If one SIT is inoperable, for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours.

In this Condition the required contents of three SITs cannot be assumed to reach the core during a LOCA as is assumed in Appendix K to 10 CFR 50.

Reference 7 provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status.

Reference 7 discusses a best-estimate analysis that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT.

Reference 7 also discusses a plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

Although Action C.1 has a risk-informed Completion Time, implementation of the Configuration Risk Management Program (CRMP) described in Administrative Controls Section 5.5.2.14 is not required as stated in Reference 8.

D.1 and D.2 If the SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 715 psia

(continued)

SAN ONOFRE--UNIT 2 B 3.5-8 Amendment No. 127 07/15/98

SITs B 3.5.1 BASES ACTIONS D.1 and D.2 (continued)

within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 If more than one SIT is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS SR 3.5.1.1

Verification every 12 hours that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITs are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. A 12 hour Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.

SR 3.5.1.2 and SR 3.5.1.3 SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits every 12 hours in order to ensure adequate injection during a LOCA. Due to the static design of the SITs, a 12 hour Frequency usually allows the operator sufficient time to identify changes before the limits are reached. Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.

SR 3.5.1.4

Thirty-one days is reasonable for verification to determine that each SIT's boron concentration is within the required

(continued)

SAN ONOFRE--UNIT 2 B 3.5-9 Amendment No. 127 07/15/98

SITs B 3.5.1 BASES

SURVEILLANCE REQUIREMENTS SR 3.5.1.4 (continued)

limits, because the static design of the SITs limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. A preferred method to sampling is permitted for verifying the boron concentration in the SIT after a greater than or equal to 1% volume increase in the SIT not caused by deliberate filling of the SIT from the RWST. This method requires, within six hours, that the new boron concentration of the affected SIT shall be calculated using the volume change of the SIT and the results of the recent RCS boron analysis. If the result of the calculation indicates the boron concentration of the affected SIT is within the limits specified in this SR, the surveillance verification is satisfied. It is not necessary to verify boron concentration if the added water is from the RWST, because the water contained in the RWST is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366 (Ref. 5), Reference 6, and Reference 7.

SR 3.5.1.5 Verification every 31 days that power is removed from each SIT isolation valve operator when the pressurizer pressure is ≥ 715 psia ensures that an active failure could not result in the undetected closure of an SIT motor operated isolation valve. If this were to occur, only two SITs would be available for injection, given a single failure coincident with a LOCA. Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.

This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is < 715 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-10 Amendment No. 127 07/15/98

SITs B 3.5.1 BASES (continued)

REFERENCES 1. IEEE Standard 279-1971.
2. UFSAR, Section 6.3.
3. 10 CFR 50.46.
4. UFSAR, Chapter 15.
5. NUREG-1366, December 1992.
6. NRC Generic Letter 93-05, "Line-Item Technical Specification Improvements to Reduce Surveillance Requirements for Testing During Power Operations," September 27, 1993.
7. CE NPSD-994, "CEOG Joint Application Report for Safety Injection Tank AOT/STI Extension," April 1995.
8. NRC Safety Evaluation Report, June 19, 1998.

SAN ONOFRE--UNIT 2 B 3.5-10a Amendment No. 127 07/15/98

ECCS - Operating B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 ECCS - Operating BASES BACKGROUND The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:

a. Loss of coolant accident (LOCA);
b. Control Element Assembly (CEA) ejection accident;
c. Loss of secondary coolant accident, including uncontrolled steam release; and
d. Steam generator tube rupture (SGTR).

The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs. After the refueling water storage tank (RWST) has been depleted, the ECCS recirculation phase is entered as the ECCS suction is automatically transferred to the containment sump. During the later portions of the recirculation phase, the injection flow is split approximately equally between the hot and cold legs.

Two redundant, 100% capacity trains are provided. In MODES 1, 2, and 3, with pressurizer pressure ≥ 400 psia, each train consists of high pressure safety injection (HPSI), low pressure safety injection (LPSI), and charging subsystems. In MODES 1, 2, and 3, with pressurizer pressure ≥ 400 psia, both trains must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided in the event of a single active failure.

A suction header supplies water from the RWST or the containment sump to the ECCS pumps. Separate piping supplies each train. The discharge headers from each HPSI pump divide into four supply lines. Both HPSI trains feed

(continued)

SAN ONOFRE--UNIT 2 B 3.5-11 Amendment No. 127 4/30/98

ECCS - Operating B 3.5.2 BASES BACKGROUND (continued) into each of the four injection lines. The discharge header from LPSI pumps divides into two supply lines, each feeding the injection line to two RCS cold legs. Orifices are set to balance the flow to the RCS. This flow balance directs sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.

Credit is taken for the inventory provided by the charging system only for certain small break LOCAs. The charging pumps take suction from the RWST or the Boric Acid Makeup Tanks (BAMUs) on a safety injection actuation signal (SIAS) and discharge directly to the RCS through a common header.

The normal supply source for the charging pumps is isolated on an SIAS to prevent noncondensible gas (e.g., air, nitrogen, or hydrogen) from being entrained in the charging pumps. The charging pumps deliver water through the charging header to the RCS Loops 1A and 2A injection lines.

An ECCS train charging subsystem includes the train's respective charging pump, P-190 for Train A and P-192 for Train B, and the two RCS injection lines. The charging header and injection lines are common to both ECCS trains' charging subsystems. The swing charging pump, P-191, can provide support to either Train A or B.

Except under emergency operating conditions (e.g., natural circulation cooldown) motor-operated auxiliary spray valve HV-9201 and manual auxiliary spray bypass valve MU-130 are required to remain locked closed whenever the unit is operating in Modes 1, 2, or 3 (with pressurizer pressure greater than or equal to 400 psia). This is to ensure the flow of one charging pump is not further diverted from the charging flow path to the auxiliary sprays during the initial automated response to a LOCA.

The above condition is established to ensure consistency with the assumptions made in the accident analyses regarding charging system flow to the RCS cold legs during the initial automated response to a LOCA. Considering single failure, 15.8 gpm is the charging flow through one injection line credited in the small break LOCA analysis. Considering the worst case flow split in both Units 2 and 3, a charging pump flow rate of 36.2 gpm is required to ensure a flow rate of 15.8 gpm to the RCS.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-12 Amendment No. 127 4/30/98

ECCS-Operating B 3.5.2 BASES

BACKGROUND (continued) In addition, all valves in the charging flow path between the discharge header of the charging pumps and RCS Loop 1A and 2A shall remain open when operating in Modes 1 and 2, and in Mode 3 (with pressurizer pressure ≥ 400 psia).

During this period, the steam generators (SGs) must provide the core cooling function.

During low temperature conditions in the RCS, limitations are placed on the maximum number of HPSI pumps that may be OPERABLE. Refer to the Bases for LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System," for the basis of these requirements.

During a large break LOCA, RCS pressure will decrease to < 200 psia in < 20 seconds. The safety injection (SI) systems are actuated upon receipt of an SIAS. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start immediately in the programmed sequence. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the diesel generators (DGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

The active ECCS components, along with the passive safety injection tanks (SITs) covered in LCO 3.5.1, "Safety Injection Tanks (SITs)," and the RWST covered in LCO 3.5.4, "Refueling Water Storage Tank (RWST)," provide the cooling water necessary to meet GDC 35 (Ref. 1).

APPLICABLE SAFETY ANALYSES The LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 2) for ECCSs, will be met following a LOCA:

a. Maximum fuel element cladding temperature is ≤ 2200°F;
b. Maximum cladding oxidation is ≤ 0.17 times the total cladding thickness before oxidation;
c. Maximum hydrogen generation from a zirconium water reaction is ≤ 0.01 times the hypothetical amount

(continued)

SAN ONOFRE--UNIT 2 B 3.5-13 Amendment No. 127 4/30/98

ECCS-Operating B 3.5.2 BASES

APPLICABLE SAFETY ANALYSES (continued) generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d. Core is maintained in a coolable geometry; and
e. Adequate long term core cooling capability is maintained.

The LCO also limits the potential for a post trip return to power following a steam line break (SLB) and ensures that containment temperature limits are met.

Both HPSI and LPSI subsystems are assumed to be OPERABLE in the large break LOCA analysis at full power (Ref. 3). This analysis establishes a minimum required runout flow for the HPSI and LPSI pumps, as well as the maximum required response time for their actuation. The HPSI pumps and charging pumps are credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requirements at the design point for the HPSI pump.

The SGTR and SLB analyses also credit the HPSI pumps, but are not limiting in their design.

The large break LOCA event with a loss of offsite power and a single failure (disabling one ECCS train) establishes the OPERABILITY requirements for the ECCS. During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or control element assembly (CEA) insertion during small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core.

On smaller breaks, RCS pressure will stabilize at a value dependent upon break size, heat load, and injection flow. The LCO ensures that an ECCS train will deliver sufficient water to match decay heat boiloff rates soon enough to minimize core uncovery for a large LOCA. It also ensures that the HPSI and charging pumps will deliver sufficient water during a small break LOCA, and that the HPSI pumps will provide sufficient boron to maintain the core subcritical following an SLB. The SGs continue to serve as the heat sink providing core cooling during a small break LOCA.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-14 Amendment No. 127 4/30/98

ECCS - Operating B 3.5.2 BASES

APPLICABLE SAFETY ANALYSES (continued) ECCS-Operating satisfies Criterion 3 of the NRC Policy Statement.

LCO In MODES 1, 2, and 3, with pressurizer pressure ≥ 400 psia, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming there is a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.

In MODES 1 and 2, and in MODE 3 with pressurizer pressure ≥ 400 psia, an ECCS train consists of a HPSI subsystem, a LPSI subsystem, and a charging subsystem.

Each train includes the piping, instruments, and controls to ensure the availability of an OPERABLE flow path capable of taking suction from the RWST on a SIAS and automatically transferring suction to the containment sump upon a recirculation actuation signal (RAS).

During an event requiring ECCS actuation, a flow path is provided to ensure an abundant supply of water from the RWST to the RCS, via the HPSI and LPSI pumps and their respective supply headers, to each of the four cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply part of its flow to the RCS hot legs via the shutdown cooling (SDC) suction nozzles. The charging pump flow path takes suction from the RWST or the BAMUs and supplies the RCS via the normal charging lines.

The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.

APPLICABILITY In MODES 1 and 2, and in MODE 3 with RCS pressure ≥ 400 psia, the ECCS OPERABILITY requirements for the limiting Design Basis Accident (DBA) large break LOCA are based on full power operation. Although reduced power would not require the same level of performance, the accident

(continued)

SAN ONOFRE--UNIT 2 B 3.5-15 Amendment No. 127 4/30/98

ECCS-Operating B 3.5.2 BASES

APPLICABILITY (continued) analysis does not provide for reduced cooling requirements in the lower MODES. The HPSI pump performance is based on the small break LOCA, which establishes the pump performance curve and has less dependence on power. The charging pump performance requirements are based on a small break LOCA.

The requirements of MODES 2 and 3, with RCS pressure ≥ 400 psia, are bounded by the MODE 1 analysis.

The ECCS functional requirements of MODE 3, with RCS pressure < 400 psia, and MODE 4 are described in LCO 3.5.3, "ECCS - Shutdown."

In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation-High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation-Low Water Level."

ACTIONS A.1 and B.1

An ECCS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of performing their design function, or if supporting systems are not available.

The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of each of Condition A and Condition B is to maintain a combination of OPERABLE equipment such that 100% of the ECCS flow equivalent to 100% of a single OPERABLE train remains available. This allows increased flexibility in plant operations when components in opposite trains are inoperable.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-16 Amendment No. 127 07/15/98 Re-issued 08/14/98

ECCS - Operating B 3.5.2 BASES ACTIONS A.1 and B.1 (continued)

Each of Condition A and Condition B includes a combination of OPERABLE equipment such that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train remains available.

Condition A addresses the specific condition where the only affected ECCS subsystem is a single LPSI subtrain. The availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is implicit in the definition of Condition A.

If LCO 3.5.2 requirements are not met due only to the existence of Condition A, then the inoperable LPSI subtrain components must be returned to OPERABLE status within 7 days of discovery of Condition A. A Configuration Risk Management Program (CRMP) defined in Administrative Controls section 5.5.2.14 is implemented in the event of Condition A.

This 7-day Completion Time is based on the findings of the deterministic and probabilistic analysis that are discussed in Reference 6. Seven days is a reasonable amount of time to perform many corrective and preventative maintenance items on the affected LPSI subtrain. Reference 6 concluded that the overall risk impact of this Completion Time was either risk-beneficial or risk-neutral.

Condition B addresses other scenarios where the availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train exists but the full requirements of LCO 3.5.2 are not met. If Condition B exists, then inoperable components must be restored such that Condition B does not exist within 72 hours of discovery. The 72 hour Completion Time is based on an NRC reliability study (Ref. 4) and is a reasonable amount of time to effect many repairs.

Because of the configuration of each train's charging subsystem, which includes common injection lines, an inoperable charging line will render the charging subsystem for both ECCS trains inoperable. With both HPSI trains operable more than 100% of the ECCS flow equivalent is available. Therefore, with the charging subsystems inoperable and both HPSI trains operable, the allowable completion time for the affected charging line to be returned to operable status is 72 hours.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-17 Amendment No. 127 07/15/98 Re-issued 08/14/98

ECCS - Operating B 3.5.2 BASES ACTIONS A.1 and B.1 (continued)

An event accompanied by a loss of offsite power and the failure of an emergency DG can disable one ECCS train until power is restored. A reliability analysis (Ref. 4) has shown that the impact with one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours.

Reference 5 describes situations in which one component, such as a shutdown cooling total flow control valve, can disable both ECCS trains. With one or more components inoperable, such that 100% of the equivalent flow to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analyses. In such a situation, LCO 3.0.3 must be immediately entered.

C.1 and C.2

If the inoperable train cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 400 psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.5.2.1 and 3.5.2.2 REQUIREMENTS SR 3.5.2.1 verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removing power or by key locking the control in the correct position ensures that the valves cannot be inadvertently misaligned or change position as the result of an active failure. These valves are of the type described in Reference 5, which can disable the function of both ECCS (continued)

SAN ON0FRE--UNIT 2 B 3.5-18 Amendment No. 127 07/15/98 i

ECCS - Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS

SR 3.5.2.1 and 3.5.2.2 (continued)

trains and invalidate the accident analysis. SR 3.5.2.2 verification of the proper positions of the Containment Emergency Sump isolation valves and ECCS pumps/containment spray pumps miniflow valves ensures that ECCS operability and containment integrity are maintained. Securing these valves in position with power available will provide additional assurance that these valves will operate on a RAS. A 12 hour Frequency is considered reasonable in view of other administrative controls ensuring that a mispositioned valve is an unlikely possibility.

SR 3.5.2.3

Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The 31 day Frequency is appropriate because the valves are operated under procedural control and an improper valve position would only affect a single train. This Frequency has been shown to be acceptable through operating experience.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-19 Amendment No. 127 07/15/98


ECCS - Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.2.4

With the exception of systems in operation, the ECCS pumps are normally in a standby, nonoperating mode. As such, flow path piping has the potential to develop voids and pockets of entrained gases. Maintaining the piping from the ECCS pumps to the RCS full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an SIAS or during SDC. The 31 day Frequency takes into consideration the gradual nature of gas accumulation in the ECCS piping and the adequacy of the procedural controls governing system operation.

SR 3.5.2.5

Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by Section XI of the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. SRs are specified in the Inservice Testing Program, which encompasses Section XI of the ASME Code. Section XI of the ASME Code provides the activities and Frequencies necessary to satisfy the requirements.

SR 3.5.2.6

Discharge head at design flow is a normal test of charging pump performance required by Section XI of the ASME Code. A quarterly Frequency for such tests is a Code requirement. Such inservice inspections detect component degradation and incipient failures. For positive displacement charging pumps, Section XI of the ASME Code allows an alternate testing for design flow only.

(continued)

SAN ONOFRE--UNIT 2 B 3.5-20 Amendment No. 127 07/15/98

ECCS - Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.2.7, SR 3.5.2.8, and SR 3.5.2.9

These SRs demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SIAS and/or an actual or simulated RAS as appropriate to each valve, that each ECCS pump starts on receipt of an actual or simulated SIAS, and that the LPSI pumps stop on receipt of an actual or simulated RAS. As a part of SR 3.5.2.8, subgroup relay K108, which starts th[illegible] safety injection actuation signal and disables non-safety related pump trips on low suction pressure and high pressurizer level, needs to be tested to verify these trips are disabled. The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a plant outage and the potential for unplanned transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability (and confirming operating experience) of the equipment. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing and equipment performance is monitored as part of the Inservice Testing Program.

SR 3.5.2.10

Periodic inspection of the containment sump ensures that it is unrestricted and stays in proper operating condition. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during an outage and on the need to have access to the location. This Frequency is sufficient to detect abnormal degradation and is confirmed by operating experience.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 35.
2. 10 CFR 50.46.
3. UFSAR, Section 6.3.
4. NRC Memorandum to V. Stello, Jr., from R. L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
5. IE Information Notice No. 87-01, January 6, 1987.
6. CE NPSD-995, "CEOG Joint Applications Report for Low Pressure Safety Injection System AOT Extension," May 1995.

SAN ONOFRE--UNIT 2 B 3.5-20a Amendment 127 07 98 Reissued on 06 99

Containment B 3.6.1

B 3.6 CONTAINMENT SYSTEMS

B 3.6.1 Containment

BASES

BACKGROUND

The containment consists of the concrete reactor building (RB), its steel liner, and the penetrations through this structure. The structure is designed to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof. The cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed utilizing a three way post tensioning system. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions.

The concrete RB is required for structural integrity of the containment under DBA conditions. The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment. SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:
1. capable of being closed by an OPERABLE automatic containment isolation system, or

(continued)

SAN ONOFRE--UNIT 2 B 3.6-1 Amendment No. 127 12/1/98

Containment B 3.6.1

BASES

BACKGROUND (continued)

2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves."

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks."

APPLICABLE SAFETY ANALYSES

The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The DBAs that result in a release of radioactive material within containment are a loss of coolant accident, a main steam line break (MSLB), and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, Pa, at 55.1 psig (Ref. 5). Pa will conservatively be assumed to be equal to the calculated peak containment internal pressure of the design basis Main Steam Line Break, 56.6 psig (Ref. 5), for the purpose of containment testing in accordance with this Technical Specification. Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of the NRC Policy Statement.

LCO

Containment OPERABILITY is maintained by limiting leakage to ≤ 1.0 La, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.

Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-2 Amendment No. 127 12/1/98

Containment B 3.6.1

BASES

LCO (continued)

Individual leakage rates specified for the containment air lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J, Option B. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 La.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS

A.1

In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2

If containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-3 Amendment No. 127 12/1/98

Containment B 3.6.1

BASES

SURVEILLANCE REQUIREMENTS

SR 3.6.1.1

Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock and purge valve with resilient seal leakage limits specified in LCO 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to overall Type A, B, and C leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be ≤ 0.5 La for combined Type B and C leakage following an outage or shutdown that included Type B and C testing only, and ≤ 0.75 La for overall Type A leakage following an outage or shutdown that included Type A testing. At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of ≤ 1.0 La. At ≤ 1.0 La the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies are as specified in the Containment Leakage Rate Testing Program. Thus, SR 3.0.2 (which allows Frequency extensions) does not apply. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.

SR 3.6.1.2

For ungrouted, post tensioned tendons, this SR ensures that the structural integrity of the containment will be maintained in accordance with the provisions of the Containment Tendon Surveillance Program. Testing and Frequency are consistent with the recommendations of Regulatory Guide 1.35 (Ref. 4).

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. SONGS Units 2 and 3 UFSAR, Section 15.1
3. SONGS Units 2 and 3 UFSAR, Section 15.4
4. Regulatory Guide 1.35, Revision 3
5. SONGS Units 2 and 3 UFSAR, Section 6.2

SAN ONOFRE--UNIT 2 B 3.6-4 Amendment No. 127 12/1/98

Containment Air Locks B 3.6.2

B 3.6 CONTAINMENT SYSTEMS

B 3.6.2 Containment Air Locks

BASES

BACKGROUND

Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder, 10 ft in diameter, with a door at each end. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in containment internal pressure results in increased sealing force on each door).

The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the safety analysis. SR 3.6.2.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-5 Amendment No. 127 12/1/98

Containment Air Locks B 3.6.2

BASES (continued)

APPLICABLE SAFETY ANALYSES

For atmospheric containment, the DBAs that result in a release of radioactive material within containment are a loss of coolant accident (LOCA), a main steam line break (MSLB) and a control element assembly (CEA) ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, Pa, at 55.1 psig (Ref. 3). Pa will conservatively be assumed to be equal to the calculated peak containment internal pressure of the design basis Main Steam Line Break, 56.6 psig (Ref. 3), for the purpose of containment testing in accordance with this Technical Specification. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.

The containment air locks satisfy Criterion 3 of the NRC Policy Statement.

LCO

Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The door seals and sealing surface are considered a part of the air lock. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-6 Amendment No. 127 12/1/98

Containment Air Locks B 3.6.2

BASES

SURVEILLANCE REQUIREMENTS

SR 3.6.2.1 (continued)

the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment leakage rate. The Frequency is as specified in the Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria which is applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C containment leakage rate.

SR 3.6.2.2

The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit into and out of containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. Due to the purely mechanical nature of this interlock, and given that the interlock mechanism is only challenged when containment is entered, Note 1 specifies that this test is only required to be performed upon entering containment but is not required more frequently than every 184 days. The second note states that SR 3.0.4 is not applicable. The 184 day Frequency is based on engineering judgment and is

(continued)

SAN ONOFRE--UNIT 2 B 3.6-11 Amendment No. 127 12/1/98

Containment Air Locks B 3.6.2

BASES

SURVEILLANCE REQUIREMENTS

SR 3.6.2.2 (continued)

considered adequate in view of other indications of door and interlock mechanism status available to operations personnel.

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. UFSAR, Section 15.1, 15.4.
3. UFSAR, Section 6.2.

SAN ONOFRE--UNIT 2 B 3.6-12 Amendment No. 127 12/1/98

Containment Isolation Valves B 3.6.3

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.3.5

Verifying that the isolation time of each power operated and automatic containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.

SR 3.6.3.6

For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J, Option B (Ref. 5), is required to ensure OPERABILITY. Operating experience has demonstrated that this type of seal has the potential to degrade in a shorter time period than do other seal types.

Based on this observation and the importance of maintaining this penetration leak tight (due to the direct path between containment and the environment), a Frequency of 184 days was established as part of the NRC resolution of Generic Issue B-20, "Containment Leakage Due to Seal Deterioration" (Ref. 3).

Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling the valve could introduce additional seal degradation (beyond that occurring to a valve that has not been opened). Thus, decreasing the interval (from 184 days) is a prudent measure after a valve has been opened.

A Note to this SR requires the results to be evaluated against the acceptance criteria of SR 3.6.1.1. This ensures that excessive containment purge valve leakage is properly accounted for in determining the overall containment leakage rate to verify containment OPERABILITY.

(continued)

SAN ONOFRE--UNIT 2 B 3.6-25 Amendment No. 127 12/1/98

Containment Isolation Valves B 3.6.3

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.3.7

The containment isolation valves covered by this SR are required to be demonstrated OPERABLE at the indicated frequency. This SR is modified by two notes. Note 1 specifies that the provisions of the Inservice Testing Program are not applicable when the valves are secured open.

The second note indicates that SR 3.0.4 is not applicable.

SR 3.6.3.8

Automatic containment isolation valves close on an actuation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures each automatic containment isolation valve will actuate to its isolation position on an actuation signal. The 24 month Frequency was developed considering it is prudent that this SR be performed only during a unit outage, since isolation of penetrations would eliminate cooling water flow and disrupt normal operation of many critical components. Operating experience has shown that these components usually pass this SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES

1. SONGS Units 2 and 3 UFSAR, Section 6.2.
2. SONGS Units 2 and 3 UFSAR, Section 6.
3. Generic Issue B-20.
4. Generic Issue B-24.
5. 10 CFR 50, Appendix J, Option B.

SAN ONOFRE--UNIT 2 B 3.6-26 Amendment No. 127 12/1/98

MSSVs B 3.7.1

BASES (continued)

APPLICABLE SAFETY ANALYSES

The design basis for the MSSVs comes from Reference 2; its purpose is to limit secondary system pressure to ≤ 110% of design pressure when passing 100% of design steam flow. This design basis is sufficient to cope with any anticipated operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the MSSV relieving capacity, and thus RCS pressure, are those characterized as decreased heat removal events, and are presented in the UFSAR, Section 15.2 (Ref. 3). Of these, the full power loss of condenser vacuum (LOCV) event is the limiting AOO. An LOCV isolates the turbine and condenser, and terminates normal feedwater flow to the Steam Generators. Before delivery of auxiliary feedwater to the Steam Generators, RCS pressure reaches ≤ 2750 psig. This peak pressure is less than or equal to 110% of the design pressure of 2500 psia, but high enough to actuate the pressurizer safety valves. The maximum relieving rate of the MSSVs during the LOCV event (Ref. 3, Fig. 15.2-10), is within the rated capacity of the MSSVs.

The limiting accident for peak RCS pressure is the full power feedwater line break (FWLB), inside containment, with the failure of the backflow check valve in the feedwater line from the affected Steam Generator. Water from the affected Steam Generator is assumed to be lost through the break with minimal additional heat transfer from the RCS. With heat removal limited to the unaffected Steam Generator, the reduced heat transfer causes an increase in RCS temperature, and the resulting RCS fluid expansion causes an increase in pressure. The RCS pressure increases to ≤ 3000 psia (Ref. 3, Fig. 15.2-40), with the pressurizer safety valves providing relief capacity. The maximum relieving rate of the MSSVs during the Feedwater Line Break event (Ref. 3, Fig. 15.2-51), is within the rated capacity of the MSSVs.

The MSSVs satisfy Criterion 3 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-2 Amendment No. 127 08/18/98

MSSVs B 3.7.1

BASES

LCO

This LCO requires all MSSVs to be OPERABLE in compliance with Reference 2, even though this is not a requirement of the DBA analysis. This is because operation with less than the full number of MSSVs requires limitations on allowable THERMAL POWER (to meet Reference 2 requirements) and adjustment to Reactor Protection System trip setpoints. These limitations are according to those shown in Table 3.7.1-1, Required Action A.1, and Required Action A.2. An MSSV is considered inoperable if it fails to open upon demand.

The OPERABILITY of the MSSVs is defined as the ability to open in accordance with Lift Settings specified in Table 3.7.1-2, relieve Steam Generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the inservice testing program.

The Lift Settings specified in Table 3.7.1-2 correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSSVs will perform their designed safety function to mitigate the consequences of accidents that could result in a challenge to the Reactor Coolant Pressure Boundary.

APPLICABILITY

In MODE 1, the accident analysis requires a minimum of five MSSVs per Steam Generator which is limiting and bounds all lower MODES. In MODES 2 and 3, both the ASME Code and the accident analysis require only one MSSV per Steam Generator to provide overpressure protection.

In MODES 4 and 5, there are no credible transients requiring the MSSVs.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-3 Amendment No. 127 08/18/98

MSIVs B 3.7.2

B 3.7 PLANT SYSTEMS

B 3.7.2 Main Steam Isolation Valves (MSIVs)

BASES

BACKGROUND

The MSIVs isolate steam flow from the secondary side of the steam generators following a high energy line break (HELB).

MSIV closure terminates flow from the unaffected (intact) steam generator.

One MSIV is located in each main steam line outside, but close to, containment. The MSIVs are downstream from the main steam safety valves (MSSVs), atmospheric dump valves, and auxiliary feedwater pump turbine steam supplies to prevent them from being isolated from the steam generators by MSIV closure. Closing the MSIVs isolates each steam generator from the other, and isolates the turbine, Steam Bypass System, and other auxiliary steam supplies from the steam generators.

The valves are held in the open position by a hydraulic system which exerts pressure on the bottom of a piston actuator. Nitrogen pressure on top of the piston actuator acts as the driving force for valve closure. For these valves to shut and perform their safety function, redundant actuation solenoids, powered from separate 1E power sources, open and dump hydraulic oil from the bottom of the piston actuator through two separate dump lines.

MSIVs are capable of performing their specified function in their closed position.

The MSIVs close on a main steam isolation signal generated by low steam generator pressure and on Containment Isolation Actuation Signal (CIAS) by high containment pressure. The MSIVs fail closed on loss of control or actuation power.

MSIS and CIAS also actuate the main feedwater isolation valves (MFIVs) to close. The MSIVs may also be actuated manually.

A description of the MSIVs is found in the UFSAR, Section 10.3 (Ref. 1).

(continued)

SAN ONOFRE--UNIT 2 B 3.7-7 Amendment No. 127 04/16/99

MSIVs B 3.7.2 BASES (Continued)

APPLICABLE SAFETY ANALYSES The design basis of the MSIVs is established by the containment analysis for the large steam line break (SLB) inside containment, as discussed in the UFSAR, Section 6.2 (Ref. 2). It is also influenced by the accident analysis of the SLB events presented in the UFSAR, Section 15.1.5 (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand).

The limiting case for the containment analysis is the hot zero power SLB inside containment with a loss of offsite power following turbine trip, and failure of the MSIV on the affected steam generator to close. At zero power, the steam generator inventory and temperature are at their maximum, maximizing the analyzed mass and energy release to the containment. Due to reverse flow, failure of the MSIV to close contributes to the total release of the additional mass and energy in the steam headers, which are downstream of the other MSIV. With the most reactive Single Control Element Assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the borated water injection delivered by the Emergency Core Cooling System. Other failures considered are the failure of an MFIV to close, and failure of an emergency diesel generator to start.

The accident analysis compares several different SLB events against different acceptance criteria. The large SLB outside containment upstream of the MSIV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The large SLB inside containment at hot zero power is the limiting case for a post trip return to power. The analysis included scenarios with offsite power available and with a loss of offsite power following turbine trip.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-8 Amendment No. 127 04 99 Reissued 06 99

MFIVs B 3.7.3 BASES

BACKGROUND (continued) The Main Feedwater Isolation Valves (MFIVs) have body drains which are either blind flanged or closed by a manual valve and capped. The body drain isolation valves are not subject to the requirements that all manual containment isolation valves be verified closed monthly in MODES 1 through 4, because they drain a volume in the MFIV body which is isolated from in-containment piping whenever the MFIV's double disk gate is closed. These drain valves are an integral part of the MFIVs and are not credited with affecting containment isolation in the UFSAR.

A description of the MFIVs is found in the UFSAR, Section 10.4.7 (Ref. 1).

APPLICABLE SAFETY ANALYSES The design basis of the MFIVs is established by the analysis for the large SLB. It is also influenced by the accident analysis for the large FWLB. Closure of the MFIVs may also be relied on to terminate a steam break for core response analysis and an excess feedwater flow event upon receipt of a MSIS on low steam generator pressure.

Failure of an MFIV to close following an SLB, FWLB, or excess feedwater flow event can result in additional mass and energy to the steam generators contributing to cooldown.

This failure also results in additional mass and energy releases following an SLB or FWLB event.

The MFIVs satisfy Criterion 3 of the NRC Policy Statement.

LCO This LCO ensures that the MFIVs will isolate MFW flow to the steam generators. Following an FWLB or SLB, these valves will also isolate the nonsafety related portions from the safety related portions of the system. This LCO requires that the one MFIV in each feedwater line be OPERABLE. The MFIVs are considered OPERABLE when the isolation times are within limits, and will close on MSIS and CIAS.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-14 Amendment No. 127 04/16/99

AFW System B 3.7.5 BASES

SURVEILLANCE REQUIREMENTS SR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW water and steam supply flow paths provides assurance that the proper flow paths exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulations; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.5.2 This SR verifies that the AFW pumps develop sufficient discharge pressure to deliver the required flow at the full open pressure of the MSSVs. Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing is performed on recirculation flow.

Periodically comparing the reference differential pressure developed at this reduced flow detects trends that might be indicative of incipient failures. Performance of inservice testing, discussed in NUREG 1366 (Ref. 2), on a STAGGERED TEST BASIS satisfies this requirement.

LCO 3.7.5 permits plant operation in MODE 4 with one motor driven AFW pump and/or the turbine driven AFW pump inoperable. During plant operation in MODE 4, the turbine driven AFW pump does not have to be surveilled because steam generator pressure is less than 800 psig (NOTE for SR 3.7.5.2). During plant operation in MODE 4 with one motor driven AFW pump inoperable, SR 3.7.5.2 does not have to be performed on the inoperable motor driven pump (SR 3.0.1), and n remains at 3, where n is the total number of designated components in the definition of STAGGERED TEST BASIS. Therefore, performance of SR 3.7.5.2 on the OPERABLE motor driven AFW pump is only required every 3 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-31 Amendment No. 127 09/18/98

AFW System B 3.7.5 BASES

SURVEILLANCE REQUIREMENTS SR 3.7.5.2 (continued) This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established.

This deferral is required because there is an insufficient steam pressure to perform the test.

This SR ensures that AFW can be delivered to the appropriate steam generator, in the event of any accident or transient that generates an EFAS signal, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal.

Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.4 This SR ensures that the AFW pumps will start in the event of any accident or transient that generates an EFAS signal by demonstrating that each AFW pump starts automatically on an actual or simulated actuation signal. Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-32 Amendment No. 127 09/18/98

AFW System B 3.7.5 BASES

SURVEILLANCE REQUIREMENTS (continued) SR 3.7.5.5 This SR ensures that the AFW System is properly aligned by verifying the flow path to each steam generator prior to entering MODE 2 operation, after 30 days in MODE 5 or 6.

OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown.

The Frequency is reasonable, based on engineering judgment, and other administrative controls to ensure that flow paths remain OPERABLE. To further ensure AFW System OPERABILITY, the OPERABILITY of the normal flow paths from the CST through the AFW pump to the Steam Generators is verified following extended outages. This SR ensures that the normal paths from the CST to the Steam Generators are OPERABLE by raising Steam Generator level by 2% using AFW flow from the CST.

REFERENCES 1. UFSAR, Section 10.4.9.

2. NUREG 1366, "Improvements to Technical Specifications Surveillance Requirements," Section 9.1.

SAN ONOFRE--UNIT 2 B 3.7-33 Amendment No. 127 09/18/98

CCW System B 3.7.7

B 3.7 PLANT SYSTEMS

B 3.7.7 Component Cooling Water (CCW) System

BASES

BACKGROUND The CCW System provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. During normal operation, the CCW System also provides this function for various nonessential components, as well as the spent-fuel pool. The CCW System serves as a barrier to the release of radioactive byproducts between potentially radioactive systems and the Salt Water Cooling System, and thus to the environment.

The CCW System is arranged as two independent full capacity cooling loops, and has isolatable nonsafety related components. Each safety related train includes a full capacity pump, surge tank, heat exchanger, piping, valves, and instrumentation. Each safety related train is powered from a separate bus. A pressurized surge tank in the system ensures sufficient net positive suction head is available.

The pump in each train is automatically started on receipt of a safety injection actuation signal, and all nonessential components are isolated.

Following a Design Basis Event, both the non-safety related Auxiliary Gas System and Nuclear Service Water system are assumed to be unavailable. A postulated Design Basis Event could result in CCW system voiding and a subsequent water hammer. The Backup Nitrogen Supply (BNS) system is an independent, safety related, Seismic Category I source of pressurized nitrogen to prevent high-point voiding by maintaining the CCW critical loops water-solid during Design Basis Event mitigation.

Additional information on the design and operation of the system, along with a list of the components served, is presented in the UFSAR, Section 9.2.2, Reference 1. The principal safety related function of the CCW System is the removal of decay heat from the reactor via the Shutdown Cooling (SDC) System heat exchanger. This may utilize the SCS heat exchanger, during a normal or post accident cooldown and shutdown, or the Containment Spray System during the recirculation phase following a loss of coolant accident (LOCA).

(continued)

SAN ONOFRE--UNIT 2 B 3.7-39 Amendment No. 127 Reissued 06/23/99

CREACUS B 3.7.11

B 3.7 PLANT SYSTEMS

B 3.7.11 Control Room Emergency Air Cleanup System (CREACUS)

BASES

BACKGROUND The CREACUS provides a protected environment from which operators can control the plant following an uncontrolled release of radioactivity.

The CREACUS consists of two independent, redundant trains that recirculate and filter the control room air. Each CREACUS train consists of emergency air conditioning unit, emergency ventilation air supply unit, emergency isolation dampers, and cooling coils and two cabinet coolers per Unit.

Each emergency air conditioning unit includes a prefilter, a high efficiency particulate air (HEPA) filter, an activated carbon adsorber section for removal of gaseous activity (principally iodine), and a fan. A second bank of HEPA filters follows the adsorber section to collect carbon fines. Each emergency ventilation air supply unit includes prefilter, HEPA filter, carbon adsorber and fan. Ductwork, motor-operated dampers, and instrumentation also form part of the system. Air and motor-operated dampers are provided for air volume control and system isolation purposes.

Upon receipt of the actuating signal, normal air supply to the control room is isolated, and the stream of ventilation air is recirculated through the system's filter trains. The prefilters remove any large particles in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers. Continuous operation of each train for at least 15 minutes per month verifies proper system operability.

There are two CREACUS operational modes. Emergency mode is an operational mode when the control room is isolated to protect operational personnel from radioactive exposure through the duration of any one of the postulated limiting faults discussed in Chapter 15 UFSAR (Ref. 2). Isolation mode is an operational mode when the control room is isolated to protect operational personnel from toxic gasses and smoke.

Actuation of the CREACUS places the system into either of two separate states of operation, depending on the initiation signal. Actuation of the system to either the emergency mode or isolation mode of CREACUS operation

(continued)

SAN ONOFRE--UNIT 2 B 3.7-56 Amendment No. 127 06/28/99

CREACUS B 3.7.11 BASES

BACKGROUND (continued) closes the unfiltered-outside-air intake and unfiltered exhaust dampers, and aligns the system for recirculation of control room air through the redundant trains of HEPA and charcoal filters.

The emergency mode initiates pressurization of the control room. Outside air is added to the air being recirculated from the control room. Pressurization of the control room prevents infiltration of unfiltered air from the surrounding areas of the building.

The control room supply and the outside air supply of the normal control room HVAC are monitored by radiation and toxic-gas detectors respectively. One detector output above the setpoint will cause actuation of the emergency mode or isolation mode as required. The actions of the isolation mode are more restrictive, and will override the actions of the emergency mode of operation. However, toxic gas and radiation events are not considered to occur concurrently.

A single train will pressurize the control room to at least 0.125 inches water gauge, and provides an air exchange rate in excess of 45% per hour. The CREACUS operation in maintaining the control room habitable is discussed in Reference 1.

Redundant recirculation trains provide the required filtration should an excessive pressure drop develop across the other filter train. Normally-open isolation dampers are arranged in series pairs so that one damper's failure to shut will not result in a breach of isolation. The CREACUS is designed in accordance with Seismic Category I requirements.

The CREACUS is designed to maintain the control room environment for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5-rem whole-body dose.

APPLICABLE SAFETY ANALYSES The CREACUS components are arranged in redundant safety related ventilation trains. The location of components and ducting within the control room envelope ensures an adequate supply of filtered air to all areas requiring access.

The CREACUS provides airborne radiological protection for the control room operators, as demonstrated by the control

(continued)

SAN ONOFRE--UNIT 2 B 3.7-57 Amendment No. 127 06/28/99

CREACUS B 3.7.11 BASES

APPLICABLE SAFETY ANALYSES (continued) room accident dose analyses for the most limiting design basis loss of coolant accident fission product release presented in the UFSAR, Chapter 15 (Ref. 2).

Dose calculations, as specified in Unit 2/3 UFSAR (Table 15B-5, Appendix 15B), only take credit for the HEPA filters and charcoal adsorbers of the emergency recirculation air conditioning unit. The emergency ventilation supply unit is credited only with contributing to the pressurization of the control room to 1/8 inch water gauge positive pressure (minimum) to prevent unfiltered inleakage as indicated in Unit 2/3 UFSAR.

The analysis of toxic gas releases demonstrates that the toxicity limits are not exceeded in the control room following a toxic chemical release, as presented in Reference 1.

The worst case single active failure of a component of the CREACUS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The CREACUS satisfies Criterion 3 of the NRC Policy Statement.

LCO Two independent and redundant trains of the CREACUS are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other train. Total system failure could result in a control room operator receiving a dose in excess of 5 rem in the event of a large radioactive release.

The CREACUS is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both trains. A CREACUS train is considered OPERABLE when the associated:

a. Fan is OPERABLE;

b. HEPA filters and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and

c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained. If an Emergency Isolation Damper is stuck open, the associated train of CREACUS may still be considered OPERABLE if the redundant damper in series with the inoperable damper is closed with power removed.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-58 Amendment No. 127 01/13/99

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14

B 3.7 PLANT SYSTEMS

B 3.7.14 Fuel Handling Building Post-Accident Cleanup Filter System

BASES

BACKGROUND The Fuel Handling Building Post-Accident Cleanup Filter System filters airborne radioactive particulates and gases from the area of the fuel pool following a fuel rupture accident. The Fuel Handling Building Post-Accident Cleanup Filter System, in conjunction with normally operating systems, also provides environmental control of temperature in the fuel pool area.

The Fuel Handling Building Post-Accident Cleanup Filter System consists of two independent, redundant trains. Each train consists of a prefilter, two banks of high efficiency particulate air (HEPA) filters, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), a Component Cooling Water cooling coil, and a fan. Ductwork, dampers, and instrumentation also form part of the system, as well as duct heaters which function to reduce the relative humidity of the air stream.

The second bank of HEPA filters follows the adsorber section to collect carbon fines and provide backup in case of failure of the main HEPA filter bank. The downstream HEPA filter is not credited in the analysis, but serves to collect charcoal fines, and to back up the upstream HEPA filter should it develop a leak. The system initiates filtered ventilation of the fuel handling building following receipt of a high radiation signal.

The Fuel Handling Building Post-Accident Cleanup Filter System is a standby system, part of which may also be operated during normal unit operations. Upon receipt of the actuating signal, the fuel handling building is isolated, and the stream of ventilation air discharges through the system filter trains. The prefilters remove any large particles in the air, to prevent excessive loading of the HEPA filters and charcoal adsorbers.

Operation of the FHB normal HVAC system in parallel with one operating PACFS unit and the other unit inoperable is permissible provided both radiation monitors RT-7823 and 7822 and their associated circuitry remain OPERABLE.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-63 Amendment No. 127 12/17/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14 BASES

BACKGROUND (continued) The Fuel Handling Building Post-Accident Cleanup Filter System is discussed in the UFSAR, Sections 6.5.1, 9.4.3.1, and 15.7.3.4 (Refs. 1, 2, and 3, respectively).

APPLICABLE SAFETY ANALYSES The Fuel Handling Building Post-Accident Cleanup Filter System is designed to mitigate the consequences of a fuel handling accident in which 60 pins in a fuel assembly are assumed to be damaged, or a Spent Fuel Pool gate drop accident in which 236 pins are assumed to be damaged. The analyses of the fuel rupture accidents are given in References 3 and 6. The analyses take no credit for the Fuel Handling Building Post-Accident Cleanup Filter System.

The amount of fission products available for release from the Fuel Handling Building is determined for a fuel rupture accident. These assumptions and the analysis follow the guidance provided in Regulatory Guide 1.25 (Ref. 4).

The Fuel Handling Building Post-Accident Cleanup Filter System satisfies Criterion 3 of the NRC Policy Statement.

LCO Two independent and redundant trains of the Fuel Handling Building Post-Accident Cleanup Filter System are required to be OPERABLE to ensure that at least one is available, assuming a single failure that disables the other train coincident with a loss of offsite power.

The Fuel Handling Building Post-Accident Cleanup Filter System is considered OPERABLE when the individual components necessary to control exposure in the fuel handling building are OPERABLE in both trains. A Fuel Handling Building Post-Accident Cleanup Filter System train is considered OPERABLE when its associated:

a. Fan is OPERABLE;

b. HEPA filters and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and

c. Heater, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-64 Amendment No. 127 12/17/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14 BASES

APPLICABILITY During movement of irradiated fuel assemblies in the fuel building, the Fuel Handling Building Post-Accident Cleanup Filter System is required to be OPERABLE to mitigate the consequences of a fuel rupture accident.

ACTIONS A.1 If one Fuel Handling Building Post-Accident Cleanup Filter System train is inoperable, action must be taken to restore OPERABLE status within 7 days. During this time period, the remaining OPERABLE train is adequate to perform the Fuel Handling Building Post-Accident Cleanup Filter System function. The 7 day Completion Time is reasonable, based on the risk from an event occurring requiring the inoperable Fuel Handling Building Post-Accident Cleanup Filter System train, and ability of the operable train to provide the required protection.

B.1 and B.2 When Required Action A.1 cannot be completed within the required Completion Time during movement of irradiated fuel in the fuel building, the OPERABLE Fuel Handling Building Post-Accident Cleanup Filter System train must be started immediately or fuel movement suspended. This action ensures that the remaining train is OPERABLE, that no undetected failures preventing system operation will occur, and that any active failure will be readily detected.

Operation of the FHB normal HVAC system in parallel with one operating PACFS unit and the other unit inoperable is permissible provided both radiation monitors RT-7823 and 7822 and their associated circuitry remain OPERABLE.

If the system is not placed in operation, this action requires suspension of fuel movement, which precludes a fuel handling accident. This does not preclude the movement of fuel to a safe position.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-65 Amendment No. 127 12/17/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14 BASES

SURVEILLANCE REQUIREMENTS (continued) SR 3.7.14.3 This SR verifies that each Fuel Handling Building Post-Accident Cleanup Filter System train starts and operates on an actual or simulated actuation signal. The 24 month Frequency is consistent with that specified in Reference 5.

REFERENCES 1. UFSAR, Section 6.5.1.

2. UFSAR, Section 9.4.3.1.

3. UFSAR, Section 15.7.3.4.

4. Regulatory Guide 1.25.

5. Regulatory Guide 1.52.

6. UFSAR, Section 15.7.3.6.

SAN ONOFRE--UNIT 2 B 3.7-67 Amendment No. 127 12/17/98

Fuel Storage Pool Water Level B 3.7.16

B 3.7 PLANT SYSTEMS

B 3.7.16 Fuel Storage Pool Water Level

BASES

BACKGROUND The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2, Reference 1, and the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given in the UFSAR, Section 15.7.3.4 and 15.7.3.6 (Ref. 3 and Ref. 6).

APPLICABLE SAFETY ANALYSES The minimum water level in the fuel storage pool meets the assumptions of the fuel handling accident described in Regulatory Guide 1.25 (Ref. 4). The resultant 2 hour thyroid dose to a person at the exclusion area boundary is a small fraction of the 10 CFR 100 (Ref. 5) limits.

According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface for a fuel handling accident. With this 23 ft of water, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle, dropped and lying horizontally on top of the spent fuel racks, there would be < 23 ft of water above the top of the bundle.

However, when the potential of a dropped fuel assembly exists (which is when fuel is being moved) a water level is maintained that would ensure that there would be >23 feet above the fuel assembly lying on top of the racks. This increased water level is required by LCO 3.9.6 when the fuel storage pool is connected to the refueling cavity and by station procedures whenever fuel is being moved.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-68 Amendment No. 127 10 98 Reissued 06 99

Fuel Storage Pool Water Level B 3.7.16 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued) The fuel storage pool water level satisfies Criterion 3 of the NRC Policy Statement.

LCO The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel storage and movement within the fuel storage pool.

APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool since the potential for a release of fission products exists.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the initial conditions for an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended. This effectively precludes a spent fuel handling accident from occurring. This does not preclude moving a fuel assembly to a safe position.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

(continued)

SAN ONOFRE--UNIT 2 B 3.7-69 Amendment No. 127 10/13/98

Fuel Storage Pool Water Level B 3.7.16 BASES

SURVEILLANCE REQUIREMENTS SR 3.7.16.1 This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically. The 7 day Frequency is appropriate because the volume in the pool is normally stable. Water level changes are controlled by unit procedures and are acceptable, based on operating experience.

During refueling operations, the level in the fuel storage pool is at equilibrium with that of the refueling canal, and the level in the refueling canal is checked daily in accordance with LCO 3.9.6, "Refueling Water Level."

REFERENCES 1. UFSAR, Section 9.1.2.

2. UFSAR, Section 9.1.3.

3. UFSAR, Section 15.7.3.4.

4. Regulatory Guide 1.25.

5. 10 CFR 100.11.

6. UFSAR, Section 15.7.3.6.

SAN ONOFRE--UNIT 2 B 3.7-70 Amendment No. 127 10/13/98

AC Sources-Operating B 3.8.1 BASES

ACTIONS L2 (continued) systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.2 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 17 day Completion Time means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.

As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition A.

1L1 To ensure a highly reliable power source remains when one of the required DGs is inoperable, it is necessary to verify (continued)

SAN ON0FRE--UNIT 2 B 3.8-6 Amendment No. 12709/28/98

l AC Sources-0perating l B 3.8.1 l

BASES i

l ACTIONS M (continued)

An augmented analysis using the methodology set forth in Reference 16 provides a series of deterministic and probabilistic justifications and supports continued operations in Condition B for a period that should not exceed 14 days.

In Condition B, the remaining OPERABLE DG and offsite circuits are. adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

1 The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Cor.dition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, the LC0 may already have been not met for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (for a total of 20 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrent 1y'. The "AE" connector between the 14 day and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition B.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-9 Amendment No. 127 09/28/98

AC Sources-Operating B 3.8.1

BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.1.12 (continued)

The Frequency of 24 months is consistent with Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.13

This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ESF actuation test signal in accordance with Reference 3.

The critical protective functions (engine overspeed, generator differential current, and low-low lube oil pressure), which trip the DG to avert substantial damage to the DG unit, are not bypassed. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The 24 month Frequency is based on engineering judgment, taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-22 Amendment No. 127 12/21/96 Reissued 01/20/98

AC Sources-Operating B 3.8.1

BASES

REFERENCES (continued)

5. UFSAR, Chapter 15.
6. Regulatory Guide 1.93, Rev. 0.
7. Generic Letter 84-15.
8. 10 CFR 50, Appendix A, GDC 18.
9. Regulatory Guide 1.108, Rev. 1.
10. Regulatory Guide 1.137, Rev. 1.
11. ANSI C84.1-1982.
12. ASME, Boiler and Pressure Vessel Code, Section XI.
13. IEEE Standard 308-1978.
14. Draft Regulatory Guide DG-1021, April 1992.
15. 10 CFR 50.63(a)(3)(ii) as published in Federal Register Vol. 57, No. 77 page 14517, April 21, 1992.
16. CE NPSD-996, "CEOG Joint Applications Report for Emergency Diesel Generator AOT Extension," May 1995.

SAN ONOFRE--UNIT 2 B 3.8-29 Amendment No. 127 09/28/98

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3

BASES

BACKGROUND (continued)

Each DG is equipped with two air start systems which are independent and redundant. Each air start system has adequate capacity for five successive start attempts on the DG without recharging the air start receivers.

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 4), and in the UFSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for LCO Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, and the air start subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of the NRC Policy Statement.

LCO

Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-37 Amendment No. 127 1/21/98

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3

BASES

ACTIONS

D.1 (continued)

acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.

E.1

With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.

With starting air receiver pressure < 175 psig, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is ≥ 136 psig, there is adequate capacity for at least one start attempt. In the event the redundant air start system is out of service, the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit.

A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts

(continued)

SAN ONOFRE--UNIT 2 B 3.8-40 Amendment No. 127 1/21/98

DC Sources-Operating B 3.8.4

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.4 DC Sources-Operating

BASES

BACKGROUND

The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters).

As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).

The 125 VDC electrical power system consists of four independent and redundant safety related Class 1E DC electrical power subsystems (Train A, Train B, Train C and Train D). Each subsystem consists of one 125 VDC battery, a battery charger for the battery, and all the associated control equipment and interconnecting cabling.

During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.

Train A and Train B 125 VDC electrical power subsystems provide control power for the 4.16 KV switchgear and 480 V load center AC load groups A and B, Diesel generator A and B control systems, and Train A and B control systems, respectively. Train A and Train B DC subsystems also provide DC power to the Train A and Train B inverters, as well as to Train A and Train B DC valve actuators, respectively.

Train C and Train D 125 VDC electrical power subsystems provide power for NSSS control power and DC power to Train C and Train D inverters, respectively, as well as to the inverters for the two redundant shutdown cooling system suction valves. Train C DC subsystem also provides DC power to the Auxiliary Feedwater Pump inlet valve HV-4716 and the AFWP electric governor.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-46 Amendment No. 127 01/22/99

DC Sources-Operating B 3.8.4

BASES

BACKGROUND (continued)

Train C DC subsystem also provides DC power to both Train A and Train C loads when Trains A and C are manually cross-connected during Modes 5 and 6 to allow the Train A DC bus to be operable during Train A battery replacement and/or testing, or when required during a station blackout event.

With two DC subsystems manually cross-connected, only Train C subsystem consists of its battery and charger; Train A subsystem has been stripped of its battery to meet the operability of the combined crosstie. During cross-connection operation either Train A or Train C battery charger can be used to power Train A and Train C DC Buses with Train C battery breaker closed.

Train D DC subsystem also provides DC power to both Trains B and D subsystem loads when Trains B and D DC subsystems are manually cross-connected during Modes 5 and 6 to allow the Train B DC bus to be operable during Train B battery replacement and/or testing, or when required during a station blackout event. With two DC subsystems manually cross-connected, only Train D subsystem consists of its battery and charger; Train B subsystem has been stripped of its battery to meet the operability of the combined crosstie. During cross-connection operation either Train B or Train D battery charger can be used to power Train B and Train D DC Buses with Train D battery breaker closed.

The DC power distribution system is described in more detail in the Bases for LCO 3.8.9, "Distribution Systems-Operating," and for LCO 3.8.10, "Distribution Systems-Shutdown."

The batteries for Trains A and B each has adequate storage capacity to carry the required loads continuously for at least 90 minutes without support of a battery charger. The batteries for Trains C and D can carry the required loads continuously for at least 8 hours as discussed in the UFSAR, Chapter 8 (Ref. 4).

Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between

(continued)

SAN ONOFRE--UNIT 2 B 3.8-47 Amendment No. 127 01/22/99

DC Sources-Operating B 3.8.4

BASES

BACKGROUND (continued)

redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels except when 125 VDC Trains A and C or B and D are manually cross-connected during Modes 5 and 6, or when required during a station blackout event.

The batteries for Trains A, B, C, and D DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. Battery size is based on 125% of required capacity. The voltage limit is 2.13 V per cell. The criteria for sizing large lead storage batteries are defined in IEEE-485 (Ref. 5).


(continued)

SAN ONOFRE--UNIT 2 B 3.8-47a Amendment No. 127 01/22/99

DC Sources-Operating B 3.8.4

BASES

LCO (continued)

An OPERABLE DC electrical power subsystem requires the required battery and charger to be operating and connected to the associated DC bus.

APPLICABILITY

The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources-Shutdown."

ACTIONS

A.1

Condition A represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2 hour limit is consistent with the allowed time for an inoperable DC distribution system train.

If one of the required battery banks is inoperable, then its associated DC electrical power subsystem is inoperable. The remaining DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure would, however, result in the loss of two of the remaining 125 VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 8) and reflects

(continued)

SAN ONOFRE--UNIT 2 B 3.8-49 Amendment No. 127 01/22/99

DC Sources-Operating B 3.8.4

BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.4.4 and SR 3.8.4.5 (continued)

These Surveillances are consistent with IEEE-450 (Ref. 9), which recommends cell to cell and terminal connection resistance measurement. The 24 month surveillance frequency is consistent with the existing licensing basis and is intended to be consistent with expected fuel cycle lengths.

SR 3.8.4.6

This SR requires that each battery charger be capable of supplying at least 300 amps and ≥ 129 V for ≥ 12 hours. These requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 10), the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensure that these requirements can be satisfied.

The Surveillance Frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.4.7

A battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements.

The Surveillance Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.32 (Ref. 10) and Regulatory Guide 1.129 (Ref. 11), which state that the battery service test should be performed during refueling

(continued)

SAN ONOFRE--UNIT 2 B 3.8-53 Amendment No. 127 01/22/99

DC Sources-Operating B 3.8.4

BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.4.7 (continued)

operations, or at some other outage, with intervals between tests not to exceed 24 months.

This SR is modified by three Notes. Note 1 allows the once per 48 months performance of SR 3.8.4.8 in lieu of SR 3.8.4.7. This substitution is acceptable because SR 3.8.4.8 represents a more severe test of battery capacity than does SR 3.8.4.7. The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Note 3 acknowledges that credit may be taken for unplanned events that satisfy this SR.

If for any reason a battery has to undergo both service and performance tests, one following the other during a refueling outage, then the battery shall complete the service test first. Recharging of the battery is required before the performance test is conducted. The "as found" condition prior to the performance test will be the state the battery is in immediately before the performance test.

Here at SONGS, two spare cells are normally maintained qualified by installing them on the same seismic rack where 58 active cells reside, kept on float charge and inspected by regular Preventive Maintenance (PM). These spare cells are included in the main bank during service and performance tests to demonstrate their adequacy under the configuration conditions that would be present if they were required for use. Adding the spare cell(s) to the tests may create a 59 or 60 cell configuration and the service test results are adjusted by subtracting the spare cell(s) voltage contribution to the overall bank voltage at the end of discharge. This voltage adjustment is not necessary for the performance test. In addition, to meet the definition of "as found" for the test configuration and further demonstrate that the test results are not affected by the addition of the spare cells, "before" and "after" micro-ohmmeter readings of the intercell connections at the insertion point will be taken. It is expected there will be a change in the connection resistance. As it was stated above, however, it will have a negligible effect on the test results.

(continued)

SAN ONOFRE--UNIT 2 B 3.8-54 Amendment No. 127 08/05/98

DC Sources-Operating B 3.8.4

BASES (continued)

SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.4.8

A battery performance test is a test of constant current capacity of a battery, normally done in the "as found" condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Surveillance Frequency for this test is 60 months, or every 12 months if the battery shows degradation or has reached 85% of its expected life. Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating. These frequencies are consistent with the recommendations in IEEE-450 (Ref. 9).
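The scheduling and replacement criteria described above for SR 3.8.4.8, combined with the 125% sizing basis stated in the Background, as an added Python example that is not part of the licensee's document. The function and field names, the reading of the 10% drop as relative to the previous test result, and the sample capacities are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List

# Thresholds quoted in the Bases text for SR 3.8.4.8 and the Background.
REPLACE_BELOW_PCT = 80.0        # replace if capacity is below 80% of rating
DEGRADED_BELOW_PCT = 90.0       # degraded if below 90% of manufacturer's rating
DROP_LIMIT_PCT = 10.0           # degraded if drop since previous test exceeds 10%
LIFE_FRACTION_LIMIT = 0.85      # 85% of expected life
NORMAL_INTERVAL_MONTHS = 60
REDUCED_INTERVAL_MONTHS = 12
SIZING_FACTOR = 1.25            # battery size is 125% of required capacity


@dataclass
class Assessment:
    degraded: bool              # degradation as defined in the text
    replace: bool               # capacity below the 80% replacement criterion
    interval_months: int        # interval to the next performance test
    load_margin_pct: float      # capacity left above the required load
    reasons: List[str]          # why the reduced interval applies, if it does


def assess_battery(capacities_pct: List[float], life_fraction: float) -> Assessment:
    """Evaluate performance test results, oldest first, in % of rating.

    life_fraction is the elapsed fraction of expected battery life (0..1).
    """
    if not capacities_pct:
        raise ValueError("at least one performance test result is required")
    latest = capacities_pct[-1]
    reasons: List[str] = []

    if latest < DEGRADED_BELOW_PCT:
        reasons.append("capacity below 90% of manufacturer's rating")
    if len(capacities_pct) > 1:
        previous = capacities_pct[-2]
        # Assumption: the drop is taken relative to the previous test result.
        drop_pct = (previous - latest) / previous * 100.0
        if drop_pct > DROP_LIMIT_PCT:
            reasons.append("capacity dropped more than 10% since previous test")
    degraded = bool(reasons)

    if life_fraction >= LIFE_FRACTION_LIMIT:
        reasons.append("battery has reached 85% of expected life")

    interval = REDUCED_INTERVAL_MONTHS if reasons else NORMAL_INTERVAL_MONTHS

    # With sizing at 125% of required capacity, delivered capacity relative to
    # the required load is capacity x 1.25; the margin reaches zero at 80%.
    load_margin_pct = latest * SIZING_FACTOR - 100.0

    return Assessment(
        degraded=degraded,
        replace=latest < REPLACE_BELOW_PCT,
        interval_months=interval,
        load_margin_pct=load_margin_pct,
        reasons=reasons,
    )


if __name__ == "__main__":
    # Constructed test histories (percent of rating) and life fractions.
    cases = [([102.0, 98.0], 0.50), ([102.0, 91.0], 0.50),
             ([95.0, 92.0], 0.90), ([88.0, 79.0], 0.95)]
    for history, life in cases:
        print(history, life, assess_battery(history, life))
```

The zero margin at 80% of rating is why the replacement criterion and the sizing basis line up: a battery sized at 125% of required capacity delivers exactly the required capacity when it has aged to 80% of nameplate.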

This SR is modified by two Notes. The reason for Note 1 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

If for any reason a battery has to undergo both service and performance tests, one following the other during a refueling outage, then the battery shall complete the service test first. Recharging of the battery is required before the performance test is conducted. The "as found" condition prior to the performance test will be the state the battery is in immediately before the performance test.

Here at SONGS, two spare cells are normally maintained qualified by installing them on the same seismic rack where 58 active cells reside, kept on float charge and inspected by regular Preventive Maintenance (PM). These spare cells are included in the main bank during service and performance tests to demonstrate their adequacy under the configuration conditions that would be present if they were

(continued)

SAN ONOFRE--UNIT 2 B 3.8-55 Amendment No. 127 08/05/98

DC Sources-Operating B 3.8.4

BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.8.4.8 (continued)

required for use. Adding the spare cell(s) to the tests may create a 59 or 60 cell configuration and the service test results are adjusted by subtracting the spare cell(s) voltage contribution to the overall bank voltage at the end of discharge. This voltage adjustment is not necessary for the performance test. In addition, to meet the definition of "as found" for the test configuration and further demonstrate that the test results are not affected by the addition of the spare cells, "before" and "after" micro-ohmmeter readings of the intercell connections at the insertion point will be taken. It is expected there will be a change in the connection resistance. As it was stated above, however, it will have a negligible effect on the test results.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 17.
2. Regulatory Guide 1.6, March 10, 1971.
3. IEEE-308-1978.
4. UFSAR, Chapter 8.
5. IEEE-485-1983, June 1983.
6. UFSAR, Chapter 6.
7. UFSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9. IEEE-450-1980.
10. Regulatory Guide 1.32, February 1977.
11. Regulatory Guide 1.129, April 1977.

SAN ONOFRE--UNIT 2 B 3.8-55a Amendment No. 127 08/05/98

Containment Penetrations B 3.9.3

B 3.9 REFUELING OPERATIONS

B 3.9.3 Containment Penetrations

BASES

BACKGROUND

During CORE ALTERATIONS or movement of fuel assemblies within containment with irradiated fuel in containment, a release of fission product radioactivity within the containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J, Option B leakage criteria and tests are not required.

The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained well within the requirements of 10 CFR 100. Additionally, the containment structure provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of shutdown when containment

(continued)

SAN ONOFRE--UNIT 2 B 3.9-9 Amendment No. 127 12/1/98

SDC and Coolant Circulation-High Water Level B 3.9.4

BASES (continued)

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One loop of the SDC System is required to be operational in MODE 6, with the water level ≥ 20 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing of the SDC pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SDC pump does not result in a challenge to the fission product barrier.

SDC and Coolant Circulation-High Water Level satisfies Criterion 3 of the NRC Policy Statement.

LCO

Only one SDC loop is required for decay heat removal in MODE 6, with water level ≥ 20 ft above the top of the reactor vessel flange. Only one SDC loop is required because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one SDC loop must be in operation to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC loop includes an SDC pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature.

(continued)

SAN ONOFRE--UNIT 2 B 3.9-17 Amendment No. 127 06/03/99

SDC and Coolant Circulation-High Water Level B 3.9.4

BASES (continued)

LCO (continued)

The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

The LCO is modified by two Notes. With the upper guide structure removed from the reactor vessel, Note 1 allows the required operating SDC loop to be removed from service for up to 2 hours in each 8 hour period, provided that:

a. The maximum RCS temperature is maintained ≤ 140°F.
b. No operations are permitted that would cause a reduction of the RCS boron concentration.
c. The capability to close the containment penetrations with direct access to the outside temperature within the calculated time to boil is maintained.
d. The reactor cavity water level is maintained ≥ 20 feet above the top of the reactor pressure vessel flange, or, for core alterations, ≥ 23 feet above the top of the reactor pressure vessel flange.

This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, RCS to SDC isolation valve testing, and inservice testing of LPSI system components. During this 2 hour period, decay heat is removed by natural convection to the large mass of water in the refueling canal.
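An added example, not part of the licensee's document: a Python check of a log of SDC loop removals against the Note 1 allowance (up to 2 hours in each 8 hour period) and its provisos a through d. The record layout, the rolling reading of "each 8 hour period", and the sample log are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

WINDOW = timedelta(hours=8)     # "each 8 hour period"
ALLOWED = timedelta(hours=2)    # "up to 2 hours"


@dataclass
class Removal:
    """One period with the operating SDC loop out of service (hypothetical layout)."""
    start: datetime
    end: datetime
    max_rcs_temp_f: float
    cavity_level_ft: float                  # above the reactor pressure vessel flange
    core_alterations: bool
    upper_guide_structure_removed: bool = True
    boron_reduction_ops: bool = False       # operations that could reduce RCS boron
    closure_within_time_to_boil: bool = True


def proviso_failures(r: Removal) -> List[str]:
    """Return the Note 1 conditions that a single removal did not meet."""
    failures = []
    if not r.upper_guide_structure_removed:
        failures.append("upper guide structure not removed")
    if r.max_rcs_temp_f > 140.0:
        failures.append("a: maximum RCS temperature above 140 F")
    if r.boron_reduction_ops:
        failures.append("b: boron concentration reduction possible")
    if not r.closure_within_time_to_boil:
        failures.append("c: penetration closure capability not maintained")
    required_ft = 23.0 if r.core_alterations else 20.0
    if r.cavity_level_ft < required_ft:
        failures.append(f"d: cavity level below {required_ft:g} ft")
    return failures


def _overlap(r: Removal, window_start: datetime) -> timedelta:
    """Out-of-service time of r that falls inside one 8 hour window."""
    window_end = window_start + WINDOW
    return max(min(r.end, window_end) - max(r.start, window_start), timedelta(0))


def worst_window(removals: List[Removal]) -> timedelta:
    """Largest total out-of-service time found in any rolling 8 hour window.

    The total is piecewise linear in the window position and peaks where a
    window starts at a removal start or ends at a removal end, so only those
    positions need to be evaluated.
    """
    starts = [r.start for r in removals] + [r.end - WINDOW for r in removals]
    totals = (sum((_overlap(r, s) for r in removals), timedelta(0)) for s in starts)
    return max(totals, default=timedelta(0))


def check_note1(removals: List[Removal]) -> List[str]:
    """List every finding against Note 1 for a log of removals."""
    findings = [f"{r.start:%m/%d %H:%M}: {msg}"
                for r in removals for msg in proviso_failures(r)]
    worst = worst_window(removals)
    if worst > ALLOWED:
        findings.append(f"{worst} out of service within one 8 hour period")
    return findings


# Constructed sample log; dates, temperatures and levels are illustrative only.
SAMPLE_LOG = [
    Removal(datetime(1999, 6, 3, 8, 0), datetime(1999, 6, 3, 9, 30), 118.0, 23.4, True),
    Removal(datetime(1999, 6, 3, 14, 0), datetime(1999, 6, 3, 15, 0), 121.0, 20.5, False),
    Removal(datetime(1999, 6, 4, 2, 0), datetime(1999, 6, 4, 3, 0), 142.0, 21.0, True),
]

if __name__ == "__main__":
    for line in check_note1(SAMPLE_LOG):
        print(line)
```

In the sample log each removal is individually shorter than 2 hours, but the first two together put 2.5 hours of outage inside one 8 hour period, which a per-event duration check would miss.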

Note 2 allows Operations to use a containment spray pump in place of a low pressure safety injection pump to provide shutdown cooling flow.

APPLICABILITY

One SDC loop must be in operation in MODE 6, with the water level ≥ 20 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems (ECCS). SDC loop requirements in MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, are located in LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation-Low Water Level."

ACTIONS

SDC loop requirements are met by having one SDC loop OPERABLE and in operation, except as permitted in the Note to the LCO.

(continued)

SAN ONOFRE--UNIT 2 B 3.9-18 Amendment No. 127 06/03/99

SDC and Coolant Circulation-High Water Level B 3.9.4

BASES (continued)

ACTIONS

A.1 (continued)

If SDC loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur through the addition of water with a lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

A.2

If SDC loop requirements are not met, actions shall be taken immediately to suspend loading irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 20 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase the decay heat load, such as loading a fuel assembly, is a prudent action under this condition.

A.3

If SDC loop requirements are not met, actions shall be initiated and continued in order to satisfy SDC loop requirements.

A.4

If SDC loop requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment building. The 4 hour or within the calculated time to boil Completion Time allows fixing most SDC problems without incurring the additional action of violating the containment atmosphere.

(continued)

SAN ONOFRE--UNIT 2 B 3.9-19 Amendment No. 127 06/03/99 l

)

SDC and Coolant Circulation-Low Mater Level B 3.9.5 BASES (continued)

APPLICABLE SAFETY ANALYSES If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to the resulting loss of coolant in the reactor vessel.

Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two loops of the SDC System are required to be OPERABLE, and one loop is required to be in operation in MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, to prevent this challenge.

With the reactor vessel head removed and 12 feet of water above the reactor vessel flange and all the specified requirements met, a heat sink is available for core cooling and a method is available to restore the reactor cavity level to 20 feet above the reactor vessel flange.

Therefore, in the event of a failure of the operating shutdown cooling loop, adequate time is provided to initiate emergency procedures to cool the core.

SDC and Coolant Circulation-Low Water Level satisfies Criterion 3 of the NRC Policy Statement.

LCO In MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, both SDC loops must be OPERABLE.

Additionally, one loop of the SDC System must be in operation in order to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC loop consists of an SDC pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end

(continued)

SAN ONOFRE--UNIT 2 B 3.9-22 Amendment No. 127 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5 BASES (continued)

LCO (continued) temperature. The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

This LCO is modified by the Note that allows Operations to use a containment spray pump in place of a low pressure safety injection pump to provide shutdown cooling flow.

or 1) The reactor has been shut down for at least 6 days.

2) The water level above the reactor vessel flange is 12 feet or greater.
3) The associated loop of Salt Water Cooling (SWC) is OPERABLE and operating.
4) The associated Component Cooling Water (CCW) pump and the CCW swing pump are OPERABLE, and the associated CCW loop is OPERABLE and operating.
5) The Shutdown Cooling system is operating using the containment spray pump, and the associated high pressure safety injection pump and the low pressure safety injection pump are OPERABLE and at ambient temperature, available for injection from the RWST.
6) The RWST contains the volume of water required to raise the level to 20 feet above the reactor vessel flange.
7) The associated Emergency Diesel Generator is Operable.
8) The water temperature of the SDC system is maintained less than 120°F.

APPLICABILITY Two SDC loops are required to be OPERABLE, and one SDC loop must be in operation in MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System. MODE 6 requirements, with a water level ≥ 20 ft above the reactor vessel flange, are covered in LCO 3.9.4, "Shutdown Cooling and Coolant Circulation-High Water Level."

(continued)

SAN ONOFRE--UNIT 2 B 3.9-23 Amendment No. 127 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5 BASES (continued)

ACTIONS A.1 and A.2 When two SDC loops are operable and if one SDC loop becomes inoperable, actions shall be immediately initiated and continued until the SDC loop is restored to OPERABLE status and to operation, or until ≥ 20 ft of water level is established above the reactor vessel flange. When the water level is established at ≥ 20 ft above the reactor vessel flange, the Applicability will change to that of LCO 3.9.4, "Shutdown Cooling and Coolant Circulation-High Water Level," and only one SDC loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1 When one loop of the SDC is operable with requirements 1-8 satisfied and the SDC loop becomes inoperable or any of the 8 requirements are not met, actions shall be immediately initiated to establish a water level > 20 feet above the reactor flange. When the water level is established at > 20 feet above the reactor vessel flange, the applicability will change to that of LCO 3.9.4, "Shutdown Cooling and Coolant Circulation-High Water Level," and only one SDC loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

R I If no SDC loop is in operation or no SDC loops are OPERABLE, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by the addition of water with lower boron concentration than that contained in the RCS.

Therefore, actions that reduce boron concentration shall be suspended immediately.

u l If no SDC loop is in operation or no SDC loops are OPERABLE, actions shall be initiated immediately and continued without interruption to restore one SDC loop to OPERABLE status and operation. Since the unit is in Conditions A and B

(continued)

SAN ONOFRE--UNIT 2 B 3.9-24 Amendment No. 127 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5 BASES (continued)

ACTIONS (continued) concurrently, the restoration of two OPERABLE SDC loops and one operating SDC loop should be accomplished expeditiously.

U l If SDC loop requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment building. The 4 hour or within the calculated time to boil Completion Time allows fixing most SDC problems without incurring the additional action of violating the containment atmosphere.

SURVEILLANCE REQUIREMENTS SR 3.9.5.1 This Surveillance demonstrates that one SDC loop is operating and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, this Surveillance demonstrates that the other SDC loop is OPERABLE.

In addition, during operation of the SDC loop with the water level in the vicinity of the reactor vessel nozzles, the SDC loop flow rate determination must also consider the SDC pump suction requirements. The Frequency of 12 hours is sufficient, considering the flow, temperature, pump control, and alarm indications available to the operator to monitor the SDC System in the control room.

Verification that the required loops are OPERABLE and in operation ensures that loops can be placed in operation as needed, to maintain decay heat and retain forced circulation. The Frequency of 12 hours is considered reasonable, since other administrative controls are available and have proven to be acceptable by operating experience.

REFERENCE 1. UFSAR, Section 7.4.

SAN ONOFRE--UNIT 2 B 3.9-24a Amendment No. 127 06/03/99

Refueling Water Level B 3.9.6 BASES (continued)

APPLICABLE SAFETY ANALYSES (continued) The applicability statement is modified by a note which allows that the water level may be lowered to a minimum of 23 feet above the top of the fuel for movement of four finger CEAs, coupling and uncoupling of CEA extension shafts or for verifying the coupling and uncoupling.

LCO A minimum refueling water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits as provided by the guidance of Reference 3.

APPLICABILITY LCO 3.9.6 is applicable during movement of fuel assemblies or CEAs within the reactor pressure vessel when either the fuel assemblies being moved or the fuel assemblies seated within the reactor pressure vessel are irradiated, and during movement of irradiated fuel assemblies within containment.

A note provides an exception that the water level may be lowered to a minimum of 23 feet above the top of the fuel for movement of four finger CEAs, coupling and uncoupling of CEA extension shafts or for verifying the coupling and uncoupling. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.16, "Fuel Storage Pool Water Level."

ACTIONS A.1 and A.2 With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving CORE ALTERATIONS or movement of irradiated fuel assemblies shall be suspended immediately to ensure that a fuel handling accident cannot occur.

The suspension of CORE ALTERATIONS and fuel movement shall not preclude completion of movement of a component to a safe position.

(continued)

SAN ONOFRE--UNIT 2 B 3.9-26 Amendment No. 127 10/13/98

Refueling Water Level B 3.9.6 BASES

SURVEILLANCE REQUIREMENTS SR 3.9.6.1 Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2).

The Frequency of 24 hours is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls of valve positions, which make significant unplanned level changes unlikely.

REFERENCES 1. Regulatory Guide 1.25, March 23, 1972.
2. UFSAR, Section 15.7.3.9.
3. NUREG-0712, Safety Evaluation Report related to the operation of San Onofre Nuclear Generating Station, Units 2 and 3, February 1981.
4. 10 CFR 100.10.

SAN ONOFRE--UNIT 2 B 3.9-27 Amendment No. 127 10/13/98

SAN ONOFRE UNIT 3 REVISED BASES PAGES

SR Applicability B 3.0

BASES SR 3.0.2 (continued) not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. An example of where SR 3.0.2 does not apply is the Containment Leakage Rate Testing Program. Test frequencies specified in the Containment Leakage Rate Testing Program may be extended consistent with the guidance provided in NEI 94-01, "Industry Guideline For Implementing Performance-Based Option Of 10CFR 50, Appendix J," as endorsed by Regulatory Guide 1.163.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not

(continued)

SAN ONOFRE--UNIT 3 B 3.0-12 Amendment No. 116 12/1/98

Boration Systems - Operating B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEM B 3.1.9 Boration Systems - Operating

BASES

BACKGROUND The Chemical and Volume Control System (CVCS) functions to provide a means for reactivity control and maintaining reactor coolant inventory, activity, and chemistry. The CVCS includes the letdown and boron injection subsystems. The boron injection subsystem is required to establish and maintain a safe shutdown condition for the reactor. The letdown portion of the CVCS is used for normal plant operation; however, it is not required for safety.

Two OPERABLE boron injection flow paths are required while operating in Modes 1, 2, 3, and 4. One flow path includes the OPERABLE RWST (TS 3.5.4), the associated gravity feed valves, and the charging pumps. The second flow path includes the Boric Acid Makeup (BAMU) tanks with their individual or combined contents in accordance with the LCS, the associated gravity feed valves, BAMU pump(s), and charging pumps. Power is provided by the OPERABLE onsite emergency power supply specified by TS 3.8.1.

The boron concentration is controlled to provide shutdown margin (SDM) for maintenance, refueling and emergencies. Boron concentration is adjusted to obtain optimum CEA positioning and compensate for normal reactivity changes associated with changes in reactor coolant temperature, core burnup, and xenon concentration. The boration capability is sufficient to provide a SDM of 3.0% Δk/k assuming the highest worth CEA is stuck out after xenon decay and cooldown to 200°F in accordance with GDC 26 and 27 (Ref. 1 and 2). In addition, the boration system injects boron into the RCS to mitigate a Main Steam Line Break (MSLB).

APPLICABLE SAFETY ANALYSES The charging pumps inject borated water into the RCS to provide reactivity control. There are three installed charging pumps with one normally in operation balancing the letdown purification flow and the reactor coolant pump controlled bleed-off flow. A Safety Injection Actuation Signal (SIAS) is initiated by either low pressurizer pressure or high containment pressure in Modes 1 through 3.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-54 Amendment No. 116 4/30/98

Boration Systems - Operating B 3.1.9

BASES

APPLICABLE SAFETY ANALYSES (continued) All three charging pumps receive start signals from SIAS and the associated boric acid flow path valves open to provide emergency boration via the charging pumps.

The capacity of the charging pumps and the required amount of borated water stored in the RWST and BAMUs is sufficient to maintain shutdown margin during a plant cooldown to MODE 5 with a shutdown margin of at least 3% Δk/k at any time during plant life. The maximum expected boration capability requirements occur at the end of core life from full power equilibrium xenon conditions. During this condition the required boric acid solution is supplied by the BAMU tanks with the contents in accordance with the LCS plus approximately 13,000 gallons of 2350 ppm borated water from the OPERABLE RWST.

The design of the boration systems incorporates a high degree of functional reliability by providing redundant components, an alternate path for charging and either offsite or onsite power supplies. Gravity feed lines from each Boric Acid Makeup (BAMU) tank and the RWST assure that a source of borated water is available to the charging pump suction header. Should the charging line inside containment be inoperable, the line may be isolated outside containment and flow redirected through the high pressure safety injection headers to assure boron injection. If the normal power supply system should fail, the charging pumps, boric acid makeup pumps, and all related automatic control valves are powered from an emergency bus. The malfunction or failure of one active component would not reduce the ability to borate the RCS since an alternate flow path is always available for emergency boration.

The Boration Systems satisfy Criterion 3 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 3 B 3.1-55 Amendment No. 116 4/30/98

Boration Systems - Operating B 3.1.9

BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.1.9.1 and 3.1.9.2 SR 3.1.9.1 verifies that the boron concentration of the available boric acid solution in the BAMU tanks is sufficient for reactivity control. SR 3.1.9.2 verifies that a sufficient volume of borated water is available for RCS makeup. The minimum required volume and concentration of stored boric acid in the BAMU tank(s) is dependent upon the RWST boron concentration and is specified in a Licensee Controlled Specification. The 7 day Surveillance Frequency ensures that an adequate initial water supply is available for boron injection.

SR 3.1.9.3 and 3.1.9.4 These SRs demonstrate that each automatic boration system pump and valve is operable and actuates as required. In response to an actual or simulated SIAS the charging pumps start, the VCT is isolated, and the charging pumps take suction from the OPERABLE BAMU tank(s) and RWST.

Verification of the correct alignment for manual, power operated, and automatic valves in the Boration System Flow paths provides assurance that proper boration flow paths are available. These SRs do not apply to valves that are locked, sealed, or otherwise secured in position, because these valves were previously verified to be in the correct position.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. 10 CFR 50, Appendix A, GDC 27.

SAN ONOFRE--UNIT 3 B 3.1-58 Amendment No. 116 4/30/98

RPS Instrumentation-Operating B 3.3.1

BASES

APPLICABLE SAFETY ANALYSES (continued) 2. Logarithmic Power Level-High The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2, 3, 4, and 5, with the RTCBs closed and the CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 4E-5% RTP. The indication and alarm portion must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2, "Reactor Protective System (RPS) Instrumentation-Shutdown."

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level-High trip does not have to be OPERABLE.

3. Pressurizer Pressure-High The Pressurizer Pressure-High trip provides protection for the high RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events:

• Loss of Electrical Load Without a Reactor Trip Being Generated by the Turbine Trip (AOO);

• Loss of Condenser Vacuum (AOO);

• CEA Withdrawal From Low Power Conditions (AOO); and

• Chemical and Volume Control System Malfunction (AOO).

(continued)

SAN ONOFRE--UNIT 3 B 3.3-12 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES LCO (continued) 2. Logarithmic Power Level-High (continued)

MODE 3, 4 or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal.

The MODES 3, 4, and 5 Condition is addressed in LCO 3.3.2.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level-High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level-High trip may be bypassed when logarithmic power is above 1E-4% RTP to allow the reactor to be brought to power during a reactor startup. The trip must be enabled when logarithmic power is < 4E-5% RTP. At ≥ 4E-5% RTP, the CPC LPD/DNBR trip, the Linear Power Level-High and Pressurizer Pressure-High trips provide protection for reactivity transients.

The trip may be manually bypassed during physics testing pursuant to LCO 3.1.12, "Special Test Exceptions - Low Power Physics Testing." During this testing, the Linear Power Level-High trip and administrative controls provide the required protection.

3. Pressurizer Pressure-High

This LCO requires four channels of Pressurizer Pressure-High to be OPERABLE in MODES 1 and 2.

The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a complete loss of electrical load from 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety

(continued)

SAN ONOFRE--UNIT 3 B 3.3-18 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES LCO (continued) 8, 9. Steam Generator Level-Low (continued) The Allowable Value is sufficiently below the normal operating level for the steam generators so as not to cause a reactor trip during normal plant operations.

The same bistable providing the reactor trip also initiates emergency feedwater to the affected generator via the Emergency Feedwater Actuation Signals (EFAS). The minimum setpoint is governed by EFAS requirements. The reactor trip will remove the heat source (except decay heat), thereby conserving the reactor heat sink.

10. Reactor Coolant Flow-Low This LCO requires four channels of Reactor Coolant Flow-Low for Steam Generator #1, and four channels of Reactor Coolant Flow-Low for Steam Generator #2 to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during normal plant operations while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core cooling to maintain DNBR under the expected pressure conditions for this event.

The Reactor Coolant Flow-Low trip may be manually bypassed when logarithmic power is less than 1E-4% RTP. This allows for de-energization of one or more RCPs (e.g., for plant cooldown), while maintaining the ability to keep the shutdown CEA banks withdrawn from the core if desired.

LCO 3.4.5, "RCS Loops-MODE 3," LCO 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," ensure adequate RCS flow rate is maintained. The trip must be enabled when logarithmic power is > 1.5E-4% RTP. When below the power range, the Reactor Coolant Flow-Low is not required for plant protection.

11. Local Power Density-High This LCO requires four channels of LPD-High to be OPERABLE.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-21 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES LCO (continued) 11. Local Power Density-High (continued) The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function.

The CPC channels may be manually bypassed below 1E-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS Logic circuitry. The operating bypass is removed when enabling bypass conditions are no longer satisfied.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off.

During special testing pursuant to LCO 3.1.12, the CPC channels may be manually bypassed when logarithmic power is below 5% RTP to allow special testing without generating a reactor trip.

12. Departure from Nucleate Boiling Ratio (DNBR)-Low

This LCO requires four channels of DNBR-Low to be OPERABLE.

The LCO on the CPCs ensures that the SLs are maintained during all AOOs and the consequences of accidents are acceptable.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-22 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES LCO (continued) 12. Departure from Nucleate Boiling Ratio (DNBR)-Low (continued)

A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function.

The CPC channels may be manually bypassed below 1E-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS logic circuitry. The operating bypass is removed when enabling bypass conditions are no longer satisfied.

This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off.

During special testing pursuant to LCO 3.1.12, the CPC channels may be manually bypassed when logarithmic power is below 5% RTP to allow special testing without generating a reactor trip.

Operating Bypasses The LCO on bypass permissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LCO for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

This LCO applies to the bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level-High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-23 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.6 (continued) The 120 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal.

SR 3.3.1.7 A CHANNEL FUNCTIONAL TEST on each channel is performed every 30 days on a STAGGERED TEST BASIS to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the CHANNEL FUNCTIONAL TEST for the Logarithmic Power Level-High channels to be performed 2 hours after THERMAL POWER drops below 1E-4% RTP and is required to be performed only if the RTCBs are closed. Not required if performed within the surveillance interval. The intent of Note 2, as justified in References 11 and 12, is to allow the CHANNEL FUNCTIONAL TEST to be performed 2 hours after reducing logarithmic power below 1E-4% RTP and only if the RTCBs are closed.

LCO 3.3.1 Action A permits plant operation with one or more Functions with one automatic RPS trip channel inoperable until MODE 2 entry following the next MODE 5 entry (provided the channel is placed in bypass or trip). During plant operation in that condition, CHANNEL FUNCTIONAL TESTS on the inoperable Functions in that channel are not required (SR 3.0.1), and n remains at 4, where n is the total number of channels in the definition of STAGGERED TEST BASIS.

Therefore, tests on the affected Functions in the remaining 3 channels may continue to be performed such that each channel is tested every 4 Surveillance Frequency intervals.

Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in Reference 7. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

(continued)

SAN ONOFRE--UNIT 3 B 3.3-32 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES

SURVEILLANCE REQUIREMENTS (continued) Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed.

The requirements for this verification are outlined in References 8 and 9.

Matrix Logic Tests Matrix Logic tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, holding power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Tests Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, thereby opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 120 days is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 9).

The CPC and CEAC channels and excore nuclear instrumentation channels are tested separately.

The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

The power range excore test signal is inserted at the drawer input, since there is no preamplifier.

SAN ONOFRE--UNIT 3 B 3.3-33 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES

SURVEILLANCE REQUIREMENTS

Trip Path Tests (continued)

The quarterly CPC CHANNEL FUNCTIONAL TEST is performed using software. This software includes preassigned addressable constant values that may differ from the current values.

Provisions are made to store the addressable constant values on a computer disk prior to testing and to reload them after testing. A Note is added to the Surveillance Requirements to verify that the CPC CHANNEL FUNCTIONAL TEST includes the correct values of addressable constants.

SR 3.3.1.8

A Note indicates that neutron detectors are excluded from CHANNEL CALIBRATION. A CHANNEL CALIBRATION of the power range neutron flux channels every 120 days ensures that the channels are reading accurately and within tolerance (Refs. 8, 9 and 10). The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

Operating experience has shown this Frequency to be satisfactory. The detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators.

SR 3.3.1.9

SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 24 months.

SAN ONOFRE--UNIT 3 B 3.3-34 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.1.9 (continued)

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical 24 month fuel cycle.

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal.

Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6).

SR 3.3.1.10

Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions.

The basis for the 24 month Frequency is that the CPCs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS.

This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

Operating experience has shown that undetected CPC or CEAC failures do not occur in any given 24 month interval.

SAN ONOFRE--UNIT 3 B 3.3-35 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.11

The three excore detectors used by each CPC channel for axial flux distribution information are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using shape annealing matrix elements in the CPC software.

After refueling, it is necessary to verify the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings. This is necessary to confirm that refueling did not produce a significant change in the CPC axial shape synthesis.

Incore detectors are inaccurate at low power levels < 15%.

THERMAL POWER should be significant but < 85% to perform an accurate axial shape calculation used to verify the shape annealing matrix elements.

By restricting power to ≤ 85% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided.

SR 3.3.1.12

SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to bypass functions and is performed once within 120 days prior to each startup. Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 120 days of startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 9). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed.

This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.7.

Therefore, further testing of the bypass function after startup is unnecessary.

SAN ONOFRE--UNIT 3 B 3.3-36 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.13

This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of n x 24 months, where n is the number of channels in the function. The Frequency of 24 months is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

REFERENCES

1. 10 CFR 20.
2. 10 CFR 100.
3. IEEE Standard 279-1971, April 5, 1972.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE-NPSD-570, Revision 3.

SAN ONOFRE--UNIT 3 B 3.3-37 Amendment No. 116 03/12/99

RPS Instrumentation-Operating B 3.3.1 BASES

REFERENCES (continued)

7. UFSAR, Section 7.2.
8. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
9. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.
10. Methodology for Developing Risk-Based Surveillance Programs for Safety-Related Equipment at San Onofre Nuclear Generating Station Units 2 and 3, PLG-0575, April 1992.
11. NRC Safety Evaluation Report for SONGS Unit 3 Operating License Amendment No. 142 dated February 12, 1999.
12. NRC Safety Evaluation Report for SONGS Unit 3 Operating License Amendment No. 136 dated November 23, 1998.

SAN ONOFRE--UNIT 3 B 3.3-37a Amendment No. 116 03/12/99

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

APPLICABLE SAFETY ANALYSES

The RPS functions to maintain the SLs during AOOs and mitigates the consequence of DBAs in all MODES in which the RTCBs are closed.

Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator Water Level-High.

The Steam Generator Water Level-High trip is purely equipment protective, and its use minimizes the potential for equipment damage.

The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.

In MODES 2, 3, 4, and 5, with the RTCBs closed, and the Control Element Assembly (CEA) Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when logarithmic power is < 1E-4% RTP. The indication and alarm portion must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. For events originating above this power level, other trips provide adequate protection.

MODES 3, 4, and 5, with the RTCBs closed, are addressed in this LCO. MODE 2 is addressed in LCO 3.3.1.

In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level-High trip does not have to be OPERABLE.

The RPS satisfies Criterion 3 of the NRC Policy Statement.

LCO

The LCO requires the Logarithmic Power Level-High RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel(s) inoperable and reduces the reliability of the affected Function.

SAN ONOFRE--UNIT 3 B 3.3-40 Amendment No. 116 12/9/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

LCO (continued)

Actions allow maintenance (trip channel) bypass of individual channels, but the bypass activates interlocks that prevent operation with a second channel in the same Function bypassed. With one channel in each Function trip channel bypassed, this effectively places the plant in a two-out-of-three logic configuration in those Functions.

Only the Allowable Values are specified for this RPS trip Function in the LCO. Nominal trip setpoints are specified in the plant specific setpoint calculations. The nominal setpoint is selected to ensure the setpoint measured by CHANNEL FUNCTIONAL TESTS does not exceed the Allowable Value if the bistable is performing as required. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable provided that operation and testing are consistent with the assumptions of the plant specific setpoint calculations.

Each Allowable Value specified is more conservative than the analytical limit assumed in the safety analysis in order to account for instrument uncertainties appropriate to the trip Function. These uncertainties are defined in PPS Setpoint Calculation CE-NPSD-570 (Ref. 4). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

This LCO requires all four channels of the Logarithmic Power Level-High to be OPERABLE in MODE 3, 4, or 5 when the RTCBs are closed and the CEA Drive System is capable of CEA withdrawal.

The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level-High reactor trips during normal plant operations.

The Allowable Value is low enough for the system to maintain a safety margin for unacceptable fuel cladding damage should a CEA withdrawal event occur.

The Logarithmic Power Level-High trip may be bypassed when logarithmic power is above 1E-4% RTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when logarithmic power decreases below 1E-4% RTP. Above 1E-4% RTP, the Linear Power Level - High

(continued)

SAN ONOFRE--UNIT 3 B 3.3-41 Amendment No. 116 12/9/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.1

Thus, performance of the CHANNEL CHECK guarantees that undetected overt channel failure is limited to 12 hours.

Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2

A CHANNEL FUNCTIONAL TEST on each channel, except power range neutron flux, is performed every 30 days on a STAGGERED TEST BASIS to ensure the entire channel will perform its intended function when needed. This SR is identical to SR 3.3.1.7. Only the Applicability differs.

LCO 3.3.2 Action A permits plant operation in MODES 3, 4, and 5 with one RPS logarithmic power level trip channel inoperable until MODE 2 entry following the next MODE 5 entry (provided the channel is placed in bypass or trip).

During plant operation in that condition, CHANNEL FUNCTIONAL TESTS on the inoperable trip channel are not required (SR 3.0.1), and n remains 4, where n is the total number of channels in the definition of STAGGERED TEST BASIS.

Therefore, tests of the 3 OPERABLE channels may continue to be performed such that each channel is tested every 4 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

The RPS CHANNEL FUNCTIONAL TEST consists of three overlapping tests as described in the FSAR, Section 7.2 (Ref. 3). These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include:

Bistable Tests

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed.

SAN ONOFRE--UNIT 3 B 3.3-48 Amendment No. 116 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS

Bistable Tests (continued)

The setpoint shall be left set consistent with the assumptions of the current plant specific setpoint analysis.

Matrix Logic Tests

Matrix Logic Tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, holding power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.

Trip Path Test

Trip path (Initiation Logic) tests are addressed in LCO 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result.

The Frequency of 120 days is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 6 and 7). The excore channels use preassigned test signals to verify proper channel alignment.

The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector.

SAN ONOFRE--UNIT 3 B 3.3-49 Amendment No. 116 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.3

SR 3.3.2.3 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.2.2, except SR 3.3.2.3 is applicable only to bypass functions and is performed once within 120 days prior to each startup. This SR is identical to SR 3.3.1.12. Only the Applicability differs.

Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips.

Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance within 120 days of startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 6 and 7). Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.2.2. Therefore, further testing of the bypass function after startup is unnecessary.

SR 3.3.2.4

SR 3.3.2.4 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is identical to SR 3.3.1.9. Only the Applicability differs.

CHANNEL CALIBRATION is a complete check of the instrument channel excluding the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle.

SAN ONOFRE--UNIT 3 B 3.3-50 Amendment No. 116 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.3.2.4 (continued)

The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal.

Slow changes in leakage of neutrons with core burnup are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4).

This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive tests of a given channel of n x 24 months, where n is the number of channels in the Function. The 24 month Frequency is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments, with verification that all components are tested.

SAN ONOFRE--UNIT 3 B 3.3-51 Amendment No. 116 09/18/98

RPS Instrumentation-Shutdown B 3.3.2 BASES (continued)

REFERENCES

1. 10 CFR 20.
2. 10 CFR 100.
3. SONGS Units 2 and 3 UFSAR, Section 7.2.
4. PPS Setpoint Calculation CE-NPSD-570.
5. NRC Safety Evaluation Report.
6. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
7. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 3 B 3.3-51a Amendment No. 116 09/18/98

CEACs B 3.3.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.3.2

The CEAC autorestart count is checked every 12 hours to monitor the CPC and CEAC for normal operation. If three or more autorestarts of a nonbypassed CPC occur within a 12 hour period, the CPC may not be completely reliable. Therefore, the Required Action of Condition D must be performed. The Frequency is based on operating experience that demonstrates the rarity of more than one channel failing within the same 12 hour interval.

SR 3.3.3.3

A CHANNEL FUNCTIONAL TEST on each CEAC channel is performed every 60 days on a STAGGERED TEST BASIS to ensure the entire channel will perform its intended function when needed. The quarterly CHANNEL FUNCTIONAL TEST is performed using test software. The Frequency of 60 days on a STAGGERED TEST BASIS is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 4 and 5).

LCO 3.3.3 Actions A and B permit plant operation with one or both CEACs inoperable (provided the Required Actions are performed). During plant operation with both CEACs inoperable, CHANNEL FUNCTIONAL TESTS on the inoperable CEACs are not required (SR 3.0.1). During plant operation with one CEAC inoperable, CHANNEL FUNCTIONAL TESTS on the inoperable CEAC are not required (SR 3.0.1) and n remains at 2, where n is the total number of channels in the definition of STAGGERED TEST BASIS. Therefore, tests of the OPERABLE CEAC may continue to be performed every 2 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

The method of injecting simulated process data during the functional testing of the CEACs is described in the General Software Specification for the CEACs. When the CEAC is placed "in test," periodic test #2 causes the substitution of "simulated process data" in the real time data base. The program algorithms are then executed and the calculated results of the algorithm are then compared to expected results stored in the test record. An error message is generated if the results do not match.

SAN ONOFRE--UNIT 3 B 3.3-60 Amendment No. 116 09/18/98

CEACs B 3.3.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.3.4

SR 3.3.3.4 is the performance of a CHANNEL CALIBRATION every 24 months.

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

The RSPTs are rigid tubes containing a string of fixed resistors and reed switches encapsulated in a solid material. The RSPT is clamped into position on the control element drive mechanism (CEDM) shroud. Therefore, due to their construction, the individual RSPTs are not subject to drift within the reed switch string. However, the entire RSPT string may drift due to mechanical repositioning within the clamp. A mechanical zero check calibration is performed to ensure proper RSPT positioning.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle.

SR 3.3.3.5

Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY, including alarm and trip Functions.

The basis for the 24 month Frequency is that the CEACs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS.

This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

SAN ONOFRE--UNIT 3 B 3.3-61 Amendment No. 116 09/18/98

CEACs B 3.3.3 BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.3.5 (continued)

Operating experience has shown that undetected CPC or CEAC failures do not occur in any given 24 month interval.

SR 3.3.3.6

The isolation characteristics of each CEAC CEA position isolation amplifier and each optical isolator for CEAC to CPC data transfer are verified once per refueling to ensure that a fault in a CEAC or a CPC channel will not render another CEAC or CPC channel inoperable. The CEAC CEA position isolation amplifiers, mounted in CPC cabinets A and D, prevent a CEAC fault from propagating back to CPC A or D. The optical isolators for CPC to CEAC data transfer prevent a fault originating in any CPC channel from propagating back to any CEAC through this data link.

The Frequency is based on plant operating experience with regard to channel OPERABILITY, which demonstrates the failure of a channel in any 24 month interval is rare.

REFERENCES 1. 10 CFR 20.

2. 10 CFR 100.
3. SONGS Units 2 and 3 UFSAR, Section 7.2.
4. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
5. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 3 B 3.3-62 Amendment No. 116 09/18/98

ESFAS Instrumentation B 3.3.5 BASES

LCO

b. Pressurizer Pressure-Low (continued)

The Allowable Value for this trip is set low enough to prevent actuating ESF Functions (SIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accidents, the ESF systems will actuate to perform as expected, mitigating the consequences of the accident.

The Pressurizer Pressure-Low trip setpoint, which provides SIAS, and RPS trip, may be manually decreased to a floor value of 300 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, or SIAS. The margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psia) to ensure a reactor trip, and SIAS will occur if required during RCS cooldown and depressurization.

From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached.

The Pressurizer Pressure - Low trip and the SIAS Function may be simultaneously bypassed when RCS pressure is below 400 psia, when neither the reactor trip nor an inadvertent SIAS actuation are desirable and these Functions are no longer needed to protect the plant. The bypass is automatically removed as RCS pressure exceeds 500 psia (the corresponding bistable allowable value is ≤ 472 psia). The ≤ 472 psia value represents an allowable value which includes margin to account for instrument loop uncertainties and ensures the 500 psia analytical limit will not be exceeded.

Operating Bypass Removal

This LCO requires four channels of bypass removal for Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2, and 3.

SAN ONOFRE--UNIT 3 B 3.3-87 Amendment No. 116 02/24/99

ESFAS Instrumentation B 3.3.5 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.2 and SR 3.3.5.3

A CHANNEL FUNCTIONAL TEST is performed every 30 days on a STAGGERED TEST BASIS for SR 3.3.5.2 to ensure the entire channel will perform its intended function when needed.

LCO 3.3.5 Action A permits plant operation with one or more Functions with one automatic ESFAS trip channel inoperable until MODE 2 entry following the next MODE 5 entry (provided the Functional Unit is placed in bypass or trip). During plant operation in that condition, CHANNEL FUNCTIONAL TESTS on the inoperable Functions in that channel are not required (SR 3.0.1), and n remains at 4, where n is the total number of channels in the definition of STAGGERED TEST BASIS. Therefore, tests on the affected Functions in the remaining 3 channels may continue to be performed such that each channel is tested every 4 Surveillance Frequency intervals.

Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.
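The STAGGERED TEST BASIS clarification above, and the matching RPS and CEAC passages earlier in these Bases, can be checked with a small schedule model. This is an added example, not part of the SONGS Bases; the channel labels, the one-slot-per-Frequency-interval model and the `shrink_n` contrast case are assumptions made for illustration.

```python
"""Staggered test rotation with one inoperable channel (constructed example)."""
from collections import defaultdict


def staggered_schedule(channels, frequency_days, slots, inoperable=(),
                       shrink_n=False):
    """Return [(day, channel_or_None), ...], one slot per Frequency interval.

    shrink_n=False is the reading stated in the Bases: n stays at the total
    number of channels, so the inoperable channel keeps its place in the
    rotation and that slot is left empty (its test is not required).
    shrink_n=True is a contrasting reading, shown only for comparison, in
    which the rotation is rebuilt over the operable channels alone.
    """
    channels = list(channels)
    inoperable = set(inoperable)
    unknown = inoperable - set(channels)
    if unknown:
        raise ValueError(f"unknown channel(s): {sorted(unknown)}")
    rotation = [c for c in channels if not (shrink_n and c in inoperable)]
    if not rotation:
        raise ValueError("no channel left in the rotation")
    schedule = []
    for slot in range(slots):
        channel = rotation[slot % len(rotation)]
        tested = None if channel in inoperable else channel
        schedule.append((slot * frequency_days, tested))
    return schedule


def channel_intervals(schedule):
    """Map each tested channel to the sorted distinct gaps (days) between its tests."""
    days = defaultdict(list)
    for day, channel in schedule:
        if channel is not None:
            days[channel].append(day)
    return {c: sorted({b - a for a, b in zip(d, d[1:])})
            for c, d in days.items()}


def channels_off_basis(schedule, n, frequency_days):
    """Return channels whose test-to-test gap is not exactly n Frequency intervals."""
    expected = [n * frequency_days]
    return sorted(c for c, gaps in channel_intervals(schedule).items()
                  if gaps != expected)


if __name__ == "__main__":
    # Constructed case: four trip channels, 30 day Frequency, channel C inoperable.
    kept = staggered_schedule(["A", "B", "C", "D"], 30, 12, inoperable=["C"])
    shrunk = staggered_schedule(["A", "B", "C", "D"], 30, 12,
                                inoperable=["C"], shrink_n=True)
    print("n stays 4 :", channel_intervals(kept))
    print("n shrinks :", channel_intervals(shrunk))
    print("off basis :", channels_off_basis(shrunk, n=4, frequency_days=30))
```
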

The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.5.3, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing.

SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized.

SR 3.3.5.3 is performed every 120 days to verify ESFAS channel bypass removal function.

These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests.

A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected PPS trip channel bypassed.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-101 Amendment No. 116 09/18/98

ESFAS Instrumentation B 3.3.5

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.4 and SR 3.3.5.5

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor, and the bypass removal functions, if applicable. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

SR 3.3.5.6

This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety analyses.

Response time testing acceptance criteria are included in Reference 9.

ESF RESPONSE TIME tests are conducted on a STAGGERED TEST BASIS of once every 24 months. The 24 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.5.7

SR 3.3.5.7 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2 and SR 3.3.5.3, except SR 3.3.5.7 is performed within 120 days prior to startup and is only applicable to bypass functions. Since the Pressurizer Pressure-Low

(continued)

SAN ONOFRE--UNIT 3 B 3.3-102 Amendment No. 116 09/18/98

ESFAS Instrumentation B 3.3.5

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.5.7 (continued)

bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13.

The CHANNEL FUNCTIONAL TEST for proper operation of the bypass permissives is critical during plant heatups because the bypasses may be in place prior to entering MODE 3 but must be removed at the appropriate points during plant startup to enable the ESFAS Function. Consequently, just prior to startup is the appropriate time to verify bypass function OPERABILITY. Once the bypasses are removed, the bypasses must not fail in such a way that the associated ESFAS Function is inappropriately bypassed. This feature is verified by SR 3.3.5.2. The allowance to conduct this test once within 120 days prior to each reactor startup is based on a plant specific report based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Refs. 8 and 10).

REFERENCES

1. SONGS Units 2 and 3 UFSAR, Section 7.3.
2. 10 CFR 50, Appendix A.
3. IEEE Standard 279-1971.
4. SONGS Units 2 and 3 UFSAR, Chapter 15.
5. 10 CFR 50.49.
6. PPS Setpoint Calculation CE-NPSD-570.
7. SONGS Units 2 and 3 UFSAR, Section 7.2.
8. CEN-327, May 1986, including Supplement 1, March 1989.
9. Licensee Controlled Specification 3.3.100, "RPS/ESFAS Response Times."
10. RPS/ESFAS Extended Test Interval Evaluation for 120 Days Staggered Testing at SONGS Units 2 and 3, Calculation Number 09/010-AS93-C-002, November 1993.

SAN ONOFRE--UNIT 3 B 3.3-103 Amendment No. 116 02/24/99

CRIS B 3.3.9

BASES (continued)

APPLICABLE SAFETY ANALYSES

The CRIS, in conjunction with the Control Room Emergency Air Cleanup System (CREACUS), maintains the control room atmosphere within conditions suitable for prolonged occupancy throughout the duration of any one of the accidents discussed in Reference 1. The radiation exposure of control room personnel, through the duration of any one of the postulated accidents discussed in "Accident Analysis," SONGS Units 2 and 3 UFSAR, Chapter 15 (Ref. 1), does not exceed the limits set by 10 CFR 50, Appendix A, GDC 19 (Ref. 3).

LCO

LCO 3.3.9 requires one channel of CRIS to be OPERABLE. The required channel consists of Actuation Logic, Manual Trip, and gaseous radiation monitors. The specified value for the setpoint of the CRIS is listed in the SR.

The Bases for the LCO on the CRIS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip backs up the automatic trips and ensures operators have the capability to rapidly initiate the CRIS Function if any parameter is trending toward its setpoint. One channel must be OPERABLE. This considers that the Manual Trip capability is a backup and that other means are available to actuate the redundant train if required, including manual SIAS.

b. Airborne Radiation

One channel of Airborne Radiation detection in the required train is required to be OPERABLE to ensure the control room isolates on high gaseous concentration.

c. Actuation Logic

One train of Actuation Logic must be OPERABLE, since there are alternate means available to actuate the redundant train, including SIAS.

The CRIS function actuates the CREACUS system. Therefore, if a train of CREACUS is inoperable, the associated train of CRIS is not capable of performing its specified function and must also be considered inoperable.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-146 Amendment No. 116 03/19/98

FHIS B 3.3.10

B 3.3 INSTRUMENTATION

B 3.3.10 Fuel Handling Isolation Signal (FHIS)

BASES

BACKGROUND

This LCO encompasses FHIS actuation, an instrumentation channel that performs an actuation Function for plant protection but is not otherwise included in LCO 3.3.6, "Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip," or LCO 3.3.7, "Diesel Generator (DG)-Undervoltage Start." This is a non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design, and operating requirements, is not included in LCO 3.3.6 and LCO 3.3.7.

The FHIS provides protection from radioactive contamination in the spent fuel pool area in the event that a spent fuel element ruptures. The FHIS will detect radioactivity from fission products in the fuel and will initiate appropriate actions so the release to the environment is limited. More detail is provided in Reference 1.

The FHIS includes two independent, redundant subsystems, including actuation trains. Each train employs a separate sensor to detect gaseous activity. If the bistable monitoring the sensor indicates an unsafe condition, that train will be actuated (one-out-of-two logic). The two trains actuate separate equipment.

Trip Setpoints and Allowable Values

The bistable trip setpoints are set sufficiently high to prevent spurious alarm/trips yet sufficiently low to assure an alarm/trip should a fuel rupture accident occur (Reference 2). The Allowable Value specified in SR 3.3.10.2 appears in Reference 3.

The actual nominal trip setpoints entered into the bistables are more conservative than that specified by the Allowable Value. If a measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-152 Amendment No. 116 12/17/98

FHIS B 3.3.10

BASES

BACKGROUND

Trip Setpoints and Allowable Values (continued)

A setpoint in accordance with the Allowable Value will help mitigate the consequences of a fuel rupture accident.

APPLICABLE SAFETY ANALYSES

The FHIS isolates the Fuel Handling Building normal ventilation system and automatically initiates the recirculation and filtration systems in the event of a fuel rupture accident in the Fuel Handling Building. The FHIS helps mitigate the consequences for the dropping of a spent fuel bundle breaching up to 60 fuel pins, or dropping a Spent Fuel Pool gate, breaching up to 236 fuel pins.

The FHIS satisfies the requirements of Criterion 3 of the NRC Policy Statement.

LCO

LCO 3.3.10 requires one channel of FHIS to be OPERABLE. The required channel consists of Actuation Logic, Manual Trip, and gaseous radiation monitor. The specific Allowable Value for the setpoint of the FHIS is listed in the SRs.

Only the Allowable Value is specified for the trip Function in the SRs. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that the difference between the nominal trip setpoint and the Allowable Value is equal to or greater than the drift allowance assumed for each trip in the transient and accident analyses.

The Bases for the LCO on the FHIS are discussed below for each Function:

a. Manual Trip

The LCO on Manual Trip ensures that the FHIS Function can easily be initiated if any parameter is trending rapidly toward its setpoint. Components can be actuated independently of the FHIS.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-153 Amendment No. 116 12/17/98

FHIS B 3.3.10

BASES

LCO (continued)

b. Airborne Radiation

The LCO on the gaseous radiation monitor channel requires that the channel be OPERABLE for automatic initiation capability and for Control Room indication in support of the Manual Trip function.

c. Actuation Logic

The LCO on the Actuation Logic ensures manual and automatic actuation capability.

APPLICABILITY

One FHIS channel is required to be OPERABLE during movement of irradiated fuel in the fuel building. The FHIS isolates the Fuel Handling Building and automatically initiates the recirculation and filtration systems in the event of a fuel rupture accident.

ACTIONS

An FHIS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the Allowable Value. Typically, the drift is not large and would result in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it within specification. If the trip setpoint is not consistent with the Allowable Value in SR 3.3.10.2, the channel must be declared inoperable immediately and the appropriate Conditions must be entered.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the sensor, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel are required to be declared inoperable and the LCO Condition entered for the particular protective function affected.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-154 Amendment No. 116 12/17/98

FHIS B 3.3.10

BASES

ACTIONS (continued)

A.1 and A.2

Condition A applies to FHIS Manual Trip, Actuation Logic, and required gaseous radiation monitor inoperable during movement of irradiated fuel in the fuel handling building.

The Required Actions are to place one OPERABLE PACU train in operation, or suspend movement of irradiated fuel in the fuel building. These Required Actions are required to be completed immediately. The Completion Time accounts for the higher likelihood of releases in the Fuel Handling Building during fuel handling.

SURVEILLANCE REQUIREMENTS

SR 3.3.10.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit.

The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure.

Thus, performance of the CHANNEL CHECK guarantees that undetected overt channel failure is limited to 12 hours.

Since the probability of two random failures in redundant channels in any 12 hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to

(continued)

SAN ONOFRE--UNIT 3 B 3.3-155 Amendment No. 116 12/17/98

FHIS B 3.3.10

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.10.1 (continued)

failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.10.2

A CHANNEL FUNCTIONAL TEST is performed on the required fuel building radiation monitoring channel to ensure the entire channel will perform its intended function.

The setpoint shall be left set consistent with the Allowable Value.

The Frequency of 92 days is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 92 day Frequency is a rare event.

SR 3.3.10.3

Proper operation of the individual initiation relays is verified by actuating these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic every 18 months.

This will actuate the Function, operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Frequency of 18 months is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function during any 18 month Frequency is a rare event.

A Note to the SR indicates that this Surveillance includes verification of operation for each initiation relay.

SR 3.3.10.4

Every 18 months, a CHANNEL FUNCTIONAL TEST is performed on the FHIS Manual Trip channel.

This Surveillance verifies that the trip push buttons are capable of opening contacts in the Actuation Logic as

(continued)

SAN ONOFRE--UNIT 3 B 3.3-156 Amendment No. 116 12/17/98

FHIS B 3.3.10

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.10.4 (continued)

designed, de-energizing the initiation relays and providing Manual Trip of the Function. Operating experience has shown these components usually pass the Surveillance when performed at a Frequency of once every 18 months.

SR 3.3.10.5

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis.

As found and as left channel calibration values are recorded. If the as found calibration is outside its Allowable Value, the plant specific setpoint analysis may be revised as appropriate, if the history of this setpoint and all other pertinent information indicate a need for setpoint revision. The setpoint analysis shall be revised before the next time this channel is calibrated.

The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis.

REFERENCES

1. SONGS Units 2 and 3 UFSAR, Chapter 9.
2. SONGS Unit 3 Technical Specification Amendment No. 45.
3. Combustion Engineering Owners' Group Standard Technical Specifications, NUREG-1432.


SAN ONOFRE--UNIT 3 B 3.3-157 Amendment No. 116 12/17/98


PAM Instrumentation B 3.3.11

BASES

BACKGROUND (continued)

Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public as well as to obtain an estimate of the magnitude of any impending threat.

These key variables are identified by plant specific Regulatory Guide 1.97 analyses (Ref. 1). These analyses identified the plant specific Type A variables and provided justification for deviating from the NRC proposed list of Category I variables.

Two channels are required to be OPERABLE for all but five Functions. Two OPERABLE channels ensure that no single failure within the PAMI or its auxiliary supporting features or power sources, concurrent with failures that are a condition of or result from a specific accident, prevents operators from being presented the information necessary for them to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following that accident.

In Table 3.3.11-1, the exceptions to the two channel requirement are Containment Isolation Valve Position, Auxiliary Feedwater Flow, Pressurizer Safety Valve Position, HPSI Flow Cold Leg, Te, T, and HPSI Flow Hot Leg.

Two OPERABLE core exit thermocouples are required for each channel in each quadrant to provide indication of the coolant temperature rise across separate quadrants of the core. Power distribution symmetry was considered in determining the specific number and locations provided for diagnosis of local core problems. Plant specific evaluations in response to Item II.F.2 of NUREG-0737 (Ref. 3) have concluded that specific thermocouple pairings within a core quadrant are not necessary to satisfy these requirements.

(continued)

SAN ONOFRE--UNIT 3 B 3.3-160 Amendment No. 116 02 0 99 Reissued on 06 2 99

PAM Instrumentation B 3.3.11

BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.11.4

A CHANNEL CALIBRATION is performed every 18 months. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies the channel responds to the measured parameter within the necessary range and accuracy.

The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 18 month calibration interval for the determination of the magnitude of equipment drift.

SR 3.3.11.5

A CHANNEL CALIBRATION is performed every 24 months for the Containment Area Radiation Monitor.

REFERENCES

1. SONGS Units 2 and 3 Regulatory Guide 1.97 Instrumentation Report #90065, Rev. 0, dated October 1, 1992.
2. Regulatory Guide 1.97, Revision 2.
3. NUREG-0737, Attachment 1.

SAN ONOFRE--UNIT 3 B 3.3-175 Amendment No. 116 02 99 Reissued on 06 99

Remote Shutdown System B 3.3.12

B 3.3 INSTRUMENTATION

B 3.3.12 Remote Shutdown System

BASES

BACKGROUND

The Remote Shutdown System provides the control room operator with sufficient instrumentation to place and maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator safety valves or the steam generator atmospheric dump valves can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allow extended operation in MODE 3.

In the event that the control room becomes inaccessible, the operators can establish control using the remote shutdown system and place and maintain the unit in MODE 3. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time. Note: Not all of the Remote Shutdown System instrumentation and controls are located on the remote shutdown panel.

The OPERABILITY of the Remote Shutdown System instrumentation Functions ensures that there is sufficient information available on selected plant parameters to bring the plant to, and maintain it in, MODE 3 should the control room become inaccessible.

APPLICABLE SAFETY ANALYSES

The Remote Shutdown System is required to provide equipment at appropriate locations outside the control room with a capability to promptly shut down the plant and maintain it in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in

(continued)

SAN ONOFRE - UNIT 3 B 3.3-176 Amendment No. 116 10/30/98

Remote Shutdown System B 3.3.12

BASES

APPLICABLE SAFETY ANALYSES (continued)

10 CFR 50, Appendix A, GDC 19 (Ref. 1).

The Remote Shutdown System has been identified as an important contributor to the reduction of plant accident risk and, therefore, has been retained in the Technical Specifications, as indicated in the NRC Policy Statement.

LCO

The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation required are listed in Table 3.3.12-1 in the accompanying LCO. The number of channels that fulfill GDC-19 requirements for the number of OPERABLE channels required is part of the licensing basis as described in the Safety Evaluation Report (Ref. 2).

Instrumentation is required for:

- Reactivity Control (initial and long term);
- Vital Auxiliaries
- RCS Inventory Control;
- RCS Pressure Control;
- Safety support systems for the above Functions, component cooling water, and onsite power including the diesel generators.

A Function of a Remote Shutdown System is OPERABLE if all instrument channels needed to support the remote shutdown Functions are OPERABLE. In some cases, Table 3.3.12-1 may indicate that the required information is available from several alternative sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternative information for each Function is OPERABLE.

The Remote Shutdown System instrumentation circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the

(continued)

SAN ONOFRE - UNIT 3 B 3.3-177 Amendment No. 116 10/30/98

Remote Shutdown System B 3.3.12

BASES

ACTIONS

A.1 (continued)

operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2

If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.12.1

Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK for normally energized instrumentation is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

For Essential Plant Parameter Monitoring panel L-411, the following instruments are not normally energized. For these instruments, the CHANNEL CHECK consists of verifying that

(continued)

SAN ONOFRE - UNIT 3 B 3.3-179 Amendment No. 116 9/24/98

Remote Shutdown System B 3.3.12

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.12.1 (continued)

the instrument reads as expected for the deenergized condition, thereby verifying that no easily recognized gross physical damage has occurred.

LI-1106 Steam Generator E-088 Narrow Range Level
PI-0100A Pressurizer High Range Pressure
LI-0103A Pressurizer Level
LI-1105 Steam Generator E-089 Narrow Range Level

The Frequency is based on plant operating experience that demonstrates channel failure is rare.

SR 3.3.12.2

CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to the measured parameter within the necessary range and accuracy.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 19.
2. NUREG-0712 NRC Safety Evaluation Report (SER), dated February 1981.

(continued)

SAN ONOFRE - UNIT 3 B 3.3-180 Amendment No. 116 9/24/98

RCS DNB (Pressure, Temperature, and Flow) Limits B 3.4.1

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS DNB (Pressure, Temperature, and Flow) Limits

BASES

BACKGROUND

These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety analyses. The safety analyses (Ref. 1) of anticipated operational occurrences and design basis accidents assume initial conditions within the normal steady state envelope. The limits placed on DNB related parameters ensure that these parameters will not be less conservative than were assumed in the analyses and thereby provide assurance that the minimum departure from nucleate boiling ratio (DNBR) will meet the required criteria for each of the transients analyzed.

The LCO limits for minimum and maximum RCS pressures as measured at the pressurizer are consistent with operation within the nominal operating envelope and are bounded by those used as the initial pressures in the analyses.

The LCO limits for minimum and maximum RCS cold leg temperatures are consistent with operation at the indicated power level and are bounded by those used as the initial temperatures in the analyses.

The LCO limit for minimum RCS volumetric flow rate bounds that used as the initial flow rate in the analyses. The RCS volumetric flow rate is not expected to vary during plant operation with all pumps running.

APPLICABLE SAFETY ANALYSES

The requirements of LCO 3.4.1 represent the initial conditions for DNB limited transients analyzed in the safety analyses (Ref. 1). The safety analyses have shown that transients initiated from the limits of this LCO will meet the DNBR criterion of ≥ 1.31. This is the acceptance limit for the RCS DNB parameters. Changes to the facility that could impact these parameters must be assessed for their impact on the DNBR criterion. The transients analyzed for include loss of coolant flow events and dropped or stuck control element assembly (CEA) events. A key assumption for the analysis of these events is that the core is operated

(continued)

SAN ONOFRE--UNIT 3 B 3.4-1 Amendment No. 116 02/24/99

RCS DNB (Pressure, Temperature, and Flow) Limits B 3.4.1

BASES

APPLICABLE SAFETY ANALYSES (continued)

within the limits of LCO 3.1.7, "Regulating CEA Insertion Limits"; LCO 3.1.8, "Part Length CEA Insertion Limits"; LCO 3.2.3, "AZIMUTHAL POWER TILT (Tq)"; and LCO 3.2.5, "AXIAL SHAPE INDEX (ASI)". The safety analyses are performed over the following range of initial values: RCS pressure 2000 - 2300 psia, core inlet temperature 533 - 560°F (for > 30% power), and 520 - 560°F (for ≤ 30% power) and reactor vessel inlet coolant volumetric flow rate ≥ 95%.

The RCS Pressure, Temperature, and Flow limits satisfy Criterion 2 of the NRC Policy Statement.

LCO

This LCO specifies limits on the monitored process variables - RCS pressurizer pressure, RCS cold leg temperature - to ensure that the core operates within the limits assumed for the plant safety analyses. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

The LCO numerical values for pressure and temperature are given for the measurement location but have not been adjusted for instrument error. The uncertainties for pressure and temperature are accounted for in the CPC and COLSS overall uncertainty analyses. The RCS flow uncertainty must be applied to the value stated in this LCO.

APPLICABILITY

In MODE 1, the limits on RCS pressurizer pressure, RCS cold leg temperature, and RCS flow rate must be maintained during steady state operation in order to ensure that DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. In all other MODES, the power level is low enough so that DNBR is not a concern.

A Note has been added to indicate the limit on pressurizer pressure may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-2 Amendment No. 116 02/24/99

RCS DNB (Pressure, Temperature, and Flow) Limits B 3.4.1

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.1.2

Since Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits, the 12 hour Surveillance Frequency for cold leg temperature is sufficient to ensure that the RCS coolant temperature can be restored to a normal operation, steady state condition following load changes and other expected transient operations. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.

SR 3.4.1.3

The 12 hour Surveillance Frequency for RCS total flow rate has been shown by operating experience to be sufficient to assess for potential degradation and to verify operation is within safety analysis assumptions.

The 12 hour Surveillance Frequency for RCS total flow rate is normally performed using the Core Operating Limits Supervisory System (COLSS) generated flow. COLSS utilizes sensor inputs of RCP speed, RCP differential pressure, cold leg temperature, and Pressurizer pressure to calculate the volumetric flow through each RCP. Total RCS flow is then calculated by COLSS as the sum of the flows of each of the four RCPs.

When COLSS is out of service, RCS Volumetric Flowrate is determined manually. An evaluation of the heat balance between primary and secondary plant powers is the preferred method. The heat balance involves first determining the RCS mass flow rate and then converting it to volumetric flow rate using the RCS fluid conditions at the discharge of the Reactor Coolant Pumps (RCPs). Another acceptable methodology is to determine RCS Volumetric Flowrate by performing an evaluation of the differential pressure across each RCP.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-5 Amendment No. 116 02/24/99

LTOP System RCS Temperature ≤ 246°F B 3.4.12.1

BASES

SURVEILLANCE REQUIREMENTS

SR 3.4.12.1.3 (continued)

b. Once every 31 days for a valve that is locked, sealed, or otherwise secured open and once every 31 days for open flanged RCS penetrations.

The passive vent arrangement must only be open to be OPERABLE. This Surveillance need only be performed if the vent is being used to satisfy the requirements of this LCO.

The Frequencies consider operating experience with mispositioning of unlocked and locked vent valves, respectively.

SR 3.4.12.1.4 and SR 3.4.12.1.5

When one or both SDCS Relief Valve isolation valve(s) in one isolation valve pair becomes inoperable, the other OPERABLE SDCS Relief Valve isolation valve pair is verified in a power-lock open condition every 12 hours to preclude a single failure which might cause undesired mechanical motion of one or both of the OPERABLE SDCS Relief Valve isolation valve(s) in a single isolation valve pair and result in loss of system function.

This surveillance requirement, SR 3.4.12.1.4, is modified by two notes. Note 1 requires performance of this SR when the SDCS Relief Valve isolation valve pair is inoperable. Note 2 specifies that the power lock-open requirement is satisfied either with the AC breakers open for valve pair 3HV9337 and 3HV9339 or the regulating transformer output breakers open for valve pair 3HV9377 and 3HV9378, whichever valve pair is OPERABLE.

When both pairs of SDCS Relief Valve isolation valves are OPERABLE and the SDCS Relief Valve is used for overpressure protection, the isolation valves are verified open every 72 hours.

SR 3.4.12.1.6

The SDCS Relief Valve Setpoint is verified periodically in accordance with the Inservice Testing Program.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-63 Amendment No. 116 03/30/99

RCS Operational LEAKAGE B 3.4.13

BASES (continued)

APPLICABLE SAFETY ANALYSES

Except for primary to secondary LEAKAGE, the safety analyses do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 1 gpm primary to secondary LEAKAGE as the initial condition.

Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a steam line break (SLB) accident. To a lesser extent, other accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube rupture (SGTR). The leakage contaminates the secondary fluid.

The UFSAR (Ref. 3) analysis for SGTR assumes the contaminated secondary fluid is only briefly released via safety valves and the majority is steamed to the condenser. The 1 gpm primary to secondary LEAKAGE is relatively inconsequential.

The SLB is more limiting for site radiation releases. The safety analysis for the SLB accident assumes 1 gpm primary to secondary LEAKAGE in one generator as an initial condition. The dose consequences resulting from the SLB accident are well within the limits defined in 10 CFR 50 or the staff approved licensing basis (i.e., a small fraction of these limits).

RCS operational LEAKAGE satisfies Criterion 2 of the NRC Policy Statement.

LCO

RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE

No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. With the exception of LEAKAGE past a mechanical nozzle seal assembly, LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-71 Amendment No. 116 01/27/98

RCS Operational LEAKAGE B 3.4.13

BASES

LCO (continued)

b. Unidentified LEAKAGE

One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c. Identified LEAKAGE

Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of identified LEAKAGE and is well within the capability of the RCS makeup system. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leaktight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.

d. Primary to Secondary LEAKAGE through All Steam Generators (SGs)

Total primary to secondary LEAKAGE amounting to 1 gpm through all SGs produces acceptable offsite doses in the SLB accident analysis. Violation of this LCO could exceed the offsite dose limits for this accident analysis. A more conservative LCO limit of 150 Gallons per day (GPD) through each steam generator is imposed to address steam generator tube sleeving and steam generator tube degradation. This limit is imposed on both SGs in Unit 3 following installation of a steam generator tube sleeve in either SG. The relationship between leakage limits and tube degradation and sleeving is discussed in the following section f. Primary to secondary LEAKAGE must be included in the total allowable limit for identified LEAKAGE.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-72 Amendment No. 116 9/24/98

RCS Operational LEAKAGE B 3.4.13

BASES

LCO (continued)

e. Primary to Secondary LEAKAGE through Any One SG

The 720 gallon per day limit on primary to secondary LEAKAGE through any one SG allocates the total 1 gpm allowed primary to secondary LEAKAGE equally between the two generators. A limit of 150 Gallons per day through any one steam generator is imposed on Unit 3 following installation of steam generator tube sleeves.

f. Steam generator tube degradation such as stress corrosion cracking defects may occur and propagate from inside or from the outside of the tubes, particularly in the areas within the tubesheet and immediately above the tubesheet. Stress corrosion cracking is also seen in U-bends and in the tubes within the tube support eggcrates. Crack-like indications shall be removed from service by plugging or repaired by sleeving. The technical basis for sleeving is described in the current NRC approved ABB-CE Technical report - CEN-630 P Revision 2 "Repair of 3/4" O.D. Steam Generator Tubes Using Leak Tight Sleeves." This includes the installation process and heat treatment process. Heat treatment at 1300°F to 1425°F will be performed for 3 to 5 minutes to reduce residual stresses. The qualification of the sleeves for eddy current examination of the sleeve/tube pressure boundary is described in ABB-CE report 96-0SW-003-P Revision 00, "EPRI Steam Generator Examination Guidelines Appendix H Qualification for Eddy Current Plus-Point Probe Examination of ABB-CE Welded Sleeves."

The periods between inspections account for the growth of incipient cracking to ensure that cracks do not develop in service and grow to a size that would risk tube burst or sleeve burst during normal operating conditions or during accident or faulted conditions.

This methodology and the structural margin criteria are stated in Regulatory Guide 1.121.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-73 Amendment No. 116 9/24/98

RCS Operational LEAKAGE B 3.4.13

BASES

LCO (continued)

In spite of steam generator repair and analysis to restore and demonstrate adequate margins against tube rupture, leakage has been experienced from tubes and sleeves in PWR steam generators. Active steam generator tube degradation increases the probability of leakage. Active steam generator tube leakage has been seen in the industry to be a frequent precursor to tube rupture. As an effort to reduce the frequency and consequences of tube ruptures, Regulators and the industry have, as a conservative measure, developed primary-to-secondary steam generator tube leakage guidelines that entail lower primary-to-secondary leakage limits from steam generator tubes. These lower limits are documented in EPRI TR-104788, "PWR Primary-to-Secondary Leak Guidelines" which describes leak measurement methods and limitations. A primary-to-secondary leakage limit of 150 GPD per steam generator is a conservative and achievable detection limit. Leakage in excess of this limit will require plant shutdown and an unscheduled inspection, during which the leaking tube will be located and plugged or repaired by sleeving.

APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

ACTIONS

A.1

Unidentified LEAKAGE, identified LEAKAGE, or primary to secondary LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2

If any pressure boundary LEAKAGE exists or if unidentified, identified, or primary to secondary LEAKAGE cannot be reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. The reactor must be brought to MODE 3 within 6 hours and to MODE 5 within 36 hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-74 Amendment No. 116 9/24/98

RCS Operational LEAKAGE B 3.4.13

BASES

ACTIONS

B.1 and B.2 (continued)

The allowed Completion Times are reasonable, based on operating experience, to reach the required conditions from full power conditions in an orderly manner and without challenging plant systems. In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.

SURVEILLANCE REQUIREMENTS

SR 3.4.13.1

Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection.

Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance. Primary to secondary LEAKAGE is also measured by performance of an RCS water inventory balance in conjunction with effluent monitoring within the secondary steam and feedwater systems.

This requirement is typically satisfied continuously by a radiation annunciator which detects primary to secondary leakage not being in the alarm state.

The RCS water inventory balance must be performed with the reactor at steady state operating conditions. Therefore, this SR is not required to be performed in MODES 3 and 4, until 12 hours of steady state operation have elapsed.

Steady state operation is required to perform a proper water inventory balance; calculations during maneuvering are not useful and a Note requires the Surveillance to be met when steady state is established. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

(continued)

SAN ONOFRE--UNIT 3 B 3.4-75 Amendment No. 116 9/24/98

RCS Operational LEAKAGE B 3.4.13

BASES

SURVEILLANCE REQUIREMENTS

SR 3.4.13.1 (continued)

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. These leakage detection systems are specified in LCO 3.4.15, "RCS Leakage Detection Instrumentation."

The 72 hour Frequency is a reasonable interval to trend LEAKAGE and recognizes the importance of early leakage detection in the prevention of accidents. A Note under the Frequency column states that this SR is required to be performed during steady state operation.

If a transient evolution is occurring 72 hours from the last water inventory balance, then a water inventory balance shall be performed within 120 hours of the last water inventory balance.

SR 3.4.13.2

This SR provides the means necessary to determine SG OPERABILITY in an operational MODE. The requirement to demonstrate SG tube integrity in accordance with the Steam Generator Tube Surveillance Program emphasizes the importance of SG tube integrity, even though this Surveillance cannot be performed at normal operating conditions.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 30.
2. Regulatory Guide 1.45, May 1973.
3. UFSAR, Section 15.

SAN ONOFRE--UNIT 3 B 3.4-75a Amendment No. 116 9/24/98

SITs B 3.5.1

BASES

ACTIONS

A.1 (continued)

during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of three SITs, the consequences are less severe than they would be if an SIT were not available for injection. Thus, 72 hours is allowed to return the boron concentration to within limits.

B.1

Section 7.4 of Reference 5, NUREG-1366, discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs.

Section 7.4 of Reference 5 states in part:

"The combination of redundant level and pressure instrumentation for any single SIT may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them. The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where "One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels," in which the completion time to restore the accumulator to operable status will be 72 hours. While technically inoperable, the accumulator would be available to fulfill its safety function during this time, and, thus, this change would have a negligible increase in risk."

(continued)

SAN ONOFRE--UNIT 3 B 3.5-7 Amendment No. 116 07/15/98

SITs B 3.5.1

BASES

ACTIONS

B.1 (continued)

Although Action B.1 has a risk-informed Completion Time, implementation of the Configuration Risk Management Program (CRMP) described in Administrative Controls Section 5.5.2.14 is not required as stated in Reference 8.

C.1

If one SIT is inoperable for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours. In this Condition the required contents of three SITs cannot be assumed to reach the core during a LOCA as is assumed in Appendix K to 10CFR50.

Reference 7 provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status.

Reference 7 discusses a best-estimate analysis that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. Reference 7 also discusses a plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

Although Action C.1 has a risk-informed Completion Time, implementation of the Configuration Risk Management Program (CRMP) described in Administrative Controls Section 5.5.2.14 is not required as stated in Reference 8.

D.1 and D.2

If the SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours, and pressurizer pressure reduced to < 715 psia within 12 hours.

(continued)

SAN ONOFRE--UNIT 3 B 3.5-8 Amendment No. 116 07/15/98

SITs B 3.5.1

BASES

ACTIONS (continued)

D.1 and D.2 (continued)

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1

If more than one SIT is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE REQUIREMENTS

SR 3.5.1.1

Verification every 12 hours that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITs are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. A 12 hour Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.

SR 3.5.1.2 and SR 3.5.1.3

SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits every 12 hours in order to ensure adequate injection during a LOCA. Due to the static design of the SITs, a 12 hour Frequency usually allows the operator sufficient time to identify changes before the limits are reached. Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.

SR 3.5.1.4

(continued)

SAN ONOFRE--UNIT 3 B 3.5-9 Amendment No. 116 07/15/98

SITs B 3.5.1

BASES

SURVEILLANCE REQUIREMENTS

SR 3.5.1.4 (continued)

Thirty-one days is reasonable for verification to determine that each SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. A preferred method to sampling is permitted for verifying the boron concentration in the SIT after a greater than or equal to 1% volume increase in the SIT not caused by deliberate filling of the SIT from the RWST. This method requires, within six hours, that the new boron concentration of the affected SIT shall be calculated using the volume change of the SIT and the results of the recent RCS boron analysis. If the result of the calculation indicates the boron concentration of the affected SIT is within the limits specified in this SR, the surveillance verification is satisfied. It is not necessary to verify boron concentration if the added water is from the RWST, because the water contained in the RWST is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366 (Ref. 5), Reference 6, and Reference 7.

SR 3.5.1.5

Verification every 31 days that power is removed from each SIT isolation valve operator when the pressurizer pressure is ≥ 715 psia ensures that an active failure could not result in the undetected closure of an SIT motor operated isolation valve. If this were to occur, only two SITs would be available for injection, given a single failure coincident with a LOCA. Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.

This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is < 715 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA.

(continued)

SAN ONOFRE--UNIT 3 B 3.5-10 Amendment No. 116 07/15/98

SITs B 3.5.1

BASES (continued)

REFERENCES

1. IEEE Standard 279-1971.
2. UFSAR, Section 6.3.
3. 10 CFR 50.46.
4. UFSAR, Chapter 15.
5. NUREG-1366, December 1992.
6. NRC Generic Letter 93-05, "Line-Item Technical Specification Improvements to Reduce Surveillance Requirements for Testing During Power Operations," September 27, 1993.
7. CE NPSD-994, "CEOG Joint Application Report for Safety Injection Tank AOT/STI Extension," April 1995.
8. NRC Safety Evaluation Report, June 19, 1998.

(continued)

SAN ONOFRE--UNIT 3 B 3.5-10a Amendment No. 116 07/15/98

ECCS - Operating B 3.5.2

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 ECCS - Operating

BASES

BACKGROUND

The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents:

a. Loss of coolant accident (LOCA);
b. Control Element Assembly (CEA) ejection accident;
c. Loss of secondary coolant accident, including uncontrolled steam release; and
d. Steam generator tube rupture (SGTR).

The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where primary cooldown could add enough positive reactivity to achieve criticality and return to significant power.

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs. After the refueling water storage tank (RWST) has been depleted, the ECCS recirculation phase is entered as the ECCS suction is automatically transferred to the containment sump. During the later portions of the recirculation phase, the injection flow is split approximately equally between the hot and cold legs.

Two redundant, 100% capacity trains are provided. In MODES 1, 2, and 3, with pressurizer pressure ≥ 400 psia, each train consists of high pressure safety injection (HPSI), low pressure safety injection (LPSI), and charging subsystems. In MODES 1, 2, and 3, with pressurizer pressure ≥ 400 psia, both trains must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided in the event of a single active failure.

A suction header supplies water from the RWST or the containment sump to the ECCS pumps. Separate piping supplies each train. The discharge headers from each HPSI pump divide into four supply lines. Both HPSI trains feed into each of the four injection lines. The discharge header from LPSI pumps divides into two supply lines, each feeding the injection line to two RCS cold legs. Orifices are set to balance the flow to the RCS. This flow balance directs sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.

(continued)

SAN ONOFRE--UNIT 3 B 3.5-11 Amendment No. 116 4/30/98

ECCS - Operating B 3.5.2

BASES

BACKGROUND (continued)

Credit is taken for the inventory provided by the charging system only for certain small break LOCAs. The charging pumps take suction from the RWST or the Boric Acid Makeup Tanks (BAMUs) on a safety injection actuation signal (SIAS) and discharge directly to the RCS through a common header. The normal supply source for the charging pumps is isolated on an SIAS to prevent noncondensible gas (e.g., air, nitrogen, or hydrogen) from being entrained in the charging pumps. The charging pumps deliver water through the charging header to the RCS Loops 1A and 2A injection lines. An ECCS train charging subsystem includes the train's respective charging pump, P-190 for Train A and P-192 for Train B, and the two RCS injection lines. The charging header and injection lines are common to both ECCS trains charging subsystems. The swing charging pump, P-191, can provide support to either Train A or B.

Except under emergency operating conditions (e.g., natural circulation cooldown) motor-operated auxiliary spray valve HV-9201 and manual auxiliary spray bypass valve MU-130 are required to remain locked closed whenever the unit is operating in Modes 1, 2, or 3 (with pressurizer pressure greater than or equal to 400 psia). This is to ensure the flow of one charging pump is not further diverted from the charging flow path to the auxiliary sprays during the initial automated response to a LOCA.

The above condition is established to ensure consistency with the assumptions made in the accident analyses regarding charging system flow to the RCS cold legs during the initial automated response to a LOCA. Considering single failure, 15.8 gpm is the charging flow through one injection line credited in the small break LOCA analysis. Considering the worst case flow split in both Units 2 and 3, a charging pump flow rate of 36.2 gpm is required to ensure a flow rate of 15.8 gpm to the RCS.

(continued)

SAN ONOFRE--UNIT 3 B 3.5-12 Amendment No. 116 4/30/98

ECCS - Operating B 3.5.2

BASES

BACKGROUND (continued)

In addition, all valves in the charging flow path between the discharge header of the charging pumps and RCS Loops 1A and 2A shall remain open when operating in Modes 1 and 2, and in Mode 3 (with pressurizer pressure > 400 psia).

During this period, the steam generators (SGs) must provide the core cooling function. During low temperature conditions in the RCS, limitations are placed on the maximum number of HPSI pumps that may be OPERABLE. Refer to the Bases for LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System," for the basis of these requirements.

During a large break LOCA, RCS pressure will decrease to < 200 psia in < 20 seconds. The safety injection (SI) systems are actuated upon receipt of an SIAS. The actuation of safeguard loads is accomplished in a programmed time sequence. If offsite power is available, the safeguard loads start immediately in the programmed sequence. If offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the diesel generators (DGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

The active ECCS components, along with the passive safety injection tanks (SITs) covered in LCO 3.5.1, "Safety Injection Tanks (SITs)," and the RWST covered in LCO 3.5.4, "Refueling Water Storage Tank (RWST)," provide the cooling water necessary to meet GDC 35 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The LCO helps to ensure that the following acceptance criteria, established by 10 CFR 50.46 (Ref. 2) for ECCSs, will be met following a LOCA:

a. Maximum fuel element cladding temperature is ≤ 2200°F;
b. Maximum cladding oxidation is ≤ 0.17 times the total cladding thickness before oxidation;
c. Maximum hydrogen generation from a zirconium water reaction is ≤ 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

SAN ONOFRE--UNIT 3 B 3.5-13 Amendment No. 116 4/30/98

ECCS - Operating B 3.5.2

BASES

APPLICABLE SAFETY ANALYSES (continued)

d. Core is maintained in a coolable geometry; and
e. Adequate long term core cooling capability is maintained.

The LCO also limits the potential for a post trip return to power following a steam line break (SLB) and ensures that containment temperature limits are met.

Both HPSI and LPSI subsystems are assumed to be OPERABLE in the large break LOCA analysis at full power (Ref. 3). This analysis establishes a minimum required runout flow for the HPSI and LPSI pumps, as well as the maximum required response time for their actuation. The HPSI pumps and charging pumps are credited in the small break LOCA analysis. This analysis establishes the flow and discharge head requirements at the design point for the HPSI pump.

The SGTR and SLB analyses also credit the HPSI pumps, but are not limiting in their design.

The large break LOCA event with a loss of offsite power and a single failure (disabling one ECCS train) establishes the OPERABILITY requirements for the ECCS. During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. The nuclear reaction is terminated either by moderator voiding during large breaks or control element assembly (CEA) insertion during small breaks. Following depressurization, emergency cooling water is injected into the cold legs, flows into the downcomer, fills the lower plenum, and refloods the core.

On smaller breaks, RCS pressure will stabilize at a value dependent upon break size, heat load, and injection flow.

The LCO ensures that an ECCS train will deliver sufficient water to match decay heat boiloff rates soon enough to minimize core uncovery for a large LOCA. It also ensures that the HPSI and charging pumps will deliver sufficient water during a small break LOCA, and that the HPSI pumps will provide sufficient boron to maintain the core subcritical following an SLB. The SGs continue to serve as the heat sink providing core cooling during a small break LOCA.

SAN ONOFRE--UNIT 3 B 3.5-14 Amendment No. 116 4/30/98

ECCS - Operating B 3.5.2

BASES

APPLICABLE SAFETY ANALYSES (continued)

ECCS - Operating satisfies Criterion 3 of the NRC Policy Statement.

LCO

In MODES 1, 2, and 3, with pressurizer pressure ≥ 400 psia, two independent (and redundant) ECCS trains are required to ensure that sufficient ECCS flow is available, assuming there is a single failure affecting either train. Additionally, individual components within the ECCS trains may be called upon to mitigate the consequences of other transients and accidents.

In MODES 1 and 2, and in MODE 3 with pressurizer pressure ≥ 400 psia, an ECCS train consists of a HPSI subsystem, a LPSI subsystem, and a charging subsystem.

Each train includes the piping, instruments, and controls to ensure the availability of an OPERABLE flow path capable of taking suction from the RWST on a SIAS and automatically transferring suction to the containment sump upon a recirculation actuation signal (RAS).

During an event requiring ECCS actuation, a flow path is provided to ensure an abundant supply of water from the RWST to the RCS, via the HPSI and LPSI pumps and their respective supply headers, to each of the four cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to supply part of its flow to the RCS hot legs via the shutdown cooling (SDC) suction nozzles. The charging pump flow path takes suction from the RWST or the BAMUs and supplies the RCS via the normal charging lines.

The flow path for each train must maintain its designed independence to ensure that no single failure can disable both ECCS trains.

APPLICABILITY

In MODES 1 and 2, and in MODE 3 with RCS pressure ≥ 400 psia, the ECCS OPERABILITY requirements for the limiting Design Basis Accident (DBA) large break LOCA are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES.

SAN ONOFRE--UNIT 3 B 3.5-15 Amendment No. 116 4/30/98

ECCS - Operating B 3.5.2

BASES

APPLICABILITY (continued)

The HPSI pump performance is based on the small break LOCA, which establishes the pump performance curve and has less dependence on power. The charging pump performance requirements are based on a small break LOCA.

The requirements of MODES 2 and 3 with RCS pressure ≥ 400 psia, are bounded by the MODE 1 analysis.

The ECCS functional requirements of MODE 3, with RCS pressure < 400 psia, and MODE 4 are described in LCO 3.5.3, "ECCS - Shutdown."

In MODES 5 and 6, unit conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Shutdown Cooling (SDC) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation - Low Water Level."

ACTIONS

A.1 and B.1

An ECCS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of performing their design function, or if supporting systems are not available.

The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of each of Condition A and Condition B is to maintain a combination of OPERABLE equipment such that 100% of the ECCS flow equivalent to 100% of a single OPERABLE train remains available. This allows increased flexibility in plant operations when components in opposite trains are inoperable.

SAN ONOFRE--UNIT 3 B 3.5-16 Amendment No. 116 7 5 98 Re-issued 08 4 98

ECCS - Operating B 3.5.2

BASES

ACTIONS

A.1 and B.1 (continued)

Each of Condition A and Condition B includes a combination of OPERABLE equipment such that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train remains available.

Condition A addresses the specific condition where the only affected ECCS subsystem is a single LPSI subtrain. The availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is implicit in the definition of Condition A.

If LCO 3.5.2 requirements are not met due only to the existence of Condition A, then the inoperable LPSI subtrain components must be returned to OPERABLE status within 7 days of discovery of Condition A. A Configuration Risk Management Program (CRMP) defined in Administrative Controls section 5.5.2.14 is implemented in the event of Condition A.

This 7-day Completion Time is based on the findings of the deterministic and probabilistic analysis that are discussed in Reference 6. Seven days is a reasonable amount of time to perform many corrective and preventative maintenance items on the affected LPSI subtrain. Reference 6 concluded that the overall risk impact of this Completion Time was either risk-beneficial or risk-neutral.

Condition B addresses other scenarios where the availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train exists but the full requirements of LCO 3.5.2 are not met. If Condition B exists, then inoperable components must be restored such that Condition B does not exist within 72 hours of discovery. The 72 hour Completion Time is based on an NRC reliability study (Ref. 4) and is a reasonable amount of time to effect many repairs.

Because of the configuration of each train's charging subsystem, which includes common injection lines, an inoperable charging line will render the charging subsystem for both ECCS trains inoperable. With both HPSI trains operable, more than 100% of the ECCS flow equivalent is available. Therefore, with the charging subsystems inoperable and both HPSI trains operable, the allowable completion time for the affected charging line to be returned to operable status is 72 hours.

SAN ONOFRE--UNIT 3 B 3.5-17 Amendment No. 116 7 5 98 Re-issued 08 4 98

ECCS - Operating B 3.5.2

BASES

ACTIONS

A.1 and B.1 (continued)

An event accompanied by a loss of offsite power and the failure of an emergency DG can disable one ECCS train until power is restored. A reliability analysis (Ref. 4) has shown that the impact with one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours.

Reference 5 describes situations in which one component, such as a shutdown cooling total flow control valve, can disable both ECCS trains. With one or more components inoperable, such that 100% of the equivalent flow to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analyses. In such a situation, LCO 3.0.3 must be immediately entered.

C.1 and C.2

If the inoperable train cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 400 psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.2.1 and 3.5.2.2

SR 3.5.2.1 verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removing power or by key locking the control in the correct position ensures that the valves cannot be inadvertently misaligned or change position as the result of an active failure. These valves are of the type described in Reference 5, which can disable the function of both ECCS trains and invalidate the accident analysis.

SAN ONOFRE--UNIT 3 B 3.5-18 Amendment No. 116 07/15/98

ECCS - Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS

SR 3.5.2.1 and 3.5.2.2 (continued)

SR 3.5.2.2 verification of the proper positions of the Containment Emergency Sump isolation valves and ECCS pumps/containment spray pumps miniflow valves ensures that ECCS operability and containment integrity are maintained. Securing these valves in position with power available will provide additional assurance that these valves will operate on a RAS. A 12 hour Frequency is considered reasonable in view of other administrative controls ensuring that a mispositioned valve is an unlikely possibility.

SR 3.5.2.3

Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The 31 day Frequency is appropriate because the valves are operated under procedural control and an improper valve position would only affect a single train. This Frequency has been shown to be acceptable through operating experience.

SAN ONOFRE--UNIT 3 B 3.5-19 Amendment No. 116 07/15/98

ECCS - Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.2.4

With the exception of systems in operation, the ECCS pumps are normally in a standby, nonoperating mode. As such, flow path piping has the potential to develop voids and pockets of entrained gases. Maintaining the piping from the ECCS pumps to the RCS full of water ensures that the system will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an SIAS or during SDC. The 31 day Frequency takes into consideration the gradual nature of gas accumulation in the ECCS piping and the adequacy of the procedural controls governing system operation.

SR 3.5.2.5

Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by Section XI of the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. SRs are specified in the Inservice Testing Program, which encompasses Section XI of the ASME Code. Section XI of the ASME Code provides the activities and Frequencies necessary to satisfy the requirements.

SR 3.5.2.6

Discharge head at design flow is a normal test of charging pump performance required by Section XI of the ASME Code. A quarterly Frequency for such tests is a Code requirement. Such inservice inspections detect component degradation and incipient failures. For positive displacement charging pumps, Section XI of the ASME Code allows an alternate testing for design flow only.

SAN ONOFRE--UNIT 3 B 3.5-20 Amendment No. 116 07/15/98

ECCS - Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.2.7, SR 3.5.2.8, and SR 3.5.2.9

These SRs demonstrate that each automatic ECCS valve actuates to the required position on an actual or simulated SIAS and/or an actual or simulated RAS as appropriate to each valve, that each ECCS pump starts on receipt of an actual or simulated SIAS, and that the LPSI pumps stop on receipt of an actual or simulated RAS. As a part of SR 3.5.2.8, subgroup relay K108, which s... safety injection actuation signal and disables non-safety related pump trips on low suction pressure and high pressurizer level, needs to be tested to verify these trips are disabled. The 24 month Frequency is based on the need to perform these Surveillances under the conditions that apply during a plant outage and the potential for unplanned transients if the Surveillances were performed with the reactor at power. The 24 month Frequency is also acceptable based on consideration of the design reliability (and confirming operating experience) of the equipment. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing and equipment performance is monitored as part of the Inservice Testing Program.

SR 3.5.2.10

Periodic inspection of the containment sump ensures that it is unrestricted and stays in proper operating condition. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during an outage and on the need to have access to the location. This Frequency is sufficient to detect abnormal degradation and is confirmed by operating experience.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 35.
2. 10 CFR 50.46.
3. UFSAR, Section 6.3.
4. NRC Memorandum to V. Stello, Jr., from R. L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
5. IE Information Notice No. 87-01, January 6, 1987.
6. CE NPSD-995, "CEOG Joint Applications Report for Low Pressure Safety Injection System AOT Extension," May 1995.

SAN ONOFRE--UNIT 3 B 3.5-20a Amendment 116 07/15/98 Reissued on 06/23/99

Containment B 3.6.1

B 3.6 CONTAINMENT SYSTEMS

B 3.6.1 Containment

BASES

BACKGROUND

The containment consists of the concrete reactor building (RB), its steel liner, and the penetrations through this structure. The structure is designed to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA). Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof. The cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed utilizing a three way post tensioning system. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions.

The concrete RB is required for structural integrity of the containment under DBA conditions. The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment. SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:

1. capable of being closed by an OPERABLE automatic containment isolation system, or

SAN ONOFRE--UNIT 3 B 3.6-1 Amendment No. 116, 12/1/98

Containment B 3.6.1

BASES

BACKGROUND (continued)

2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves."

b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks."

APPLICABLE SAFETY ANALYSES

The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

The DBAs that result in a release of radioactive material within containment are a loss of coolant accident, a main steam line break (MSLB), and a control element assembly ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, Pa, at 55.1 psig (Ref. 5). Pa will conservatively be assumed to be equal to the calculated peak containment internal pressure of the design basis Main Steam Line Break, 56.6 psig (Ref. 5), for the purpose of containment testing in accordance with this Technical Specification.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of the NRC Policy Statement.

LCO

Containment OPERABILITY is maintained by limiting leakage to ≤ 1.0 La, except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.

Individual leakage rates specified for the containment air lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J, Option B. Therefore, leakage rates exceeding these individual limits only result in the containment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 La.

SAN ONOFRE--UNIT 3 B 3.6-2 Amendment No. 116, 12/1/98

Containment B 3.6.1

BASES

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS

A.1

In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2

If containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SAN ONOFRE--UNIT 3 B 3.6-3 Amendment No. 116, 12/1/98

Containment B 3.6.1

BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.6.1.1

Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock and purge valve with resilient seal leakage limits specified in LCO 3.6.2 and LCO 3.6.3 does not invalidate the acceptability of these overall leakage determinations unless their contribution to overall Type A, B, and C leakage causes that to exceed limits. As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be ≤ 0.6 La for combined Type B and C leakage following an outage or shutdown that included Type B and C testing only, and ≤ 0.75 La for overall Type A leakage following an outage or shutdown that included Type A testing. At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of ≤ 1.0 La. At ≤ 1.0 La, the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies are as specified in the Containment Leakage Rate Testing Program. Thus, SR 3.0.2 (which allows Frequency extensions) does not apply. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.

SR 3.6.1.2

For ungrouted, post tensioned tendons, this SR ensures that the structural integrity of the containment will be maintained in accordance with the provisions of the Containment Tendon Surveillance Program. Testing and Frequency are consistent with the recommendations of Regulatory Guide 1.35 (Ref. 4).

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. SONGS Units 2 and 3 UFSAR, Section 15.1
3. SONGS Units 2 and 3 UFSAR, Section 15.4
4. Regulatory Guide 1.35, Revision 3.
5. SONGS Units 2 and 3 UFSAR, Section 6.2

SAN ONOFRE--UNIT 3 B 3.6-4 Amendment No. 116, 12/1/98

Containment Air Locks B 3.6.2

B 3.6 CONTAINMENT SYSTEMS

B 3.6.2 Containment Air Locks

BASES

BACKGROUND

Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder, 10 ft in diameter, with a door at each end. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in containment internal pressure results in increased sealing force on each door).

The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the safety analysis. SR 3.6.2.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

SAN ONOFRE--UNIT 3 B 3.6-5 Amendment No. 116 12/1/98

Containment Air Locks B 3.6.2

BASES (continued)

APPLICABLE SAFETY ANALYSES

For atmospheric containment, the DBAs that result in a release of radioactive material within containment are a loss of coolant accident (LOCA), a main steam line break (MSLB) and a control element assembly (CEA) ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.10% of containment air weight per day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated maximum peak containment internal pressure related to the design basis loss-of-coolant accident, Pa, at 55.1 psig (Ref. 3). Pa will conservatively be assumed to be equal to the calculated peak containment internal pressure of the design basis Main Steam Line Break, 56.6 psig (Ref. 3), for the purpose of containment testing in accordance with this Technical Specification. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.

The containment air locks satisfy Criterion 3 of the NRC Policy Statement.

LCO

Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The door seals and sealing surface are considered a part of the air lock. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

SAN ONOFRE--UNIT 3 B 3.6-6 Amendment No. 116 12/1/98

Containment Air Locks B 3.6.2

BASES

SURVEILLANCE REQUIREMENTS

SR 3.6.2.1 (continued)

the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment leakage rate. The Frequency is as specified in the Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test.

This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria of which is applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C containment leakage rate.

SR 3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit into and out of containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. Due to the purely mechanical nature of this interlock, and given that the interlock mechanism is only challenged when containment is entered, Note 1 specifies that this test is only required to be performed upon entering containment but is not required more frequently than every 184 days. The second note states that SR 3.0.4 is not applicable. The 184 day Frequency is based on engineering judgment and is

(continued)

SAN ONOFRE--UNIT 3 B 3.6-11 Amendment No. 116 12/1/98

Containment Air Locks B 3.6.2 BASES

SURVEILLANCE REQUIREMENTS

SR 3.6.2.2 (continued)

considered adequate in view of other indications of door and interlock mechanism status available to operations personnel.

REFERENCES 1. 10 CFR 50, Appendix J, Option B

2. UFSAR, Section 15.1, 15.4.
3. UFSAR, Section 6.2.

SAN ONOFRE--UNIT 3 B 3.6-12 Amendment No. 116 12/1/98

Containment Isolation Valves B 3.6.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.3.5 Verifying that the isolation time of each power operated and automatic containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and Frequency of this SR are in accordance with the Inservice Testing Program.

SR 3.6.3.6 For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J, Option B (Ref. 5), is required to ensure OPERABILITY. Operating experience has demonstrated that this type of seal has the potential to degrade in a shorter time period than do other seal types.

Based on this observation and the importance of maintaining this penetration leak tight (due to the direct path between containment and the environment), a Frequency of 184 days was established as part of the NRC resolution of Generic Issue B-20, "Containment Leakage Due to Seal Deterioration" (Ref. 3).

Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling the valve could introduce additional seal degradation (beyond that occurring to a valve that has not been opened). Thus, decreasing the interval (from 184 days) is a prudent measure after a valve has been opened.

A Note to this SR requires the results to be evaluated against the acceptance criteria of SR 3.6.1.1. This ensures that excessive containment purge valve leakage is properly accounted for in determining the overall containment leakage rate to verify containment OPERABILITY.

(continued)

SAN ONOFRE--UNIT 3 B 3.6-25 Amendment No. 116 12/1/98

Containment Isolation Valves B 3.6.3 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.3.7 The containment isolation valves covered by this SR are required to be demonstrated OPERABLE at the indicated frequency. This SR is modified by two notes. Note 1 specifies that the provisions of the Inservice Testing Program are not applicable when the valves are secured open.

The second note indicates that SR 3.0.4 is not applicable.

SR 3.6.3.8 Automatic containment isolation valves close on an actuation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures each automatic containment isolation valve will actuate to its isolation position on an actuation signal. The 24 month Frequency was developed considering it is prudent that this SR be performed only during a unit outage, since isolation of penetrations would eliminate cooling water flow and disrupt normal operation of many critical components. Operating experience has shown that these components usually pass this SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES 1. SONGS Units 2 and 3 UFSAR, Section 6.2.

2. SONGS Units 2 and 3 UFSAR, Section 6.
3. Generic Issue B-20.
4. Generic Issue B-24.
5. 10 CFR 50, Appendix J, Option B.

SAN ONOFRE--UNIT 3 B 3.6-26 Amendment No. 116 12/1/98

MSSVs B 3.7.1 BASES (continued)

APPLICABLE SAFETY ANALYSES

The design basis for the MSSVs comes from Reference 2; its purpose is to limit secondary system pressure to ≤ 110% of design pressure when passing 100% of design steam flow. This design basis is sufficient to cope with any anticipated operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the MSSV relieving capacity, and thus RCS pressure, are those characterized as decreased heat removal events, and are presented in the UFSAR, Section 15.2 (Ref. 3). Of these, the full power loss of condenser vacuum (LOCV) event is the limiting AOO. An LOCV isolates the turbine and condenser, and terminates normal feedwater flow to the Steam Generators. Before delivery of auxiliary feedwater to the Steam Generators, RCS pressure reaches ≤ 2750 psig. This peak pressure is less than or equal to 110% of the design pressure of 2500 psia, but high enough to actuate the pressurizer safety valves. The maximum relieving rate of the MSSVs during the LOCV event (Ref. 3, Fig. 15.2-10), is within the rated capacity of the MSSVs.

The limiting accident for peak RCS pressure is the full power feedwater line break (FWLB), inside containment, with the failure of the backflow check valve in the feedwater line from the affected Steam Generator. Water from the affected Steam Generator is assumed to be lost through the break with minimal additional heat transfer from the RCS.

With heat removal limited to the unaffected Steam Generator, the reduced heat transfer causes an increase in RCS temperature, and the resulting RCS fluid expansion causes an increase in pressure. The RCS pressure increases to ≤ 3000 psia (Ref. 3, Fig. 15.2-40), with the pressurizer safety valves providing relief capacity. The maximum relieving rate of the MSSVs during the Feedwater Line Break event (Ref. 3, Fig. 15.2-51), is within the rated capacity of the MSSVs.

The MSSVs satisfy Criterion 3 of the NRC Policy Statement.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-2 Amendment No. 116 08/18/98

MSSVs B 3.7.1 BASES (continued)

LCO This LCO requires all MSSVs to be OPERABLE in compliance with Reference 2, even though this is not a requirement of the DBA analysis. This is because operation with less than the full number of MSSVs requires limitations on allowable THERMAL POWER (to meet Reference 2 requirements) and adjustment to Reactor Protection System trip setpoints.

These limitations are according to those shown in Table 3.7.1-1, Required Action A.1, and Required Action A.2. An MSSV is considered inoperable if it fails to open upon demand.

The OPERABILITY of the MSSVs is defined as the ability to open in accordance with Lift Settings specified in Table 3.7.1-2, relieve Steam Generator overpressure, and reseat when pressure has been reduced. The OPERABILITY of the MSSVs is determined by periodic surveillance testing in accordance with the inservice testing program.

The Lift Settings specified in Table 3.7.1-2 correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSSVs will perform their designed safety function to mitigate the consequences of accidents that could result in a challenge to the Reactor Coolant Pressure Boundary.

APPLICABILITY In MODE 1, the accident analysis requires a minimum of five MSSVs per Steam Generator which is limiting and bounds all lower MODES. In MODES 2 and 3, both the ASME Code and the accident analysis require only one MSSV per Steam Generator to provide overpressure protection.

In MODES 4 and 5, there are no credible transients requiring the MSSVs.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-3 Amendment No. 116 08/18/98

MSIVs B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 Main Steam Isolation Valves (MSIVs)

BASES BACKGROUND The MSIVs isolate steam flow from the secondary side of the steam generators following a high energy line break (HELB).

MSIV closure terminates flow from the unaffected (intact) steam generator.

One MSIV is located in each main steam line outside, but close to, containment. The MSIVs are downstream from the main steam safety valves (MSSVs), atmospheric dump valves, and auxiliary feedwater pump turbine steam supplies to prevent them from being isolated from the steam generators by MSIV closure. Closing the MSIVs isolates each steam generator from the other, and isolates the turbine, Steam Bypass System, and other auxiliary steam supplies from the steam generators.

The valves are held in the open position by a hydraulic system which exerts pressure on the bottom of a piston actuator. Nitrogen pressure on top of the piston actuator acts as the driving force for valve closure. For these valves to shut and perform their safety function, redundant actuation solenoids, powered from separate 1E power sources, open and dump hydraulic oil from the bottom of the piston actuator through two separate dump lines.

MSIVs are capable of performing their specified function in their closed position.

The MSIVs close on a main steam isolation signal generated by low steam generator pressure and on Containment Isolation Actuation Signal (CIAS) by high containment pressure. The MSIVs fail closed on loss of control or actuation power. MSIS and CIAS also actuate the main feedwater isolation valves (MFIVs) to close. The MSIVs may also be actuated manually.

A description of the MSIVs is found in the UFSAR, Section 10.3 (Ref. 1).

(continued)

SAN ONOFRE--UNIT 3 B 3.7-7 Amendment No. 116 04/16/99

MSIVs B 3.7.2 BASES (Continued)

APPLICABLE SAFETY ANALYSES

The design basis of the MSIVs is established by the containment analysis for the large steam line break (SLB) inside containment, as discussed in the UFSAR, Section 6.2 (Ref. 2). It is also influenced by the accident analysis of the SLB events presented in the UFSAR, Section 15.1.5 (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand).

The limiting case for the containment analysis is the hot zero power SLB inside containment with a loss of offsite power following turbine trip, and failure of the MSIV on the affected steam generator to close. At zero power, the steam generator inventory and temperature are at their maximum, maximizing the analyzed mass and energy release to the containment. Due to reverse flow, failure of the MSIV to close contributes to the total release of the additional mass and energy in the steam headers, which are downstream of the other MSIV. With the most reactive Single Control Element Assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the borated water injection delivered by the Emergency Core Cooling System. Other failures considered are the failure of an MFIV to close, and failure of an emergency diesel generator to start.

The accident analysis compares several different SLB events against different acceptance criteria. The large SLB outside containment upstream of the MSIV is limiting for offsite dose, although a break in this short section of main steam header has a very low probability. The large SLB inside containment at hot zero power is the limiting case for a post trip return to power. The analysis included scenarios with offsite power available and with a loss of offsite power following turbine trip.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-8 Amendment No. 116 04/16/99 Reissued 06/23/99

MFIVs B 3.7.3 BASES

BACKGROUND (continued)

The Main Feedwater Isolation Valves (MFIVs) have body drains which are either blind flanged or closed by a manual valve and capped. These body drain isolation valves are not subject to the requirements that all manual containment isolation valves be verified closed monthly in MODES 1 through 4, because they drain a volume in the MFIV body which is isolated from in-containment piping whenever the MFIV's double disk gate is closed. These drain valves are an integral part of the MFIVs and are not credited with affecting containment isolation in the UFSAR.

A description of the MFIVs is found in the UFSAR, Section 10.4.7 (Ref. 1).

APPLICABLE SAFETY ANALYSES

The design basis of the MFIVs is established by the analysis for the large SLB. It is also influenced by the accident analysis for the large FWLB. Closure of the MFIVs may also be relied on to terminate a steam break for core response analysis and an excess feedwater flow event upon receipt of a MSIS on low steam generator pressure.

Failure of an MFIV to close following an SLB, FWLB, or excess feedwater flow event can result in additional mass and energy to the steam generators contributing to cooldown. This failure also results in additional mass and energy releases following an SLB or FWLB event.

The MFIVs satisfy Criterion 3 of the NRC Policy Statement.

LCO This LCO ensures that the MFIVs will isolate MFW flow to the steam generators. Following an FWLB or SLB, these valves will also isolate the nonsafety related portions from the safety related portions of the system. This LCO requires that the one MFIV in each feedwater line be OPERABLE. The MFIVs are considered OPERABLE when the isolation times are within limits, and will close on MSIS and CIAS.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-14 Amendment No. 116 04/16/99

AFW System B 3.7.5 BASES

SURVEILLANCE REQUIREMENTS

SR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW water and steam supply flow paths provides assurance that the proper flow paths exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulations; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.5.2 This SR verifies that the AFW pumps develop sufficient discharge pressure to deliver the required flow at the full open pressure of the MSSVs. Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing is performed on recirculation flow.

Periodically comparing the reference differential pressure developed at this reduced flow detects trends that might be indicative of incipient failures. Performance of inservice testing, discussed in NUREG 1366 (Ref. 2), on a STAGGERED TEST BASIS satisfies this requirement.

LCO 3.7.5 permits plant operation in MODE 4 with one motor driven AFW pump and/or the turbine driven AFW pump inoperable. During plant operation in MODE 4, the turbine driven AFW pump does not have to be surveilled because steam generator pressure is less than 800 psig (NOTE for SR 3.7.5.2). During plant operation in MODE 4 with one motor driven AFW pump inoperable, SR 3.7.5.2 does not have to be performed on the inoperable motor driven pump (SR 3.0.1), and n remains at 3, where n is the total number of designated components in the definition of STAGGERED TEST BASIS. Therefore, performance of SR 3.7.5.2 on the OPERABLE motor driven AFW pump is only required every 3 Surveillance Frequency intervals. Discussions with the NRC Technical Specifications Branch on this clarification are documented in Action Request 980601488-1.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-31 Amendment No. 116 09/18/98

AFW System B 3.7.5 BASES

SURVEILLANCE REQUIREMENTS

SR 3.7.5.2 (continued)

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established.

This deferral is required because there is an insufficient steam pressure to perform the test.

This SR ensures that AFW can be delivered to the appropriate steam generator, in the event of any accident or transient that generates an EFAS signal, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal.

Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

SR 3.7.5.4 This SR ensures that the AFW pumps will start in the event of any accident or transient that generates an EFAS signal by demonstrating that each AFW pump starts automatically on an actual or simulated actuation signal. Although testing of some of the components of this circuit may be accomplished during normal operations, the 24 month Frequency is based on the need to complete this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency is acceptable, based on the design reliability and operating experience of the equipment.

This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions have been established. This deferral is required because there is an insufficient steam pressure to perform the test.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-32 Amendment No. 116 09/18/98

AFW System B 3.7.5 BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.5.5 This SR ensures that the AFW System is properly aligned by verifying the flow path to each steam generator prior to entering MODE 2 operation, after 30 days in MODE 5 or 6.

OPERABILITY of AFW flow paths must be verified before sufficient core heat is generated that would require the operation of the AFW System during a subsequent shutdown.

The Frequency is reasonable, based on engineering judgment, and other administrative controls to ensure that flow paths remain OPERABLE. To further ensure AFW System OPERABILITY, the OPERABILITY of the normal flow paths from the CST through the AFW pump to the Steam Generators is verified following extended outages. This SR ensures that the normal paths from the CST to the Steam Generators are OPERABLE by raising Steam Generator level by 2% using AFW flow from the CST.

REFERENCES 1. UFSAR, Section 10.4.9.

2. NUREG 1366, "Improvements to Technical Specifications Surveillance Requirements," Section 9.1

SAN ONOFRE--UNIT 3 B 3.7-33 Amendment No. 116 09/18/98

CCW System B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Component Cooling Water (CCW) System BASES

BACKGROUND The CCW System provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. During normal operation, the CCW System also provides this function for various nonessential components, as well as the spent fuel pool. The CCW System serves as a barrier to the release of radioactive byproducts between potentially radioactive systems and the Salt Water Cooling System, and thus to the environment.

The CCW System is arranged as two independent full capacity cooling loops, and has isolatable nonsafety related components. Each safety related train includes a full capacity pump, surge tank, heat exchanger, piping, valves, and instrumentation. Each safety related train is powered from a separate bus. A pressurized surge tank in the system ensures sufficient net positive suction head is available.

The pump in each train is automatically started on receipt of a safety injection actuation signal, and all nonessential components are isolated.

Following a Design Basis Event, both the non-safety related Auxiliary Gas System and Nuclear Service Water system are assumed to be unavailable. A postulated Design Basis Event could result in CCW system voiding and a subsequent water hammer. The Backup Nitrogen Supply (BNS) system is an independent, safety related, Seismic Category I source of pressurized nitrogen to prevent high-point voiding by maintaining the CCW critical loops water-solid during Design Basis Event mitigation.

Additional information on the design and operation of the system, along with a list of the components served, is presented in the UFSAR, Section 9.2.2, Reference 1. The principal safety related function of the CCW System is the removal of decay heat from the reactor via the Shutdown Cooling (SDC) System heat exchanger. This may utilize the SCS heat exchanger, during a normal or post accident cooldown and shutdown, or the Containment Spray System during the recirculation phase following a loss of coolant accident (LOCA).

(continued)

SAN ONOFRE--UNIT 3 B 3.7-39 Amendment No. 116 Reissued 06/23/99

CREACUS B 3.7.11 B 3.7 PLANT SYSTEMS B 3.7.11 Control Room Emergency Air Cleanup System (CREACUS)

BASES BACKGROUND The CREACUS provides a protected environment from which operators can control the plant following an uncontrolled release of radioactivity.

The CREACUS consists of two independent, redundant trains that recirculate and filter the control room air. Each CREACUS train consists of emergency air conditioning unit, emergency ventilation air supply unit, emergency isolation dampers, and cooling coils and two cabinet coolers per Unit.

Each emergency air conditioning unit includes a prefilter, a high efficiency particulate air (HEPA) filter, an activated carbon adsorber section for removal of gaseous activity (principally iodine), and a fan. A second bank of HEPA filters follows the adsorber section to collect carbon fines. Each emergency ventilation air supply unit includes prefilter, HEPA filter, carbon adsorber and fan. Ductwork, motor-operated dampers, and instrumentation also form part of the system. Air and motor-operated dampers are provided for air volume control and system isolation purposes.

Upon receipt of the actuating signal, normal air supply to the control room is isolated, and the stream of ventilation air is recirculated through the system's filter trains. The prefilters remove any large particles in the air to prevent excessive loading of the HEPA filters and charcoal adsorbers. Continuous operation of each train for at least 15 minutes per month verifies proper system operability.

There are two CREACUS operational modes. Emergency mode is an operational mode when the control room is isolated to protect operational personnel from radioactive exposure through the duration of any one of the postulated limiting faults discussed in Chapter 15 UFSAR (Ref. 2). Isolation mode is an operational mode when the control room is isolated to protect operational personnel from toxic gasses and smoke.

Actuation of the CREACUS places the system into either of two separate states of operation, depending on the initiation signal. Actuation of the system to either the emergency mode or isolation mode of CREACUS operation

(continued)

SAN ONOFRE--UNIT 3 B 3.7-56 Amendment No. 116 06/28/99

CREACUS B 3.7.11 BASES

BACKGROUND (continued)

closes the unfiltered-outside-air intake and unfiltered exhaust dampers, and aligns the system for recirculation of control room air through the redundant trains of HEPA and charcoal filters.

The emergency mode initiates pressurization of the control room. Outside air is added to the air being recirculated from the control room. Pressurization of the control room prevents infiltration of unfiltered air from the surrounding areas of the building.

The control room supply and the outside air supply of the normal control room HVAC are monitored by radiation and toxic-gas detectors respectively. One detector output above the setpoint will cause actuation of the emergency mode or isolation mode as required. The actions of the isolation mode are more restrictive, and will override the actions of the emergency mode of operation. However, toxic gas and radiation events are not considered to occur concurrently.

A single train will pressurize the control room to at least 0.125 inches water gauge, and provides an air exchange rate in excess of 45% per hour. The CREACUS operation in maintaining the control room habitable is discussed in Reference 1.

Redundant recirculation trains provide the required filtration should an excessive pressure drop develop across the other filter train. Normally-open isolation dampers are arranged in series pairs so that one damper's failure to shut will not result in a breach of isolation. The CREACUS is designed in accordance with Seismic Category I requirements.

The CREACUS is designed to maintain the control room environment for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5-rem whole-body dose.

APPLICABLE SAFETY ANALYSES

The CREACUS components are arranged in redundant safety related ventilation trains. The location of components and ducting within the control room envelope ensures an adequate supply of filtered air to all areas requiring access.

The CREACUS provides airborne radiological protection for the control room operators, as demonstrated by the control

(continued)

SAN ONOFRE--UNIT 3 B 3.7-57 Amendment No. 116 06/28/99

CREACUS B 3.7.11 BASES

APPLICABLE SAFETY ANALYSES (continued)

room accident dose analyses for the most limiting design basis loss of coolant accident fission product release presented in the UFSAR, Chapter 15 (Ref. 2).

Dose calculations, as specified in Unit 2/3 UFSAR (Table 15B-5 and cbarcoal adsorb)rs e of the emergency recirculation airAppendix 15 conditioning unit. The emergency ventilation supply unit is credited only with contributing to the pressurization of the control room to 1/8 inch water gauge positive pressure (minimum) to prevent unfiltered inleakage as indicated in Unit 2/3 UFSAR. The analysis of toxic gas releases demonstrates that the toxicity limits are not exceeded in the control room following a toxic chemical release, as presented in Reference 1.

The worst case single active failure of a component of the CREACUS assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The CREACUS satisfies Criterion 3 of the NRC Policy Statement.

LCO Two independent and redundant trains of the CREACUS are required to be OPERABLE to ensure that at least one is available, assuming that a single failure disables the other train. Total system failure could result in a control room operator receiving a dose in excess of 5 rem in the event of a large radioactive release.

The CREACUS is considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both trains. A CREACUS train is considered OPERABLE when the associated:

a. Fan is OPERABLE;
b. HEPA filters and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained. If an Emergency Isolation Damper is stuck open, the associated train of CREACUS may still be considered OPERABLE if the redundant damper in series with the inoperable damper is closed with power removed.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-58 Amendment No. 116 3/19/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14 B 3.7 PLANT SYSTEMS B 3.7.14 Fuel Handling Building Post-Accident Cleanup Filter System BASES BACKGROUND The Fuel Handling Building Post-Accident Cleanup Filter System filters airborne radioactive particulates and gases from the area of the fuel pool following a fuel rupture accident. The Fuel Handling Building Post-Accident Cleanup Filter System, in conjunction with normally operating systems, also provides environmental control of temperature in the fuel pool area.

The Fuel Handling Building Post-Accident Cleanup Filter System consists of two independent, redundant trains. Each train consists of a prefilter, two banks of high efficiency particulate air (HEPA) filters, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), a Component Cooling Water cooling coil, and a fan. Ductwork, dampers, and instrumentation also form part of the system, as well as duct heaters which function to reduce the relative humidity of the air stream.

The second bank of HEPA filters follows the adsorber section to collect carbon fines and provide backup in case of failure of the main HEPA filter bank. The downstream HEPA filter is not credited in the analysis, but serves to collect charcoal fines, and to back up the upstream HEPA filter should it develop a leak. The system initiates filtered ventilation of the fuel handling building following receipt of a high radiation signal.

The Fuel Handling Building Post-Accident Cleanup Filter System is a standby system, part of which may also be operated during normal unit operations. Upon receipt of the actuating signal, the fuel handling building is isolated, and the stream of ventilation air discharges through the system filter trains. The prefilters remove any large particles in the air, to prevent excessive loading of the HEPA filters and charcoal adsorbers.

Operation of the FHB normal HVAC system in parallel with one operating PACFS unit and the other unit inoperable is permissible provided both radiation monitors RT-7823 and 7822 and their associated circuitry remain OPERABLE.

(continued)

SAN ONOFRE--UNIT 3 B 3.7-63 Amendment No. 116 12/17/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14 BASES

BACKGROUND (continued)

The Fuel Handling Building Post-Accident Cleanup Filter System is discussed in the UFSAR, Sections 6.5.1, 9.4.3.1 and 15.7.3.4 (Refs. 1, 2, and 3, respectively).

APPLICABLE SAFETY ANALYSES

The Fuel Handling Building Post-Accident Cleanup Filter System is designed to mitigate the consequences of a fuel handling accident in which 60 pins in a fuel assembly are assumed to be damaged, or a Spent Fuel Pool gate drop accident in which 236 pins are assumed to be damaged. The analyses of the fuel handling accidents are given in References 3 and 6. The analyses take no credit for the Fuel Handling Building Post-Accident Cleanup Filter System.

The amount of fission products available for release from the Fuel Handling Building is determined for a fuel rupture accident. These assumptions and the analysis follow the guidance provided in Regulatory Guide 1.25 (Ref. 4).

The Fuel Handling Building Post-Accident Cleanup Filter System satisfies Criterion 3 of the NRC Policy Statement.

LCO Two independent and redundant trains of the Fuel Handling Building Post-Accident Cleanup Filter System are required to be OPERABLE to ensure that at least one is available, assuming a single failure that disables the other train coincident with a loss of offsite power.

The Fuel Handling Building Post-Accident Cleanup Filter System is considered OPERABLE when the individual components necessary to control exposure in the fuel handling building are OPERABLE in both trains. A Fuel Handling Building Post-Accident Cleanup Filter System train is considered OPERABLE when its associated:

a. Fan is OPERABLE;
b. HEPA filters and charcoal adsorber are not excessively restricting flow, and are capable of performing their filtration functions; and

c. Heater, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

(continued)

SAN ON0FRE--UNIT 3 B 3.7-64 Amendment No. 116 12/17/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14

BASES

APPLICABILITY

During movement of irradiated fuel assemblies in the fuel building, the Fuel Handling Building Post-Accident Cleanup Filter System is required to be OPERABLE to mitigate the consequences of a fuel rupture accident.

ACTIONS

A.1

If one Fuel Handling Building Post-Accident Cleanup Filter System train is inoperable, action must be taken to restore OPERABLE status within 7 days. During this time period, the remaining OPERABLE train is adequate to perform the Fuel Handling Building Post-Accident Cleanup Filter System function. The 7 day Completion Time is reasonable, based on the risk from an event occurring requiring the inoperable Fuel Handling Building Post-Accident Cleanup Filter System train, and ability of the operable train to provide the required protection.

B.1 and B.2

When Required Action A.1 cannot be completed within the required Completion Time during movement of irradiated fuel in the fuel building, the OPERABLE Fuel Handling Building Post-Accident Cleanup Filter System train must be started immediately or fuel movement suspended. This action ensures that the remaining train is OPERABLE, that no undetected failures preventing system operation will occur, and that any active failure will be readily detected.

Operation of the FHB normal HVAC system in parallel with one operating PACFS unit and the other unit inoperable is permissible provided both radiation monitors RT-7823 and 7822 and their associated circuitry remain OPERABLE.

If the system is not placed in operation, this action requires suspension of fuel movement, which precludes a fuel handling accident. This does not preclude the movement of fuel to a safe position.

SAN ONOFRE--UNIT 3 B 3.7-65 Amendment No. 116 12/17/98

Fuel Handling Building Post-Accident Cleanup Filter System B 3.7.14

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.14.3

This SR verifies that each Fuel Handling Building Post-Accident Cleanup Filter System train starts and operates on an actual or simulated actuation signal. The 24 month Frequency is consistent with that specified in Reference 5.

REFERENCES

1. UFSAR, Section 6.5.1.
2. UFSAR, Section 9.4.3.1.
3. UFSAR, Section 15.7.3.4.
4. Regulatory Guide 1.25.
5. Regulatory Guide 1.52.
6. UFSAR, Section 15.7.3.6.

SAN ONOFRE--UNIT 3 B 3.7-67 Amendment No. 116 12/17/98

Fuel Storage Pool Water Level B 3.7.16

B 3.7 PLANT SYSTEMS

B 3.7.16 Fuel Storage Pool Water Level

BASES

BACKGROUND

The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the UFSAR, Section 9.1.2, Reference 1, and the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given in the UFSAR, Section 15.7.3.4 and 15.7.3.6 (Ref. 3 and Ref. 6).

APPLICABLE SAFETY ANALYSES

The minimum water level in the fuel storage pool meets the assumptions of the fuel handling accident described in Regulatory Guide 1.25 (Ref. 4). The resultant 2 hour thyroid dose to a person at the exclusion area boundary is a small fraction of the 10 CFR 100 (Ref. 5) limits.

According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface for a fuel handling accident. With this 23 ft of water, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle, dropped and lying horizontally on top of the spent fuel racks, there would be < 23 ft of water above the top of the bundle.

However, when the potential of a dropped fuel assembly exists (which is when fuel is being moved) a water level is maintained that would ensure that there would be >23 feet above the fuel assembly laying on top of the racks. This increased water level is required by LCO 3.9.6 when the fuel storage pool is connected to the refueling cavity and by station procedures whenever fuel is being moved.

SAN ONOFRE--UNIT 3 B 3.7-68 Amendment No. 116 10/13/98

Fuel Storage Pool Water Level B 3.7.16

BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

The fuel storage pool water level satisfies Criterion 3 of the NRC Policy Statement.

LCO

The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel storage and movement within the fuel storage pool.

APPLICABILITY

This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool since the potential for a release of fission products exists.

ACTIONS

A.1

Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the initial conditions for an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended. This effectively precludes a spent fuel handling accident from occurring. This does not preclude moving a fuel assembly to a safe position.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

SAN ONOFRE--UNIT 3 B 3.7-69 Amendment No. 116 10/13/98

Fuel Storage Pool Water Level B 3.7.16

BASES

SURVEILLANCE REQUIREMENTS

SR 3.7.16.1

This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage pool must be checked periodically. The 7 day Frequency is appropriate because the volume in the pool is normally stable. Water level changes are controlled by unit procedures and are acceptable, based on operating experience.

During refueling operations, the level in the fuel storage pool is at equilibrium with that of the refueling canal, and the level in the refueling canal is checked daily in accordance with LCO 3.9.6, "Refueling Water Level."

REFERENCES

1. UFSAR, Section 9.1.2.
2. UFSAR, Section 9.1.3.
3. UFSAR, Section 15.7.3.4.
4. Regulatory Guide 1.25.
5. 10 CFR 100.11.
6. UFSAR, Section 15.7.3.6.

SAN ONOFRE--UNIT 3 B 3.7-70 Amendment No. 116 10/13/98

AC Sources-Operating B 3.8.1

BASES

ACTIONS

A.2 (continued)

systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.2 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 17 day Completion Time means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.

As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition A.

B.1

To ensure a highly reliable power source remains when one of the required DGs is inoperable, it is necessary to verify

SAN ONOFRE--UNIT 3 B 3.8-6 Amendment No. 116 09/28/98

AC Sources-Operating B 3.8.1

BASES

ACTIONS

B.4 (continued)

An augmented analysis using the methodology set forth in Reference 16 provides a series of deterministic and probabilistic justifications and supports continued operations in Condition B for a period that should not exceed 14 days.

In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 20 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

As required by Section 5.5.2.14, a Configuration Risk Management Program is implemented in the event of Condition B.
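The interaction of the two Completion Times described for Required Actions A.2 and B.4 can be worked through on a timeline. The following is an added example, not part of the licensee's document: the event-log format, the function name, and the constructed timeline are assumptions, while the 72 hour, 14 day, and 17 day values are the ones stated in these Bases.

```python
from datetime import datetime, timedelta

# Completion Times stated in the Bases for LCO 3.8.1.
CONDITION_OF = {"offsite": "A", "dg": "B"}       # which Condition each source maps to
CONDITION_LIMIT = {"A": timedelta(hours=72),     # Required Action A.2
                   "B": timedelta(days=14)}      # Required Action B.4
OVERALL_LIMIT = timedelta(days=17)               # second Completion Time, from "time zero"


def governing_deadlines(events):
    """Replay a log of (time, source, state) tuples (hypothetical format).

    source is "offsite" or "dg"; state is "inoperable" or "operable".
    Returns one record per Condition entry with both Completion Times and
    the more restrictive one. Actions that apply only when two sources are
    inoperable at once are outside this excerpt and are not modelled.
    """
    inoperable = {}    # source -> time its Condition was entered
    time_zero = None   # when the LCO was initially not met (contiguous occurrence)
    records = []
    for when, source, state in sorted(events, key=lambda e: e[0]):
        if source not in CONDITION_OF:
            raise ValueError(f"unknown source: {source}")
        if state == "inoperable":
            if source in inoperable:
                continue                      # already in this Condition
            if not inoperable:
                time_zero = when              # a new occurrence starts the 17 day clock
            inoperable[source] = when
            condition = CONDITION_OF[source]
            by_condition = when + CONDITION_LIMIT[condition]
            by_overall = time_zero + OVERALL_LIMIT
            records.append({
                "condition": condition,
                "entered": when,
                "time_zero": time_zero,
                "by_condition": by_condition,
                "by_overall": by_overall,
                # "AND" connector: both apply, the more restrictive governs.
                "deadline": min(by_condition, by_overall),
                "limited_by": "condition" if by_condition <= by_overall else "overall",
            })
        elif state == "operable":
            inoperable.pop(source, None)
            if not inoperable:
                time_zero = None              # LCO met again; the next failure resets the clock
        else:
            raise ValueError(f"unknown state: {state}")
    return records


# Constructed timeline (sample data, not plant records).
T0 = datetime(1999, 1, 1)
TIMELINE = [
    (T0, "offsite", "inoperable"),                                # Condition A, time zero
    (T0 + timedelta(hours=71), "dg", "inoperable"),               # Condition B before A exits
    (T0 + timedelta(hours=72), "offsite", "operable"),
    (T0 + timedelta(days=16), "offsite", "inoperable"),           # A re-entered, LCO still not met
    (T0 + timedelta(days=16, hours=1), "dg", "operable"),
    (T0 + timedelta(days=16, hours=12), "offsite", "operable"),   # LCO met
    (T0 + timedelta(days=30), "dg", "inoperable"),                # new occurrence
]

if __name__ == "__main__":
    for rec in governing_deadlines(TIMELINE):
        print(rec["condition"], rec["entered"], "->", rec["deadline"], rec["limited_by"])
```

In the third entry the 72 hour clock alone would run to day 19, but the 17 day limit counted from the initial failure to meet the LCO governs, which is the alternating-outage case the second Completion Time is written to bound.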

SAN ONOFRE--UNIT 3 B 3.8-9 Amendment No. 116 09/28/98

AC Sources-Operating B 3.8.1

BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.1.12 (continued)

The Frequency of 24 months is consistent with Regulatory Guide 1.9 (Ref. 3), takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.1.13

This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ESF actuation test signal in accordance with Reference 3.

The critical protective functions (engine overspeed, generator differential current, and low-low lube oil pressure), which trip the DG to avert substantial damage to the DG unit, are not bypassed. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The 24 month Frequency is based on engineering judgment, taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SAN ONOFRE--UNIT 3 B 3.8-22 Amendment No. 116 12 1 96 Reissued 01 0 98

AC Sources-Operating B 3.8.1

BASES

REFERENCES (continued)

5. UFSAR, Chapter 15.
6. Regulatory Guide 1.93, Rev. 0.
7. Generic Letter 84-15.
8. 10 CFR 50, Appendix A, GDC 18.
9. Regulatory Guide 1.108, Rev. 1.
10. Regulatory Guide 1.137, Rev. 1.
11. ANSI C84.1-1982.
12. ASME, Boiler and Pressure Vessel Code, Section XI.
13. IEEE Standard 308-1978.
14. Draft Regulatory Guide DG-1021, April 1992.
15. 10 CFR 50.63(a)(3)(ii) as published in Federal Register Vol. 57, No. 77 page 14517, April 21, 1992.
16. CE NPSD-996, "CEOG Joint Applications Report for Emergency Diesel Generator AOT Extension," May 1995.

SAN ONOFRE--UNIT 3 B 3.8-29 Amendment No. 116 09/28/98

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3

BASES

BACKGROUND (continued)

Each DG is equipped with two air start systems which are independent and redundant. Each air start system has adequate capacity for five successive start attempts on the DG without recharging the air start receivers.

APPLICABLE SAFETY ANALYSES

The initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 4), and in the UFSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for LCO Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, and the air start subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of the NRC Policy Statement.

LCO

Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for 7 days.

This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers.

SAN ONOFRE--UNIT 3 B 3.8-37 Amendment No. 116 1/21/98

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3

BASES

ACTIONS

D.d (continued)

acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend.

Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.

Ed

With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.

Ed

With starting air receiver pressure < 175 psig, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is ≥ 136 psig, there is adequate capacity for at least one start attempt. In the event the redundant air start system is out of service, the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit.

A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts

SAN ONOFRE--UNIT 3 B 3.8-40 Amendment No. 116 1/21/98

DC Sources-Operating B 3.8.4

B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.4 DC Sources-Operating

BASES

BACKGROUND

The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters).

As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).

The 125 VDC electrical power system consists of four independent and redundant safety related Class 1E DC electrical power subsystems (Train A, Train B, Train C and Train D). Each subsystem consists of one 125 VDC battery, a battery charger for the battery, and all the associated control equipment and interconnecting cabling.

During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.

Train A and Train B 125 VDC electrical power subsystems provide control power for the 4.16 KV switchgear and 480 V load center AC load groups A and B, Diesel generator A and B control systems, and Train A and B control systems, respectively. Train A and Train B DC subsystems also provide DC power to the Train A and Train B inverters, as well as to Train A and Train B DC valve actuators, respectively.

Train C and Train D 125 VDC electrical power subsystems provide power for NSSS control power and DC power to Train C and Train D inverters, respectively, as well as to the inverters for the two redundant shutdown cooling system suction valves. Train C DC subsystem also provides DC power to the Auxiliary Feedwater Pump inlet valve HV-4716 and the AFWP electric governor.

SAN ONOFRE--UNIT 3 B 3.8-46 Amendment No. 116 01/22/99

DC Sources-Operating B 3.8.4

BASES

BACKGROUND (continued)

Train C DC subsystem also provides DC power to both Train A and Train C loads when Trains A and C are manually cross-connected during Modes 5 and 6 to allow the Train A DC bus to be operable during Train A battery replacement and/or testing, or when required during a station blackout event. With two DC subsystems manually cross-connected, only Train C subsystem consists of its battery and charger, Train A subsystem has been stripped of its battery to meet the operability of the combined crosstie. During cross-connection operation either Train A or Train C battery charger can be used to power Train A and Train C DC Buses with Train C battery breaker closed.

Train D DC subsystem also provides DC power to both Trains B and D subsystem loads when Trains B and D DC subsystems are manually cross-connected during Modes 5 and 6 to allow the Train B DC bus to be operable during Train B battery replacement and/or testing, or when required during a station blackout event. With two DC subsystems manually cross-connected, only Train D subsystem consists of its battery and charger, Train B subsystem has been stripped of its battery to meet the operability of the combined crosstie. During cross-connection operation either Train B or Train D battery charger can be used to power Train B and Train D DC Buses with Train D battery breaker closed.

The DC power distribution system is described in more detail in the Bases for LCO 3.8.9, "Distributions System Operating," and for LCO 3.8.10, "Distribution Systems - Shutdown."

The batteries for Trains A and B each has adequate storage capacity to carry the required loads continuously for at least 90 minutes without support of a battery charger. The batteries for Trains C and D can carry the required loads continuously for at least 8 hours as discussed in the UFSAR, Chapter 8 (Ref. 4).

Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between

SAN ONOFRE--UNIT 3 B 3.8-47 Amendment No. 116 01/22/99

DC Sources-Operating B 3.8.4

BASES

BACKGROUND (continued)

redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels except when 125 VDC Trains A and C or B and D are manually cross-connected during Modes 5 and 6, or when required during a station blackout event.

The batteries for Trains A, B, C, and D DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. Battery size is based on 125% of required capacity. The voltage limit is 2.13 V per cell. The criteria for sizing large lead storage batteries are defined in IEEE-485 (Ref. 5).

SAN ONOFRE--UNIT 3 B 3.8-47a Amendment No. 116 01/22/99

DC Sources-Operating B 3.8.4

BASES

LCO (continued)

An OPERABLE DC electrical power subsystem requires the required battery and charger to be operating and connected to the associated DC bus.

APPLICABILITY

The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources-Shutdown."

ACTIONS

A.1

Condition A represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2 hour limit is consistent with the allowed time for an inoperable DC distribution system train.

If one of the required battery banks is inoperable, then its associated DC electrical power subsystem is inoperable. The remaining DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure would, however, result in the loss of two of the remaining 125 VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 8) and reflects

SAN ONOFRE--UNIT 3 B 3.8-49 Amendment No. 116 01/22/99

DC Sources-Operating B 3.8.4

BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.4.4 and SR 3.8.4.5 (continued)

These Surveillances are consistent with IEEE-450 (Ref. 9), which recommend cell to cell and terminal connection resistance measurement. The 24 month surveillance frequency is consistent with the existing licensing basis and is intended to be consistent with expected fuel cycle lengths.

SR 3.8.4.6

This SR requires that each battery charger be capable of supplying at least 300 amps and ≥ 129 V for ≥ 12 hours. These requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 10), the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensure that these requirements can be satisfied.

The Surveillance Frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR.

SR 3.8.4.7

A battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements.

The Surveillance Frequency of 24 months is consistent with the recommendations of Regulatory Guide 1.32 (Ref. 10) and Regulatory Guide 1.129 (Ref. 11), which state that the battery service test should be performed during refueling

SAN ONOFRE--UNIT 3 B 3.8-53 Amendment No. 116 01/22/99

DC Sources-Operating B 3.8.4

BASES

SURVEILLANCE REQUIREMENTS

SR 3.8.4.7 (continued)

operations, or at some other outage, with intervals between tests not to exceed 24 months.

This SR is modified by three Notes. Note 1 allows the once per 48 months performance of SR 3.8.4.8 in lieu of SR 3.8.4.7. This substitution is acceptable because SR 3.8.4.8 represents a more severe test of battery capacity than does SR 3.8.4.7. The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Note 3 acknowledges that credit may be taken for unplanned events that satisfy this SR.

If for any reason a battery has to undergo both service and performance tests, one following the other during a refueling outage, then the battery shall complete the service test first. Recharging of the battery is required before the performance test is conducted. The "as found" condition prior to the performance test will be the state the battery is in immediately before the performance test.

Here at SONGS, two spare cells are normally maintained qualified by installing them on the same seismic rack where 58 active cells reside, kept on float charge and inspected by regular Preventive Maintenance (PM). These spare cells are included in the main bank during service and performance tests to demonstrate their adequacy under the configuration conditions that would be present if they were required for use. Adding the spare cell(s) to the tests may create a 59 or 60 cell configuration and the service test results are adjusted by subtracting the spare cell(s) voltage contribution to the overall bank voltage at the end of discharge. This voltage adjustment is not necessary for the performance test. In addition, to meet the definition of "as found" for the test configuration and further demonstrate that the test results are not affected by the addition of the spare cells, "before" and "after" micro-ohmmeter readings of the intercell connections at the insertion point will be taken. It is expected there will be a change in the connection resistance. As it was stated above, however, it will have a negligible effect on the test results.

SAN ONOFRE--UNIT 3 B 3.8-54 Amendment No. 116 08/05/98

DC Sources -Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.8 REQUIREMENTS (continued) A battery performance test is a test of constant current capacity of a battery, normally done in the "as found" condition, after having been in service, to detect any change in the capacity determined by the acceptance test.

The test is intended to determine overall battery degradation due to age and usage.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Surveillance Frequency for this test is 60 months, or every 12 months if the battery shows degradation or has reached 85% of its expected life. Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating. These frequencies are consistent with the recommendations in IEEE-450 (Ref. 9).

This SR is modified by two Notes. The reason for Note 1 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.

Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR.

If for any reason a battery has to undergo both service and performance tests, one following the other during a refueling outage, then the battery shall complete the service test first. Recharging of the battery is required before the performance test is conducted. The "as found" condition prior to the performance test will be the state the battery is in immediately before the performance test.

Here at SONGS, two spare cells are normally maintained qualified by installing them on the same seismic rack where 58 active cells reside, kept on float charge and inspected by regular Preventive Maintenance (PM). These spare cells are included in the main bank during service and performance tests to demonstrate their adequacy under the configuration conditions that would be present if they were

(continued)

SAN ONOFRE--UNIT 3 B 3.8-55 Amendment No. 116 08/05/98

DC Sources-Operating B 3.8.4

BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.8.4.8 (continued)

required for use. Adding the spare cell(s) to the tests may create a 59 or 60 cell configuration and the service test results are adjusted by subtracting the spare cell(s) voltage contribution to the overall bank voltage at the end of discharge. This voltage adjustment is not necessary for the performance test. In addition, to meet the definition of "as found" for the test configuration and further demonstrate that the test results are not affected by the addition of the spare cells, "before" and "after" micro-ohmmeter readings of the intercell connections at the insertion point will be taken. It is expected there will be a change in the connection resistance. As it was stated above, however, it will have a negligible effect on the test results.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 17.
2. Regulatory Guide 1.6, March 10, 1971.
3. IEEE-308-1978.
4. UFSAR, Chapter 8.
5. IEEE-485-1983, June 1983.
6. UFSAR, Chapter 6.
7. UFSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9. IEEE-450-1980.
10. Regulatory Guide 1.32, February 1977.
11. Regulatory Guide 1.129, April 1977.

SAN ONOFRE--UNIT 3 B 3.8-55a Amendment No. 116 08/05/98

Containment Penetrations B 3.9.3

B 3.9 REFUELING OPERATIONS

B 3.9.3 Containment Penetrations

BASES

BACKGROUND

During CORE ALTERATIONS or movement of fuel assemblies within containment with irradiated fuel in containment, a release of fission product radioactivity within the containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. The LCO requirements are referred to as "containment closure" rather than "containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J, Option B leakage criteria and tests are not required.

The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained well within the requirements of 10 CFR 100.

Additionally, the containment structure provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of shutdown when containment

(continued)

SAN ONOFRE--UNIT 3 B 3.9-9 Amendment No. 116 12/1/98


SDC and Coolant Circulation-High Water Level B 3.9.4

BASES (continued)

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One loop of the SDC System is required to be operational in MODE 6, with the water level ≥ 20 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing of the SDC pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SDC pump does not result in a challenge to the fission product barrier.

SDC and Coolant Circulation-High Water Level satisfies Criterion 3 of the NRC Policy Statement.

LCO

Only one SDC loop is required for decay heat removal in MODE 6, with water level ≥ 20 ft above the top of the reactor vessel flange. Only one SDC loop is required because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one SDC loop must be in operation to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC loop includes an SDC pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature.

(continued)

SAN ONOFRE--UNIT 3 B 3.9-17 Amendment No. 116 06/03/99

SDC and Coolant Circulation-High Water Level B 3.9.4

BASES

LCO (continued)

The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

The LCO is modified by two Notes. With the upper guide structure removed from the reactor vessel, Note 1 allows the required operating SDC loop to be removed from service for up to 2 hours in each 8 hour period, provided that:

a. The maximum RCS temperature is maintained ≤ 140°F.
b. No operations are permitted that would cause a reduction of the RCS boron concentration.
c. The capability to close the containment penetrations with direct access to the outside temperature within the calculated time to boil is maintained.
d. The reactor cavity water level is maintained ≥ 20 feet above the top of the reactor pressure vessel flange, or, for core alterations, ≥ 23 feet above the top of the reactor pressure vessel flange.

This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, RCS to SDC isolation valve testing, and inservice testing of LPSI system components. During this 2 hour period, decay heat is removed by natural convection to the large mass of water in the refueling canal.

Note 2 allows Operations to use a containment spray pump in place of a low pressure safety injection pump to provide shutdown cooling flow.

APPLICABILITY

One SDC loop must be in operation in MODE 6, with the water level ≥ 20 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems (ECCS). SDC loop requirements in MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, are located in LCO 3.9.5, "Shutdown Cooling (SDC) and Coolant Circulation-Low Water Level."

ACTIONS

SDC loop requirements are met by having one SDC loop OPERABLE and in operation, except as permitted in the Note to the LCO.

(continued)

SAN ONOFRE--UNIT 3 B 3.9-18 Amendment No. 116 06/03/99

SDC and Coolant Circulation-High Water Level B 3.9.4

BASES (continued)

ACTIONS (continued)

A.1

If SDC loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur through the addition of water with a lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

A.2

If SDC loop requirements are not met, actions shall be taken immediately to suspend loading irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 20 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase the decay heat load, such as loading a fuel assembly, is a prudent action under this condition.

A.3

If SDC loop requirements are not met, actions shall be i initiated and continued in order to satisfy SDC loop requirements.

A.4

If SDC loop requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment building. The 4 hour or within the calculated time to boil Completion Time allows fixing most SDC problems without incurring the additional action of violating the containment atmosphere.

(continued)

SAN ONOFRE--UNIT 3 B 3.9-19 Amendment No. 116 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5

BASES (continued)

APPLICABLE SAFETY ANALYSES

If the reactor coolant temperature is not maintained below 200°F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to the resulting loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two loops of the SDC System are required to be OPERABLE, and one loop is required to be in operation in MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, to prevent this challenge.

With the reactor vessel head removed and 12 feet of water above the reactor vessel flange and all the specified requirements met, a heat sink is available for core cooling and a method is available to restore the reactor cavity level to 20 feet above the reactor vessel flange. Therefore, in the event of a failure of the operating shutdown cooling loop, adequate time is provided to initiate emergency procedures to cool the core.

SDC and Coolant Circulation-Low Water Level satisfies Criterion 3 of the NRC Policy Statement.

LCO

In MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, both SDC loops must be OPERABLE.

Additionally, one loop of the SDC System must be in operation in order to provide:

a. Removal of decay heat;
b. Mixing of borated coolant to minimize the possibility of a criticality; and
c. Indication of reactor coolant temperature.

An OPERABLE SDC loop consists of an SDC pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end

(continued)

SAN ONOFRE--UNIT 3 B 3.9-22 Amendment No. 116 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5

BASES (continued)

LCO (continued)

temperature. The flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.

This LCO is modified by the Note that allows Operations to use a containment spray pump in place of a low pressure safety injection pump to provide shutdown cooling flow.

or

1) The reactor has been shutdown for at least 6 days.
2) The water level above the reactor vessel flange is 12 feet or greater.
3) The associated loop of Salt Water Cooling (SWC) is OPERABLE and operating.
4) The associated Component Cooling Water (CCW) pump and the CCW swing pump are OPERABLE, and the associated CCW loop is OPERABLE and operating.
5) The Shutdown Cooling system is operating using the containment spray pump, and the associated high pressure safety injection pump and the low pressure safety injection pump are OPERABLE and at ambient temperature, available for injection from the RWST.
6) The RWST contains the volume of water required to raise the level to 20 feet above the reactor vessel flange.
7) The associated Emergency Diesel Generator is Operable.
8) The water temperature of the SDC system is maintained less than 120°F.

APPLICABILITY

Two SDC loops are required to be OPERABLE, and one SDC loop must be in operation in MODE 6, with the water level < 20 ft above the top of the reactor vessel flange, to provide decay heat removal. Requirements for the SDC System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System. MODE 6 requirements, with a water level ≥ 20 ft above the reactor vessel flange, are covered in LCO 3.9.4, "Shutdown Cooling and Coolant Circulation-High Water Level."

(continued)

SAN ONOFRE--UNIT 3 B 3.9-23 Amendment No. 116 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5

BASES (continued)

ACTIONS

A.1 and A.2

When two SDC loops are operable and if one SDC loop becomes inoperable, actions shall be immediately initiated and continued until the SDC loop is restored to OPERABLE status and to operation, or until ≥ 20 ft of water level is established above the reactor vessel flange. When the water level is established at ≥ 20 ft above the reactor vessel flange, the Applicability will change to that of LCO 3.9.4, "Shutdown Cooling and Coolant Circulation-High Water Level," and only one SDC loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1

When one loop of the SDC is operable with requirements 1-8 satisfied and the SDC loop becomes inoperable or any of the 8 requirements are not met, actions shall be immediately initiated to establish a water level > 20 feet above the reactor flange. When the water level is established at > 20 feet above the reactor vessel flange, the applicability will change to that of LCO 3.9.4, "Shutdown Cooling and Coolant Circulation-High Water Level," and only one SDC loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

C.1

If no SDC loop is in operation or no SDC loops are OPERABLE, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by the addition of water with lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

C.2

If no SDC loop is in operation or no SDC loops are OPERABLE, actions shall be initiated immediately and continued without interruption to restore one SDC loop to OPERABLE status and operation. Since the unit is in Conditions A and B

(continued)

SAN ONOFRE--UNIT 3 B 3.9-24 Amendment No. 116 06/03/99

SDC and Coolant Circulation-Low Water Level B 3.9.5

BASES (continued)

ACTIONS

C.2 (continued)

concurrently, the restoration of two OPERABLE SDC loops and one operating SDC loop should be accomplished expeditiously.

C.3

If SDC loop requirements are not met, all containment penetrations to the outside atmosphere must be closed to prevent fission products, if released by a loss of decay heat event, from escaping the containment building. The 4 hour or within the calculated time to boil Completion Time allows fixing most SDC problems without incurring the additional action of violating the containment atmosphere.

SURVEILLANCE REQUIREMENTS

SR 3.9.5.1

This Surveillance demonstrates that one SDC loop is operating and circulating reactor coolant. The flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability and to prevent thermal and boron stratification in the core. In addition, this Surveillance demonstrates that the other SDC loop is OPERABLE.

In addition, during operation of the SDC loop with the water level in the vicinity of the reactor vessel nozzles, the SDC loop flow rate determination must also consider the SDC pump suction requirements. The Frequency of 12 hours is sufficient, considering the flow, temperature, pump control, and alarm indications available to the operator to monitor the SDC System in the control room.

Verification that the required loops are OPERABLE and in operation ensures that loops can be placed in operation as needed, to maintain decay heat and retain forced circulation. The Frequency of 12 hours is considered reasonable, since other administrative controls are available and have proven to be acceptable by operating experience.

REFERENCE

1. UFSAR, Section 7.4.

SAN ONOFRE--UNIT 3 B 3.9-24a Amendment No. 116 06/03/99

Refueling Water Level B 3.9.6

BASES (continued)

APPLICABLE SAFETY ANALYSES (continued)

The applicability statement is modified by a note which allows that the water level may be lowered to a minimum of 23 feet above the top of the fuel for movement of four finger CEAs, coupling and uncoupling of CEA extension shafts or for verifying the coupling and uncoupling.

LCO

A minimum refueling water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits as provided by the guidance of Reference 3.

APPLICABILITY

LCO 3.9.6 is applicable during movement of fuel assemblies or CEAs within the reactor pressure vessel when either the fuel assemblies being moved or the fuel assemblies seated within the reactor pressure vessel are irradiated, and during movement of irradiated fuel assemblies within containment.

A note provides an exception that the water level may be lowered to a minimum of 23 feet above the top of the fuel for movement of four finger CEAs, coupling and uncoupling of CEA extension shafts or for verifying the coupling and uncoupling. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present in containment, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.16, "Fuel Storage Pool Water Level."

ACTIONS

A.1 and A.2

With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving CORE ALTERATIONS or movement of irradiated fuel assemblies shall be suspended immediately to ensure that a fuel handling accident cannot occur.

The suspension of CORE ALTERATIONS and fuel movement shall not preclude completion of movement of a component to a safe position.

(continued)

SAN ONOFRE--UNIT 3 B 3.9-26 Amendment No. 116 10/13/98

Refueling Water Level B 3.9.6

BASES

SURVEILLANCE REQUIREMENTS

SR 3.9.6.1

Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated to result from a fuel handling accident inside containment (Ref. 2).

The Frequency of 24 hours is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls of valve positions, which make significant unplanned level changes unlikely.

REFERENCES

1. Regulatory Guide 1.25, March 23, 1972.
2. UFSAR, Section 15.7.3.9.
3. NUREG-0712, Safety Evaluation Report related to the operation of San Onofre Nuclear Generating Station, Units 2 and 3, February 1981.
4. 10 CFR 100.10.

SAN ONOFRE--UNIT 3 B 3.9-27 Amendment No. 116 10/13/98