Text

Technical Specification Bases Pages
	ML051810150
Person / Time
Site:	Millstone
Issue date:	06/28/2005
From:	; Office of Nuclear Reactor Regulation
To:	;
References
	LBDCR 04-MP2-016
	Download: ML051810150 (43)
	v • d • e

LBDCR 04-MP2-016 February 24, 2005 SAFETY LIMITS BASES:

The conditions for the Thermal Margin Safety Limit curves in figure 2.1-1 to be valid are shown on the figure.

The reactor protective system in combination with the Limiting Conditions for Operation, is designed to prevent any anticipated combination of transient conditions for reactor coolant system temperature, pressure, and THERMAL POWER level that would result in a DNBR below the 95/95 limit for DNB correlation. and preclude the existence of flow instabilities.

2.1.2 REACTOR COOLANT SYSTEM PRESSURE The restriction of this Safety Limit protects the integrity of the Reactor Coolant System from overpressurization and thereby prevents the release of radionuclides contained in the reactor coolant from reaching the containment atmosphere.

The reactor pressure vessel and pressurizer are designed to Section III of the ASME Code for Nuclear Power Plant Components which permits a maximum transient pressure of 110%

(2750 psia) of design pressure. The Reactor Coolant System piping, valves and fittings, are designed to ANSI B3 1.7, Class I which permits a maximum transient pressure of 110% (2750 psia) of component design pressure. The Safety Limit of 2750 psia is therefore consistent with the design criteria and associated code requirements.

The entire Reactor Coolant System is hydrotested at 3125 psia to demonstrate integrity prior to initial operation.

MILLSTONE - UNIT 2 B 2-3 Amendment No. 4, 5 A, 439, 22,

LBDCR 04-MP2-016 February 24, 2005 3/4.0 APPLICABILITY BASES (Con't) limits of ACTION requirements are applicable when this limit expires if the surveillance has not been completed. When a shutdown is required to comply with ACTION requirements, the plant may have entered a MODE in which a new specification becomes applicable. In this case, the time limits of the ACTION requirements would apply from the point in time that the new specification becomes applicable if the requirements of the Limiting Condition for Operation are not met.

Specification 3.0.2 establishes that noncompliance with a specification exists when the requirements of the Limiting Condition for Operation are not met and the associated ACTION requirements have not been implemented within the specified time interval. The purpose of this specification is to clarify that (1) implementation of the ACTION requirements within the specified time interval constitutes compliance with a specification and (2) completion of the remedial measures of the ACTION requirements is not required when compliance with a Limiting Condition of Operation is restored within the time interval specified in the associated ACTION requirements.

Specification 3.0.3 establishes the shutdown ACTION requirements that must be implemented when a Limiting Condition for Operation is not met and the condition is not specifically addressed by the associated ACTION requirements. The purpose of this specification is to delineate the time limits for placing the unit in a safe operation defined by the Limiting Conditions for Operation and its ACTION requirements. It is not intended to be used as an operational convenience which permits (routing) voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable. This time permits the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the cooldown capabilities of the facility assuming only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the primary coolant system and the potential for a plant upset that could challenge safety systems under conditions for which this specification applies.

If remedial measure permitting limited continued operation of the facility under the provisions of the ACTION requirements are completed, the shutdown may be terminated. The time limits of the ACTION requirements are applicable from the point in time it is identified that a Limiting Condition for Operation is not met. Therefore, the shutdown may be terminated if the ACTION requirements have been met or the time limits of the ACTION requirements have not expired, thus providing an allowance for the completion of the required ACTIONS.

MILLSTONE - UNIT 2 D 3/4 0-2 Amendment Nos. Q, 4-54-,

LBDCR 04-MP2-016 February 24,2005 APPLICABILITY BASES (Con't)

When a shutdown is required to comply with ACTION requirements, the provisions of Specification 3.0.4 do not apply because they would delay placing the facility in a lower MODE of operation.

Specification 3.0.5 delineates what additional conditions must be satisfied to permit operation to continue, consistent with the ACTION statements for power sources, when a normal or emergency power source in not OPERABLE. It specifically prohibits operation when one division is inoperable because its normal or emergency power source is inoperable and a system, subsystem, train, component or device in another division is inoperable for another reason.

The provisions of this specification permit the ACTION statements associated with individual systems, subsystems, trains, components, or devices to be consistent with the ACTION statements of the associated electrical power source. It allows operation to be governed by the time limits of the ACTION statement associated with the Limiting Condition for Operation for the normal or emergency power source, not the individual ACTION statements for each system, subsystem, train, component or device that is determined to be inoperable solely because of the inoperability of its normal emergency power source.

For example, Specification 3.8.1.1 requires in part that two emergency diesel generators be OPERABLE. The ACTION statement provides for a 72-hour out-of-service time when one emergency diesel generator is not OPERABLE. If the definition of OPERABLE were applied without consideration of Specification 3.0.5, all systems, subsystems, trains, components and devices supplied by the inoperable emergency power source would also be inoperable. This would dictate invoking the applicable ACTION statement for each of the applicable Limiting Conditions for Operation. However, the provisions of Specification 3.0.5 permit the time limits for continued operation to be consistent with the ACTION statement for the inoperable emergency diesel generator instead, provided the other specified conditions are satisfied. In this case, this would mean that the corresponding normal power source must be OPERABLE, and all redundant systems, subsystems, trains, components, and devices must be OPERABLE, or otherwise satisfy Specification 3.0.5 (i.e., be capable of performing their design function and have at least one normal or one emergency power source OPERABLE). If they are not satisfied, ACTION is required in accordance with this specification.

As a further example, Specification 3.8.1.1 requires in part that two physically independent circuits between the offsite transmission network and the onsite Class IE distribution system be OPERABLE. The ACTION statement provides a 24-hour out-of-service time when both required offsite circuits are not OPERABLE. If the definition of OPERABLE were applied without consideration of Specification 3.0.5, all systems, subsystems, trains, components and devices supplied by the inoperable normal power sources, both of the oftsite circuits, would also be inoperable. This would dictate invoking the applicable ACTION statements for each of the applicable LCOs. However, the provisions of Specification 3.0.5 permit the time limits for continued operation to MILLSTONE - UNIT 2 B 3/4 0-4 Amendment Nos. -M,4-I5,

LBDCR 04-MP2-016 February 24, 2005 BASES (Con't) be consistent with the ACTION statement for the inoperable normal power sources instead, provided the other specified conditions are satisfied. In this case, this would mean that for one division the emergency power source must be OPERABLE (as must be the components supplied by the emergency power source) and all redundant systems, subsystems, trains, components and devices in the other divisions must be OPERABLE, or likewise satisfy Specification 3.0.5 (i.e., be capable of performing their design functions and have an emergency power source OPERABLE).

In other words, both emergency power sources must be OPERABLE and all redundant systems, subsystems, trains, components and devices in both divisions must also be OPERABLE. If these conditions are not satisfied, ACTION is required in accordance with this specification.

In MODES 5 and 6 Specification 3.0.5 is not applicable, and thus the individual ACTION statements for each applicable Limiting Condition for Operation in these MODES must be adhered to.

Specification 3.0.6 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required ACTION(s)) to allow the performance of surveillance requirements to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the allowed surveillance requirements. The Specification does not provide time to perform any other preventive or corrective maintenance.

An example of demonstrating the OPERABILITY of equipment being returned to service is reopening a containment isolation valve that has been closed to comply with the Required ACTIONS and must be reopened to perform the surveillance requirements.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of a surveillance requirement on another channel in the other trip system.

A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of a surveillance requirement on another channel in the same trip system.

MILLSTONE - UNIT 2 B 3/4 0-5 Amendment No. 4151, i4, 234,

LBDCR No. 04-MP2-016 February 24, 2005 BASES ( Con't) possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

Some examples of this process are:

a. Auxiliary feedwater (AFW) pump turbine maintenance during refueling that requires testing at steam pressure > 800 psi. However, if other appropriate testing is satisfactorily completed, the AFW System can be considered OPERABLE. This allows startup and other necessary testing to proceed until the plant reaches the steam pressure required to perform the testing.

b. High pressure safety injection (HPSI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPSI considered OPERABLE.

This allows operation to reach the specified pressure to complete the necessary post maintenance testing.

Specification 4.0.2 This specification establishes the limit for which the specified time interval for Surveillance Requirements may be extended. It permits an allowable extension of the normal surveillance interval to facilitate surveillance scheduling and consideration of plant operating conditions that may not be suitable for conducting the surveillance; e.g., transient conditions or other ongoing surveillance or maintenance activities. It also provides flexibility to accommodate the length of a fuel cycle for surveillances that are performed at each refueling outage and are specified with an 18-month surveillance interval. It is not intended that this provision be used repeatedly as a convenience to extend surveillance intervals beyond that specified for surveillances that are not performed during refueling outages. The limitation of Specification 4.02 is based on engineering judgment and the recognition that the most probable result of any particular surveillance being performed is the verification of conformance with the Surveillance Requirements. This provision is sufficient to ensure that the reliability ensured through surveillance activities is not significantly degraded beyond that obtained from the specified surveillance interval.

Specification 4.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified surveillance interval. A delay period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified surveillance interval, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with Specification 4.0.2, and not at the time that the specified surveillance interval was not met.

This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with ACTION requirements or other remedial measures that might preclude completion of the Surveillance.

MILLSTONE - UNIT 2 .B 3/4 0-5b Amendment No. 2M, 247,

LBDCR 04-MP2-016 February 24, 2005 BASES (Con't)

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance. with a surveillance interval based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations, (e.g., prior to entering MODE I after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, Specification 4.0.3 allows for the full delay period of up to the specified surveillance interval to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

Specification 4.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by ACTION requirements.

Failure to comply with specified surveillance intervals for the Surveillance Requirements is expected to be an infrequent occurrence. Use of the delay period established by Specification 4.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified surveillance interval is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the entry into the ACTION requirements for the applicable Limiting Condition for Operation begins immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and entry into the ACTION requirements for the applicable Limiting Condition for Operation begins immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Allowed Outage Time of the applicable ACTIONS, restores compliance with Specification 4.0.1.

MILLSTONE - UNIT 2 B 3/4 0-6 Amendment No. 2;+,

LBDCR 04-MP2-016 February 24, 2005 BASES 3/4.1.3 MOVEABLE CONTROL ASSEMBLIES (Continued)

The CEA motion inhibit permits CEA motion within the requirements of LCO 3.1.3.6, "Regulating Control Element Assembly (CEA) Insertion Limits," and the CEA deviation circuit prevents regulating CEAs from being misaligned from other CEAs in the group. With the CEA motion inhibit inoperable, a time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed for restoring the CEA motion inhibit to OPERABLE status, or placing and maintaining the CEA drive switch in either the "off' or "manual" position, fully withdrawing all CEAs in group 7 to < 5% insertion. Placing the CEA drive switch in the "off' or "manual" position ensures the CEAs will not move in response to Reactor Regulating System automatic motion commands. Withdrawal of the CEAs to the positions required in the Required ACTION B.2 ensures that core perturbations in local bumup, perking factors, and SHUTDOWN MARGIN will not be more adverse than the Conditions assumed in the safety analyses and LCO setpoint determination. Required ACTION B.2 is modified by a Note indicating that performing this Required ACTION is not required when in conflict with Required ACTIONS A.l or C.1.

Continued operation is not allowed in the case of more than one CEA misaligned from any other CEA in its group by 2 20 steps, or one or more CEAs untrippable. This is because these cases are indicative of a loss of SHUTDOWN MARGIN and power distribution changes, and a loss of safety function, respectively.

OPERABILITY of the CEA position indicators (Specification 3.1.3.3) is required to determine CEA positions and thereby ensure compliance with the CEA alignment and insertion limits and ensures proper operation of the CEA Motion Inhibit and CEA deviation block circuit.

The CEA "Full In" and "Full Out" limit Position Indicator channels provide an additional independent means for determining the CEA positions when the CEAs are at either their fully inserted or fully withdrawn positions. Therefore, the ACTION statements applicable to inoperable CEA position indicators permit continued operations when the positions of CEAs with inoperable position indicators can be verified by the "Full In" or "Full Out" limit Position Indicator channels.

CEA positions and OPERABILITY of the CEA position indicators are required to be verified on a nominal basis of once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months with more frequent verifications required if an automatic monitoring channel is inoperable. These verification frequencies are adequate for assuring that the applicable LCO's are satisfied.

The maximum CEA drop time permitted by Specification 3.1.3.4 is the assumed CEA drop time used in the accident analyses. Measurement with Tavg 2 515'F and with all reactor coolant pumps operating ensures that the measured drop times will be representative of insertion times experienced during a reactor trip at operating conditions.

NULLSTONE - UNIT 2 B 3/4 1-4a Amendment No. , I46, I,

LBDCR 04-MP2-016 February 24, 2005 3/4.2 POWER DISTRIBUTION LIMITS BASES 314.2.1 LINEAR HEAT RATE The limitation on linear heat rate ensures that in the event of a LOCA, the peak temperature of the fuel cladding will not exceed 2200'F.

Either of the two core power distribution monitoring systems, the Excore Detector Monitoring System and the Incore Detector Monitoring System, provide adequate monitoring of the core power distribution and are capable of verifying that the linear heat rate does not exceed its limits. The Excore Detector Monitoring System performs this function by continuously monitoring the AXIAL SHAPE INDEX with two OPERABLE excore neutron flux detectors and verifying that the AXIAL SHAPE INDEX is maintained within the allowable limits specified in the CORE OPERATING LIMITS REPORT using the Power Ratio Recorder. The power dependent limits of the Power Ratio Recorder are less than or equal to the limits specified in the CORE OPERATING LIMITS REPORT. In conjunction with the use of the excore monitoring system and in establishing the AXIAL SHAPE INDEX limits, the following assumptions are made: I) the CEA insertion limits of Specifications 3.1.3.5 and 3.1.3.6 are satisfied, 2) the AZIMUTHAL POWER TILT restrictions of Specification 3.2.4 are satisfied, and 3) the TOTAL UNRODDED INTEGRATED RADIAL PEAKING FACTOR does not exceed the limits of Specification 3.2.3.

The Incore Detector Monitoring System continuously provides a direct measure of the peaking factors and the alarms which have been established for the individual incore detector segments ensure that the peak linear heat rates will be maintained within the allowable limits specified in the CORE OPERATING LIMITS REPORT. The setpoints for these alarms include allowances, set in the conservative direction. The Incore Detector Monitoring System is not used to monitor linear heat rate below 20% of RATED THERMAL POWER. The accuracy of the neutron flux information from the incore detectors is not reliable at THERMAL POWER < 20%

RATED THERMAL POWER.

3/4.2.3 AND 3/4.2.4 TOTAL UNRODDED INTEGRATED RADIAL PEAKING FACTORS FTr..

AND AZIMUTHAL POWER TILT - Tg The limitations on FT r and Tq are provided to 1) ensure that the assumptions used in the analysis for establishing the Linear Heat Rate and Local power Density - High LCOs and LSSS setpoints remain valid during operation at the various allowable CEA group insertion limits, and,

2) ensure that the assumptions used in the analysis establishing the DNB Margin LCO, and Thermal Margin/Low Pressure LSSS setpoints remain valid during operation at the various allowable CEA group insertion limits. If FTr or Tq exceed their basic limitations, operation may continue under the additional restrictions imposed MILLSTONE - UNIT 2 B 3/4 2-1 Amendment No. 39, 52, 422,49, 44, 415,494, 23, -,

LBDCR 04-MP2-016 February 24, 2005 3/4.3 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION The OPERABILITY of the protective and ESF instrumentation systems and bypasses ensure that 1) the associated ESF action and/or reactor trip will be initiated when the parameter monitored by each channel or combination thereof exceeds its setpoint, 2) the specified coincidence logic is maintained, 3) sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance, and 4) sufficient system functional capability is available for protective and ESF purposes from diverse parameters.

The OPERABILITY of these systems is required to provide the overall reliability, redundance and diversity assumed available in the facility design for the protection and mitigation of accident and transient conditions. The integrated operation of each of these systems is consistent with the assumptions used in the accident analyses.

ACTION Statement 2 of Tables 3.3-1 and 3.3-3 requires an inoperable Reactor Protection System (RPS) or Engineered Safety Feature Actuation System (ESFAS) channel to be placed in the bypassed or tripped condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The inoperable channel may remain in the bypassed condition for a maximum of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . While in the bypassed condition, the affected functional unit trip coincidence will be 2 out of 3. After 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , the channel must either be declared OPERABLE, or placed in the tripped condition. If the channel is placed in the tripped condition, the affected functional unit trip coincidence will become 1 out of 3. One additional channel may be removed from service for up to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , provided one of the inoperable channels is placed in the tripped condition.

Plant operation with an inoperable pressurizer high pressure reactor protection channel in the tripped condition is restricted because of the potential inadvertent opening of both pressurizer power operated relief valves (PORVs) if a second pressurizer high pressure reactor protection channel failed while the first channel was in the tripped condition. This plant operating restriction is contained in the Technical Requirements Manual.

The reactor trip switchgear consists of eight reactor trip circuit breakers, which are operated in four sets of two breakers (four channels). Each of the four trip legs consists of two reactor trip circuit breakers in series. The two reactor trip circuit breakers within a trip leg are actuated by separate initiation circuits. For example, if a breaker receives an open signal in trip leg A, an identical breaker in trip leg B will also receive an open signal. This arrangement ensures that power is interrupted to both Control Element Dnve Mechanism buses, thus preventing a trip of only half of the control element assemblies (a half trip). Any one inoperable breaker in a channel will make the entire channel inoperable.

The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards. The periodic surveillance tests performed at the minimum frequencies are sufficient to demonstrate this capability.

The surveillance testing verifies OPERABILITY of the RPS by overlap testing of the four interconnected modules: measurement channels, bistable trip units, RPS logic, and reactor trip circuit breakers. When testing the measurement channels or bistable trip units that provide an automatic reactor trip function, the associated RPS channel will be removed from service, MILLSTONE - UNIT 2 B 3/4 3-1 Amendment No. 467,4-8,498,224, 292

LBDCR 04-MP2-016 February 24, 2005 3/4.3 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION (continued' declared inoperable, and ACTION Statement 2 of Technical Specification 3.3.1.1 entered. When testing the RPS logic (matrix testing), the individual RPS channels will not be affected. Each parameter within each RPS channel supplies three contacts to make up the 6 different logic ladders/ matrices (AB, AC, AD, BC, BD, and CD). During matrix testing, only one logic matrix is tested at a time. Since each RPS channel supplies 3 different logic ladders, testing one ladder matrix at a time will not remove an RPS channel from the overall logic matrix. Therefore, matrix testing will not remove an RPS channel from service or make the RPS channel inoperable. It is not necessary to enter an ACTION statement while performing matrix testing. This also applies when testing the reactor trip circuit breakers since this test will not remove an RPS channel from service or make the RPS channel inoperable.

The ESFAS includes four sensor subsystems and two actuation subsystems for each of the functional units identified in Table 3.3-3. Each sensor subsystem includes measurement channels and bistable trip units. Each of the four sensor subsystem channels monitors redundant and independent process measurement channels. Each sensor is monitored by at least one bistable.

The bistable associated with each ESFAS Function will trip when the monitored variable exceeds the trip setpoint. When tripped, the sensor subsystems provide outputs to the two actuation subsystems.

The two independent actuation subsystems each compare the four associated sensor subsystem outputs. If a trip occurs in two or more sensor subsystem channels, the two-out-of-four automatic actuation logic will initiate one train of ESFAS. An Automatic Test Inserter (ATI), for which the automatic actuation logic OPERABILITY requirements of this specification do not apply, provides automatic test capability for both the sensor subsystems and the actuation subsystems.

The provisions of Specification 4.0.4 are not applicable for the CHANNEL FUNCTIONAL TEST of the Engineered Safety Feature Actuation System automatic actuation logic associated with Pressurizer Pressure Safety.Injection, Pressurizer Pressure Containment Isolation, Steam Generator Pressure Main Steam Line Isolation, and Pressurizer Pressure Enclosure Building Filtration for entry into MODE 3 or other specified conditions. After entering MODE 3, pressurizer pressure and steam generator pressure will be increased and the blocks of the ESF actuations on low pressurizer pressure and low steam generator pressure will be automatically removed. After the blocks have been removed, the CHANNEL FUNCTIONAL TEST of the ESF automatic actuation logic can be performed. The CHANNEL FUNCTIONAL TEST of the ESF automatic actuation logic must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing the appropriate plant conditions, and prior to entry into MODE 2.

The measurement ofresponse time at the specified frequencies provides assurance that the protective and ESF action function associated with each channel is completed within the time limit assumed in the accident analyses. No credit was taken in the analyses for those channels with response times indicated as not applicable. The Reactor Protective and Engineered Safety Feature response times are contained in the Millstone Unit No. 2 Technical Requirements Manual.

Changes to the Technical Requirements Manual require a IOCFR50.59 review as well as a review by the Plant Operations Review Committee.

MILLSTONE - UNIT 2 B 3/43-la Amendment No. 225,20, 24, 2,

LBDCR 04-MP2-016.

February 24, 2005 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (EUSF INSTRUMENTATION (Continued)

SRAS LOGIC MODIFICATION ACTION Statement 4 of Table 3.3-3, which applies only to the SRAS logic, specifies that during surveillance testing the second inoperable channel must also be placed in the bypassed condition. For the SRAS logic, placing the second inoperable channel in the tripped condition (as in ACTION Statement 2) could result in the false generation of a SRAS signal due to an additional failure which causes a trip signal in either of the remaining channels at the onset of a LOCA. The false generation of the SRAS signal leads to unacceptable consequences for LOCA mitigation.

With ACTION Statement 4, during the two-hour period when two channels are bypassed, no additional failure can result in the false generation of the SRAS signal. However, an additional failure that prevents a trip of either of the two remaining channels may prevent the generation of a true SRAS signal while in this ACTION Statement. If no SRAS is generated at the appropriate time, operating procedures instruct the operator to ensure that the SRAS actuation occurs when the refueling water storage tank level decreases. Due to the limited period of vulnerability, and the existence of operator requirements to manually initiate an SRAS if an automatic initiation does not occur, this risk is considered acceptable.

STEAM GENERATOR BLOWDOWN ISOLATION Automatic isolation of steam generator blowdown will occur on low steam generator water level. An auxiliary feedwater actuation signal will also be generated at this steam generator water level. Isolation of steam generator blowdown will conserve steam generator water inventory following a loss of main feedwater.

SENSOR CABINET POWER SUPPLY AUCTIONEERING The auctioneering circuit of the ESFAS sensor cabinets ensures that two sensor cabinets do not de-energize upon loss of a D.C. bus, thereby resulting in the false generation of an SRAS.

Power source VA-10 provides normal power to sensor cabinet A and backup power to sensor cabinet D. VA-40 provides normal power to sensor cabinet D and backup power to cabinet A.

Power sources VA-20 and VA-30 and sensor cabinets B and C are similarly arranged.

If the normal or backup power source for an ESFAS Sensor Cabinet is lost, two sensor cabinets would be supplied from the same power source, but would still be operating with no subsequent trip signals present. However, any additional failure associated with this power source would result in the loss of the two sensor cabinets, consequently generating a false SRAS.

The 48-hour ACTION Statement ensures that the probability of a ACTION Statement and an additional failure of the remaining power source, while in this ACTION Statement is sufficiently small.

MILLSTONE - UNIT 2 B 3/4 3-2 Amendment No. i, A, 26, I,

LBDCR 04-MP2-016 February 24, 2005 BASES(Continued) 3/4.3.3 MONITORING INSTRUMENTATION 3/4.3.3.1 RADIATION MONITORING INSTRUMENTATION The OPERABILITY of the radiation monitoring channels ensures that 1) the radiation levels are continually measured in the areas served by the individual channels and 2) the alarm or automatic action is initiated when the radiation level trip setpoint is exceeded.

The analysis for a Steam Generator Tube Rupture Event and for a Millstone Unit No. 3 Loss of Coolant Accident credits the control room ventilation inlet duct radiation monitors with closure of the Unit 2 control room isolation dampers. In the event of a single failure in either channel (1 per train), the control room isolation dampers automatically close. The response time test for the control room isolation dampers includes signal generation time and damper closure.

The response time for the control room isolation dampers is maintained within the applicable I facility surveillance procedure.

The containment airborne radiation monitors (gaseous and particulate) provide early indication of leakage from the Reactor Coolant System as specified in Technical Specification 3.4.6.1.

MILLSTONE - UNIT 2 B3/43-2a Amendment No. 4-5, 4-, 2I, 2, 24 2K, 2M,

LBDCR 04-MP2-016 February 24, 2005 INSTRUMENTATION BASES 3/4.3.3.9 - DELETED 3/4.3.3.10 - DELETED 3/4.3.4 Containment Purge Valve Isolation Signal A high airborne radioactivity level inside containment will be detected by the containment airborne radiation monitors (gaseous and particulate). The actuation logic for this function is one out of four. High radioactivity inside containment,'detected by any one of the four radiation detectors (two gaseous and two particulate), will automatically isolate containment PURGE.

An OPERABLE system consists of at least one gaseous and particulate radiation detector and the associated automatic logic train. An actuation logic train consists of the detectors, associated microprocessors, and the associated logic circuits up to and including the Engineered Safeguards Actuation System system actuation module.

These radiation monitors provide an automatic closure signal to the containment purge valves upon detection of high airborne radioactivity levels inside containment. The maximum allowable trip value for these monitors corresponds to calculated concentrations at the site boundary which would not exceed the concentrations listed in 10 CFR Part 20, Appendix B, Table II. Exposure for a year to the concentrations in 10 CFR Part 20, Appendix B, Table II, corresponds to a total body dose to an individual of 500 mrem, which is well below the guidelines of 10 CFR Part 100 for an individual at any point on the exclusion area boundary for two hours.

Determination of the monitor's trip value in counts per minute, which is the actual instrument response, involves several factors including: 1) the atmospheric dispersion (x/Q), 2) isotopic composition of the sample, 3) sample flow rate, 4) sample collection efficiency, 5) counting efficiency, and 6) the background radiation level at the detector. The x/Q of 5.8 x 10-6 sec/m3 is the highest annual average x/Q estimated for the site boundary (0.48 miles in the NE sector) for vent releases from the containment and 7.5 x 10-8 sec/m3 is the highest annual average x/Q estimated for an off-site location (3 miles in the NNE sector) for releases from the Unit 1 stack. This calculation also assumes that the isotopic composition is xenon-133 for gaseous radioactivity and cesium-I 37 for particulate radioactivity (Half Lives greater than 8 days). The upper limit of 5 x 105 cpm is approximately 90 percent of full instrument scale.

MILLSTONE - UNIT 2 B 3/43-6 Amendment No. 4-04,45, M2, 284,

LBDCR 2-4-03 May 20, 2004 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

In MODE 5, two OPERABLE SDC trains require 2 SDC pumps, 2 SDC heat exchangers, 2 RBCCW pumps, 2 RBCCW heat exchangers, and 2 SW pumps. In addition, 2 RBCCW headers are required to provide cooling to the SDC heat exchangers, but only 1 SW header is required to support the SDC trains. The equipment specified is sufficient to address a single active failure of the SDC System and associated support systems.

The operation of one Reactor Coolant Pump or one shutdown cooling pump provides adequate flow to ensure mixing, prevent stratification and produce gradual reactivity changes during boron concentration reductions in the Reactor Coolant System. The reactivity change rate associated with boron reductions will, therefore, be within the capability of operator recognition and control.

The restrictions on starting a Reactor Coolant Pump in MODE 4 with one or more RCS cold legs < 2750 F and in MODE 5 are provided to prevent RCS pressure transients, caused by energy additions from the secondary system, which could exceed the limits of Appendix G to 10 CFR Part 50. The RCS will be protected against overpressure transients and will not exceed the limits of Appendix G by:

1. Restricting pressurizer water volume to ensure sufficient steam volume is available to accommodate the insurge;

2. Restricting pressurizer pressure to establish an initial pressure that will ensure system pressure does not exceed the limit; and

3. Restricting primary to secondary system delta-T to reduce the energy addition from the secondary system.

If these restrictions are met, the steam bubble in the pressurizer is sufficient to ensure the Appendix G limits will not be exceeded. No credit has been taken for PORV actuation to limit RCS pressure in the analysis of the energy addition transient.

The limitations on pressurizer water level, pressurizer pressure, and primary to secondary delta-T are necessary to ensure the validity of the analysis of the energy addition due to starting an RCP.

The values for pressurizer water level and pressure can be obtained from control room indications. The primary to secondary system delta-T can be obtained from Shutdown Cooling (SDC) System outlet temperature and the saturation temperature for indicated steam generator pressure. If there is no indicated steam generator pressure, the steam generator shell temperature indicators can be used. If these indications are not available, other appropriate instrumentation can be used.

The RCP starting criteria values for pressurizer water level, pressurizer pressure, and primary to secondary delta-T contained in Technical Specifications 3.4.1.3, 3.4.1.4 and 3.4.1.5 have not been adjusted for instrument uncertainty. The values for these parameters contained in the procedures that will be used to start an RCP have been adjusted to compensate for instrument uncertainty.

MILLSTONE - UNIT 2 B 3/4 4-lb Amendment No. 0, 66,69, 49,214-,

248,24,

LBDCR No. 2-4-03 May 20,2004 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

The value of RCS cold leg temperature (* 275 0F ) used to determine if the RCP start criteria applies, will be obtained from SDC return temperature if SDC is in service. If SDC is not in service, or natural circulation is occurring, RCS cold leg temperature will be used.

Average Coolant Temperature (Tavg) values are derived under the following 3 plant conditions, using the designated formula as appropriate for use in Unit 2 operating procedures.

RCP Operation: (Tcoldi + TCold2 + Thoti + Thot2) / 4 = Tavg e Natural circulation only flow: (Tcoldl + Tcold2 + Thoti + Thot2) / 4 = T avg

SDC flow greater than 1000 gpm: (SDCoutlet + SDCinlet) /2 = Tavg (exception: Tavg is not expected to be calculated by this definition during the initial portion of the initiation phase of SDC. The transition point from loop temperature average to SDC system average during cooldowns is when T351Y decreases below Loop Tcold)

During operation with one or more Reactor Coolant Pumps (RCPs) providing forced flow and during natural circulation conditions, the loop Resistance Temperature Detectors (RTDs) represent the inlet and outlet temperatures of the reactor and hence the average temperature of the water that the reactor is exposed to. This holds during concurrent RCP/SDC operation also.

During Shutdown Cooling (SDC) only operation, there is no significant flow past the loop RTDs. Core inlet and outlet temperatures are accurately measured during those conditions by using T351Y, SDC return to RCS temperature indication, and T351X, RCS to SDC temperature indication. The average of these two indicators provides a temperature that is equivalent to the average RCS temperature in the core.

During the transition from Steam Generator (SG) and SDC heat removal to SDC only heat removal, actual core average temperature results from a mixture of both SDC flow and loop flow from natural circulation. This condition occurs from the time SDC cooling is initiated until SG steaming process stops removing heat. The temperature of this mixture cannot be measured or calculated. However, the average of the SDC temperatures is still appropriate for use. This provides a straightforward process for determining Tavg.

MILLSTONE - UNIT 2 B 3/4 4-lc Amendment No. , 66, 69, 49, 24-l,

-248,2-49,

LBDCR 04-MP2-016 February 24, 2005 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

During some transient conditions, such as heatups on SDC, the value calculated by this average definition will be slightly higher than the actual core average. During other transients, such as cooldowns where SG heat removal is still taking place causing some natural circulation flow, the value calculated by the average definition will be slightly lower than actual core average conditions. For the purpose of determining MODE changes and technical specification I applicability, these transient condition results are conservative.

Technical Specification 3.4.1.6 limits the number of reactor coolant pumps that may be operational during MODE 5. This will limit the pressure drop across the core when the pumps are operated during low-temperature conditions. Controlling the pressure drop across the core will maintain maximum RCS pressure within the maximum allowable pressure as calculated in Code Case No. N-5 14. Limiting two reactor coolant pumps to operate when the RCS cold leg temperature is less than 1200 F, will ensure that the requirements of 10 CFR 50 Appendix G are not exceeded. Surveillance 4.4.1.6 supports this requirement.

3/4.4.2 SAFETY VALVES The pressurizer code safety valves operate to prevent the RCS from being pressurized above its Safety Limit of 2750 psia. Each safety valve is designed to relieve 296,000 lbs per hour of saturated steam at the valve setpoint. The relief capacity of a single safety valve is adequate to relieve any overpressure condition which could occur during shutdown. If any pressurizer code safety valve is inoperable, and cannot be restored to OPERABLE status, the ACTION statement I requires the plant to be shut down and cooled down such that Technical Specification 3.4.9.3 will become applicable and require the Low Temperature Overpressure Protection System to be placed in service to provide overpressure protection.

MILLSTONE - UNIT 2 B 3/4 4-ld Amendment No. -O,66, 69, 49, 24-9, 4, 249,

LBDCR 04-MP2-016 February 24, 2005 3/4.4 REACTOR COOLANT SYSTEM BASES During operation, all pressurizer code safety valves must be OPERABLE to prevent the RCS from being pressurized above its safety limit of 2750 psia. The combined relief capacity of these valves is sufficient to limit the Reactor Coolant System pressure to within its Safety Limit of 2750 psia following a complete loss of turbine generator load while operating at RATED THERMAL POWER and assuming no reactor trip until the first Reactor Protective System trip setpoint (Pressurizer Pressure-High) is reached (i.e., no credit is taken for a direct reactor trip on the loss of turbine) and also assuming no operation of the pressurizer power operated relief valve or steam dump valves.

3/4.4.3 RELIEF VALVES The power operated relief valves (PORVs) operate to relieve RCS pressure below the setting of the pressurizer code safety valves. These relief valves have remotely operated block valves to provide a positive shutoff capability should a relief valve become inoperable. The electrical power for both the relief valves and the block valves is capable of being supplied from an emergency power source to ensure the ability to seal this possible RCS leakage path.

The PORVs are also used for low temperature overpressure protection when the RCS is cooled down to or below 275'F. This is covered by Technical Specification 3.4.9.3 and discussed in the respective Bases section. The discussion below only addresses the PORVs in MODES 1, 2 and 3.

With the PORV inoperable and capable of being manually cycled, either the PORV must be restored, or the flow path isolated within I hour. The block valve should be closed, but the power must be maintained to the associated block valve, since removal of power would render the block valve inoperable. Although the PORV may be designated inoperable, it may be able to be manually opened and closed and in this manner can be used to perform its function. PORV inoperability may be due to seat leakage, instrumentation problems, automatic control problems, or other causes that do not prevent manual use and do not create a possibility for a small break LOCA. Operation of the plant may continue with the PORV in this inoperable condition for a limited period of time not to exceed the next refueling outage, so that maintenance can be performed on the PORVs to eliminate the degraded condition. The PORVs should normally be available for automatic mitigation of overpressure events when the plant is at power.

Quick access to the PORV for pressure control can be made when power remains on the closed block valve.

If one block valve is inoperable, then it must be restored to OPERABLE status, or the associated PORV prevented from opening automatically. The prime importance for the capability to maintain closed the block valve is to isolate a stuck open PORV. Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the required ACTION is to prevent the associated PORV from automatically opening for an overpressure event and to avoid the potential for a MILLSTONE - UNIT 2 B 3/4 4-2 Amendment No. 50, 66,69, 49, 24-,

LBDCR 04-MP2-016 February 24, 2005 REACTOR COOLANT SYSTEM BASES evidence of mechanical damage or progressive degradation due to design, manufacturing errors, or inservice conditions that lead to corrosion. Inservice inspection of steam generator tubing also provides a means of characterizing the nature and cause of any tube degradation so that corrective measures can be taken.

The plant is expected to be operated in a manner such that the secondary coolant will be maintained within those chemistry limits found to result in negligible corrosion of the steam generator tubes. If the secondary coolant chemistry is not maintained within these limits, localized corrosion may likely result in stress corrosion cracking.

The extent of cracking during plant operation would be limited by the limitation of steam generator tube leakage between the primary coolant system and the secondary coolant system (primary-to-secondary leakage = 0.035 GPM, per steam generator). Cracks having a primary-to-secondary leakage less than this limit during operation will have an adequate margin of safety to withstand the loads imposed during normal operation and by postulated accidents. Operating plants have demonstrated that primary-to-secondary leakage of 0.035 gallon per minute can readily be detected by radiation monitors of steam generator blowdown. Leakage in excess of this limit will require plant shutdown and an unscheduled inspection, during which the leaking tubes will be located and plugged.

Wastage-type defects are unlikely with proper chemistry treatment of the secondary coolant. However, even if a defect should develop in service, it will be found during scheduled inservice steam generator tube examinations. Plugging or sleeving will be required for all tubes with imperfections exceeding the plugging limit of 40% of the tube nominal wall thickness.

Sleeving repair will be limited to those steam generator tubes with a defect between the tube sheet and the first eggcrate support. Tubes containing sleeves with imperfections exceeding the plugging limit will be plugged. Steam generator tube inspections of operating plants have demonstrated the capability to reliably detect degradation that has penetrated 20% of the original tube wall thickness.

Whenever the results of any steam generator tubing inservice inspection fall into Category C-3, these results will be promptly reported to the Commission pursuant to 10 CFR 50.72. Such cases will be considered by the Commission on a case-by-case basis and may result in a requirement for analysis, laboratory examinations, tests, additional eddy-current inspection, and revision of the Technical Specifications, if necessary.

MILLSTONE - UNIT 2 B 3/4 4-2b Amendment No. 2X, -3, A, 66, ,9, 441,424,43,9494,

LBDCR 04-MP2-016 February 24, 2005 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.1 LEAKAGE DETECTION SYSTEMS The RCS leakage detection systems required by this specification are provided to monitor and detect leakage from the Reactor Coolant Pressure Boundary. These detection systems are consistent with the recommendations of Regulatory Guide 1.45, "Reactor Coolant Pressure Boundary Leakage Detection Systems."

3/4.4.6.2 REACTOR COOLANT SYSTEM LEAKAGE Industry experience has shown that while a limited amount of leakage is expected from the RCS the unidentified portion of this leakage can be reduced to a threshold value of less than I GPM. WThis threshold value is sufficiently low to ensure early detection of additional leakage.

The 10 GPM IDENTIFIED LEAKAGE limitation provides allowance for a limited amount of leakage from known sources whose presence will not interfere with the detection of UNIDENTIFIED LEAKAGE by the leakage detection systems.

The steam generator tube leakage limit of 0.035 GPM per steam generator ensures that the dosage contribution from the tube leakage will be less than the limits of General Design Criteria 19 of IOCFR50 Appendix A in the event of either a steam generator tube rupture or steam line break The 0.035 GPM limit is consistent with the assumptions used in the analysis of these accidents.

PRESSURE BOUNDARY LEAKAGE of any magnitude is unacceptable since it may be indicative of an impending gross failure of the pressure boundary. Therefore, the presence of any PRESSURE BOUNDAR? LEAKAGE requires the unit to be promptly placed in COLD SHUTDOWN.

The IDENTIFIED LEAKAGE and UNIDENTIFIED LEAKAGE limits listed in LCO 3.4.6.2 only apply to the reactor coolant system pressure boundary within the containment.

In accordance with 10 CFR 50.2 "Definitions" the RCS Pressure Boundary means all those pressure-containing components such as pressure vessels, piping, pumps and valves which are (1) Part of the Reactor Coolant System, or 2 Connected to th&Reac or Coolant System, up to and including any and all of the following: (i) The outermost containment isolation valve in system piping which penetrates primary reactor containment, (ii) The second of two valves normay closed in system piping which does not penetrate primary reactor containment, or (iii)

The reactor coolant safety and relief valves.

The definitions for IDENTIFIED LEAKAGE and UNIDENTIFIED LEAKAGE are provided in the Technical Specifications definitions section, definitions 1.14 and 1.15 respectively.

Leakage outside of the second isolation valve for containment which is included in the RCS Leak Rate Calculation is not considered RCS leakage and can be subtracted from RCS UNIDENTIFIED LEAKAGE.

The safety significance of RCS leakage varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS leakage into the containment area is necessary. Quickly separating IDENTIFIED LEAKAGE from the UNIDENTIFIED LEAKAGE is necessary to provide quantitative information to the operators allowing them to take corrective action should a leak occur. LCO 3.4.6.2 deals with protection otthe reactor coolant pressure boundary from degradation and the core from inadequate cooling, in addition accident analysis radiation release assumptions from being exceeded.

MILLSTONE - UNIT 2 B 3/4 4-3 Amendment Nos. 42, 4S, 2I,

LBDCR 04-MP2-016 February 24, 2005 REACTOR COOLANT SYSTEM BASES 3/4.4.7 DELETE 3/4.4.8 SPECIFIC ACTIVITY The limitations on the specific activity of the primary coolant ensure that the resulting 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months doses at the SITE BOUNDARY will not exceed an appropriately small fraction of Part 100 limits following a steam generator tube rupture accident.

The ACTION statement permitting POWER OPERATION to continue for limited time periods with the primary coolant's specific activity > 1.0 uCi/gram DOSE EQUIVALENT I-131, but within the allowable limit shown on Figure 3.4-1, accommodates possible iodine spiking phenomenon which may occur following changes in THERMAL POWER.

MILLSTONE - UNIT 2 B 3/4 4-4 Amendment No. 145, 4-94, I,

LBDCR 04-MP2-016 February 24, 2005 REACTOR COOLANT SYSTEM BASES The Low Temperature Overpressure Protection (LTOP) System provides a physical barrier against exceeding the IOCFR50 Appendix G pressure/temperature limits during low temperature RCS operation either with a steam bubble in the pressurizer or during water solid conditions. This system consists of either two PORVs (each PORV is equivalent to a vent of approximately 1.4 square inches) with a pressure setpoint *415 psia, or an RCS vent of sufficient size. Analysis has confirmed that the design basis mass addition transient discussed below will be mitigated by operation of the PORVs or by establishing an RCS vent of sufficient size.

The LTOP System is required to be OPERABLE when RCS cold leg temperature is at or below 2750 F (Technical Specification 3.4.9.3). However, if the RCS is in MODE 6 and the reactor vessel head has been removed, a vent of sufficient size has been established such that RCS pressurization is not possible. Therefore, an LTOP System is not required (Technical Specification 3.4.9.3 is not applicable).

The LTOP System is armed at a temperature which exceeds the limiting 1/4t RTNDT plus 90'F as required by NUREG-0800 (i.e., SRP), Branch Technical Position RSB 5-2. For the operating period up to 20 EFPY, the limiting 1/4t RTNDT is 145 0 F which results in a minimum LTOP System enable temperature of at least 2631F when corrected for instrument uncertainty.

The current value of 2751F will be retained.

The mass input analysis performed to ensure the LTOP System is capable of protecting the reactor vessel assumes that all pumps capable of injecting into the RCS start, and then one PORV fails to actuate (single active failure). Since the PORVs have limited relief capability, certain administrative restrictions have been implemented to ensure that the mass input transient will not exceed the relief capacity of a PORV. The analysis has determined two PORVs (assuming one PORV fails) are sufficient if the mass addition transient is limited to the inadvertent start of one high pressure safety injection (HPSI) pump and two charging pumps when RCS temperature is at or below 2751F and above 190'F, and the inadvertent start of one charging pump when RCS temperature is at or below 190'F.

The assumed active failure of one PORV results in an equivalent RCS vent size of approximately 1.4 square inches when the one remaining PORV opens. Therefore, a passive vent of at least 1.4 square inches can be substituted for the PORVs. However, a vent size of at least 2.2 square inches will be required when VENTING the RCS. If the RCS is depressurized and vented through at least a 2.2 square inch vent, the peak RCS pressure, resulting from the maximum mass input transient allowed by Technical Specification 3.4.9.3, will not exceed 300 psig (SDC System suction side design pressure).

When the RCS is at or below 190'F, additional pumping capacity can be made capable of injecting into the RCS by establishing an RCS vent of at least 2.2 square inches. Removing a pressurizer PORV or the pressurizer manway will result in a passive vent of at least 2.2 square inches. Additional methods to establish the required RCS vent are acceptable, provided the proposed vent has been evaluated to ensure the flow characteristics are equivalent to one of these.

Establishing a pressurizer steam bubble of sufficient size will be sufficient to protect the reactor vessel from the energy addition transient associated with the start of an RCP, provided the restrictions contained in Technical Specification 3.4.1.3 are met. These restrictions limit the heat MILLSTONE - UNIT 2 B 3/4 4-7a Amendment No. 24-9,

LBDCR 04-MP2-016 February 24, 2005 REACTOR COOLANT SYSTEM BASES These methods prevent inadvertent pump injections while allowing manual actions to rapidly restore the makeup capability if conditions require the use of additional charging or HPSI pumps for makeup in the event of a loss of RCS inventory or reduction in SHUTDOWN MARGIN.

If a loss of RCS inventory or reduction in SHUTDOWN MARGIN event occurs, the appropriate response will be to correct the situation by starting RCS makeup pumps. If the loss of inventory or SHUTDOWN MARGIN is significant, this may necessitate the use of additional RCS makeup pumps that are being maintained not capable of injecting into the RCS in accordance with Technical Specification 3.4.9.3. The use of these additional pumps to restore RCS inventory or SHUTDOWN MARGIN will require entry into the associated ACTION statement. The ACTION statement requires immediate action to comply with the specification.

The restoration of RCS inventory or SHUTDOWN MARGIN can be considered to be part of the immediate action to restore the additional RCS makeup pumps to a not capable of injecting status.

While recovering RCS inventory or SHUTDOWN MARGIN, RCS pressure will be maintained below the Appendix G limits. After RCS inventory or SHUTDOWN MARGIN has been restored, the additional pumps should be immediately made not capable of injecting and the ACTION statement exited.

An exception to Technical Specification 3.0.4 is specified for Technical Specification 3.4.9.3 to allow a plant cooldown to MODE 5 if one or both PORVs are inoperable. MODE 5 conditions may be necessary to repair the PORV(s).

3/4.4.10 DELETED MILLSTONE - UNIT 2 B 3/4 4-7c Amendment No. 2°14, 20, 24, 264,

LBDCR 04-MP2-016 February 24, 2005 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued)

Each Emergency Core Cooling System (ECCS) subsystem required by Technical Specification 3.5.2 for design basis accident mitigation includes an OPERABLE high pressure safety injection (HPSI) pump and a low pressure safety injection (LPSI) pump. Each of these pumps requires an OPERABLE flow path capable of taking suction from the refueling water storage tank (RWST) on a safety injection actuation signal (SIAS). Upon depletion of the inventory in the RWST, as indicated by the generation of a Sump Recirculation Actuation Signal (SRAS), the suction for the HPSI pumps will automatically be transferred to the containment sump. The SRAS will also secure the LPSI pumps. The ECCS subsystems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) as design basis accident mitigation equipment.

Flow from the charging pumps is no longer required for design basis accident mitigation. The loss of coolant accident analysis has been revised and no credit is taken for charging pump flow.

As a result, the charging pumps no longer meet the first three criteria of 10CFR 50.36 (c)(2)(ii) as design basis accident mitigation equipment required to be controlled by Technical Specifications.

In addition, risk evaluations have been performed to demonstrate that the charging system is not risk significant as defined in 10CFR 50.36(c)(2)(ii) Criterion 4. However, the charging system is credited in the PRA model for mitigating two beyond design basis events, Anticipated Transients Without Scram (ATWS) and Complete Loss of Secondary Heat Sink. On this basis, the requirements for charging pump OPERABILITY will be retained in Technical Specification 3.5.2. Consistent with the surveillance requirements, only the charging pump will be included in determining ECCS subsystem OPERABILITY.

As a result of the risk insight, the charging pump will be included as an Emergency Core Cooling System subsystem required by Technical Specification 3.5.2. That is, an ECCS subsystem will include one OPERABLE charging pump. The charging pump credited for each ECCS subsystem must meet the surveillance requirements specified in Section 4.5.2. Consistent with the risk insights, automatic start of the charging pump is not required for compliance to TS 3.5.2. Thus, Section 4.5.2 does not specify any testing requirements for the automatic start of the credited charging pump. Similarly, since the ECCS flow path is not credited in the risk evaluation, there are no charging flow path requirements included in TS 3.5.2.

The requirements for automatic actuation of the charging pumps and the associated boration system components (boric acid pumps, gravity feed valves, boric acid flow path valves), which align the boric acid storage tanks to the charging pump suction on a SIAS have been relocated to the Technical Requirements Manual. These relocated requirements do not affect the OPERABILITY of the charging pumps for Technical Specification 3.5.2 MILLSTONE - UNIT 2 B 3/4 5-2a Amendment No. 6, 4,4-i24-7, 220, 236,28,

LBDCR 04-MP2-016 February 24, 2005 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued Only one ECCS subsystem is required by Technical Specification 3.5.3 for design basis accident mitigation. This ECCS subsystem requires one OPERABLE HPSI pump and an OPERABLE flow path capable of taking suction from the RWST on a SIAS. Upon depletion of the inventory in the RWST, as indicated by the generation of a SRAS, the suction for the HPSI pump will automatically be transferred to the containment sump. This ECCS subsystem satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) as design basis accident mitigation equipment.

Surveillance Requirement 4.5.3.1 specifies the surveillance requirements of Technical Specification 3.5.3 that are required to demonstrate that the required ECCS subsystem of Technical Specification 3.5.3 is OPERABLE. The required ECCS subsystem of Technical Specification 3.5.3 does not include any LPSI components. LPSI components are not required when Technical Specification 3.5.3 is applicable to allow the LPSI components to be used for SDC System operation.

In MODE 4 the automatic safety injection signal generated by low pressurizer pressure and high containment pressure and the automatic sump recirculation actuation signal generation by low refueling water storage tank level are not required to be OPERABLE. Automatic actuation in MODE 4 is not required because adequate time is available for plant operators to evaluate plant conditions and respond by manually operating engineered safety features components. Since the manual actuation (trip pushbuttons) portion of the safety injection and sump recirculation actuation signal generation is required to be OPERABLE in MODE 4, the plant operators can use the manual trip pushbuttons to rapidly position all components to the required accident position.

Therefore, the safety injection and sump recirculation actuation trip pushbuttons satisfy the requirement for generation of safety injection and sump recirculation actuation signals in MODE 4.

In MODE 4, the OPERABLE HPSI pump is not required to start automatically on a SIAS.

Therefore, the pump control switch for this OPERABLE pump may be placed in the pull-to-lock position without affecting the OPERABILITY of the pump. This will prevent the pump from starting automatically, which could result in overpressurization of the Shutdown Cooling System.

Only one HPSI pump may be OPERABLE in MODE 4 with RCS temperatures less than or equal to 2750 F due to the restricted relief capacity with Low-Temperature Overpressure Protection System. To reduce shutdown risk by having additional pumping capacity readily available, a HPSI pump may be made inoperable but available at short notice by shutting its discharge valve with the key lock on the control panel.

MILLSTONE - UNIT 2 B 3/4 5-2d Amendment No. 4-, 4.59, 4., 244, p46, I4., 22, 2247, 26, 2I,

04-MP2-016 February 24, 2005 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES:

3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued The provision in Specification 3.5.3 that Specifications 3.0.4 and 4.0.4 are not applicable for entry into MODE 4 is provided to allow for connecting the HPSI pump breaker to the respective power supply or to remove the tag and open the discharge valve, and perform the subsequent testing necessary to declare the inoperable HPSI pump OPERABLE. Specification 3.4.9.3 requires all HPSI pumps to be not capable of injecting into the RCS when RCS temperature is at or below 190'F. Once RCS temperature is above 190'F one HPSI pump can be capable of injecting into the RCS. However, sufficient time may not be available to ensure one HPSI pump is OPERABLE prior to entering MODE 4 as required by Specification 3.5.3. Since Specifications 3.0.4 and 4.0.4 prohibit a MODE change in this situation, this exemption will allow Millstone Unit No. 2 to enter MODE 4, take the steps necessary to make the HPSI pump capable of injecting into the RCS, and then declare the pump OPERABLE. If it is necessary to use this exemption during plant heatup, the appropriate ACTION statement of Specification 3.5.3 should be entered as soon as MODE 4 is reached.

3/4.5.4 REFUELING WATER STORAGE TANK (RWST)

The OPERABILITY of the RWST as part of the ECCS ensures that a sufficient supply of borated water is available for injection by the ECCS in the event of a LOCA. The limits on RWST minimum volume and boron concentration ensure that 1) sufficient water is available within containment to permit recirculation cooling flow to the core, and 2) after a LOCA the reactor will remain subcritical in the cold condition following mixing of the RWST and the RCS water volumes. Small break LOCAs assume that all control rods are inserted, except for the control element assembly (CEA) of highest worth, which remains withdrawn from the core. Large break LOCAs assume that all CEAs remain withdrawn from the core.

MILLSTONE - UNIT 2 B 3/4 5-2e Amendment No. I,

LBDCR 04-MP2-016 February 24, 2005 3/4.6 CONTAINMENT SYSTEMS BASES 3/4.6.1 PRIMARY CONTAINMENT 3/4.6.1.1 CONTAINMENT INTEGRITY Primary CONTAINMENT INTEGRITY ensures that the release of radioactive materials from the containment atmosphere will be restricted to those leakage paths and associated leak rates assumed in the accident analyses. This restriction, in conjunction with the leakage rate limitation, will limit the SITE BOUNDARY radiation doses to within the limits of 10 CFR 100 during accident conditions.

Primary CONTAINMENT INTEGRITY is required in MODES 1 through 4. This requires an OPERABLE containment automatic isolation valve system. In MODES 1, 2, and 3 this is satisfied by the automatic containment isolation signals generated by low pressurizer pressure and high containment pressure. In MODE 4 the automatic containment isolation signals generated by low pressurizer pressure and high containment pressure are not required to be OPERABLE.

Automatic actuation of the containment isolation system in MODE 4 is not required because adequate time is available for plant operators to evaluate plant conditions and respond by manually operating engineered safety features components. Since the manual actuation (trip pushbuttons) portion of the containment isolation system is required to be OPERABLE in MODE 4, the plant operators can use the manual pushbuttons to rapidly position all automatic containment isolation valves to the required accident position. Therefore, the containment isolation trip pushbuttons satisfy the requirement for an OPERABLE containment automatic isolation valve system in MODE 4.

3/4.6.1.2 CONTAINMENT LEAKAGE The limitations on containment leakage rates ensure that the total containment leakage volume will not exceed the value assumed in the accident analyses at the peak accident pressure of Pa. As an added conservatism, the measured overall integrated leakage rate is further limited to

< 0.75 La during performance of the periodic tests to account for possible degradation of the containment leakage barriers between leakage tests.

The surveillance testing for measuring leakage rates is in accordance with the Containment Leakage Rate Testing Program.

The Millstone Unit No. 2 FSAR contains a list of the containment penetrations that have been identified as secondary containment bypass leakage paths.

3/4.6.1.3 CONTAINMENT AIR LOCKS The limitations on closure and leak rate for the containment air locks are required to meet the restrictions on CONTAINMENT INTEGRITY and leak rate given in Specifications 3.6.1.1 and MILLSTONE - UNIT 2 B 3/46-1 Amendment No. 424, 2O3,-245, 234,

LBDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES 3/4.6.2 DEPRESSURIZATION AND COOLING SYSTEMS 3/4.6.2.1 CONTAINMENT SPRAY AND COOLING SYSTEMS The OPERABILITY of the containment spray system ensures that containment depressurization and cooling capability will be available in the event of a LOCA. The pressure reduction and resultant lower containment leakage rate are consistent with the assumptions used in the accident analyses.

The OPERABILITY of the containment cooling system ensures that 1) the containment air temperature will be maintained within limits during normal operation, and 2) adequate heat removal capacity is available when operated in conjunction with the containment spray system during post-LOCA conditions.

To be OPERABLE, the two trains of the containment spray system shall be capable of taking a suction from the refueling water storage tank on a containment spray actuation signal and automatically transferring suction to the containment sump on a sump recirculation actuation signal. Each containment spray train flow path from the containment sump shall be via an OPERABLE shutdown cooling heat exchanger.

The containment cooling system consists of two containment cooling trains. Each containment cooling train has two containment air recirculation and cooling units. For the purpose of applying the appropriate ACTION statement, the loss of a single containment air recirculation and cooling unit will make the respective containment cooling train inoperable.

Either the containment spray system or the containment cooling system is sufficient to mitigate a loss of coolant accident. The containment spray system is more effective than the containment cooling system in reducing the temperature of superheated steam inside containment following a main steam line break. Because of this, the containment spray system is required to mitigate a main steam line break accident inside containment. In addition, the containment spray system provides a mechanism for removing iodine from the containment atmosphere. Therefore, at least one train of containment spray is required to be OPERABLE when pressurizer pressure is 2 1750 psia, and the allowed outage time for one train of containment spray reflects the dual function of containment spray for heat removal and iodine removal.

Surveillance Requirement 4.6.2.1.1 .a verifies the correct alignment for manual, power operated, and automatic valves in the Containment Spray System flow paths to provide assurance that the proper flow paths will exist for containment spray operation. This surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The 31 day frequency is appropriate because the valves are operated under procedural control and an improper valve position would only affect a single train. This frequency has been shown to be acceptable through operating experience.

MILLSTONE - UNIT 2 B 3/4 6-3 Amendment No. 2, 64,2140,244, 224, 26, 2,

LBDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES (continued)

Type N penetrations are lines that neither connect to the reactor coolant pressure boundary nor are open to the containment internal atmosphere, but do form a closed system within the containment structure (Criterion 57 of 10CFR50, Appendix A). These lines are provided with single containment isolation valves outside containment. These valves are either remotely operated or locked closed manual valves.

With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration.

If the containment isolation valve on a closed system becomes inoperable, the remaining barrier is a closed system since a closed system is an acceptable alternative to an automatic valve.

However, ACTIONS must still be taken to meet Technical Specification ACTION 3.6.3.1 .d and the valve, not normally considered as a containment isolation valve, and closest to the containment wall should be put into the closed position. No leak testing of the alternate valve is necessary to satisfy the ACTION statement. Placing the manual valve in the closed position sufficiently deactivates the penetration for Technical Specification compliance. Closed system isolation valves applicable to Technical Specification ACTION 3.6.3. .d are included in FSAR Table 5.2-1 1, and are the isolation valves for those penetrations credited as General Design Criteria 57, (Type N penetrations). The specified time (i.e., 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) of Technical Specification ACTION 3.6.3.1.d is reasonable, considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4. In the event the affected penetration is isolated in accordance with 3.6.3.1.d, the affected penetration flow path must be verified to be isolated on a periodic basis, (Surveillance Requirement 4.6.1.1.a). This is necessary to assure leak tightness of containment and that containment penetrations requiring isolation following an accident are isolated. The frequency of once per 31 days in this surveillance for verifying that each affected penetration flow path is isolated is appropriate considering the valves are operated under administrative controls and the probability of their misalignment is low.

For the purposes of meeting this LCO, neither the containment isolation valve, nor any alternate valve on a closed system have a leakage limit associated with valve OPERABILITY.

MILLSTONE - UNIT 2 B 3/4 6-3c Amendment No. 240, 2145, 26, 28, 284,

LBDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES (continued!

Containment isolation valves may be opened on an intermittent basis provided appropriate administrative controls are established. The position of the NRC concerning acceptable administrative controls is contained in Generic Letter 91-08, "Removal of Component Lists from Technical Specifications," and includes the following considerations:

(1) stationing an operator, who is in constant communication with the control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valve and that this action will prevent the release of radioactivity outside the containment.

The appropriate administrative controls, based on the above considerations, to allow containment isolation valves to be opened are contained in the procedures that will be used to operate the valves. Entries should be placed in the Shift Manager Log when these valves are opened and closed. However, it is not necessary to log into any Technical Specification ACTION Statement for these valves, provided the appropriate administrative controls have been established.

If a containment isolation valve is opened while operating in accordance with Abnormal or Emergency Operating Procedures (AOPs and EOPs), it is not necessary to establish a dedicated operator. The AOPs and EOPs provide sufficient procedural control over the operation of the containment isolation valves.

Opening a closed containment isolation valve bypasses a plant design feature that prevents the release of radioactivity outside the containment. Therefore, this should not be done frequently, and the time the valve is opened should be minimized. As a general guideline, a closed containment isolation valve should not be opened longer than the time allowed to restore the valve to OPERABLE status, as stated in the ACTION statement for LCO 3.6.3.1 "Containment Isolation Valves."

A discussion of the appropriate administrative controls for the containment isolation valves, that are expected to be opened during operation in MODES 1 through 4, is presented below.

Manual containment isolation valve 2-SI463, safety injection tank (SIT) recirculation header stop valve, is opened to fill or drain the SITs and for Shutdown Cooling System (SDC) boron equalization. While 2-SIA63 is open, a dedicated operator, in continuous communication with the control room, is required.

MILLSTONE - UNIT 2 B 3/4 6-3d Amendment No. 240, I24, 236, 2&,

23;'

LBDDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES (continued)

When SDC is initiated, SDC suction isolation remotely operated valves 2-SI-652 and 2-SI-651 (inside containment isolation valve) and manual valve 2-SI-709 (outside containment isolation valve) are opened. 2-SI-651 is normally operated from the control room. While in MODES 1, 2 or 3, 2-SI-651 is closed with manual disconnect switch NS1651 locked open to satisfy Appendix R requirements. It does not receive an automatic containment isolation closure signal, but is interlocked to prevent opening if Reactor Coolant System (RCS) pressure is greater than approximately 275 psia. When 2-SI-651 is opened from the control room, either one of the two required licensed (Reacior Operator) control room operators can be credited as the dedicated operator required for administrative control. It is not necessary to use a separate dedicated operator.

When valve 2-SI-709 is opened locally, a separate dedicated operator is not required to remain at the valve. 2-SI-709 is opened before 2-SI-651. Therefore, opening 2-SI-709 will not establish a connection between the RCS and the SDC System. Opening 2-SI-651 will connect the RCS and SDC System. If a problem then develops, 2-SI-651 can be closed from the control room.

The administrative controls for valves 2-SI-651 and 2-SI-709 apply only during preparations for initiation of SDC, and during SDC operations. They are acceptable because RCS pressure and temperature are significantly below normal operating pressure and temperature when 2-SI-651 and 2-SI-709 are opened, and these valves are not opened until shortly before SDC flow is initiated. The penetration flowpath can be isolated from the control room by closing either 2-SI-652 or 2-SI-651, and the manipulation of these valves, during this evolution, is controlled by plant procedures.

The pressurizer auxiliary spray valve, 2-CH-517, can be used as an alternate method to decrease pressurizer pressure, or for boron precipitation control following a loss of coolant accident. When this valve is opened from the control room, either one of the two required licensed (Reactor Operator) control room operators can be credited as the dedicated operator required for administrative control. It is not necessary to use a separate dedicated operator.

The exception for 2-CH-5 17 is acceptable because the fluid that passes through this valve will be collected in the Pressurizer (reverse flow from the Pressurizer to the charging system is prevented by check valve 2-CH-43 1), and the penetration associated with 2-CH-517 is open during accident conditions to allow flow from the charging pumps. Also, this valve is normally operated from the control room, under the supervision of the licensed control room operators, in accordance with plant procedures.

A dedicated operator is not required when opening remotely operated valves associated with 'ype N fluid penetrations (Criterion 57 of 10CFR50, Appendix A). Operating these valves from the control room is sufficient. The main steam isolation valves (2-MS-64A and 64B),

atmospheric steam dump valves (2-MS-190A and 190B), and the containment air recirculation cooler RBCCW discharge valves (2-RB-28.2A-D) are examples of remotely operated containment isolation valves associated with Type N fluid penetrations.

MILLSTONE - UNIT 2 B 3/4 6-3e Amendment No. 24-0, 24, 21-6, 2I, 2;9, 283,

LBDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES:

3/4.6.3 CONTAINMENT ISOLATION VALVES (continued)

The nitrogen header drain valve, 2-SI-045, is o ened to depressurize the containment side of the nitrogen supply header stop valve, 2-SI-312. When 2-SI-045 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of this valve is only expected after using the high pressure nitrogen system to raise SIT nitrogen pressure.

The containment waste gas header test connection isolation valve, 2-GR-63, is opened to sample the primary drain tank for oxygen and nitrogen. When 2-GR-63 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of this valve is expected during plant startup and shutdown.

The upstream vent valves for the steam generator atmospheric dump valves, 2-MS-369 and 2-MS-371, are opened during steam generator safety valve set point testing to allow steam header pressure instrumentation to be placed in service. When either 2-MS-369 or 2-MS-371 is opened, a dedicated operator in continuous communication with the control room is required.

The determination of the appropriate administrative controls for these containment isolation valves included an evaluation of the expected environmental conditions. This evaluation has concluded environmental conditions will not preclude access to close the valve, and this action will prevent the release of radioactivity outside of containment through the respective penetration.

The containment purge supply and exhaust isolation valves are required to be sealed closed during plant operation since these valves have not been demonstrated capable of closing during a LOCA or steam line break accident. Such a demonstration would require justification of the mechanical OPERABILITY of the purge valves and consideration of the appropriateness of the electrical override circuits. Maintaining these valves closed during plant operations ensures that excessive quantities of radioactive materials will not be released via the containment purge system. The containment purge supply and exhaust isolation valves are sealed closed by removing power from the valves. This is accomplished by pulling the control power fuses for each of the valves. The associated fuse blocks are then locked. This is consistent with the guidance contained in NUREG-0737 Item II.E.4.2 and Standard Review Plan 6.2.4,

'Containment Isolation System," Item II.f.

Surveillance Requirement 4.6.3.l.a verifies the isolation time of each power operated automatic containment isolation valve is within limits to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and surveillance frequency are in accordance with the Inservice Testing Program.

Surveillance Requirement 4.6.3.1.b demonstrate that each automatic containment isolation valve actuates to the isolation position on an actual or simulated containment isolation signal [containment isolation actuation signal (CIAS) or containment high radiation actuation signal (containment purge valves only)]. This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The 18 month frequency is based on the need to perform these surveillances under the conditions that apply during a plant outage and the potential for unplanned transients if the surveillance was performed with the reactor at power. The 18 month frequency is also acceptable based on consideration of the design reliability (and confirming operating experience) of the equipment.

The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

MILLSTONE - UNIT 2 B 3/4 6-3g Amendment No. i,

LBDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES 3/4.6.5 SECONDARY CONTAINMENT 3/4.6.5.1 ENCLOSURE BUILDING FILTRATION SYSTEM The OPERABILITY of the Enclosure Building Filtration System ensures that containment leakage occurring during LOCA conditions into the annulus will be filtered through the HEPA filters and charcoal adsorber trains prior to discharge to the atmosphere. This requirement is necessary to meet the assumptions used in the accident analyses and limit the SITE BOUNDARY radiation doses to within the limits of 10 CFR 100 during LOCA conditions.

Tle laboratory testing requirement for the charcoal sample to have a removal efficiency of 295% is more conservative than the elemental and organic iodine removal efficiencies of 90%

and 70%, respectively, assumed in the DBA analyses for the EBFS charcoal adsorbers in the Millstone Unit 2 Final Safety Analysis Report. A removal efficiency acceptance criteria of 2 95%

will ensure the charcoal has the capability to perform its intended safety function throughout the length of an operating cycle.

Surveillance Requirement 4.6.5.1.b.1 dictates the test frequency, method and acceptance criteria for the EBFS trains (cleanup trains). These criteria all originate in the Regulatory Position sections of Regulatory Guide 1.52, Rev. 2, March 1978 as discussed below:

Section C.5.a requires a visual inspection of the cleanup system be made before the following tests, in accordance with the provisions of section 5 of ANSI N510-1975:

in-place air flow distribution test

DOP test

activated carbon adsorber section leak test Section C.5c requires the in- place Dioctyl phthalate (DOP) test for HEPA filters to conform to section 10 of ANSI N510-1975. The HEPA filters should be tested in place (1) initially, (2) at least once per 18 months thereafter, and (3) following painting, fire, or chemical release in any ventilation zone communicating with the system. The testing is to confirm a penetration of less than 0.05%* at rated flow. A filtration system satisfying this criteria can be considered to warrant a 99% removal efficiency for particulates.

Section C.5.d requires the charcoal adsorber section to be leak tested with a gaseous halogenated hydrocarbon refrigerant, in accordance with section 12 of ANSI N510-1975 to ensure that bypass leakage through the adsorber section is less than 0.05%.** Adsorber leak testing should be conducted (1) initially, ( 2 ) at least once per 18 months thereafter, (3) following removal of an adsorber sample for laboratory testing if the integrity of the adsorber

Means that the HEPA filter will allow passage of less than 0.05% of the test concentration injected at the filter inlet from a standard DOP concentration injection.

- Means that the charcoal adsorber sections will allow passage of less than 0.05% of the injected test concentration around the charcoal adsorber sections.

MILLSTONE - UNIT 2 B 3/4 6-5 Amendment No. 2N,

LBDCR 04-MP2-016 February 24, 2005 CONTAINMENT SYSTEMS BASES Section C.5.d (Continued) section is affected, and (4) following painting, fire, or chemical release in any ventilation zone communicating with the system.

3/4.6.5.2 ENCLOSURE BUILDING The OPERABILITY of the Enclosure Building ensures that the releases of radioactive materials from the primary containment atmosphere will be restricted to those leakage paths and associated leak rates assumed in the accident analyses. This restriction, in conjunction with operation of the Enclosure Building Filtration System, will limit the SITE BOUNDARY radiation doses to within the limits of 10 CFR 100 during accident conditions.

One Enclosure Building Filtration System train is required to establish a negative pressure of 0.25 inches W.G in the Enclosure Building Filtration Region within one minute after an Enclosure Building Filtration Actuation Signal is generated. The one minute time requirement does not include the time necessary for the associated emergency diesel generator to start and power Enclosure Building Filtration System equipment.

To enable the Enclosure Building Filtration System to establish the required negative pressure in the Enclosure Building, it is necessary to ensure that all Enclosure Building access openings are closed. For double door access openings, only one door is required to be closed and latched, except for normal passage. For single door access openings, that door is required to be closed and latched, except for normal passage.

If a required door that is designated to automatically close and latch is not capable of automatically closing and latching, the door shall be maintained closed and latched, or personnel shall be stationed at the door to ensure that the door is closed and latched after each transit through the door. Otherwise, the access opening (door) should be declared inoperable and appropriate technical specification ACTION statement entered.

MILLSTONE - UNIT 2 B 314 6-5a Amendment No. M,

LBDCR 04-MP2-016 February 24, 2005 3/4.7 PLANT SYSTEMS BASES 3/4.7.1 TURBINE CYCLE 3/4.7.1.1 SAFETY VALVES (Continued)

The OPERABILITY of the MSSVs is defined as the ability to open within the setpoint tolerances, relieve steam generator overpressure. and reseat when pressure has been reduced. The lift setpoints for the MSSVs are listed in Table 4.7-1. This table allows a + 3% setpoint tolerance (allowable value) on the lift setting for OPERABILITY to account for drift over a cycle. Each MSSV is demonstrated OPERABLE, with lift settings as shown in Table 4.7-1, in accordance with Specification 4.0.5. A footnote to Table 4.7-1 requires that the lift setting be restored to within i 1% of the setpoint (trip setpoint) following testing to allow for drift. While the lift settings are being restored to a tolerance of + 1%, the MSSV will remain OPERABLE with lift settings out of tolerance by as much as i 3%.

MILLSTONE - UNIT 2 B 3/4 7-la Amendment No. A2, 6-, 2-14, 275,

LBDCR 04-MP2-016 February 24, 2005 3/4.7 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS The OPERABILITY of the auxiliary feedwater pumps ensures that the Reactor Coolant System can be cooled down to less than 3000 F from normal operating conditions in the event of a total loss of off-site power.

The FSAR Chapter 14 Loss ofNormal Feedwater: (LONF) analysis evaluates the event occurring with and without offsite power available, and a single active failure. This analysis has determined that one motor driven AFW pump is not sufficient to meet the acceptance criteria.

Therefore, two AFW pumps (two motor-driven AFW pumps, or one-motor driven AFW pump and the steam-driven AFW pump) are required to meet the acceptance criteria for this moderate frequency event. To meet the requirement of two AFW pumps available for mitigation, all three pumps must be OPERABLE to accommodate the failure of one pump. This is consistent with the limiting condition for operation and ACTION statements of Technical Specification 3.7.1.2.

Although not part of the bases of Technical Specification 3.7.1.2, the less conservative FSAR Chapter 10 Best Estimate Analysis of the LONF event was performed to demonstrate that one motor-driven AFW pump is adequate to remove decay heat, prevent steam generator dryout, maintain Reactor Coolant System (RCS) subcooling, and prevent pressurizer level from exceeding acceptable limits. From this best estimate analysis of the LONF event, an evaluation was performed to demonstrate that a single motor-driven AFW pump has sufficient capacity to reduce the RCS temperature to 3007F (in addition to decay heat removal) where the Shutdown Cooling System may be placed into operation for continued cooldown. As a result of these evaluations, one motor-driven AFW pump (or the steam-driven AFW pump which has twice the capacity of a motor-driven AFW pump) can meet the requirements to remove decay heat, prevent steam generator dryout, maintain RCS subcooling, prevent the pressurizer from exceeding acceptable limits, and reduce RCS temperature to 3001F.

The Auxiliary Feed Water (AFW) system is OPERABLE when the AFW pumps and flow paths required to provide AFW to the steam generators are OPERABLE. Technical Specification 3.7.1.2 requires three AFW pumps to be OPERABLE and provides ACTIONS to address inoperable AFW pumps. The AFW flow path requirements are separated into AFW pump suction flow path requirements, AFW pump discharge flow path to the common discharge header requirements, and common discharge header to the steam generators flow path requirements.

There are two AFW pump suction flow paths from the Condensate Storage Tank to the AFW pumps. One flow path to the turbine driven AFW pump, and one flow path to both motor driven AFW pumps. There are three AFW pump discharge flow paths to the common discharge header, one flow path from each of the three AFW pumps. There are two AFW discharge flow paths from the common discharge header to the steam generators, one flow path to each steam generator. With 2-FW-44 open (normal position), the discharge from any AFW pump will be supplied to both steam generators through the associated AFW regulating valves.

MILLSTONE - UNIT 2 B 3/4 7-2 Amendment No. A, A-6, , 2414, 22, 46, M,

LBDCR 04-MP2-016 February 24, 2005 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS (Continued!

2-FW-44 should remain open when the AFW system is required to be OPERABLE (MODES 1, 2, and 3). Closing 2-FW-44 places the plant in a configuration not considered as an initial condition in the Chapter 14 accident analyses. Therefore, if 2-FW-44 is closed while the plant is operating in MODES 1, 2, or 3, two AFW pumps should be considered inoperable and the appropriate ACTION requirement of Technical Specification 3.7.1.2 entered to limit plant operation in this configuration.

A flow path may be considered inoperable as the result of closing a manual valve, failure of an automatic valve to respond correctly to an actuation signal, or failure of the piping. In the case of an inoperable automatic AFW regulating valve (2-FW-43A or B), flow path OPERABILITY can be restored by use of a dedicated operator stationed at the associated bypass valve (2-FW-56A or B) as directed by OP 2322. Failure of the common discharge header piping will cause both discharge flow paths to the steam generators to be inoperable.

An inoperable suction flow path to the turbine driven AFW pump will result in one inoperable AFW pump. An inoperable suction flow path to the motor driven AFW pumps will result in two inoperable AFW pumps. The ACTION requirements of Technical Specification 3.7.1.2 are applicable based on the number of inoperable AFW pumps.

An inoperable pump discharge flow path from an AFW pump to the common discharge header will cause the associated AFW pump to be inoperable. The ACTION requirements of Technical Specification 3.7.1.2 for one AFW pump are applicable for each affected pump discharge flow path.

AFW must be capable of being delivered to both steam generators for design basis accident mitigation. Certain design basis events, such as a main steam line break or steam generator tube rupture, require that the affected steam generator be isolated, and the RCS decay heat removal safety function be satisfied by feeding and steaming the unaffected steam generator.

If a failure in an AFW discharge flow path from the common discharge header to a steam generator prevents delivery of AFW to a steam generator, then the design basis events may not be effectively mitigated. In this situation, the ACTION requirements of Technical Specification 3.0.3 are applicable and an immediate plant shutdown is appropriate.

Two inoperable AFW System discharge flow paths from the common discharge header to both steam generators will result in a complete loss of the ability to supply AFW flow to the steam generators. In this situation, all three AEW pumps are inoperable and the ACTION requirements of Technical Specification 3.7.1.2. are applicable. Immediate corrective action is required.

However, a plant shutdown is not appropriate until a discharge flow path from the common discharge header to one steam generator is restored.

MILLSTONE - UNIT 2 B 3/4 7-2a Amendment No. M,

LBDCR 04-MP2-016 February 24, 2005 PLANT SYSTEMS BASES 3/4.7.1.4 ACTIVITY (Continued) of 10 CFR Part 100 limits in the event of a steam line rupture. The dose calculations for an assumed steam line rupture include the effects of a coincident 1.0 GPM primary to secondary tube leak in the steam generator of the affected steam line and a concurrent loss of offsite electrical power. These values are consistent with the assumptions used in the accident analyses.

3/4.7.1.5 MAIN STEAM LINE ISOLATION VALVES The OPERABILITY of the main steam line isolation valves ensures that no more than one steam generator will blowdown in the event of a steam line rupture. This restriction is required to

1) minimize the positive reactivity effects of the Reactor Coolant System cooldown associated with the blowdown, and 2) limit the pressure rise within containment in the event the steam line rupture occurs within containment. The OPERABILITY of the main steam isolation valves within the closure times of the surveillance requirements are consistent with the assumptions used in the accident analyses.

The ability of the main steam line isolation valves (MSIVs) to close is verified after the plant has been heated up. Since it is necessary to establish a high Reactor Coolant System temperature before the surveillance test can be performed, on exception to Technical Specification 4.0.4 has been added to SR 4.7.1.5 to allow entry into MODE 3. This is necessary to allow plant startup to proceed with equipment that is believed to be OPERABLE, but that cannot be verified by performance of the surveillance test until the appropriate plant conditions have been established. After entering MODE 3 and establishing the necessary plant conditions (Tavg 2 5151), the MSIVs will be declared inoperable if SR 4.7.1.5 has not been performed within the required frequency, plus 25%, in accordance with Technical Specifications 4.0.2 and 4.0.3. The ACTION statement for MODES 2 and 3 would then be entered. However, the required ACTIONS can be deferred for up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Technical Specification 4.0.3) to allow performance of SR 4.7.1.5. If the surveillance test is not performed within this 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months time period, the requirements of the ACTION statement for MODES 2 and 3 apply, and the MSIV(s) must be either restored to OPERABLE status or closed. Closing the MSIV(s) put the valve(s) in the required accident condition. However, the MSIV(s) may be opened to perform SR 4.7.1.5. If the MSIV(s) cannot be closed, the plant must be shut down to MODE 4.

3/4.7.1.6 MAIN FEEDWATER ISOLATION COMPONENTS MFICS)

Feedwater isolation response time ensures a rapid isolation of feed flow to the steam generators via the feedwater regulating valves, feedwater bypass valves, and as backup, feed pump discharge valves. The response time includes signal generation time and valve stroke. Feed line block valves also receive MILLSTONE - UNIT 2 B 3/4 7-3 Amendment No. 2, i , 249,

LBDCR 04-MP2-016 February 24, 2005 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

Currently there are some situations where the CREV System may not automatically start on an accident signal, without operator action. Under most situations, the emergency filtration fans will start and the CREV System will be in the accident lineup. However, a failure of a supply fan (F21A or B) or an exhaust fan (F31A or B), operator action will be required to return to a full train lineup. Also, if a single emergency bus does not power up for one train of the CREV System, the opposite train filter fan will automatically start, but the required supply and exhaust fans will not automatically start. Therefore, operator action Is required to establish the whole train lineup.

This action is specified in the Emergency Operating Procedures. The radiological dose calculations do not take credit for CREV System cleanup action until 10 minutes into the accident to allow for operator action.

When the CREV System is checked to shift to the recirculation mode of operation, this will be performed from the normal mode of operation, and from the smoke purge mode of operation.

With both control room emergency ventilation trains inoperable due to an inoperable control room boundary, the movement of irradiated fuel assemblies within the spent fuel pool must be immediately suspended. The control room boundary must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , or the unit must be in HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

If the control room boundary is inoperable in MODES 1, 2, 3, and 4, the control room emergency ventilation trains cannot perform their intended functions. ACTIONS must be taken to restore an OPERABLE control room boundary within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . During the period that the control room boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination, toxic chemicals, smoke, temperature and relative humidity, and physical security. Preplanned measures should be available to address these concerns for intentional and unintentional entry into this condition. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time is a typically reasonable time to diagnose, plan, and possibly repair, and test most problems with the control room boundary.

Surveillance Requirement 4.7.6.1 .c. 1 dictates the test frequency, methods and acceptance criteria for the Control Room Emergency ventilation System trains (cleanup trains). These criteria all originate in the Regulatory Position sections of Regulatory Guide 1.52, Rev. 2, March 1978 as discussed below.

Section C.5.a requires a visual inspection of the cleanup system be made before the following tests, in accordance with the provisions of section 5 of ANSIN510-1975:

in-place air flow distribution test

DOP test

activated carbon adsorber section leak test MILLSTONE - UNIT 2 B 3/4 74b Amendment No. 22, 236, 245, 24&,

254, 284,

LBDCR 04-MP2-016 February 24, 2005 PLANT SYSTEMS BASES 3/4.7.10 DELETED 3/4.7.11 ULTIMATE HEAT SINK The limitations on the ultimate heat sink temperature ensure that sufficient cooling capacity is available to either,

1) provide normal cooldown of the facility, or 2) to mitigate the effects of accident conditions within acceptable limits.

The limitations on maximum temperature are based on a 30-day cooling water supply to safety related equipment without exceeding their design basis temperature.

Various indications are available to monitor the temperature of the ultimate heat sink (UHS). The following guidelines apply to ensure the UHS Technical Specification limit is not exceeded.

The control room indications are normally used to ensure compliance with this specification.

Control room indications are acceptable because of the close correlation between control room indications and local Service Water System (SWS) header indications (historically within approximately 20 F). The highest reading valid temperature obtained from the Unit 2 intake structure and the inlets to the Circulating Water System water boxes shall be used to verify the UHS temperature limit of 751F is not exceeded.

When the highest reading valid control room indication indicates the temperature of the UHS is >

70'F, local SWS header indications must be used. The highest reading valid local SWS header temperature shall be used to verify' the UHS temperature limit of 750 F is not exceeded. Normally, local SWS header temperature will be taken at the inlet to the vital AC switchgear room cooling coils. If the local SWS header temperature cannot be taken at the inlet to the vital AC switchgear room cooling coils, the inlet to the Reactor Building Closed Cooling Water heater exchangers, or other acceptable instrumentation should be used to determine SWS header temperature.

If the UHS temperature exceeds 750 F, plant operations may continue provided the LCO recorded water temperastures, averaged over the previous 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period, are at or below 750 F. This verification is required to be performed once per hour when the water temperatire exceeds 750 F.

If the UHS temperature, averaged over the previous 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period, exceeds the 75 0 F Technical Specification limit, or if the UHS temperature exceeds 770 F, a plant shutdown in accordance with the ACTION requirements will be necessary.

MILLSTONE - UNIT 2 B 3/4 7-7 Amendment No. 44-5, 4-9+, 2I4, 24I, 2-5'4

LBDCR 04-MP2-016 February 24, 2005 3/4.8 ELECTRICAL POWER SYSTEMS BASES The OPERABILITY of the A.C. and D.C. power sources and associated distribution systems during operation ensures that sufficient power will be available to supply the safety related equipment required for 1) the safe shutdown of the facility and 2) the mitigation and control of accident conditions within the facility. The minimum specified independent and redundant A.C. and D.C. power sources and distribution systems satisfy the requirements of General Design Criteria 17 of Appendix "A" to 10 CFR 50.

The required circuits between the offsite transmission network and the onsite Class IE distribution system (Station Busses 24C, 24D, and 24E) that satisfy Technical Specification 3.8.1.1.a (MODES 12,3, and 4) consist of the following circuits from the switchyard to the onsite electrical distribution system:

a. Station safeguards busses 24C and 24D via the Unit 2 Reserve Station Service Transformer and bus 24G; and

b. Station bus 24E via the Unit 3 Reserve Station Service Transformer or Unit 3 Normal Station Service Transformer (energized with breaker 13T and associated disconnect switches open) and bus 34A or34B.

If the plant configuration will not allow Unit 3 to supply power to Unit 2 from the Unit 3 Reserve Station Transformer or Unit 3 Normal Station Service within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months Unit 2 must consider the second offsite source inoperable and enter the appropriate ACTI6N statement of Technical Specification 3.8.1.1 for an inoperable offsite circuit.

This is consistent with the GDC 17 requirement for two offsite sources. Each offsite circuit is required to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded.

The first source is required to be available with in a few seconds to supply power to safety related equipment following a loss of coolant accident. The second source is not required to be available immediately and no accident is assumed to occur concurrently with the need to use the second source. However, the second source is required to be available in sufficient time to assure the reactor remains in a safe condition The 3 hour3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months time period is based on the Millstone Unit No. 2 Appendix R analysis. This analysis has demonstrated that the reactor will remain in a safe condition (i.e., the pressurizer will not empty) if charging is restored within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

In MODES 1 through 4 (Technical Specification 3.8.1.1), the Unit 2 Normal Station Service Transformer can be used as the second offsite source after the main generator disconnect links have been removed and the backfeed line up established.

The required circuit between the offsite transmission network and the onsite Class 1 E distribution system (Station Busses 24C 24D and 24E) that satisfies Technical Specification 3.8.1.2.a (MODES 5 and 6) consists of the foilowing circuit from the switchyard to the onsite electrical distribution system:

a. Station safeguards bus 24C or 24D via the Unit 2 Reserve Station Service Transformer and bus 24G; or

b. Station safeguards bus 24C or 24D via the Unit 2 Normal Station Service Transformer and bus 24A or 24B after the main generator disconnect links have been removed and the backfeed lineup established; or

c. Station bus 24E via the Unit 3 Reserve Station Service Transformer or Unit 3 Normal Station Service Transformer (energized with breaker 13T and associated disconnect switches open) and bus 34A or34B.

MILLSTONE - UNIT 2 B 3/4 8-1 Amendment No. i, 492, 231,

LBDCR 04-MP2-016 February 24, 2005 3/4.8 ELECTRICAL POWER SYSTEMS BASES When the plant is operating with the main generator connected to the grid, the output of the main generator will normally be used to supply the onsite Class 1E distribution system.

During this time the required offsite circuits will be in standby, ready to supply power to the onsite Class lE distribution system if the main generator is not available. When shut down, only one of the offsite circuits will normally be used to supply the onsite Class 1E distribution system.

The other offsite circuit, if required, will be in standby. Verification of the required offsite circuits consists of checking control power to the breakers (breaker indicating lights), proper breaker position for the current plant configuration, and voltage indication as appropriate for the current plant configuration.

The ACTION requirements specified for the levels of degradation of the power sources provide restriction upon continued facility operation commensurate with the level of degradation.

The OPERABILITY of the power sources are consistent with the initial condition assumptions of the accident analyses and are based upon maintaining at least one of each of the onsite A.C. and D.C. power sources and associated distribution systems OPERABLE during accident conditions coincident with an assumed loss of offsite power and single failure of the other onsite A.C.

source.

Technical Specification 3.8.1.1 ACTION Statements b and c provide an allowance to avoid unnecessary testing of the other OPERABLE diesel generator. If it can be determined that the cause of the inoperable diesel generator does not exist on the OPERABLE diesel generator, Surveillance Requirement 4.8.1.1.2.a.2 does not have to be performed. If the cause of inoperability exists on the other OPERABLE diesel generator, the other OPERABLE diesel generator would be declared inoperable upon discovery, ACTION Statement e would be entered, and appropriate ACTIONS will be taken. Once the failure is corrected, the common cause failure no longer exists, and the required ACTION Statements (b, c, and e) will be satisfied.

If it cannot be determined that the cause of the inoperable diesel generator does not exist on the remaining diesel generator, performance of Surveillance Requirement 4.8.1.1.2.a.2, within the allowed time period, suffices to provide assurance of continued OPERABILITY of the diesel generator. If the inoperable diesel generator is restored to OPERABLE status prior to the determination of the impact on the other diesel generator, evaluation will continue of the possible common cause failure. This continued evaluation is no longer under the time constraint imposed while in ACTION Statement b or c.

The determination of the existence of a common cause failure that would affect the remaining diesel generator will require an evaluation of the current failure and the applicability to the remaining diesel generator. Examples that would not be a common cause failure include, but are not limited to:

1. Preplanned preventive maintenance or testing, or

2. An inoperable support system with no potential common mode failure for the remaining diesel generator, or MILLSTONE - UNIT 2 B 3/4 8-1 a Amendment No. *8, 492,,231,

LBDCR 04-MP2-016 February 24, 2005 3/4.8 ELECTRICAL POWER SYSTEMS BASES

3. An independently testable component with no potential common mode failure for the remaining diesel generator.

If one Millstone Unit No. 2 diesel generator is inoperable in MODES 1 though 4, ACTION Statements b.3 and c.3 require verification that the steam-driven auxiliary feedwater pump is OPERABLE (MODES 1, 2, and 3 only). If the steam-driven auxiliary feedwater pump is inoperable, restoration within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is required or a plant shutdown to MODE 4 will be necessary. This requirement is intended to provide assurance that a loss of offsite power event will not result in degradation of the auxiliary feedwater safety function to below accident mitigation requirements during the period one of the diesel generators is inoperable. The term verify, as used in this context, means to administratively check by examining logs or other information to determine if the steam-driven auxiliary feedwater pump is out of service for maintenance or other reasons. It does not mean to perform Surveillance Requirements needed to demonstrate the OPERABILITY of the steam-driven auxiliary feedwater pump.

If one Millstone Unit No. 2 diesel generator is inoperable in MODES I through 4, a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed outage time is provided by ACTION Statement b.5 to allow restoration of the diesel generator, provided the requirements of ACTION Statements b.l, b.2, and b.3 are met. This allowed outage time can be extended to 14 days if the additional requirements contained in ACTION Statement b.4 are also met. ACTION Statement b.4 requires verification that the Millstone Unit No. 3 diesel generators are OPERABLE as required by the applicable Millstone Unit No. 3 Technical Specification (2 diesel generators in MODES 1 through 4, and I diesel generator in MODES 5 and 6) and the Millstone Unit No. 3 SBO diesel generator is available.

The term verify, as used in this context, means to administratively check by examining logs or other information to determine if the required Millstone Unit No. 3 diesel generators and the Millstone Unit No. 3 SBO diesel generator are out of service for maintenance or other reasons. It does not mean to perform Surveillance Requirements needed to demonstrate the OPERABILITY of the required Millstone Unit No. 3 diesel generators or availability of the Millstone Unit No. 3 SBO diesel generator.

When using the 14 day allowed outage time provision and the Millstone Unit No. 3 diesel generator and/or the Millstone Unit No. 3 SBO diesel generator requirements are not met, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed for restoration of the required Millstone Unit No. 3 diesel generators and the Millstone Unit No. 3 SBO diesel generator. If any of the required Millstone Unit No. 3 diesel generators and/or the Millstone Unit No. 3 SBO diesel generator are not restored within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , and one Millstone Unit No. 2 diesel generator is still inoperable, Millstone Unit No. 2 is required to shut down.

MILLSTONE - UNIT 2 B 3/4 8-lb Amendment No. 4-A, 415, 2-, 2, 264-,

LBDCR 04-MP2-016 February 24, 2005 3/4.8 ELECTRICAL POWER SYSTEMS BASES The OPERABILITY of the minimum specified A.C. and D.C. power sources and associated distribution systems during shutdown and refueling ensures that 1) the facility can be maintained in the shutdown or REFUELING condition for extended time periods and 2) sufficient instrumentation and control capability is available for monitoring and maintaining the facility status. If the required power sources or distribution systems are not OPERABLE in MODES 5 and 6, operations involving CORE ALTERATIONS, positive reactivity changes, or movement of irradiated fuel assemblies are required to be suspended. The required ACTION to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory provided the boron concentration of the makeup water source is greater than or equal to the boron concentration for the required SHUTDOWN MARGIN. In addition, suspension of these activities does not preclude completion of actions to establish a safe conservative plant condition.

Each 125-volt D.C. bus train consists of its associated 125-volt D.C. bus, a 125-volt D.C. battery bank, and a battery charger with at least 400 ampere charging capacity. To demonstrate OPERABILITY of a 125-volt D.C. bus train, these components must be energized and capable of performing their required safety functions. Additionally, at least one tie breaker between the 125-volt D.C. bus trains must be open for a 125-volt D.C. bus train to be considered OPERABLE.

Footnote (a) to Technical Specification Tables 4.8-1 and 4.8-2 permits the electrolyte level to be above the specified maximum level for the Category A limits during equalizing charge, provided it is not overflowing. Because of the internal gas generation during the performance of an equalizing charge, specific gravity gradients and artificially elevated electrolyte levels are produced which may exist for several days following completion of the equalizing charge. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. In accordance with the recommendations of IEEE 450-1980, electrolyte level readings should be taken only after the battery has been at float charge for at least 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

Based on vendor recommendations and past operating experience, seven (7) days has been determined a reasonable time frame for the 125-volt D.C. batteries electrolyte level to stabilize and to provide sufficient time to verify battery electrolyte levels are with in the Category A limits.

Footnote (b) to Technical Specification Tables 4.8-1 and 4.8-2 requires that level correction is not required when battery charging current is < 5 amps on float charge. This current provides, in general, an indication of overall battery condition.

MILLSTONE - UNIT 2 B 3/4 8-lo Amendment No. 4-A&, 4A-2, 2 248, 2,64-, 2" 249,

ML051810150

Text

Navigation menu

Search