ML20069F459
| ML20069F459 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 06/03/1994 |
| From: | SOUTHERN CALIFORNIA EDISON CO. |
| To: | |
| Shared Package | |
| ML20069F448 | List: |
| References | |
| NUDOCS 9406080297 | |
| Download: ML20069F459 (579) | |
Text
{{#Wiki_filter:c l ATTACHMENT "A" (Marked-Up Proposed Specifications) Unit 2 I l 9406080297 940603 PDR ADOCK 05000361 P PDR m_..
Definitions 1.1 1.1 Definitions CORE ALTERATION within the reactor vessel with the vessel head (continued) removed and fuel in the vessel. Suspension of CORE ALTERATIONS shall not preclude completion of movement of a component to a safe position. CORE OPERATING LIMITS The COLR is the unit specific. document that REPORT (COLR) provides cycle specific parameter limits for the current reload cycle. These cycle specific parameter limits shall be determined for each reload cycle in accordance with Specification 5.7.1.5. Plant operation within these limits is addressed in individual Specifications. DOSE EQUIVALENT I-131 DOSE EQUIVALENT I-131 shall be that concentration of I-131 (microcuries/ gram) that alone would produce the same thyroid dose as the quantity and isotopic mixture of I-131, I-132, I-133, 1-134, and 1-135 actually present. The thyroid dose conversion factors used for this calculation shall be those listed in Table 4:I ef !!0-14044, AT, we , ,, r..,,w -~.u.. e..~-- - - --
. ad 2;$[Mi 'eTkM N m E- AVERAGE E shall be the average (weighted in proportion
) DISINTEGRATION ENERGY to the concentration of each radionuclide in the
~
reactor coolant at the time of sampling) of the sum of the avera disintegration (ge beta and gamma energies perin Me iodines, with half lives > ~15 minutes, making up at least 95% of the total noniodine activity in the coolant. ENGINEERED SAFETY The ESF RESPONSE TIME shall be that time interval FEATURE (ESF) RESPONSE from when the monitored parameter' exceeds its ESF TIME actuation setpoint at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.). Times shall include diesel generator starting and sequence loading delays, where applicable. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. (continued) O SAN ON0FRE--UNIT 2 1.1-3 AMENDMENT NO. <- -_ - J
Definitions 1.1 1.1 Definitions (continued) LEAKAGE LEAKAGE shall be:
- a. Identified LEAKAGE
- 1. LEAKAGE, such as that from pump seals or valve (RCP) packing),(except- reactorand leakoff that is captured coolant pump .
conducted to collection systems or a sump l or collecting tank;
- 2. LEAKAGE into the containment atmosphere from sources that are both specifically~
located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary LEAKAGE; or
- 3. Reactor Coolant System (RCS) LEAKAGE through a steam generator (SG) to the Secondary System.
9
- b. Unidentified LEAKAGE All LEAKAGE that is not identified LEAKAGE.
. c. Pressure Boundary LEAKAGE LEAKAGE (except SG LEAKAGE) through a nonisolable fault in an RCS component body, pipe wall, or vessel wall.
- 4. C=tralld LEAXAGE L' y aco]. .ter-fh suppMed te er fre;. U u' mr seau. u MODE A MODE shall correspond to any one inclusive- ,
combination of core reactivity condition, power , level, average reactor coolant temperature, and reactor vessel head closure bolt tensioning , specified in Table 1.1-1 with fuel 'in the reactor vessel. (continued) N SAN ONOFRE--UNIT 2 1.1-4 AMENDMENT NO. J
Completion Times 1.3 1.3 Completion Times r~)
/
EXAMPLES EXAMPLE 1.3-3 (continued) ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One A.1 Restore 7 days Function X Function X tr in train to OPERABLE AND inoperable. status. 10 days from discovary of failure to meet the LCO B. One B.1 Re tore 72 hours Function Y F nction Y train train o OPERABLE AND inoperable. status. 10 days from discovery of failure to meet the LCO n%/ C. )ne C.1 Restore 72 hours Function X Function X train train to OPERABLE inoperable. status. AND QR One C.2 Restore 72 hours function Y Function Y train - train to OPERABLE inoperable, status. i (continued)
)
l S ONOFRE--UNIT 2 1.3-6 AMENDMENT NO. dI l l l
r ~ ! Completion Times 1.3 1.3 Completion Times
] ,
EXAMPLES EXAMPLE 1.3-3 (continued) f When one Function X train and one Functio Y train are inoperable, Condition A and Condition B e concurrently , l applicable. The Completion Times for Co dition A and Condition B are tracked separately for ach train starting from the time each train was declared noperable and the Condition was entered. A separate C .pletion Time is established for Condition C and tra ed from the time the second train was declared inoperab (i.e., the time the l situation described in Condition was discovered). If Required Action C.2 is comp ted within'the specified Completion Ti onditions and C are exited. If the Completion T e f Requir Action A.1 has not expired, operation ma cont' nue i ccordance with Condition A. The remaining Cc pletion ' e in Condition A is measured from the time the train was declared inoperable (i.e., , initial entry int ConditionA). The Completion T mes of Conditions A and B are modified by a logical connect r, with a separate 10 day Completion Time measured from he time it was discovered the LC0 was not m met. In this example, without the separate Completion Time, d it would be assible to alternate between Conditions A, B, and C in su h a manner that operation could continue indefinite y without ever restoring systems to meet the LCO. The separ te Completion Time modified by the phrase "from discover of failure to meet the LC0" is designed to prevent indefi te continued operation while not meeting the LCO. , This mpletion Time allows for an exception to the normal :
" tim zero" for beginning the Completion Time " clock." In thi instance, the Completion Time " time zero" is specified a commencing at the time the LC0 was initially not met,
' stead of at the time the associated Condition was. entered.
h' (continued) i SAN ON0FRE--UNIT 2 1.3-7 AMENDMENT NO. 1
Completion Times 1.3 l 1.3 Completion Times
-)
EXAMPLES EXAMPLE 1.3-/ (continued) ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME i A. One or more A.1 Restorevalve(s) 4 hours valves to OPERABLE l inoperable. status. , I I l B. Required B.1 Be in MODE 3. 6 hours l Action and ) associated AND i Completion ; Time not B.2 Be in MODE 4. 12 hours l met. l l J A single Completion Time is used for any number of valves I inoperable at the same time. The Completion Time associated with Condition A is based on the initial entry into Condition A and is not tracked on a per valve basis. Declaring subsequent valves inoperable, while Condition A is still in effect, does not trigger the tracking of separate Completion Times. Once one of the valves has been restored to OPERABLE status, the Condition A Completion Time is not reset, but ;entinues from the time the first' valve was declared inorarable. The Completion Time may be extended if the valve restored to OPERABLE status was the first inoperable valve. The Condition A Completion Time may be extended for up to 4 hours provided this does not result in any subsequent valve being inoperable for > 4 hours. - If the Completion Time of 4 hours (including any extensions) expires while one or more valves are still inoperable, Condition B is entered.
.(continued)
SAN ON0FRE--UNIT 2 1.3-8 AMENDHENT NO. ,)
Completion Times 1.3 1.3 Completion Times
/
EXAMPLES EXAMPLE 1.3-I (continued) ACTIONS
----------------------------NOTE----------------------------
Separate Condition entry is allowed for each inoperable valve. CONDITION REQUIRED ACTION COMPLETION TIME A. One or more A.1 Restore valve to 4 hours valves OPERABLE status. inoperable. B. Required B.1 Be in MODE 3. 6 hours Action and associated AND Completion Time not B.2 Be in MODE 4. 12 hours
]x met.
The Note above the ACTIONS table is a method of modifying how the Completion Time is tracked. If this method of modifying how the Completion Time is tracked was applicable only to a specific condition, the Note would appear in that Condition rather than at the top of the ACTIONS Table. The Note allows Condition A to be entered separately for each inoperable valve, and Completion Times tracked on a per valve basis. When a valve is declared inoperable, Condition A is entered and its Completion Time: starts. If subsequent valves are declared inoperable, Condition A is entered for each valve and separate Completion Times start and are tracked for each valve. (continued) SAN ONOFRE--UNIT 2 1.3-9 AMENDMENT NO.
i Completion Times 1.3 1.3 Completion Times - EXAMPLES EXAMPLE 1.3 I (continued) If the Completion Time associated with a valve in Condition A expires, Condition B is entered for that valve. If the Completion Times associated with subsequent valves in Condition A expire, Condition B is entered separately for each valve and separate Completion Times start and are tracked for each valve. If a valve that caused entry into Condition B is restored to OPERABLE status, Condition B is exited for that valve. Since the Note in this example allows multiple Condition entry and tracking of separate Completion Times, Completion Time extensions do not apply. GI EXAMPLE 1.3-/ ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One channel A.1 Perfonn Once per inoperable. SR 3.x.x.x. 8 hours 03 , A.2 Reduce THERMAL 8 hours + POWER to s 50% RTP. B. Required B.1 Be in MODE 3. 6 hours Action and associated Completion __- Time not met. (continued) SAN ONOFRE--UNIT 2 1.3-10 AMENDMENT NO. ...) i
~ !
Completion Times ' 1.3 1.3 Completion Times EXAMPLES EXAMPLE 1.3-/ -(continued) Entry into Condition A offers a choice between Required Action A.1 or A.2. Required Action A.1 has a "Once per" Completion Time, which qualifies for the 25% extension, per SR 3.0.2, to each performance after the initial performance. If Required Action A.1 is followed and the Required Action , is not met within the Completion ~ Time (including the 25% extension allowed by SR 3.0.2), Condition B is entered. If : Required Action A.2 is followed and the Completion Time of i 8 hours is not met, Condition B is entered. : If after entry into Condition B, Required Action A.1 or A.2 is met, Condition B is exited and operation may then continue in Condition A. 4 1
.. I (continued) i 4
k SAN ONOFRE--UNIT 2 1.3-11 AMENDMENT NO. l
- _ . . j
Completion Times , 1.3 l 1.3 Completion Times q' EXAMPLES EXAMPLE 1.3 (continued) ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One A.1 Verify affected 1 hour subsystem subsystem inoperable. isolated. AND l Once per 8 hours thereafter AND A.2 Restore subsystem 72 hours to OPERABLE status. B. Required B.1 Be in MODE 3. 6 hours Action and associated AND Completion Time not B.2 Be in MODE 5. 36 hours met. Required Action A.1 has two Completion Times. The 1 hour Completion Time begins at the time the Condition is entered and each "Once per 8 hours thereafter" interval begins upon perfonnance of Required Action A.1. If after Condition A is entered, Required Action A.1is not met within either the initial I hour or any subsequent 8 hour interval from the previous perfonnance (including the 25'4 extension allowed by SR 3.0.2), Condition B is entered. (continued) SAN ONOFRE--UNIT 2 1.3-12 AMENDMENT NO. 1J
O Completion Times 1.3 1.3 Completioa Times EXAMPLES EXAMPLE 1.3/ (continued) The Completion Time clock for Condition A does not stop after Condition B is entered, but continues from the time Condition A was initially entered. If Required Action A.1 is met after Condition B is entered, Condition B is exited and operation may continue in accordance with Condition A, provided the Completion Time for Required Action A.2 has not expired. IMMEDIATE When "Immediately" is used as a Completion Time, the COMPLETION TIME Required Action should be pursued without delay and in a controlled manner. ME
%s.
i __ SAN ONOFRE--UNIT 2 1.3-13 AMENDMENT NO.
Frequency 1.4 1.4 Frequency ,3 EXAMPLES EXAMPLE 1.4-3 (continued) SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY
------------------NOTE------------------
Not required to be performed until 12 hours after a 25% RTP. Perform channel adjustment. 7 days The inter 1 continues, whether or not the unit operation is < 25% RTP between performances. As the Note modifies the required performance of the Surveillance, it is construed to be part of the "specified Frequency." Should the 7 day interval be exceeded while operation is < 25% RTP, this Note allows 12 hours after power reaches a 25% RTP to perform the Surveillance. The Surveillance is still considered to be performed within the "specified Frequency." Therefore, if the Surveillance were not performed within the 7 day (plus 25% per SR 3.0.2) interval, but operation was < 25% RTP, it would not constitute a failure of the SR or failure to meet the LCO. Also, no violation of SR 3.0.4 occurs when changing MODES, even with the 7 day Frequency not met, provided operation does not exceed 12 hours with power a 25% RTP. Once the unit reaches 25% RTP, 12 hours would be allowed for completing the Surveillance. If the Surveillance were not performed within this 12 hour interval, there would then be e failure to perfom a Surveillance within the specified Frequency; MODE changes then would be restricted in accordance with SR 3.0.4 and the provisions of SR 3.L3 would apply. SAN ON0FRE--UNIT 2 1.4-4 AMENDMENT NO. J
SLs 3 2.0 2.0. SLs ..
- 2.2 SL yiolations (continued) o (M.,1 ~.4 2.) C) 2.2.6;,CHth:1 A$eratiogof the unit shall not be resumed until authorized by the NRC.
i
)
-i I
i l 1 I 1 i l 2.0-2 AMENOMENT N01 .. SAN ONOFRE--UNIT 2 4 l i
LCO Applicability 3.0 3.0 LCO APPLICABILITY , I LC0 3.0.4 Specification shall not prevent changes in MODES or other (continued) specifid conditions in the Applicability that are required to comply Qith ACTIONS. Exceptions m 'his Specification are stated in the : individual Specifications. These exceptions allow entry. into MODES or other specified conditions in the , Applicability when the associated ACTIONS to be entered < allow unit operation in the MODE or other specified l condition in the Applicability only for a limited period of time. LCO 3.0.5 Equipment removed from service or declared inoperable to comply with ACTIONS may be returned to service under administrative control solely to perfonn testing required to demonstrate its OPERABILITY or the OPERABILITY of other ' equipment. This is an exception to LCO 3.0.2 for the system returned to service under administrative control to perform the testing required to demonstrate OPERABILITY. i' " " When a supported system LC0 is not met solely due to a LC0 3.0.6 support system LC0 not being met, the Conditions and Required Actions associated with this supported system are ' not required to be entered. Only the support system LC0 ACTIONS are required to be entered. This is an exception to LCO 3.0.2 for the supported system. In this event, i dditional evaluations and 1,imita ions may be required in ; h(,accordancewithSpecificauon ., " Safety Function j Determination-Program (SFDi>)." If a loss of safety function i is determined to exist by this program, the appropriate l Conditions and Required Actions of the LCO in which the loss of safety. function exists are required to be entered. ' When a sup) ort system's Req W ed Action directs:.a supported system to )e declared inoperable or directs entry into , Conditions and Required Actions for.a supported system, the ! applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. I h (continued) SAN ONOFRE UNIT--2 3.0-2 AMENDMENT NO.
l l LC0 Applicability l B 3.0 l BASES LCO 3.0.6 However, there are instances where a support system's. (continued) Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, whec 3 support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required ; Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LC0 3.0.2. 4 Specification 5g, " Safety Function Detemination Program ' (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon failure to meet two or more LCOs concurrently, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering . supported system Conditions and Required Actions. The SFDP implements the requirements of LC0 3.0.6.
) Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support -
system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and : Required Actions of the LCO in which the loss of safety function exists are required to be entered. , i LCO 3.0.7 Special tests and operations are required at various times over the unit's life to demonstrate performance characteristics, to perform maintenance activitiis, and to perform special evaluations. Because TS normally preclude ; these tests and operations, special test exceptions (STEs) allow specified requirements to be changed or suspended i under controlled conditions. STEs are included in applicable sections of the Specifications. Unless otherwise specified, all other TS requirements remain unchanged and in i L v : SAN ONOFRE UNIT--2' B 3.0-8 AMENDMENT NO. l. E _.----a . . _ .--
SDM - T.vg > 200* F 3.1.1 3.1 REACTIVITY CONTROL SYSTEMS 3.1.1 SHUTDOWN MARGIN (SDM)-T, > 200*F f LCO 3.1.1 SDM shall be a 5.15% Ak/k. APPLICABILITY: MODES 3 and 4. ACTIONS REQUIRED ACTION COMPLETION TIME
' CONDITION A.1 Initiate boration to 15 minutes A. SDM not within limit.
restore SDM to within limit. SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.1.1 Verify SDM is a 5.15% Ak/k. 24 hours @ t 1 I h.oc R 34.I.1 W.rICy SOM % we%k. aA S Nrd euras mere ^5u1 h< e Ser the s AJrwa ef iner m wls cortA og en%gt. C.E.As, C W sad e.very~ _ 12. hown
~
~
AMew-f- : i b 3.1-1 AMENDMENT NO. SAN ONOFRE--UNIT 2 e 9
MTC 3.1.4 3.1 REACTIVITY CONTROL SYSTEMS n., 3 3.1.4 Moderator Temperature Coefficient (MTC)
'The MTC shall be maintained within the limits specified in LC0 3.1.4 the COLR, and a maximum positive limit as specified below:
en THERMAL POWER is s 70% RTP; and
- a. 0.5 E-4
- b. 0.0 hen THERMAL POWER is > 70% RTP.
APPLICABILITY: MODES 1 and 2 with K,,,a 1.0 ACTION COMPLETION TIME CONDITION REQUIRED ACTION A.1 Be in MODE 3. 6 hours A. MTC not within limits. e SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE
-------------------NOTE------------------d SR 3.1.4.1 is not required to be performe prior to entry into MODE 2.
Verify MTC within the upper limit. Prior to SR 3.1.4.1 entering MODE 1 after each fuel loading (continued) 1 4 AMENDHENT NO. j
< SAN ONOFRE--UNIT 2 3.1-5 . l G
CEA Alignment 3.1.5 3.1 REACTIVITY CONTROL SYSTEMS [j) 3.1.5 Control Element Assembly (CEA) Alignment LCO 3.1.5 hll full length CEAs shall be OPERABLE and all full and part length CEAs shall be aligned to within 7 inches ('-ff::t;J;-
' -- -- with 2 of 3 position indicators available) of all other CEAs in its group.
APPLICABILITY: MODES 1 and 2. ACTIONS COMPLETION TIME CONDITIdN. REQUIRED ACTION A.1 Reduce THERMAL POWER 15 minutes A. One regulating CEA trippable and in accordaned with misaligned from its LCS requirements. group by > 7 inches. AND A.2.1 Verify SOM is 1 hour a 5.15% Ak/k. M A.2.2 Initiate boration to 1 hour restore SDM to within limit. AND A.3.1 Restore the 2 hours misaligned CEA(s) to within 7 inches
- :..J:,_t:f ;;;it:.c.)
;'fo its group. h M
(continued) e 3.1-7 AMENOMENT NO. SAN ONOFRE--UNIT 2
CEA Alignment 3.1.5 ACTIONS - REQUIRED ACTION COMPLETION TIME CONDITION A.3.2 Align the remainder 2 hours A. (continued)- of the CEAs in the group to.within 7 inches ',i.f-%.. JJ 0;::iti::} of the misalignedCEA(s) while maintaining the insertion limit of LC0 3.1.7,
" Regulating Control Element Assembly (CEA) Insertion Limits."
B. One shutdown CEA trippable and B.1 ReduceTHERMALMOWER ! ':1. f in accordance with jg m tf W tt,5 h misaligned from its LCS requirements group by > 7 inches. AND B.2.1 Verify SDH is I hour 2: 5.15% Ak/k. OH B.2.2 Initiate boration to 1 hour restore SDM to within limit. AND B.3 Restore the 2 hours misaligned CEA(s) to wi, 1 thin as..7 i,nchessa w of its group. (continued) 4 3.1-8 AMENDMENT NO. SAN ONOFRE--UNIT 2
~
CEA Alignment 3.1.5 l l ACTIONS (continued) COMPLETION TIME CONDITION REQUIRED ACTION f] One part len'gth CEA C.1 Reduce THERMAL POWER !54 C. misaligned from its in accordance with LCS requirements (5mm group by > 7 inches. AND C.2.1 Restore the 2 hours misaligned CEA(s) to withi
; y .n 7.a2 inches
_ m __s , of its group. , E C.2.2 Align the remainder 2 hours of the CEAs in the group to within' ( 7' inchesd'^1.4 i...o) of the
;m;:s:
i aligned CEA(s), while maintaining the insertion , limit of - LCO 3.148 NrL S " Element AssemblyA 4 1au m/ Control (CEA) Insertion Limits."
-v r r - r , a v , ,,
-w v.
Restore inoperable 6 hours D. Required position ((D.1 position indicator indication inoperable. j'
. b o channel to OPERABLE status, b
l kb.:; .. . /(Msse_*_wwr>- 9:.
.W ;_e D.e4 . Align the CEA 6 hours i group (s) with the inoperable position indicator (s) at the fully withdrawn position.
(continued) AMENDMENT NO. SAN ONOFRE--UNIT 2 3.1-9 9
CEA AhgnmeAL 3.1.5 ACTIONS (continued) COMPLETION TIME s CONDITION REQUIRED ACTION ) E.1 Be in MODE 3. 6 hours
- E. Required Action and associated Completion Time of Condition A, B, C or D not met QB One full length CEA untrippable. -
QB . More than one full length CEA trippable, but misaligned from any other CEA in its group by > 7 inches. 2B More than one part length CEA misaligned from any other CEA in its group by > 7 ! inches. SURVEILLANCE REQUIREMENTS 4 SURVEILLANCE FREQUENCY Verify the ':._':....;Iposition of each full 12 hours SR 3.1.5pf
.and part length CEA is within 7 inches of
.]'?
QW
'n all other CEAs in its group.
(continued)
?
S 3.1-10 AMENDHENT NO. SAN ONOFRE--UNIT 2
', ..) '
~
g_ . Part-Length CEA Insertion Limits ! 3.1.8 3.1 REACTIVITY CONTROL SYSTEMS
' Part length Control Element Assembly (CEA) Insertion Limits 3.1.8 The part length CEA groups shall be limited to the insertion LC0 3.1.8 limits specified in of the COLR.
APPLICABILITY: MODE 1 > 20% RTP.
-NOTE----------------------------
--------------------------il This LCO not applicable wh e exe rci si ng part l ength CEAs .
( ACTIONS ND m 0N COMPLETION TIME REQUIRED ACTION . Restore part length 2 hours A. Part length CEA groups A.1 inserted beyond the CEA groups to within transient insertion the limit. limit. 95 r 2 hours A.2 Reduce THERMAL POWER to less than or equal to the fraction of ; RTP allowed by the ~ CEA group position and insertion limits specified in the COLR. Restore part length 2 hours B. Part length CEA groups B.1 , CEA groups to within inserted between the the long tern steady long tem steady state insertion limit and state insertion the transient- limit. insertion limit for intervals
> 7 effective full
' power days (EFPD) per ,
30 EFPD or > 14 EFPD ! per 365 EFPD interval. . (wes'we4) , AMENDMENT NO. SAN ONOFRE--UNIT 2 3.1-18 l i
Part-Length CEA Insertion Lioits 301.8 ACTIONS (continued) COMPLETION TIME
+- ) CONDITION REQUIRED ACTION
(;;; tin;;d) " () C.1 Reduce THERMAL POWER 4 hours C. Required Action and associated Completion to 5 20% RTP. Time of Condition B not met. l J l SURVEILLANCE REQUIREMENTS l SURVEILLANCE FREQUENCY Verify part length CEA group position. 12 hours SR 3.1.8.1 Verify the accumulated time during which 24 hours
.- SR 3.1.8.2 the part length CEA groups are inserted beyond the long term steady state insertion limit but within the transient insertion limit.
e E e t 3.1-19 AMENDHENT NO.
< SAN ONOFRE--UNIT 2
Boration Systems - Operating 3.1.9 j . MINIMUM STORED BOR!C ACID VOLUME AS A FUNCTION OF CONCENTRATION (Gallons) 12,000 Region of Acceptable Operation 10,000 N N w RWST at 2,350 ppm 37 l l k h 8,000 'x- . RWST at 2,500 ppm o.E I I 5m \ '4N\.' . RWST at 2,650 ppm iS 3!$ x\\ \'N
\ M 4 ,\
I RWST at 2,800 ppm I oo s \ \ 6,000 xN y x 'N N' N
$$ \ '
x 'N N'N \ N N N
\ N'N_' l 4,000 Region of Unacceptable Operation 2,000 2.30 2.50 2.75 3.00 2.25 2.50 (4,021) (4,371) (4,808) (5,245) (5,682) (6,119)
Boric Acid Concentration WT% (ppm) 1 Figure 3.1.9-1 )
)
I 3.1-21a ' SAN ON0FRE--UNIT 2 AMENDMENT N0. j
*~
1 Boration SystGms - Shutcown l 3.1.10 l 3 l SURVEILLANCE REQUIREMENTS
.s .)
SURVEILLANCE FREQUENCY l l Verify that at least one of the above 31 days SR 3.1.10.1 required flow paths is OPERABLE and W
,el.e (.,a, T T aal, pa r :p:r:t:d :r ::t:::tf:)f is in its correct position.
r r w, r,~ - rv -
,,.,,,r , .
fk%v tm:.h> vaadvs.(mnan I, Ww ofvdd **" l* awtom.#/s, 4hr 6 not La < Ka.4 5* al*4 *r q' e+hsrJew s ure l) ;ft 4._ %4.a s. r%virs..k Cl.w rstN
'l l
l l
]
I i l 3.1-23 AMENDHENT NO. SAN ONOFRE--UNIT 2 l
. - - j
STE - MCOES 2 and 3 3.1.12 3.1 REACTIVITY CONTROL SYSTEMS 3.1.12 Special Test Exception (STE) - HODES 2 and 3 D'uring perfonnance of PHYSICS TESTS the following LCOs may be LCO 3.1.12 suspended:
> 200* F:"
LCO 3.1.1 "SHUTDOWNMARGIN(SDH)-T,Tivityavailablefor (Provided the shutdown reac"
' ^^' ' ' ' '^ " # 4 gu m al u W -to d trip insertion is ""' :ti: ; tw h ug 1.,_: ..' .nt : r ' ' tt::: 4*T%g MAT M
' ' " ' -)
LCO 3.1.4, " Moderator Temperature Coefficient (HTC);" LCO 3.1.5, " Control Element Assembly (CEA) Alignment;" LCO 3.1.6, " Shutdown Control Eleraent Assembly (CEA) Insertion Limits;" LCO 3.1.7, " Regulating Control Element Assembly (CEA) Insertion Limits;" LCO 3.1.8, "Part length CEA Insertion Limits;" LCO 3.3.1, "RPS Instrumentation - Operating," Table 3.3.1 1, ALLOWABLE VA UE for FUNCTION 2 and footnote (d) forj FUNCTIONS and pf.8 11 12. APPLICABILITY: MODES 2 and 3 during PHYSICS TESTS. ____...................--.N0TE----------------------hours. Operation in MODE 3 shall be limited to 6 consecutive
- 4
- 5 AMENDHENT NO.,
SAN ONOFRE--UNIT 2 3.1-26 -
- 4
-=~~---n.,_
STE - Center CEA Hisalignment and Regulating CEA Insertion Limits 3.1.14 REACTIVITY CONTROL SYSTEH; I 3 '.1 3.1.14 Special Test Exceptions (STE) - Center CEA Hisalignment and Regulating CEA Insertion Limits LCO 3.1.14 During perfonnance of PHYSICS TESTS the following LCOs may be suspended: LCO 3.1.5, " Control Element Assembly (CEA) Alignment;" and LCO 3.1.7, " Regulating CEA Insertion Limits;" provided that:
'a . Only the center CEA (CEA #1) is misaligned, or only regulating CEA Group 6 is inserted beyond the transient insertion Limit of LCO 3.1.7; and
- b. The LHR and DNBR do not exceed the limits specified in the COLR. ."
APPLICABILITY: H0DE 1. ACTIONS REQUIRED ACTION COMPLETION TIME CONDITION , 15 minutes A. LHR or DNBR outside A.1 [ Reduce THERMAL POWER the limits specified to restore LHR and in the COLR. DNBR to within limits. B. W A.twa comyc.4 h~se in H00E 3. s hours (.om1.stemme or 3--yonn pq
- e t
3.1-30 AMENDMENT NO. SAN ONOFRE--UNIT 2
m, . - - RPS Instrumentation-Operating 3.3.1 h 3.3 INSTRUMENTATION 3.3.1 Reactor Protective System (RPS) Instrumentation-Operating LC0 3.3.1 Four RPS trip and operating bypass removal channels for each Function in Table 3.3.1-1 shall be OPERABLE. APPLICABILITY: According to Table 3.3.1-1. ACTIONS
-------------------------------------NOTES------------------------------------
- 1. Separate Condition entry is allowed for each RPS Function.
- 2. If a channel is placed in bypass, continued operation with the channel in the bypassed condition for the Completion Time specified by Required Action A.2 or C.2.2 shall be reviewed by the Onsite Review Committee.
REQUIRED ACTION COMPLETION TIME CONDITION ckME r]' A. One or more Functions A.1 Place @ ::! "#"T h r ! with one automatic RPS ef T:bl: 2.2.1 2 in trip channel bypass or trip. inoperable. AND
- Prior to A.2 Restore channel to entering MODE 2 OPERABLE status, following next MODE 5 entry (continue 1) i O .
3.3-1 AMENDMENT NO. SAN ON0FRE--UNIT 2'
RPS Instrumentation _-Operating 3.3.1 l l Table 3.7.1 1 (page 1 of 2) I Reactor Protective System Instrumentation ,} ' APPLICABLE MODES OR OTHER SPECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE l l
- 1. Linear Power Level - High 1,2 SR 3.3.1.1 s 111.0% RTP 1 SR 3.3.1.4 1 SR 3.3.1.6 SR 3.3.1.7 SR 3.3.1.8 SR 3.3.1.9 NO i
SR 3.3.1.13 .
- 2. Logarithmic Power Level - High(a) 2(b) SR 3.3.1.1 -
RTP SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.12 SR 3.3.1.13
- 3. Pressurizer Pressure - High 1,2 SR 3.3.1.1 5 2385 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13
- 4. Pressurizer Pressure - Low (c) 1,2 SR 3.3.1.1 a 1700 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.12 SR 3.3.1.13
- 5. Containment Pressure - High 1,2 SR 3.3.1.1 s 3.4 psig SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13
- 6. Steam Generator 1 Pressure-Low 1,2 SR 3.3.1.1 e 729 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13
- 7. Steam Generater 2 Pressure-Low 1,2 SR 3.3.1.1 t 729 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13 (continued)
(a) Trip may be bypassed when THERMAL POWER is > IE-4% RTP. Bypass shall be automatically removed when THERMAL POWER is < 1E-4% RTP. Trip may be manually bypassed during physics testing pursuant to LCO.3.4.40, (b) When any RTCB is closed. (c) The setpoint may be decreased to a minimum value of 300 psia, as pressurizer pressure is reduced, provided the margin between pressurizer pressure and the setpoint is maintained s 400 psia. Trips may be bypassed when pressurizer pressure is < 472 psia. Bypass shall be automatically removed when pressurizer pressure is e 472 psia. The setpoint shall be automatically increased to the normal setpoint as pressurizer pressure is increased. l SAN ON0FRE--UNIT 2 3.3-8 AMENDMENT NO. v'
.n.
" " * . _.-...7..._,..-. - . . . . - - - _ . . . - - .
RPS Instrumentation-Operating 3.3.1 Table 3.3.1 1 (page 2 of 2) (O) Reactor Protective System Instrumentation APPLICABLE M00E5 OR OTHER $PECIFIED SURVEILLANCE FUNCTION CONDITIONS REQUIREMENTS ALLOWABLE VALUE
- 8. Steam Generator 1 Level - Low i, SR 3.3.1.1 t 20%
SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13
- 9. Steam Generator 2 Level - Low 1,2 SR 3.3.1.1 e 20%
SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13
- 10. Reactor Coolant Flow - Low (d) 1,2 SR 3.3.1.1 Ramp: s 0.231 psid/sec.
SR 3.3.1.7 Floor: e 12.1 psid SR 3.3.1.9 Step: 7.25 psid SR 3.3.1.12 SR 3.3.1.13
- 11. Local Power Density - High(d) 1,2 SR 3.3.1.'1 s 21.0 kW/ft SR 3.3.1.3 SR 3.3.1.4 SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.10 SR 3.3.1.11 SR 3.3.1.12 SR 3.3.1.13
- 12. DepartureFromNuq1gateBoiling 1,2 SR 3.3.1.1 e 1.31 Ratio (DNBR) - Low $R 3.3.1.2 SR 3.3.1.3 SR 3.3.1.4 SR 3.3.1.5 SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.10 SR 3.3.1.11 SR 3.3.1.12 SR 3.3.1.13 (d) Trip may be bypassed when THERMAL POWER is < 1E.4% RTP. Bypass shall be automatically removed when THERMAL POWER is t 1E.4% RTP. During testing pursuant to LCD ? ' P. trip may be bypassed below M RTP. Bypass shall be automatically removed when THERMAL POWER is a RTP.
3.% . Il SAN ON0FRE--UNIT 2 3.3-9 AMENDHENT N0.
RPS Instrumentation-Operating 3.3.1 Table 3.3.1-2 (page 1 of 1) A Functional Units ( . , .
)
Required Action A.1 J Process Measurement Circuit Functional Unit Bypassed
- 1. Linear Power Linear Power Level - High !
(SubchannelorLinear) Local Power Density - High DNBR - Low Pressurizer Pressure - High Pressuriter Pressure - High
- 2. Local Fower Density - High DNBR - Low ;
i
- 3. Containment Pressure - High ContainmentPressure-High(RPS)
Containment Pressure High (ESF)
- 4. Steam Generator Pressure - Low Steam Generator Pressure - Low ,
Steam Generator AP 1 AND 2 (EFAS 1 and 2)
- 5. Steam Generator Level Steam Generator Level - Low
- 5 team Generator Level - High Steam Generator AP (EFAS)
- 6. Core Protection Calculator Local Power Density - High ,
DNBR - Low Required Action A.2 Process Measurement Circuit Functional Unit Bypassed )
- 1. Linear Power Linear Power Level - High *
(SubchannelorLinear) Local Power Density - High DNBR - Low ,
- 2. Pressurizer Pressure - High Pressuriter Pressure - High Local Power Density - High '
DNBR - Low f
- 3. Containment Pressure - High ContainmentPressure-High(RPS)
Containment Pressure - High (ESF)
- 4. Steam Generator Pressure - Low Steam Generator Pressure - Low Steam Generator AP 1 and 2 (EFAS1and2) 1' S. Steam Generator Level Steam Generator - Low Steam Generator - High SteamGeneratorAP(E5FAS)
Local Power Density - High l
- 6. Core Protection Calculator DNBR - Low L ,
i i i i SAN ON0FRE--UNIT 2 3.3-10 AMENDMENT NO. I
RPS Instrumentation-Shutdown 3.3.2 2 3.3 INSTRUMENTATION 3.3.2 Reactor Protective System (RPS) Instrumentation-Shutdown 9rei LCO 3.3.2 Four RPS Logarithmic Power Level-High tria channels and associated instrument an bypass removal clannels shall be OPERABLE. Trip channels shall have an Allowable Value of s .93% RTP. APPLICABILITY: MODES 3, 4, and 5, with any reactor trip circuit breakers (RTCBs) closed and any control element assembly capable of being withdrawn.
------ - ------------NOTE-------------------------
e bypassed when THERMAL POWER is > 1E-4% RTP Bypass shall be automatically removed when THERMAL POWER is s 1E-4% RTP. - ________ ACTIONS 1 If a channel is placed in bypass, continued operation with the channe in the _________________________________----NOTE----------------------------l bypassed condition fo. the Completion Time specified by Required Action A.2 or C.2.2 shall be reviewed by the Onsite Review Committee. 1 REQUIRED ACTION COMPLETION TIME CONDITION One RPS logarithmic A.1 Place channel in 1 hour l A. power level trip bypass or trip. l channel inoperable. AND 1 A.2 Restore channel to Prior to i OPERABLE status. entering MODE 2 i following next MODE 5 entry (continued)'
~
3.3-11 AMENDMENT NO. SAN ONOFRE--UNIT 2
CEACs 3.3.3
^
)
ACTIONS REQUIRED ACTION. COMPLETION TIME CONDITION B.2 Verify all full 4 hours B. (continued) length and part length control element assembly (CEA) groups are fully withdrawn and maintained fully withdrawn, except during Surveillance testing pursuant to , SR 3.1.5.3 and SR 3.1.5.4 or for l control, when CEA group #6 may be inserted to a maximum of 127.5 inches. AND B.3 Verify the "RSPT/CEAC 4 hours Inoperable" addressable constant in each core rotection calculator p(CPC) is set to indicate that h e e *PP LI
'* N i CEA O ppe inoperable.
15 %) AND B.4 Verify the Control 4 hours ; Element Drive Mechanism Control System is placed in "0FF" and maintained , in "0FF," except l l during CEA motion pemitted by Required i Action B.2. AND B.5 Perfom SR 3.1.5.1. Once per 4 hours (continued) ] AMENDMENT NO. l SAN ONOFRE--UNIT 2 3.3-16
RPS Logic and Trip Initiation 3.3.4 'h ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME E. Required Action and E.1 Be in MODE 3. 6 hours associated Completion Time of Condition A, AND B, or D not met. E.2 Open all RTCBs. 6 hours DE One or more Functions with more than one ' Manual Trip, Matrix Logic, Initiation Logic, or RTCB channel inoperable for reasons other than Condition A or D. i r SURVEILLANCE REQUIREMENTS
} SURVEILLANCE FREQUENCY l
[ SR 3.3.4.1 Perform a CHANNEL FUNCTIONAL TEST on each 31 days n"S L^f r 9-- ' =d RTCB channel . ;
~
r- -? ' SR 3.3.4./3 Perfonn a CHANNEL FUNCTIONAL TEST, 18 months including separate verification of the undervoltage and shunt trips, on each RTCB. Perform a CHANNEL FUNCTIONAL TEST on each Once within SR 3.3.4./4 RPS Manual Trip channel. 7 days prior to , each reactor . startup I l g 2 ,% a- CH FWe TEST 92 MjS 5
.. ~u a>s c ge na. .
x- A- - .] ' SAN ON0FRE--UNIT 2 3.3-21 AMENDMENT NO.
ESFAS Instrumentation 3.3.5 ACTIONS -) CONDITION REQUIRED ACTION COMPLETION TIME D. (continued) D.2 Place one affected I hour automatic trip channel in bypass and place the other in trip. E. Required Action and E.1 Be in MODE 3. 6 hours associated C mpletion Timevnot met AND y Solo e.ti n An k
- W >
c,,,+ u 486 4~ M E.2 Be in MODE 4. 12 hours J ~W kW SW % &,{n h E%seswf
,. a;aMu~.a v., w ~ u..a >. u u~n
% GW~
e Sime,. A s t) Ca % ~ AM M oog 6, % Arball* S M W wt. p, g Se, i $ ' SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.5.1 Perform a CHANNEL CHECK of each ESFAS 12 hours channel. SR 3.3.5.2 Perform a CHANNEL FUNCTIONAL TEST of each 92 days ESFAS channel, including bypass removal functions. < SR 3.3.5.3 Perfom a CHANNEL CALIBRATION of Function 18 months 5, Recirculation Actuation Signal, , including bypass removal functions. (continued) 9 SAN ON0FRE--UNIT 2 3.3-24 AMENDMENT NO.
ESFAS Instrumentation 3.3.5 Table 3.3.5-1 (page 1 of 1) d.
,. ) ;
6 Engineered Safety Features Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED . FUNCTION CONDITIONS ALLOWABLE VALUE i
- 1. SafetyInjectionActuationSignal(s) ,
- s. Containment Pressure - Higg) 1,2,3 s 3.7 psig
- b. Pressurizer Pressure - Low a 1700 psia
- 2. Containment Spray Actuation Signal
- a. Containment Pressure - High-High 1,2,3 s 15.0 psig ;
- 3. Containment Isolation Actuation Signal
- a. Containment Pressure - High 1,2,3 s 3.7 psig l
- 4. Pain Steam Isolation Signal
- a. Steam Generator Pressure - LowIC) 1.2Id)3,Id) a 729 psia ,
I S. Recirculation Actuation Signal ;
- a. Refueling Water Storage Tank Level - Low 1,2,3,4 19.27% e tap span t 17.73% ,
- 6. Emergency Feedwater Actuation Signal SG f '
(EFAS-1) .I
- a. Steam Generator Level - Low 1,2,3 a 20% -'I( ;
- b. SG Pressure Difference - High 5 140 psid :
- c. Steam Generator Pressure - Low a 729 psia l
- 7. Emergency Feedwater Actuation Signal SG i 4 I (EFAS-2) ,
- s. Steam Generater Level - Low 1,2,3 e 20% .
- b. SG Pressure Difference - High s 140 psid l
- c. Steam Generator Pressure - Low M t 729 psia !
(a) Automatic $1AS also initiates a Containment Cooling Actuation Signal (CCAS). 3 1 (b) The setpoint may be decretsed to a minimum value of 300 psia, as pressurizer pressure is reduced, provided , the margin between pressurizer pressure and the setpoint is maintained s 400 psia. Trips may be bypassed i when pressurizer pressure is < 472 psia decreasing. Bypass shall be automatically removed when pressurizer pressure is a 472 psia increasing. The setpoint shall be automatically increased to the norms 1 setpoint as i pressurizer pressure is increased. , (c) The setpoint may be decreased as steam pressure is reduced, provided the margin between steam pressure and the setpoint is maintained s 200 psi. The setpoint shall be automatically increased to the normal setpoint as steam pressure is increased. (d) The Main Steam Isolation Signal Function (Steam Generator Pressure- Low)-is not required to be CPERABLE when i all associated valves isolated by the MSIS Function are c?osed and de-activated. , l 4c.h.* W ~ Sf C 5). SAN ON0FRE--UNIT 2 3.3-26 AMENDMENT NO. I r .- , ,- - , -f
ESFAS Instrumentation 3.3.5 Table 3.3.5-2 (page 1 of 1) Functional Units ; i Action A.1 Functional Unit Bypassed Process Measurement Ch-cuit ( Containment Pressure - High ContainmentPressure-High(E5F)
- 1. Containment Pressure - High (RPS) l Steam Generator Pressure - Low Steam Generator Pressure Low J
- 2. '
Steam Generator 6P 1 and 2 (EFAS) ;
- 3. Steam Generator Level Steam Generator Level - Low Steam Generator Level . High !
SteamGeneratorAP(EFAS) , i r Action 8.1 functional Unit Bypassed / Tripped Process Measurement Circuit ContainmentPressure-High(ESF) !
- 1. Containment Pressure w Containment Pressure - High (RPS) [
f 2, Steam Generator Pressure - Low Steam Generator Pressure - Low Steam Generator Pressure AP (EFA$) l
- 3. Steam Generator Level - Low Steam Generator Level . Low Steam Generator Level - High SteamGeneratorAP(EFAS) l t
7 ; i) L [ i i I l l SAN ONOFRE--UNIT 2 3.3-27 AMENDHENT NO. , F I
l ESFAS Logic and Manual Trip 3.3.6 ACTIONS (continued)
- ] COMPLETION TIME !
CONDITION REQUIRED ACTION lathh. as.h'em te C.1 / pen at least one Immediately C. One or more Functions 4 with two Initiation contact in the Logic channels affected trip leg of affecting the same both ESFAS Actuation trip leg inoperable. Logics. ; AND . C.2 Restore channels to 48 hours OPERABLE status. D. One or more Functions D.1 --------NOTE--------- with one Actuation One channel of~ Logic channel Actuation Logic may inoperable. be bypassed for up to I hour for Surveillances, provided the.other ' channel is OPERABLE. Restore inoperable 48 hours ' channel to OPERABLE status. Required Action and- E.1 Be in MODE 3. 6 hours 'l E. ' associated Completion ! Time of Conditions for AND l Main Steam Isolation . 12 hours 'j Signal, Containment E.2 Be in MODE 4. Spray Actuation J Signal,. or Emergency l Feedwater Actuation Signal not met. (continued)
' ' SAN ON0FRE--UNIT 2 3.3-29 AMENDMENT NO.
i l J
ESFAS Logic and Manual Trip 3.3,6 Table 3.3.61(page1of1) ' Engineered Safety Features Actuation System Logic and Manual Trip Applicability FUNCTION APPLICABLE MODES
- 1. Safety Injection Actuation Signal Matrix Logic 1,2,3
- a. 1,2,3,4(C)
- b. Initiation Logic 1,2,3,4
- c. Actuation Legic 1,2,3,4
- d. Manual Trip
- 2. Containment Isolation Actuation Signal Matrix Logic 1,2,3 i
- a. 1,2,3,4(0)
- b. Initiation Logic 1,2,3,4
- c. Actuation Logic 1 Manual Trip 1,2,3,4 j d.
- 3. Containment Cooling Actuation SignalI *) l 1,2,3,4 (N l
- a. Initiation Logic 1,2,3,4
- b. Actuation Logic 1,2,3,4
- c. Manual Trip l
- 4. Recirculation Actuation Signal Matrix Logic 1,2,3,4
- a. 1,2,3,4
- b. Initiation Logic 1,2,3,4
- c. Actuation Logic
- 5. Containment Spray Actuation $lgnal(b)
- a. Matrix Logic 1,2,3 1,2,3 j
- b. Initiation Logic 1,2,3
- c. Actuation Logic 1,2,3
- d. Manual Trip
- 6. Main Steam Isolation Signal
- a. Matrix Logic 1,2,3 1,2,3
- b. Initiation Logic 1,2,3
- c. Actuation Logic 1,2,3
- d. Manual Trip
- 7. Emergency Feedwater Actuation Signal SG #1 (EFAS.1)
Matrix Logic 1,2,3
- a. 1,2,3
- b. Initiation Logic 1,2,3
- c. Actuation Logic
- d. Manual Trip 1,2,3
- 8. Emergency Feedwater Actuation Signal SG #2 (EFAS-2)
Matrix Logic 1,2,3
- a. 1,2,3
- b. Initiation Logic 1,2,3
- c. Actuation Logic
- d. Manual Trip 1,2,3 (a) Autow ttc SIAS also initiates CCAS.
(b) Automatic $1AS also required for automatic CSAS initiation. , (t,) % M som,s ed Ideben, bgIC. 64C6444 m- i4 %, Mn96 4 4 i 3.3-32 AMENDMENT NO, SAN ONOFRE--UNIT 2
- - ~
DG-Undervoltage Start 3.3.7 i l ) SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY ! Perform CHANNEL CHECK. 12 hours SR 3.3.7.1 24 months SR 3.3.7.2 Perfonn CHANNEL FUNCTIONAL TEST. SR 3.3.7.3 Perform CHANNEL CALIBRATION with setpoint Allowable Values as follows: 24 months 1
- a. Degraded Voltage Function a 4181 V and s 4275 V N Ti... d 6 y:
- 105 red =d d 125 ;mm,,d; et 0223 '.'; rd
- b. Loss of Voltage Function a 3554 V and 5 3796 V Time delay: a 0.95 seconds and l
s 1.05 seconds at 0 V. l Verify Response Time of required DG-LOV 24 months on a SR 3.3.7.4 STAGGERED TEST channel is within 1.05 seconds. BASIS l
- [ 5D V 55 ( Sustalud. gnM Gvid Wat.g4 )
h : 5 igg sa.ce d s
; Lessw % 1s nem W %bisk~of Q dt vo Lge, )
Si@) .
\ b&v% (D & GvM.L'ot.Nu w'u+L SIk.$
Tin : C (o .t4 sece4s MA biW'Co~ of Sf A5 ) C n 5 p 6
- Is w a r t /-
3.3-35 AMENDMENT NO.
- SAN ON0FRE--UNIT 2
/
x FHIS 3.3.10 3.3 INSTRUMENTATION 3.3.10 Fuel Handling Isolation Signal (FHIS) LC0 3.3.10 One FHIS channel shall be OPERABLE. During movement of irradiated fuel in the fuel hand ling APPLICABILITY: building. ACTIONS COMPL TION TIME CONDITION REQUIRED ACTION
'l Place one OPERABLE Imed ately Actuation Logic, A.1
} A. Fuel Handling Manual Trio, or i
required caannel of Building Post Accident Cleanup gaseous radiation System (PACU) train monitor inoperable during movement of in operation, Imediately irradiated fuel 0R assemblies. Suspend movement of A.2 l irradiated fuel l assemblies in the j fuel handling j building. i l 3.3-43 AMENDMENT NO. SAN ONOFRE--UNIT 2
rA* FHIS 3.3.10
")
SUR REQUIREMENTS SURVEILLANCE FREQUENCY f Perform a CHANNEL CHECK on required FHIS 12 hours SR 3.3.10.1 radiation monitor channel. / 92 days SF 3.3.10.2 Perform a CHANNEL FUNCTIONAL TEST on required FHIS radiation monitor channel. Verify radiation monitor setpoint Allowable Values: Airborne Gaseous: 5 6E4 cpm above background I t4 SR 3.3.10.3 -------------------NOTE-------------------- Testing of Actuation Logic shall include the actuation of each initiation relay and verification of the proper operation of each ignition relay. Perform a CHANNEL FUNCTIONAL TEST on 18 months required FHIS Actuation Logic channel. 18 months SR 3.3.10.4 Perform a CHANNEL FUNCTIONAL TEST on required FHIS Manual Trip logic. l I l . 18 months r l SR 3.3.10.5 Perform a CHANNEL CALIBRATION on required I ! FHIS radiation monitor channel. '
/
l i SAN ON0FRE--UNIT 2 3.3-44 AMENDMENT NO. i
PAM Instrumentation 3.3.11 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME ]l <
---------NOTE--------- C.1 Restore one channel 7 days ;
C. i Not applicable to to OPERABLE status. hydrogen monitor ; channels. , One or more Functions . with two required l l channels inoperable. i D. Two hydrogen monitor D.1 Restore one hydrogen 72 hours channels inoperable. monitor channel to ; OPERABLE statur. E. Required channel of E.1 Restore required 7 days Functions 18, 21, 24, channel to OPERABLE or 25 inoperable. status. L F. Required Action and F.1 Enter the Condition Immediately associated Completion referenced in Time of Condition C, D Table 3.3.11-1 for ! cr E not met. the channel. G. As required by G.1 Be in MODE 3. 6 hours Required Action F.1 ; and referenced in AND , Table 3.3.11-1. G.2 Be in MODE 4. 12 hours H. As required by H.1 Initiate action in Immediately Required Action F.1 accordance with and referenced in Specification 5.7.2. : t Table 3.3.11-1. N ' i
-5vnvt1LLAMLt KtyuanuncidQ S G TPE- 11NTT 7 3.3-46 AMENDMENT NO.
i _a________ _ _
l Source Range Monitoring Channels 3.3.13 3.3 INSTRUMENTATION ) 3.3.13 Source Range Monitoring Channels LCO 3.3.13 Two channels of source range monitoring instrumentation l shall be OPERABLE. APPLICABILITY: MODES 3, 4, and 5, with the reactor trip circuit breakers open or Control Element Assembly (CEA) Drive System not capable of CEA withdrawal. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Suspend all Immediately channels inoperable. operations involving , positive reactivity additions. AND A.2 Perform SDM 4 hours verification in accordance with AND SR 3.1. if T, 20Q*F, r Once per S 3.1.2.7, i 12 hours T ,,5 200*F. thereafter i U i l l l SAN ONOFRE--UNIT 2 3.3-52 AMENDMENT N0. s -- l l i
RCS Pressure, Tem;:erature and Flow Limits 3.4.1 3.4 REACTOR COOLANT SYSTEM (RCS) Q 3.4.1 RCS Pressure Temperature, and Flow limits LCO 3.4.1 RCS parameters for pressurizer pressure, cold leg temperature, and RCS total flow rate shall be within the limits specified below: ,
- a. Pressurizer pressure a 2025 psia and 5 2275 psia; ;
RCS cold leg temperature (T,):p .,6
- 1. For RTP s 30%,* " " x i S I D A S2 4 I CI I I 7 ,8
- b. _
- 2. For 30% < RTP < 70%, 535 F s T e s 557 F,
- 3. For RTP a 70%, 544*F s T, 5 557'F; and
- c. RCS total flow rate is specified by the COLR.
APPLICABILITY: MODE 1.
.__..___ _____ _______.....N0TE------------------------
Pressurizer pressure limit does not apply during:
- a. THERMAL POWER ramp > 5% RTP per minute; or
- b. THERMAL POWER step > 10% RTP.
)
ACTIONS CONDITION REQUIRED ACTION' COMPLETION TIME A. Pressurizer pressure A.1 Restoreparameter(s) 2 hours or RCS flow rate not to within limit. within limits.
@~ ontinued B. Required Action and B.1 Be in MODE 2. 6 hours associated Completion .
Time of Condition A not met. J SAN ONOFRE--UNIT 2 3.4-1 AMENDMENT NO.
RCS Pressure, Temperature, and Flow limits i 3.4.1 l ACTIONS (continued) COMPLETION TIME l CONDITION REQUIRED ACTION J RCS cold leg C.1 Restore cold leg 2 hours , C. j temperature not within temperature to within limits. ! limits. t r Required Action and 0.1 Reduce THERMAL POWER 6 hours . D. ! associated Completion to s 30% RTP. Time of Condition C i not met. . SURVEILLANCE REQUIREMENTS l SURVEILLANCE FREQUENCY , j i SR 3.4.1.1 Verify pressurizer pressure a 2025 psia and 12 hours ; 5 2275 psia. i i 3.4.1.2 Verify RCS cold leg temperature: 12 hours
@ SR ,4P3I. A For 30% < RTP < 70%, 535 F s Tc s 557 F, 3 ___
l W% For RTP = 70%, a c 544*F w r ec csr T, 5 557 F. r ,c e r A< so x: 7 >J 1 J
---------------------- ----NOTE--------------------------
Required to be met in MODE 1 with all RCPs running. 12 hours ! SR 3.4.1.3 Verify RCS total flow rate is within limit specified in the COLR. :- i 1 b SAN ONOFRE--UNIT 2 3.4-2 AMENDMENT NO. -
?
RC5 '.:::s wc E 3 3.4.5 h ACTIONS (continued) REQUIRED ACTION COMPLETION TIME CONotTION Suspend all Immediately C. No RCS loop OPERABLE. C.1 operations involving OR a reduction of RCS baron concentration. No RCS loop in operation. AND Initiate action to Inmediately C.2 restore one RCS loop to OPERABLE status and operation. SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY Verify required RCS loop is in operation. 12 hours SR 3.4.5.1 Verify secondary si e water level in each 12 hours SR 3.4.5.2 steam gener or a % (wide range).
- 50 Verify correct breaker alignment and 7 days SR 3.4.5.3 indicated power available to the required pump that is not in operation.
1 l i 3.4-10 AMENDMENT NO. SAN ONOFRE--UNIT 2 - m i
. _ _ . _ . ~ . _
RCS Loeps -MCOE L. 3.4.6 ; SURVEILLANCE REQUIREMENTS O SURVEILLANCE FREQUENCY
~
Verify at least one RCS loop or SDC train 12 hours ; SR 3.4.6.1 ; is in operation. Verity secondary side water level in 12 hours SR 3.4.6.2 (wide range). j require SG(s) is a d 50 i Verify correct breaker alignment and 7 days .: SR 3.4.6.3 i indicated power available to the required i pump that is not in operation. i I i
?
e
% ,p f,
i f i I 1 i i i O SAN ONOFRE--UNIT 2 3.4-13 AMENDNENT NO.
RCS ' Loops -MODE 5, Loops illed-3.4.7 , 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.7 RCS Loops-MODE 5, Loops Filled , t f LCO 3.4.7 'At least one of the following loop (s)/ trains listed below ' shall be OPERABLE and in operation:
- a. Reactor Coolant Loop 1 and its associated steam l generator and at least one associated Reactor Coolant j Pump !
- b. Reactor Coolant Loop 2 and its associated steam generator and at least one associated Reactor Coolant Pump
- c. Shutdown Cooling Train A l
- d. Shutdown Cooling Train B ,
One additional Reactor Coolant Loop / shutdown cooling train ~ shall be OPERABLE, or I i The secondary sid water level of each steam generator shal1 g be greater than (wide range). 50
----------------------------NOTES-------------------- ------ i All reactor coolant pumps (RCPs) and pumps providing 1.
shutdown cooling may be de-energized for 51 hour per ; 8 hour period, provided !
- a. No operations are permitted that would cause reduction of the RCS boron concentration; and Core outlet temperature is maintained at least 10*F f' b.
below saturation temperature.
- 2. One required SDC train may be inoperable for up to 2 hours for_ surveillance testing provided that the other ;
SDC train or RCS loop is OPERABLE and in operation. j
- 3. One required RCS loop may be inoperable for up te_2 f hours for surveillance testing provided that the other j RCS loop or SDC train is OPERABLE and in operation..
. . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - (c o n t i n u e d )
3.4-14 AMENOMENT NO. SAN ONOFRE--UNIT 2
- i
RCS Locos -HCCE 5, Loops Filled 3.4.7 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME No SDC train'/RCS loop B.1 Suspend all Immediately B. in operation operations involving reduction in RCS boron concentration AND B.2 Initiate action to Immediately ! restore required SDC .i i train /RCS loop to operation ! SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.4.7.1 Verify at least one RCS loop or SDC train 12 hours is in operation. SR 3.4.7.2 Verify required SG secondary side' water 12 hours level is a (wide range). SR 3.4.7.3 Verify correct breaker alignment and 7 days indicated power available to the required pump that is not in operation. ! P SAN ONOFRE--UNIT 2 3.4-16 AMENDMENT NO. 1 . 9 j
LTOP Sy5:0m 3.4.12.1 3.4 REACTOR COOLANT SYSTEM (RCS) O' 3.4.12.1 Low Temperature Overpressure Protection (LTOP) System RCS Temperature s LTOP Enable Temperature or degregurka,ig, Less i ed [/ Pn2 LCO 3.4.12.1 No more than two high pressure safety injection pumps sha 1 4/e1// be OPERABLE, the safety injection tanks shall be isolated and at least one of the following overpressure protection systems shall be OPERABLE:
- a. The Shutdown Cooling System Relief Valve (PSV9349) with:
- 1) A lift setting of 406 1 10 psig 2)
Relief Valve isolation valves 2HV9337, 2HV9339, 2HV9377, and 2HV9378 open, 4 or,
- b. The Reactor Coolant System depr'essurized with an RCS -
vent of greater than or equal to 5.6 square inches. APPLICABILITY: MODE 4 when the temperature of any one RCS cold leg is less than or equal to the enable temperatures specified in the
] PTLR,
' MODE 5, and MODE 6 when the head is on the reactor vessel. M ---------------------------NOTES----------------.---.-.----- FY 1. The SDCS Relief Valve lift setting assumes valve temperatures less than or equal to 130 F.
- 2. SIT isolationl si only required when SIT pressure is g jg g o d / p fs'e y greater than or equal to the maximum RCS pressure for 4 ONE b.M8 the existing RCS cold leg temperature allowed by the P/T 4 Les5 Mb88 limit curves provided in the PTLR. .
J 0 4 . enum.
,t
LTOP System : 3.4.12.1 ACTIONS COMPLETION TIME CONDITION REQUIRED ACTION f A.1 Initiate action to Imediately A. With more than two HPSI pumps capable of verify a maximum of injecting into the two HPSI pumps RCS. capable of injecting r into the RCS i SIT pressure is B.1 Isolate affected SIT. I hour B. ! greater than or equal to the maximum RCS pressure for existing 12 hours cold leg temperature pse 'lDepressurize affected allowed in the PTLR. SIT to less than the maximum RCS pressure for existing col,d leg l C, [eyd' /e//ce P temperature allowed ac;mia va' C W h84
- D'#8- in the PTLR.
9 c b c/f 4'cw 4 f; d /n d 7 M ; 1).1hOpentheclosed 24 hours ,
@ 9. With Reliefone Valveor both isolation valves in a single SDCS valve (s).
SDCS Relief Valve QB isolation valve pair p.2 Power-lock open the 24 hours (valve pair 2HV9337 and 2HV9339 or valve OPERABLE SDCS Relief I pair 2HV9377 and Valve isolation valve 2HV9378) closed. pair. i (continued) I e 1 3.4-24 AMENOMENT NO. _ SAN ONOFRE--UNIT 2
LTOP System , 3.4.12.1 ' ACTIONS (continued) \- REQUIRED ACTION COMPLETION TIME CONDITION 8 hours E / SDCS Relief Valve ReduceT,7,toless than 200 inoperable. E. depressurize RCS and OR establish RCS vent of a 5.6 square inches. ; Required Action and associated Completion Time o Condition A, O ,g, or not met , 01 LTOP System inoperable for any reason other than Condition A, ( > Od ~ c ct D h t G 3.4-25 AMENDMENT NO. SAN ONOFRE--UNIT 2
. I I
LTOP System 3.4.12.1 SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE i
------------.-----NOTE-------------------
SR 3.4.12.1.1 A HPSI pump is secured by verifying that its motor circuit breaker is not racked-in, or its discharge valve is locked closed. The requirement to rack out the , HPSI pump breaker is satisfied with the ' pump breaker racked out to its disconnected or test position. - Verify a maximum of two HPSI pumps are 12 hours capable of injecting into the RCS. SR 3.4.12.1.2 ------------------NOTE------------------- Required to be performed when complying with LCO 3.4.12.1 Note 2. Fh W"k Verify each SIT is isolate 12 hours lesG Hwn 44:1- P72e liini Verify RCS vent t 5.6 square inches is 12 hours for l SR 3.4.12.1.3 unlocked open open when in use for overpressure protection. ventvalve(s) ; A!sD 31 days for locked, sealed, or otherwise secured open ventvalve(s), or open flanged RCS _ penetrations (continued) i 3.4-26 AMENDMENT NO. SAN ONOFRE--UNIT 2
LTOP System ~ 3.4.12.2 ACTIONS '] COMPLETION TIME l CONDITION REQUIRED ACTION A.1 Be in MODE 5 and vent 8 hours A. No pressurizer code safety valves the RCS through a OPERABLE. greater than or equal to 5.6 square inch AND vent. The SOCS Relief Valve INOPERABLE. P w y SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY t
------------------- Note-------.-----
Only required when the SDCS Relief Valve is being used for overpressure protection.
. .t ...______...............................___
Verify that the SDCS Relief Valve 72 hours SR 3.4.12.2.1 isolation valves 2HV9337, 2HV9339, 2HV9377, and 2HV9378 are open. f Verify relief valve setpoint. In accordance SR 3.'.12.2.2 4 with the Inservice Testing Program ; s . pj is ga ng; a v gas m s pMS %4) MlOh h f.'i tq; 1, gz"g:)hu$;7m'.,g'ek[va$;
.2 H V 9 3 78 c f> M r81
.,g. y, ya i
_ AMENDMENT NO. V SAN ONOFRE--UNIT 2 j 3.4-29 ,
RCS P!V Leakago 3.4.14 Table 3.4.14-1 ' '. REACTOR COOLANT SYSTEM PRESSURE ISOLATION VALVES SECTION A , VALVE NUMBER VALVE DESCRIPTION S21204HU018 HPSI Check to Loop #1A S21204MU019 HPSI Check to Loop #1B S21204MUO20 HPSI Check to Loop #2A 521204MUO21 HPSI Check to Loop #2B S21204MU152 Hot leg injection to loop #1 521204MU156 Hot leg injection to loop #2 S21204MU157 Hot leg injection check
- S21204MU158 Hot leg injection check ;
f27HV-9337 SDC Suction Isolation 2 V-9339 SDC Suction. Isolation , V-9377 SDC Suction Isolation HV-9378 SDC Suction Isolation . SECTION B VALVE NUMBER VALVE DESCRIPTION
'S21204HUO72 LPSI Check to Loop f1A '
S21204MUO73 LPSI Check to Loop #1B S21204MUO74 LPSI Check to Loop #2A S21204MUO75 LPSI Check to Loop #2B S21204MUO27* Cold leg injection to loop #1A ' S21204MUO29* Cold leg injection to loop #1B S21204MUO31* Cold leg injection to loop #2A
$21204MUO33* Cold leg injection to loop #25-
$21204MUO40 SIT T008 Check i
521204MU041 SIT T007 Check S21204MUO42 SIT T009 Check S21204MUO43 SIT T010 Check
- Redundant to LPSI and SIT checks )
SAN ONOFRE--UNIT 2 3.4-36 AMENDMENT NO. ,_ l
RCS Specific Activity 3.4.16 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.16 RCS Specific Activity The specific iodine activity of the reactor coolant shall b LCO 3.4.16 limited to: a. DOSE EQUIVALENT I-131 specific activity s 1.0 pCi/gm; and , b. Gross specific activity 5100/E yci/gm. HODES 1 and 2, APPLICABILITY: MODE 3 with RCS average temperature (T,y) m 500'F ACTIONS COMPLETION TIME REQUIRED ACTION , CONDITION
- - - NOTE .
A. DOSE EQUIVALENT I-131 The provisions of
> 1.0 pCi/gm. Specification 3.0.4oare not
(. applicable. g - Once per 4 hours A.1 Verify DOSE EQUIVALENT I-131 within the acceptable region of Figure 3.4.16-1. l I
' S '
.- 48 hours A.2 Restore DOSE EQUIVALENT I-131 to within limit.
i (coninued) l AMENDHENT NO. i 3.4-40 SAN ONOFRE--UNIT 2 l ._ I
g- - = .- - . . -. . . -. Containment Air Locks 3.6.2 ACTIONS ) COMPLETION TIME CONDITION . REQUIRED ACTION i A.1 Verify the OPERABLE 1 hour I
-A. (continued) door is closed in the '
affected air lock. AND A.2 Lock the OPERABLE 24 hours door closed in the affected air lock. AND A.3 --------NOTE--------- Air lock doors in , high radiation areas may be verified ; locked closed by administrative means. Verify the OPERABLE Once per 31 days door is locked closed in the affected air lock.
------------NOTES------------
B. One or more containment air locks 1. Required Actions B.1, with containment air B.2, and B.3 are not ; lock interlock applicable if both doors r mechanism inoperable. in the same air lock are inoperable and Condition C is entered. ,
- 2. Entry and exit of containment is S~ permissible under the control of a dedicated a s individual.
3.% %4 ea wJ c._'_________.......... ______ W L4.0 3 0 4 0AA. (continued) Y d y bled Sta. -
~_
3.6-4 AMENDMENT NO. s . SAN ONOFRE--UNIT 2
- 4
I I Containment Isolation Valves 3.6.3 ] ACTI0fiS CONDITION REQUIRED ACTION COMPLETION TIME 1 1 l D. (continued) D.2 --------NOTE--------- Valves and blind I flanges in high ' l radiation areas may be verified by use of administrative means. Verify the affected once per 31 days penetration flow path for isolation is isolated. devices outside containment AND Prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days
, for isolation i devices inside .
containment AND D.3 Perform SR 3.6.3.6 Once per , for the resilient 184 days seal purge valves closed to comply with Required Action D.1. 4 E. One or more Section E.1 Secure the inoperable 4 hours D.1 containment valve (s) in its ESFAS - isolationvalve(s) actuated position. l inoperable. AND E.2 Restore the Prior to 6 inoperable valve (s) ,,,mv =: :, v. if c4W to OPERABLE status. 30 days , skwMow+ 1 H :h:,m, b **&wnd 54.eeter. Wi +415 i so days, 1 puerwis& 1 W'M Ar
)
v SAN ONOFRE--UNIT 2 3.6-11 AMENDMENT NO. )
*w. . . ,
w as
Containment Isol.ation Valves 3.6.3 ] SURVEILLANCE REQUIREMENTS
------------------------------------NOTE-------------------------------------
- 1. Section A, B, C, D, and E isolation valves are located in the LCS.
SURVEILLANCE FREQUENCY SR 3.6,3.1 31 days CVerify each 42 inch purge valve is sealed closed except for one purge valve in a penetration flow path while in - Condition D of this LCO. SR 3A1 d 31 days C. Verify each 8 inch purge valve is closed except when the 8 inch purge valves are cptn for pressure control, ALARA or air quality considerations for personnel entry, or for Surveillances that require the valves to be open. i SR 3.6.3.3 g
-------------------NOTE--------------------
I 7 [ Valves and blind flanges in high radiation areas may be verified by use of administrative means. Verify each containment isolation manual valve and 31 days
! blind flange that is located outside containment and ;
} is required to be closed during accident conditions is ;
closed, except for containment isolation valves that I (are open under administrative controls. I 1 (continued) l u_ b SAN ONOFRE--UNIT 2 3.6-13 AMENDMENT NO.
"*D- ,eg..
l Containment Isolation Valves 1 3.6.3 1 1 SURVEILLANCE FREQUENCY i SR 3.6.3.4
-------------NOTE--------------------
[Valvesandblindflangesinhighradiationareasmay I i be verified by use of administrative means. Verify each containment isolation manual valve and Prior to blind flange that is located inside containment and entering MODE 4 required to be closed during accident conditions is from MODE 5 if closed, except for containment isolation valves that not performed are open under administrative controls. within the previous 92 days SR 3.6.3.5 In accordance ei he isolation time of each Section A and B with the l (power, operated and each automatic containment Inservice (isolation valve is within limits. Testing Program 3.6.3.6 i -------
-----------NOTE--------------------
[Results shall be evaluated against acceptance criteria I of SR 3.6.1.1 in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions. Perform leakage rate testing for containment purge 184 days Vvalveswithresilientseals. AND Within 92 days after opening the valve.--. (continued) i
.)
SAN ON0FRE--UNIT 2 3.6-14 AMENDMENT NO.
Containment Isol.ation Valves 3.6.3 ~ SURVEILLANCE FREQUENCY SR 3.6.3.7 $ ______________----NOTE-------------------- The provisions of the Inservice. Testing Program are not applicable when the valves are secured open. Verify each Section D1 and D2 containment isolation In accordance valve is OPERABLE. with the Inservice Testing Program and those SRS associated with those Specifications pertaining to each valve or system in which it is installed. SD 3 24 months h e.6.3.8 rity each1 Section A, B, C, and E automatic ' containment isolation valve actuates to the isolation
; position on an actual or simulated actuation signal.
I 1 l l l 1 SAN ONOFRE--UNIT 2 3.6-15 AMENDMENT NO. o 4use
ADVs 3.7.4-3.7 PLANT SYSTEMS
] 3.7.4 Atmospheric Dump Valves (ADVs)
One ADY per required Steam Generator (SG) shall be OPERABLE. LC0 3.7.4 APPLICABILITY: MODES 1, 2, and 3, MODE 4 when steam generator is being relied upon for heat removal. ACTIONS COMPLETION TIME CONDITION REQUIRED ACTION One required ADV A.1 --------NOTE--------- A. LC0 3.0.4 is not inoperable. applicable. Restore ADV to 72 hours OPERABLE status.
~.
Restore one ADV to 24 hours B. Two ADVs inoperable. B.1 OPERABLE status. Restore backup 72 hours C. Backup nitrogen gas C.1 nitrogen gas sup supply syst.em capacity / system capacity 5 8 hours pezch /M( each ADV (continued; AMENDMENT NO. SAN ONOFRE--UNIT 2 3.7-7
CCW Safety Related Makeup syster, 3.7.7.1 ACTIONS COMPLETION TIME REQUIRED ACTION 9-C CONDITION 6 hours '
~
C.1 Be in MODE 3. C. Required Actions and r associated Completion Times of Conditions A AND f. or B not met, gf hours C.2 Be in MODE 5. SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE J . 7 days SR 3.7.7.1.1 Verify the contained water volume in thePrimar its limits. ; In accordance Verify each CCW Safety Related Makeup pump with inservice ;
- SR 3.7.7.1.2 develops the required differential pressure testing program <
on recirculation flow. 24 months SR 3.7.7.1.3 Measure CCW Leakage. b 1 AMENDMENT NO. 3.7-19 b SAN ONOFRE--UNIT 2
CCW Safety Related Makeup System 3.7.7.1 l l TOTAL ALLOiNABLE CCW LEAKAGE ! VERSUS THE PPMU TANK LEVEL 76 1 60, I : 0 d 50 { g . a g 404 l . 4%O N. 30 I 20D ,, 3 , 10-7 , 5 6 7 8 9 101112131415161718 00 . 1 2 3 4
- ALLOWABLE LEAKAGE,in gpm 4
Figure 3.7.7.11 AMENDMENT NO. 3.7-20 SAN ONOFRE--UNIT 2 :
i Fuel Handling Building Post-Accident Cleanup Filter System 3.7.14 i 3.7 PLANT SYSTEM
~
3.7.14 Fuel Handli Building Post-Accident Cleanup Filter System LC0 3.7.14 'Two Fu Handling Building Post-Accident Cleanup Filter System ,. ains shall be OPERABLE. APPLICABILITY: During movem t of irradiated fuel assemblies in the fuel ' building. ACTIONS CONDITION QUIRED ACTION COMPLETION TIME A. One Fuel Handling A.1 Res ore Fuel Handling 7 days Building Post-Accident Build'ng 1 - Cleanup Filter System Accide t p train inoperable. Filter ; tem rain to OPERAB ttus.
~ ,
B. Required Action and B.1 Place OPERAB E Fuel Immediately Associated Completion Handling Buil ing Time of Condition A Post-Accident leanup not met during Filter System ain movement of irradiated in operation. fuel assemblies in the Immediately fuel building. Og B.2 Suspend movement of irradiated fuel assemblies in the fuel building. t U SAN ONOFRE--UNIT 2 p p 3.7-28 fe 2 0 AMENDMENT NO. E N 77 W M g W b t
^
Fuel Hanl ling Building Post-Accident Cleanup Filter System 3.7.14-ACTIONS (continued) (77} ' \ COMPLETION TIME CONDITION \ REQUIRED ACTION C. Two Fuel Ha'n'dling C.1 spe ovement of Immediatsly Building Post-Accident ir d ate fuel Cleanup-Filter System asse lies "n the trains inoperable fuel 'idiig. during movement of irradiated fuel . assemblies in the fuel building. t P4 s.- e U,I SAN ONOFRE--UNIT 2 3.7-29 AMENDMENT NO.
Fuel Handling Building Post-Accident Cleanup Filter System 3.7.14 SURVEILLANCE REQUIREMENTS SU EILLANCE FREQUENCY SR 3.7.14.1 Operate each el Handling Building Post- 31 days on a Accident Cleanu Filter System train for STAGGERED TEST a 10 continuous ours with the heaters BASIS operating. SR 3.7.14.2 Perform required Fuel ap ling Bu iding In accordance Post-Accident Cleanup Fil er Systdm filter with the VFTP testing in accordance with he V itilation Fiiter Testing Program (V TP . SR 3.7.14.3 Verify each Fuel Handling Bu ding Post- 24 months Accident Cleanup Filter Syste train-actuates on an actual or simul ted actuation signal.
)
l I
. ~ l SAN ONOFRE--UNIT 2 3.7-30 AMENDMENT NO.
1
AC ic -:e -::e 3 . . 3.3.5 l ACTIONS CON 0! TION REQUIRED ACTION COMPLETION TIME l 1 Required-Action and F.1 Be in MODE 3. 6 hours F. Associated Completion Time of Condition A, AND B, C, D, or E not met. 36 hours : F.2 Be in MODE 5. Three or more required G.1 Enter LCO 3.0.3. Immediately G. AC sources inoperable. ; SURVEILLANCE REQUIREMENTS ' SURYEILLANCs FREQUENCY SR 3.8.1.1 .-------.-.--------NOTES-------....-.-...-.
- 1. Buses 3A04 and 3D1 are required when unit crosstie breaker 3A0416 is used to provide a source of AC power.
- 2. Buses 3A06 and 302 are required when unit crosstie breaker 3A0603 is used to provide a source of AC power.
Verify correct breaker alignment and 7 days
'riaatcatea> power availability for each required offsite circuit.
(continued) SAN ONOFRE--UNIT 2 3.8 4 AMENOMENT NO. O F
2: 5:v:es - ::e t . ; i.5.'. SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY SR 3.8.1.3 -------------------NOTES-------------------
- 1. DG loadings may include gradual loading as recomended oy the manufacturer.
- 2. Momentary transients outside the load range do not invalidate this test.
- 3. This Surveillance shall be conducted on only one DG at a time.
- 4. This SR shall be preceded by, and imediately follow without shutdown, a successful performance of SR 3.8.1.2 or SR 3.8.1.7.
Verify each DG is synchronized and loaded, As specified in a rates for a 60 minutes at a load Table 3.8.1-1 kW and s 4700 kW. on a staggered test basis Verify each day tank contains a 25 ga of 31 days SR 3.8.1.4 fuel oil. g3c t'rirlie.s - Check for and remove accumulated water from 31 days SR 3.8.1.5 each day tank. Verify the fuel oil transfer system 31 days SR 3.8.1.6 operates to automatically transfer fuel oil from storage tank to the day tank. (continue: 3.8-6 AMENDMENT NO. SAN ONCFRE--UNIT 2 l
- 5:.-:e;-::+ ar ;
3 . a , '. SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY SR 3.8.1.9 -------------------NOTE------------------- Credit may be taken for unplanned events i that satisfy this SR. Verify each DG, when operating with design > basis kW loading and maximum kVAR loading permitted during testing, rejects a load a 682 kW, and: 24 months
- a. Following loa rejection, the ~ <h 6.'7di frequency is B 54 Hz and/s Hz;
'A
- b. Within 4 seconds following load rejection, the voltage is a 3924 V and 5 4796 V; and
- c. Within 4 seconds following load ,
rejection, the frequency is a 58.8 Hz and 5 61.2 Hz. SR 3.8.1.10 -------------------NOTE------------------- Credit may be taken for unplanned events that satisfy this SR. Verify each DG, when operating with design basis kW loading and maximus kVAR loading permitted during testing, does not trip and voltage is maintained 5 5450 V d and 24 months following a load :ej:-tion of a kW and s 4700 kW. 4NO (continued) SAN ONOFRE--UNIT 2 3.8-8 ANENDMENT NO. l i l
E E v :s: ~.: n : 3.5.. SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY SR 3.8.1.14 ---------- ..--.---NOTES------------------- i
- 1. Momentary transients outside the load and power factor ranges do not invalidate this test.
- 2. Credit may be taken for unplanned events that satisfy this SR.
Verify each DG, when operating with the maximum kVAR loading permitted during testing, operates for a 24 hours: 24 months
- a. For a 2 hours loaded a 4935 kW and s 5170 kW; and
- b. For the ining hours of the test loaded a kW and s 4700 kW. ,
SW SR 3.8.1.15 ---.---------------NOTES-------------------
- 1. This Surveillance shall be perfonned within 5 minutes of shutting down the DG after he DG has operated a 2 hours
)
loaded a (W and s 4700 kW. 4460 - Momentary transients outside of load range do not invalidate this test. .
- 2. All DG starts may be preceded by an engine prelube period.
Verify each DG starts and achieves, in 5 10 seconds, voltage a 3924 V and 24 months s 4796 V, and frequency a 58.8 Hz and 5 61.2 Hzjanci pynhs I 5 minuh5 (continue: SAN ONOFRE--UNIT 2 3.8-11 AMENDMENT NC
Diesei Feel 011, Luce Ot1, anc Starting 1 r 3.8.3 3.8 ELECTRIC ^L POWER SYSTEMS 3.8.3 Diesel fuel Oil, Lube Oil, and Starting Air LCO 3.8.3 The stored diesel fuel oil, lube oil, and starting air subsystem shall be within limits for each required diesel generator (DG). APPLICABILITY: When associated DG is required to be OPERABLE. f ACTIONS
....___. __..................__....--NOTE------------------------------------- i Separate Condition entry is allowed for each DG.
CONDITION REQUIRED ACTION COMPLETION TIME A. One or more DGs with A.1 Restore fuel oil 48 hours fuel level p Si fo level to within
< *^ *
,f. and limits.
,m .non m ;
storage tan gg y, D PWd B. On or more DGs with C.1 Restore lube oil 48 hours lub oil inventory inventory to within
,I limits.
and A i vv g i m h_,r;,'_ _ r; - _
,g . . . . . . 7 , . . _ ,
%iy m 7. _
g ..y . ... my -- _ ,i 1
/. One or more DGs with g.1 Restore fuel oil 7 days n stored fuel oil total total particulates to Y particulates not O within limits. '
within limits. _ i (continued,' I l SAN ON0FRE--UNIT 2 3.8-20 AMENDHENT NO. l l 1
1 l 1 0
-r c.
w, pr t 8 l l C. One required DG with C.1 Restore fuel oil 48 hours fuel level in the level to within storage tank <72% and limits.
>63% during Mode 5 or 6.
Diesel Fuel 011, Lute > !, anc h arr ,; 2.- 3.5.3 ACTIONS (continued) COMPLETION TIME CONDITION REQUIRED ACTION
$ $ Restore stored fuel 30 days g One or more DGs with g.1 new fuel oil oil properties to properties not within within limits.
limits. F F
#1 Restore starting air 48 hours g One or more DGs with receiver pressure to starting air receiver pressure < 175 psig a 175 psig.
and a 136 psig. G Immediately h / Required Action and /.1 Declare associated DG associated Completion inoperable. Time of Condition A, or not met. B,C,D,tg F 0_g One or more DGs with diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than Condition A, B, C, D,$ 3 o r g. F SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY 31 days SR 3.8.3.1 Verify each,fue,l oil, sgorage tank contains
, .. ,,~ ,__ -
M #[o ldvel to Modo 7 01/ 4 I,2.,3,dref.Q)(contin 6 or C , lk,,,12 */o ICVol t.1 3.8-21 AMENDMENT N0. SAN ONOFRE--UNIT 2
C:ese: F;el 344 , ..te :: , an: itarr n; A-3.3.3 $URVEILLANCE REQUIREMENTS (continued) 1 FREQUENCY l SURVEILLANCE 4 Verify lubricating oil inventory is $I=" 31 days SR 3.8.3.2 e IJ gai for tne tu cyeinues engine and 370 aal for the 16 cylinder enoine, b D imen lirMd. Verify fuel oil properties of new and In accordance SR 3.8.3.3 with the Diesel stored fuel oil are tested in accordance Fuel Oil with, and maintained within the limits of, the Diesel Fuel Oil Testing Program. Testing Program Verify each DG air start receiver pressure 31 days SR 3.8.3.4 is e 175 psig. 31 days , SR 3.8.3.5 Check for and remove accumulated water from each fuel oil storage tank. For each fuel oil storage tank: 10 years SR 3.8.3.6
- a. Drain the fuel oil;
- b. Remove the sediment; and
- c. Clean the tank.
3.8-22 AMENDMENT NO. SAN ONOFRE--UNIT 2
DC Sources -Operating j 3.B.4 i l 3.8 ELECTRICAL POWER SYSTEMS 3.8.4 DC Sources-Operating LCO 3.8.4 The Train A, Train B, Train C, and Train 0 DC electrical power subsystems shall be OPERABLE. APPLICABILITY: MODES 1, 2, 3, and 4. ACTIONS REQUIRED ACTION COMPLETION TIME CONDITION Pain A or Tnm & 2 hours A. battery or A.1 Restore DC electrical associated control power subsystem to equipment or cabling OPERABLE status. inoperable. m r C Be in MODE 3. 6 hours i d,,p. Required Action and )K1 Associated Completion Time not met. . AND k E' C0dMN Dp.2 Be in MODE 5. 36 hours A st &
------------NOTE------------
9 f. One required battery , charger or associated Entry into MODE 1, 2 or 3 per i control equipment or LCO 3.0.4 is not allowed, l cabling inoperable. except during power reductions. ! r .1 Verify battery cell 1 hour l
- ,.N W parameters meet Table 3.8.6-1 AND i
d et Category A limits. Once per 8 hours l l thereafter (continued) l SAN ON0FRE.-UNIT 2 3.8-23 AMENOMENT NO. 1
ft 4 INSEc.T C B. Train C or Train 8.1 Restore DC 72 hours D battery or electrical power associated subsystems to control equipment OPERABLE status. or cabling inoperable.
^C Scur:es - pe-n ;
3.3.4 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME Required Action and 1 Declare associated Immediately associated Completion battery inoperable. Time of Condition not met. SURVEILLANCE REQUIREMENTS , SURVEILLANCE FREQUENCY Verify battery teminal voltage is a 129 V 7 days , SR 3.8.4.1 on float charge. Verify no visible corrosion at terminals 92 days SR 3.8.4.2 and connectors. E , Verify connection resistance is s 150x10-8 ohm for inter-cell connections, s 150x10-' ohn for inter-rack connections, s 150x10-8 ohm for inter-tier connections, and s 150x10-' ohm for terminal connections. SR 3.8.4.3 Verify cells, cell plates, and battery 24 months racks show no visual indication of physical damage or abnormal deterioration. (continued) 3.8-24 AMENDMENT NO. SAN ON0FRE--UNIT 2
DC Scurces-Operating ; 3.a.4 ! l SURVEILLANCE REQUIREMENTS (continued) ; 6} SURVEILLANCE FREQUENCY SR 3.8.4.4 Remove visible terminal corrosion, verify 24 months cell to cell and terminal connections are clean and tight, and are coated with anti-corrosion material. SR 3.8.4.5 Verify connection resistance is 24 months s 150x10-8 ohm for inter-cell connections, s 150x10-8 ohm for inter-rack connections, s 150x10-8 ohm for inter-tier connections, and s 150x10-8 ohm for terminal connections. SR 3.8.4.6 --------------------NOTE------------------- Credit may be taken for unplanned events , that satisfy this SR. i 24 months ]- Verify each battery charger supplies a 300 amps at a 125 V for a 12 hours. SR 3.8.4.7 -------------------NOTES-------------------
- 1. SR 3.8.4.8 may be performed in lieu of SR3.8.4.7onceperQmonths.,(,g ,
- 2. Credit may be taken for unplanned events that satisfy this SR. ;
Verify battery capacity is adequate to 24 months supply, and maintain in OPERABLE status, the required emergency loads for the design duty cycle when subjected to a battery service test. . (continued) b SAN ONOFRE--UNIT 2 3.8-25 AMENDMENT NO.
OC Sc -:es -:tcei: ; 3.5.1 SURVEILLANCE RE0VIREMENTS (continued) SURVEILLANCE FREQUENCY i SR 3.8.4.8 ..-.................N0TE----------------... Credit may be taken for unplanned events l that satisfy this SR.
--....................................__ .. (,C) l 1
Verify battery capacity is a 80% of the months manufacturer's rating when subjected to a l performance discharge test. ANQ
-----NOTE------
Only applicable when battery shows degradation or has reached 85% of the expected life ; 12 months e i t P
?
SAN ONOFRE--UNIT 2 3.8-26 AMENDMENT NO
i
- m e~ e s -::e-w :
3.3.) 1 3.8 ELECTRICAL POWER SYSTEMS . . . 3.8.7 Inverters -0peratin9 g,h r frifM [ or W m 5 LCO 3.8.7 The required ain A, Train B, Train C, and Train D 1 I One inverter (either Train C or Train D) may ------------. ---------------NOTE---------------------------- j be disconnected from its One inverter (may be disconnected from its associated DC bus associated vital bus for for 5 24 hodrs to perform an equalizing charge on its s72 hours to perform an associated battery, provided: equalizing charge on its associated battery a. The associated AC vital bus is energized from the provided all other AC Class 1E constant voltage source transformer; and vital buses for the remaining trains are b. All other AC vital buses for the remaining trains are energized from their , energized from their associated OPERABLE inverters. associated OPERABLE ------------------------------------------------------------ inverters. L J 4 APPLICABILITY: MODES 1, 2, 3, and 4. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME
------------NOTE------------
KOI Enter applicable Conditions and Required Actions of
] @P e
LCO 3.8.9 with one AC vital bus de-energized. A. One required [ inverter A.1 Power AC vital bus 2 hours inoperable. A from its Class 1E constant voltage source transfonner. AND A.2 Restore inverter to 24 hours OPERABLE status. (continued) SAN ONOFRE--UNIT 2 3.8-34 AMENDMENT NO.
- n.er ers -:;e n ;
3.a.7 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME
- , 'f.
g Required Action and associated Completion g.1 C, Be in MODE 3. 6 hours Time not met. AND
/2 Be in MODE 5. 36 hours I[ Ggdikt5M A# C SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.8.7.1 Verify correct inverter voltage and 7 days '
alignment to required AC vital buses. _________ NOTE--------- Enter applicable Conditions and Required Actions of LC0 3.8.9 with one AC vital bus de-energized. B. One required B.1 Restore inverter 72 hours ' Train C or Train to OPERABLE D inverter status. l inoperable. l k ' SAN ONOFRE--UNIT 2 3.8-35 AMENDMENT NC
Distribution Systems -Operating 3.8.9 3.8 ELECTRICAL POWER SYSTEMS 3.8.9 Distribution Systems-Operating LC0 3.8.9 Train A and Train B AC; Trains A, B, C, and D DC; and Trains A, B, C, and D AC vital bus electrical power distribution subsystems shall be OPERABLE. APPLICABILITY: MODES 1, 2, 3, and 4. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One AC electrical A.1 Restore AC electrical 8 hours power distribution power distribution g{ subsystem inoperable, subsystem to OPERABLE status. o , (Temh A or Trmin S B. Ene.AC vital bus B.1 Restore AC vital bus 2 hours i inoperable, subsystem to OPERABLE I status. r- l Train A # Trein 5 g ME DC electrical p.1 Restore DC electrical 2 hours power distribution power distribution subsystem inoperable. subsystem to OPERABLE status.
. Required Action and 1 Be in MODE 3. 6 hours associated Completion Time of Condition A, AND B, / g ot met. # 36 hours Y.2 Be in MODE 5.
LD, ore (301512T7 ("F'} SAN ONOFRE--UNIT 2 3.8-38 AMENDMENT NO.
l
" ri !
.N5 Elk., E l, C. Train C or Train C.1 Restore AC vital 72 hours D AC vital bus bus subsystem to inoperable. OPERABLE status.
INSEgT Y' E. Train C or Train E.1 Restore DC 72 hours D DC electrical electrical power power distribution distribution subsystem to subsystem OPERABLE status, inoperabl e . O
3 .
, Design Features 4.0 4.0 DESIGN FEATURES ']
4 4.1 Site 4.1.1 Exclusion Area Boundary The exclusion area boundary shall be as shown in Figure 4.1-1. 4.1.2 low Poculation Zone (LPZ) The LPZ shall be as shown in Figure 4.1-2. 4.2 Reactor Core 4.2.1 Fuel Assemblies The reactor shall contain 217 fuel assemblies. Each assembly shall consist of a matrix of Zircaloy clad fuel rods with an initial com osition of natural or slightly enriched uranium dioxide (VO ) as fuel material. Integral or Discrete Burnable Absorber Ro s may be used.4 Limited substitutions of zirconium alloy or stainless steel filler rods for fuel rods, in accordance with approved applications of fuel rod configurations, may be used. Fuel assemblies shall be limited to those fuel designs that have been analyzed with applicable NRC staff approved codes and methods and shown by tests or analyses to comply with all fuel safety design bases. A limited number of lead test assemblies that have not completed representative testing may be placed in ( nonlimiting core regions. h 4.2.2 Control Element Assemblies gjp/ gy ,@ f 8 Thereactorcoreshallcontain83fulllengthhontrolelement assemblies (CEAs). The control material shall be silver indium cadmium, boron carbide, and inconel as approved by the NRC. Theyne inek/W9.' A0/~95/6'da??C }ldG5hk'<!-46hYb ' eenlido- ByC ziecewitim bonife- ZR82 , gnMimUm oxide -. g og, , e,c,y,,, oxide . gg 9, . - 1 y (continued) SAN ONOFRE--UNIT 2 4.0-1 AMENDMENT NO. ,
Organization 5.2 5.2 Organization 5.2.2 UNIT STAFF The unit' staff organization shall include the following: O
/_ M R e r Y a.
" fshiftcrewcompositionshownintheLCSgachonautys
- b. At least one licensed Reactor Operator (RO) shall be in the Control Room when fuel is in the reactor. In addition, while the unit is in MODE 1, 2, 3 or 4, at least one licensed Senior Reactor Operator (SRO) shall be in the Control Room Area.
T _Sep.J A/ "d g
- c.
S g A health physics technician shall be on site when fuel is in the reactor. The position may be vacant for not more than 2 hours, in order to provide for unexpected absence, provided immediate action is taken to fill the required position. g, [ Administrative procedures shall be developed and implemented to limit the working hours of unit staff who perform safety-related functions (e.g., licensed SR0s, licensed R0s, health physicists, nuclear plant equipment operators, and key maintenance personnel). t Adequate shift coverage shall be maintained without routine heavy use of overtime. The objective shall be to have operating personnel work an 8 or 12-hour day, nominal 40-hour week, while the unit is operating. However, in the event that unforeseen problems require substantial amounts of overtime to , be used, or during extended periods of shutdown for refueling, major maintenance, or major plant modification, on a temporary basis, the following guidelines shall be followed:
- 1) An individual should not be permitted to work more than 16 hours straight, excluding shift turnover time.
- 2) An individual shoul.d not be permitted to work more than 16 hours in any 24-hour period, nor more than 24 hours in any 48-hour period, nor more than 72 hours in any 7-day period, all excluding shift turnover time.
Personnel regularly assigned to 12-hour. shifts may work up to 26 hours in a 48-hour period.
- 3) A break of at least 8 hours should be allowed between work periods, including shift turnover time.
A (continued) SAN ON0FRE--UNIT 2 5.0-3 . Amendment No. I
-es (m. .e _ a _
j non likiped 6kedalon shatY/e assgne/ k each uacloe ed arta'on aaM' bawl' tieettsea' 6]6exadramJahig a ///e asegi' xed'lo, eaat poir J when a uacher is opera 4gix MOMS 644 kV an
& z;!: MM fog tAuk . shah'wn v e Mee of #Aree-apeAdn n 7a a:enanas acnp q ,% ho thuVs 4/S QY /B Clu 4' em compsi4'on d( Mee %
n(-um ueunas y %e eesro.sw-jA)( aa u.z.an4< p,a y , t q e,,e w & ueace Jo aa,msada eaegeekd
.Usaa s in '
$/Nfk dagco' nec,tw$$er$ftWt Q$S6#1d6 f 61~ $4C
,y w s - w n s q c+
i w a ae+ n cneas aoye4'ou to unSWx </ne macAuum pum4. I O P
- Mabw w e Organization 5.2 p%
x) 5.2 Organization 5.2.2 UNIT STAFF (continued)
- 4) Except during extended shutdown periods, the use of overtime should be considered on an individual basis and not for the entire staff on a shift.
. Any deviation from the above guidelines shall be authorized by the Vice President-Nuclear Generation or designee, in accordance with approved administrative procedures, or by higher levels of management, in accordance with established procedures and with documentation of the basis for granting.
the deviation. Controls shall be included in the procedures such that individual overtime shall be reviewed monthly by the Vice President-Nuclear Generation or designee to ensure that excessive hours have not been assigned. Routine deviation from the above guidelines is not authorized.
/, The Plant Superintendent (at time of appointment), the s Assistant Plant Superintendent-0perations, Shift Superintendents, and Control Room Supervisors shall hold a Senior Reactor Operator's license. The Control Operators and ' Assistant Control Operators shall hold a Reactor Operator's license or Senior Reactor Operator's license.
The Shift Technical Advisor (STA) shall provide advisory [' technical support to the Shift Superintendent in the areas of thermal hydraulics, reactor engineering, and plant analysis with regard to the safe operation of the unit. The STA shall have a Bachelor's Degree or equivalent in a scientific or engineering discipline with specific training in plant design and in the response and analysis of the plant for transients and accidents. $1_ .. l
. i SAN ON0FRE--UNIT 2 5.0-4 Amendment No.
Procedures, Programs, and Manuals 5.5 5.5 Procedures, Programs, and Manuals
'.9 -
5.5.2.7 Explosive Gas and Storage Tank Radioactivity Monitoring Program (continued) The program shall include:
- a. The limits for the concentrations of hydrogen and oxygen in the Gaseous Radwaste System and a surveillance program to ensure the limits are maintained. Such limits shall be appropriate to the system's design criteria (i.e., whether or not the system is designed to withstand a hydrogen explosion);
and
- b. A surveillance program to ensure that the quantity of radioactivity contained in each waste gas decay tank and fed into the gaseous radwaste vent system is less than the amount that would result in a whole body exposure of greater than or equal to 0.5 rem to any individual in the unrestricted area, in the event of an uncontrolled release of the tanks contents; and
- c. A surveillance program to ensure that the quantity of radioactivity contained in all outdoor liquid radwaste tanks that are not surrounded by liners, dikes, or walls, capable of holding the tanks' contents and that do not have tank overflows and surrounding area drains connected to the Liquid Waste Management System is less than the amount that would result in concentrations less than the limits of 10 CFR Part 20, Appendix B, Table II, Column 2, at the nearest potable water supply and the nearest surface water supply in an unrestricted area, in the event of an uncontrolled release of the tanks' contents.
The provisions of SR 3.0.2 and SR 3.0.3 are applicable to the Explosive Gas and Storage Tank Radioactivity Monitoring Program surveillance frequencies. _[ N6fA T "C " t SAN ON0FRE--UNIT 2 5.0-12 - Amendment No.
I 1 5S.2'8' S uneeS Ou. Iside. I p,."" G Coola,14
% h u n m ert+.
Es f>rgam jeovides eodrotS 4 nu'ditaye halage ' i from nse orkops of .skms oa tse'a'e amfaiumea + , M co d con +ain Idy sadicaehve- Wg l durin a serioug .1eansikn F or xe<We 4 .ets - aS ow as praeSeatte. pagam <VreifL<
&% % he wS .
G. S. 2.9. Pre %sseg Gnewle, 6iehakmed Tendon Gueveluanee Prof ram.
%s ovMe.S cordeslS M'u'N refram "I '*
m n adiON la e' l
'nd m hdhj e
,kabi 'um, 'Si"S 4 ensuze Y NSapulahd :
si-esu,, couwglpeEucp< pr.,- coy, aerp aded ;
>!o L C S.
6 S. 2 .l O .Jnsewict ksdry frofam ,
)) sis prgram froWs corthels for/,'2, ikServ!M RSME Code. Class eid 3 k.sM,g 4 l y ine/ad<hy sphab suf) ads. l y , sat; is sara a na iss. 1 ;
l l W
f52.// 5/.eam de' n & r ( K ) Tu fe Supve M aine Profrzwr l nee /feodt4g f / u 's y y / L t y& omt' & pre a ee.ed e. eam warnm/* ,prtW
/kw, de wg SC O M M B/U 7f Pf"*'
ilsey is uleealed to b MS _ Venj.eQ4on RUee TeSNnq K r. 2. /2.
% ?rffram cm & t&,
$S frfem provicleS treoef>%se. i htt)kdoQiet, swRkillance y w usw/5 eet'
%daliCM Corterning dudhg $
Sfi'uomeef Nalaw(ESf)/Z4e vedaabew .psws. Royn yupt it utaatea< to ,u.e ic.S
- 5. S. 2. t3 Desel fuel OL T&y h'"*'
% pyram i4na~ts upaus , tag. ag
$ fo A u w f u l # 2 a e d M Proyrm ik<y' is da- k ' + /* a's i
Reporting Requirements 5.7 5.7 Reporting Requirement! ] 5.7.2 Special Reports (continued)
- b. Following each inservice inspection of steam generator (SG) tubes, in tccordance with the SG Tube Surveillance Program, the number of tubes plugged and tubes sleeved in each SG shall be reported to the NRC within 15 days. The complete results of the SG tube inservice inspection shall be submitted to the NRC within 12 months following the completion of the inspection. The report shall include:
- 1. Number and extent of tubes inspected, and
- 2. Location and percent of wall-thickness penetration for each indication of an imperfection, and
- 3. Identification of tubes plugged and tubes sleeved.
Results of SG tube inspections which fall into Category C-3 shall be reported to the NRC prior to resumption of plant operation. This report shall provide a description of investigations conducted to determine cause of the tube degradation and corrective measures taken to prevent recurrence. NY : 1
)
i i
)
SAN ONOFRE--UNIT 2 5.0-19 Amendment Nt
.: u f%
k TN5MT O O'Sh "*di'*i a ^r"' q S8
/ 5.0 ADMINISTRATIVE CONTROLS High Radiation Area o #- I Pursuant to 10 CFR 20, paragraph 20.203(c)(5), in lieu of the I requirements of 10 CFR 20.203(c), each high radiation area, as j y' ' [ defined in 10 CFR 20, in which the intensity of radiation is
> 100 mrem /hr but < 1000 mrem /hr, shall be barricaded and hereto conspicuously posted as a high radiation area and entrance j} , 91 shall_be controlled by requiring issuance of a Radiation Individuals qualified in radiation protection EW(d F Cr) Pennir 'w .
roce ures (e.g.,$ealth Physics Technicians #) or personnel i ce tinuously escorted by such individuals maf%e exempt from the
~ issuance requirement during the performance of their assigned duties in high rsdiation areas with exposure rates 51000 mrem /hr, f j provided they are otherwise following plant radiation protection REP, proceeures for entry into such high radiation areas.
Any individual or group of individuals pemitted following:
- a. A radiation monitoring device that continuously indicates ,
the radiation dose rate in the area.
.n A radiation monitoring device that ' continuously integrates b.
h the radiation dose rate in the area and alarms when a preset integrated dose is received. Entry into such areas with , this monitoring device may be made after the dose rate h[ levels in the area have been established and personnel are ' aware of them.
- c. An individual qualified in radiation protection procedures with a radiation dose rate monitoring device, who is responsible for providing positive control over the activities within the area and shall perform periodic radiation surveillance at the frequency specified by the adiation Protection Manager in the gp areas o.11. In addition to the requirements of Specification S1000 mre with radiation levels 2:
I.b d. or continuously guarded doors to Doors preven '. the Shift Foreman on duty or health physics s
);
h (continued) l 3 , (6 . Y-Y
- g, ~
E0V'
- SANON0FRE--UNITj m
~~-
;n :-.3
' : p Ra:,3 w '
c.e S.$ t High' Radiation Area (continued) gp
' .that shall specify the dose rate levels in j [ [, b under an approved'the 'imediate work areas and the maximum allowab
' In lieu of the stay time f
individual's in those areas., direct or remote (such as closed circuit specification of the surveillance may be made by personnel f Ty.. cameras) 'cnntinuo qualifi'ed in radiet' n activities er the protectionbeingprocedures to provide perfarned within the positiv
) exposure, control area.
For individual high radiation areas with radiation levels of f 3.11.3 > 1000 mrem /hr, accessible to personnel, that are located w . large areas such as reactor containment, be continuouslywhere no/ enclo f* g*} for purposes) of locking, or that cannot guarded, and whe.re no enclosure can be reasonably constructed arou individual " area, that individual area shall be barricadedl; and conspicuously posted, and a flashing light shall be activate warning device. e W 5 e, . , 'q ' h o, og/28/9
' - .0-sTs
SFDP 5.6 5.0 ADMINISTRATIVE CONTROLS o) Safety Function Determination Program (SFDP) [ 5.6 5.6.1 This program ensures loss of safety function is detected and appropriate actions taken. Upon failure to meet two or more LCOs at the same time, an evaluation shall be made to determine if loss of safety function exists. Additionally, other appropriate limitations and remedial or compensatory actions may be identified to be taken as a result of the support system inoperability and corresponding exception to entering supported system Condition and Required Actions. This program implements the requirements of LCO 3.0.6. 5.6.2 The SFDP shall contain the following:
- a. Provisions for cross-train checks to ensure a loss of the-capability to perform the safety function assumed in the accident analysis does not go undetected,
- b. Provisions for ensuring the plant is maintained in a safe condition if a loss of function condition exists.
- c. Provisions to ensure that an inoperable supported system's Completion Time is not inappropriately extended as a result of multiple support system inoperabilities.
- d. Other appropriate limitations and remedial or compensatory actions.
5.6.3 A loss cf safety function exists when, assuming no concurrent single failure, a safety function assumed in the accident analysis cannot be performed. ~For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and: ,
- a. A required system redundant to system (s) supported by the inoperable support system is also inoperab_lq; or (m ctSe 4!D
- b. A required system redundant to system (s) in turn supported by the inoperable supported system is also inoperabla; or_'
r(Case B) J $g,$,7 ,,[n c. Arequiredsystemredundanttosupportsystem(s)forth[es 5.6.4 The Safety Function Determination Program identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required Actions of the LC0 in which the loss of safety function exists are required to be entered. l 1 _- 1 SAN ON0FRE--UNIT 2 5.0-13 , Amendment No. 1 I
l lA/. SERT ' Generic Example: Train A Train B . System i System i
- Case C 4 4 System ii -(SupportSystem System ii 4 Inoperable) &
System iii System iii ' +-Case A 4 4 System iv System iv .-Case B e
ATTACHMENT "B" (Marked-Up Proposed Spec .ations) Unit 3
+
Definitions l 1.1 l 1.1 0 .nitions l CORE ALTERATION within the reactor vessel with the vessel head l (continued) removed and fuel in the vessel. Suspension of ' CORE ALTERATIONS shall not preclude completion of i movement of a component to a safe position. . ! CORE OPERATING LIMITS The COLR is the unit specific document that t i REPORT (COLR) provides cycle specific parameter limits for the current reload cycle. These cycle specific , parameter limits shall be determined for each ; reload cycle in accordance with Specification 5.7.1.5. Plant operation within these limits is - addressed in individual Specifications. DOSE EQUIVALENT I-131 DOSE EQUIVALENT I-131 shall be that concentration of I-131 (microcuries/ gram) that alone would produce the same thyroid dose as the quantity and : isotopic mixture of I-131, I-132, I-133, 1-134, and 1-135 actually present. The thyroid dose conversion factors used for this calculation shall be those listed in Table !!! cf T:;-iso **, atu,-
!?52. "C & & tica a n % nc. rete : for re cr
= i T;;; ";;;t;r Sit;;."
- t. 8 09 ,
E-1 of 9 O'%%*1J ge E - AVERAGE E shall be the average (weighted in proportion
'>) DISINTEGRATION ENERGY to the concentration of each radionuclide in the reactor coolant at the time of sampling) of the ,
sum of the avera disintegration (ge beta and gamma energies perin MeV iodines, with half lives > 15 minutes, making up at least 95% of the total noniodine activity in . the coolant. ! ENGINEERED SAFETY The ESF RESPONSE TIME shall be th'at time interval FEATURE (ESF) RESPONSE from when the monitored parameter exceeds its ESF TIME actuation setpoint at the channel sensor until the ESF equipment is capable of perforu ng its safety ' function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.). Times shall include diesel generator starting and sequence loading delays, where applicable. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is' measured. h (continued) SAN ONOFRE--UNIT 3 1.1-3 AMENDMENT NO.
Definitions 1.1 1.1 Definitions (continued) LEAKAGE LEAKAGE shall be:
- a. Identified LEAKAGE
- 1. LEAKAGE, such as that from pump seals or valve (RCP)packing)(except reactorand leakoff , that is captured coolant pump conducted to collection systems or a sump or collecting tank;
- 2. LEAKAGE into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary LEAKAGE; or
- 3. Reactor Coolant System (RCS) LEAKAGE through a steam generator (SG) to the Secondary System,
- b. Unidentified LEAKAGE
) All LEAKAGE that is not identified LEAKAGE.
- c. Pressure Boundary LEAKAGE LEAKAGE (except SG LEAKAGE) through a nonisolable fault in an RCS component body, pipe wall, or vessel wall.
i Controlled LEAG6W The m' etei fic. 5uppliei--to ci f vm Uie 8fD 'e3 W - MODE A MODE shall correspond to any one inclusive combination of core reactivity condition, power , level, average reactor coolant temperature, and i reactor vessel head closure bolt tensioning ' specified in Table 1.1-1 with fuel in the reactor vessel. I i l (continued) SAN ONOFRE--UNIT 3 1.1-4 AMENDMENT NO.
Completion Times 1.3 1.3 Completion Times EXAMPLES EXAMPLE 1.3-3 (continued) ACTIONS CONDITION d COMPLETION TIME REQUIRED /TIGN A. One A.1 Res re 7 days Function X F ction X train train 6 OPERABLE AND inoperable. status. 10 days from discovery of failure to meet the LC0
/
B. B.1 Restore 72 hours Fu ction Y Function Y train tra'n to OPERABLE AND in erable. status. 10 days from ') discovery of m/ failure to meet
'the LC0 C. One C.1 Restore 72 hours function X Function X train train to OPERABLE inoperable. status.
AND OR
,/ One function Y 2 Restore Function Y train 72 hours train to OPERABLE inoperable. status.
(continued) SAN ONOFRE--UNIT 3 1.3-6 AMENDMENT NO. I
W Completion Times ; 1.3 - t 1.3 Completion Times EXAMPLES EXAMPLE 1.3-3 (continued) When one Function X train and one F ction Y train are inoperable, Condition A and Conditj n B are concurrently applicable. The Completion Times /for Condition A and Condition B are tracked separately for each train starting from the time each train was clared inoperable and the Condition was entered. A se rate Completion Time is _ nd tracked from the time the established' second train wasfordeclared Condition [ inoperable (i.e., the time the situation described in onditionCwasdiscovered). ; If Required Action C4 is completed within the specified , Completion Time, nditions B and C are exited. If the l Completion Time r Required Action A.1 has not expired, i operation may tinue in accordance with condition A. The remaining Comp 1etion Time in Condition A is measured from the time th/affected train was declared inoperable (i.e., initial e try into Condition A). The C pletion Times of Conditions A and B are modified by a Ig ical connector, with a separate 10 day Completion Time : - meaTured from the time it was discovered the LCO was not I In this example, without the separate Completion Time, "') met. it vould be oossible to alternate between Conditions A, B, i an C in such a manner that operation could continue i efinitely without ever restoring systems to meet the LCO. T e separate Completion Time modified by the phrase "from iscovery of failure to meet the LC0" is designed to prevent ndefinite continued operation while not meeting the LCO. This Completion Time allows for an exception to the normal
" time zero" for beginning the Completion Time " clock." In ,
this instance, the Completion Time " time zero" is specified as commencing at the time the LCO was initially not met, instead of at the time the associated Condition was entered. i i h i I (continued) ! SAN ON0FRE--UNIT 3 1.3-7 AMENDMENT NO. ; l
Completion Times 1.3 , l 1.3 Completion Times EXAMPLES EXAMPLE 1.3/ (continued) ACTIONS f CONDITION REQUIRED ACTION COMPLETION TIME j , A. One or more A.1 Restore valve (s) 4 hours valves to OPERABLE inoperable. status. P I B. Required B.1 Be in MODE 3. 6 hours Action and associated AND 1 Completion : Time not B.2 Be in MODE 4. 12 hours met. I
- A single Completion Time is used for any number of valves inoperable at the same time. The Completion Time associated ;
with Condition A is based on the initial entry into Condition A and is not tracked on a per valve basis. Declaring subsequent valves inoperable, while Condition A is still in effect, does not trigger the tracking of separate Completion Times. . Once one of the valves has been restored to OPERABLE status, the Condition A Completion Time is not reset', but continues from the time the first valve was declared inoperable. The i Completion Time may be extended if the valve restored to OPERABLE status was the first inoperable valve. The Condition A Completion Time may be extended for up to 4 hours provided this does not result in any subsequent valve being inoperable for > 4 hours. If the Completion Time of 4 hours (including any extensions) ' expires while one or more valves are still inoperable, Condition B is entered. (continued) v SAN ONOFRE--UNIT 3 1.3-8 AMENDMENT NO. i
Completion Times : 1.3 l 1.3 Completion Times EXAMPLES EXAMPLE 1.3-/ ( ; (continued) ACTIONS
----------------------------NOTE----------------------------
Separate Condition entry is allowed for each inoperable t valve. CONDITION REQUIRED ACTION COMPLETION TIME A. One or more A.1 Restore valve to 4 hours valves OPERABLE status, inoperable. B. Required B.1 Be in MODE 3. 6 hours Action and associated AND
'A Completion ..) Time not met.
B.2 Be in MODE 4. 12 hours The Note above the ACTIONS table is a method of modifying. how the Completion Time is tracked. If this method of modifying how the Completion Time is tracked was applicable , only to a specific Condition, the Note would appear in that : Condition rather than at the top of the ACTIONS Table. : The Note allows Condition A to be entered separately for , each inoperable valve, and Completion Times tracked on a per ; valve basis. When a valve is declared inoperable, Condition A is entered and its Completion Time starts. If su) sequent valves are declared inoperable, Condition A is : entered for each valve and separate Completion Times start ; and are tracked for each valve. : (continued) i SAN ONOFRE--UNIT 3 1.3-9 AMENDMENT NO. l l
Completion Times 1.3 1.3 Completion Times EXAMPLES EXAMPLE 1.3- (continued) ! i If the Completion Time associated with a valve in Condition A expires, Condition B is entered for that valve. ; If the Completion Times associated with subsequent valves in ; Condition A expire, Condition B is entered separately'for each valve and separate Completion Times start and are tracked for each valve. If a valve that caused entry into Condition B is restored to OPERABl.E status, Condition B is exited for that valve. Since the Note in this example allows multiple Condition entry and tracking of separate Completion Times, Completion Time extensions do not apply. . I i EXAMPLE 1.3-/ , ACTIONS j CONDITION REQUIRED ACTION COMPLETION TIME ~ , A. One channel A.1 Perfonn Once per Inoperable. SR 3.x.x.x. 8 hours , 0.8 ; A.2 Reduce THERMAL 8 hours POWER to s 50% RTP. B. Required B.1 Be in MODE 3. 6' hours Action and associated : Completion Time not met. 1 (continued) 9 - SAN ONOFRE--UNIT 3 1.3-10 AMENDMENT NO. l l I
Completion Times 1.3 1.3 Completion Times EXAMPLES EXAMPLE 1.3 (continued) Entry into Condition A offers a choice between Required Action A.1 or A.2. Required Action A.1 has a "Once per" Completion Time, which qualifies for the 25% extension, per SR 3.0.2, to each performance after the initial performance. If Required Action A.1 is followed and the Required Action is not met within the Completion Time (including the 25% extension allowed by SR 3.0.2), Condition B is entered. If Required Action A.2 is followed and the Completion Time of 8 hours is not met, Condition B is entered. If after entry into Condition B, Required Action A.1 or A.2 is met, Condition B is exited and operation may then continue in Condition A. (continued) O SAN ONOFRE--UNIT 3 1.3-11 AMENDMENT NO.
l Completion Times 1.3-1.3 Completion Times ! 6 EXAMPLES EXAMPLE 1.3/ (continued) ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One A.1 Verify affected I hour subsystem subsystem inoperable. isolated. AND Once per 8 hours thereafter AND A.2 Restore subsystem 72 hours to OPERABLE status.
- B. Required B.1 Be in MODE 3. 6 hours Action and associated AND Completion Time not B.2 Be in MODE 5. 36 hours met.
Required Action A.1 has two Completion Times. The 1 hour Completion Time begins at the time the Condition is entered and each "Once per 8 hours thereafter" interval begins upon perfomance of Required Action A.1. If after Condition A is entered, Required Action A.1 is not met within either the initial I hour or any subsequent 8 hour interval from the previous perfomance (including the 25% extension allowed by SR 3.0.2), Condition.B is entered. (continued) N SAN ONOFRE--UNIT 3 1.3-12 AMENDMENT N0.
Completion. Times 1.3~ () 1.3 Completion Times V EXAMPLES EXAMPLE 1.3-/ (continued) The Completion Time clock.for Condition A does not stop after Condition B is entered, but continues from the time' ' Condition A was initially entered. If Required Action A.1 is met after Condition B-is entered, Condition B is exited and operation may continue in accordance with Condition A, i provided the Completion Time for Required Action A.2 has not , expired. IMMEDIATE When "Immediately" is used as a Completion Time, the COMPLETION TIME Required Action should be pursued without delay and in a ' controlled manner. l I i
- l i
l l - l: L SAN ONOFRE--UNIT 3 1.3-13 AMENDMENT NO. i l 1 l i
Frequency 1.4
~ s.
1.4 Frequency EXAMPLES EXAMPLE 1.4-3 (continued) SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY
----------------.-NOTE--------------_-_-
Not required to be performed until 12 hours after e 25% RTP. Perfom channel adjustment. 7 days The inter 1 continues, whether or not the unit operation is < 25% RTP between performances. As the Note modifies the required performance of the Surveillance, it is construed to be part of the "specified Frequency." Should the 7 day interval be exceeded while cperation is < 25% RTP, this Note allows 12 hours afterThe power reaches a 25% RTP to perform the Surveillance. Surveillance is still considered to be perfomed within the "specified Frequency." Therefore, if the Surveillance were not performed within the 7 day (plus 25% per SR 3.0.2) interval, but operation was < 25% RTP, it would not constitute a failure of the SR or failure to meet the LCO. Also, no violation of SR 3.0.4 occurs when changing MODES, even with the 7 day Frequency not met, provided operation does not exceed 12 hours with power a 25% RTP. Once the unit reaches 25% RTP, 12 hours would be allowed for completing the Surveillance. If the Surveillance were not performed within this 12 hour interval, there would then be a failure to perform a Surveillance within the specified Frequency; MODE changes then would be restricted in accordance with SR 3.0.4 and the provisions of SR 3.0.3 would apply. 1.4-4 AMENDMENT NO. SAN ONOFRE--UNIT 3 s
Sts~ :
; 2.0 2.0 SLs -
- 2.2 SL Violations (continued) 0 (Modo l aa.L 2.) @
2.2.6 ecd ti;;l 4 eratiog of the unit shall not be resumed until . authorized by the NRC. l P 5 i i t I l 1
),
l SAN ON0FRE--UNIT 3 2.0-2 AMENOMENT NO.. v a f
~ ~ * ' * .#.
LC0 Applicability. 3.0 3.0 LCO APPLICABILITY LC0 3.0.4 Specification shall not prevent changes in MODES or other (continued) specified conditions in the Applicability that are required to comply with ACTIONS. Exceptions to this Specification are stated in the individual Specifications. These exceptions allow entry ' into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered allow unit operation in the MODE or other specified condition in the Applicability only for a limited period of time. LC0 3.0.5 Equipment removed from service or declared inoperable to comply with ACTIONS may be returned to service under administrative control solely to perform testing required to , demonstrate its OPERABILITY or the OPERABILITY of other equipment. This is an exception to LCO 3.0.2 for the system returned to service under administrative control to perform the testing required to demonstrate OPERABILITY.
~ ) When a supported system LC0 is not met solely due to a LC0 3.0.6 support system LCO not being met, the Conditions and Required Actions associated with this supported system are not required to be entered. Only the support system LCO ,
t ACTIONS are required to be entered. This is an exception to LCO 3.0.2 for the supported system. In this event, additional evaluations and limit ions may be required in accordance with Specification , " Safety function , Determination Program (SFDP)." If a loss of safety function is determined to exist by this prosram, the appropriate ; Conditions and Required Actions of the LCO in which the loss ; of safety function exists are required to be entered. , When a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. ; (continued) SAN ON0FRE UNIT--3 3.0-2 AMENDMENT NO.
LCO Applicability B 3.0 BASES LCO 3.0.6 However, there are instances where a support system's (continued) Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perfom some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. fr Specification 5/, " Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon failure to meet two or more LCOs concurrently, an evaluation shall be made to detemine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6. c)
" Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation detemines that a loss of safety function exists, the appropriate Conditions and Required Actions'of the LCO in which the loss of safety function exists are required to be entered.
LCO 3.0.7 Special tests and operations are required at various times over the unit's life to demonstrate performance characteristics, to perfom maintenance activities, and to perfom special evaluations. Because TS nomally preclude these tests and operations, special test exceptions (STEs) allow specified requirements to be changed or suspended under controlled conditions. STEs are included in applicable sections of the Specifications. Unless othenvise specified, all other TS requirements remain unchanged and in g f SAN ON0FRE UNIT--3 B 3.0-8 AMENDMENT NO. l l i
x -~: ., . . . . _. I l SDM- T vg > 200'F 3.1.1 jn 3.1 REACTIVITY CONTROL SYSTEMS l' ') 3.1.1 SHUTDOWN MARGIN (SDM)-T, > 200*F LCO 3.1.1 'SDM shall be 2 5.15% Ak/k. APPLICABILITY: MODES 3 and 4. ACTIONS REQUIRED ACTION COMPLETION TIME
' CONDITION A.1 Initiate boration to 15 minutes A. SDM not within limit.
restore SDM to within limit. SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.1.1.h verify SDM is a 5.15% Ak/k. 24 hours @ i I h.or 5 R 3 .l.).1 W.rify SDM is wetabl< A <~ a -,a
,_a ~_ u, & m.a_
cortA oc enombts c.EAs, 4 m et e ls CE$ And every e (2 has4
<ssessCese y
3.1-1 AMENDMENT N0. SAN ON0FRE--UNIT 3 f
_ _ _ - - ________ _ .. ._ ~.- l HTC 3.1.4 1 3.1 REACTIVITY CONTROL SYSTEMS 6- 3.1.4 Moderator Temperature Coefficient (MTC) LC0 3.1.4 "The MTC shall be maintained within the limits specified in the COLR, and a maximum positive limit as specified below: I
- a. 0.5 E-4 en THERMAL POWER is s 70% RTP; and
- b. 0.0 hen THERMAL POWER is > 70% RTP.
APPLICABILITY: MODES 1 and 2 with K,,,a 1.0 ACTION COMPLETION TIME CONDITION REQUIRED ACTION A.1 Be in MODE 3. 6 hours A. HTC not within limits.
=
- SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE
-------------------NOTE--------------------
SR 3.1.4.1 is not required to be perfomed , l prior to entry into MODE 2. e Verify MTC within the upper limit. Prior to i SR 3.1.4.1 entering MODE 1 , after each fuel l loading l l (continued) 9 AMEN 0 MENT NO. SAN ONOFRE--UNIT 3 3.1-5
CEA Alignment 3.1.5 I 3.1 REACTIVITY CONTROL SYSTEMS 3.1.5 Control Element Assembly (CEA) Alignment LCO 3.1.5 All full length CEAs shall be OPERABLE and all full and part length CEAs shall be aligned to within 7 inches (? fi xt;J # -
- '" , with 2 of 3 position indicators available) of all
; ;:her ot CEAs in its group.
APPLICABILITY: MODES 1 and 2. ACTIONS COMPLETION TIME CONDITION. REQUIRED ACTION A.1 Reduce "HERMAL POWER 15 minutes A. One regulating CEA trippable and in accardance with misaligned from its LCS requirements. group by > 7 inches. AND A.2.1 Verify SOM is I hour a 5.15% Ak/k. t M l A.2.2 Initiate boration to 1 hour restore SDM to within limit. AND
^
A.3.1 Restore the 2 hours ! misalignedCF.A(s)to l l within 7 inches
' :o A _t:f ; xit:a,'
&(f o its group.
M (continued) 4 3.1-7 AMENDMENT NO. SAN ON0FRE--UNIT 3 4
CEA Alignment 3.1.5 ACTIONS - COMPLETION TIME , CONDITION REQUIRED ACTION A.3.2 Align the remainder 2 hours A. (continued)- of the CEAs in the group to..within
- !!!) f misalignedCEA(s) kE while maintaining the insertion limit of LCO 3.1.7,
" Regulating Control ,
Element Assembly (CEA) Insertion Limits." B.1 Reduce,HERMALNOWER T 4-houg B. One shutdown CEA lg mmutu trippable and in accordance with misaligned from its LCS requirements, group by > 7 inches. AND B.2.1 Verify SDM is 1 hour a 5.15% Ak/k. 93 B.2.2 Initiate boration to I hour restore SDM to -sithin limit. AND B.3 Restore the 2 hours misalignedCEA(s)to within 7 inches
:!' c' M ;;;M h n%
of its group. (continued) 3.1-8 AMENDMENT NO. SAN ON0FRE--UNIT 3 m
- a. .
~CEA Alignment 3.1.5 ACTIONS (continued)
COMPLETION TIME REQUIRED ACTION {} CONDITION C. One part len'gth CEA C.1 Reduce THERMAL POWER 15 J , misaligned from its in accordance with gg, group by > 7 inches. LCS requirements AND i C.2.1 Restore the 2 hours , t misaligned CEA(s) to within 7 inches
;pjs a y ,4 1 -j of its group. ,
93 C.2.2 Align the remainder 2 hours of the CEAs in the " group to within' 7 ' inches 'i-M:tdC
- f'.....) of the g-;:isalignedCEA(s),
m while maintaining the insertion, limit of - LCO 3.148 M L q k" 4 b u. p Control
~
Element Assembly (CEA) Insertion ; Limits."
-,,,-r r r - v7/iV^ ^fw-Restore inoperable 6 hours D. Required position ( D.1 indication inoperable. j' position indicator ,
I'1m channel to OPERABLE status, b l Nh:)- 00.44(93sv>_tsws- - W .6 hours . - A: . e . Align the CEA group (s) with the l i inoperable position l' indicator (s) at the fully withdrawn position.
.,' (continued) l 3.1-9 AMENDMENT r0.
SAN ON0FRE--UNIT 3 9
CEA Alignment 3.1.5 ACTIONS (continued) COMPLETION TIME g CONDITION REQUIRED ACTION E.1 Be in MODE 3. 6 hours
. E. Required Action and associated Completion Time of Condition A, B, C or D not met.
03 One full length CEA untrippable. - E . More than one full length CEA trippable, but misaligned from any other CEA in its ' group by > 7 inches. .' E More than one part length CEA misaligned from any other CEA in , its group by > 7 inches. : SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.1.5f1; Verify the ' .l. . dposition of each full 12 hours W ' .and part length CEA is within 7 inches of 4 all other CEAs in its group. (continued) 3.1-10 AMENDMENT NO. SAN ONOFRE--UNIT 3 J
R Part-Length CEA Insertion Limits 3.1.8 , 3.1 REACTIVITY CONTROL SYSTEMS ~ 3.1.8 Part Length Control Element Assembly (CEA) Insertion Limits The part length CEA grouas shall be limited to the insertion LC0 3.1.8 limits specified in of t1e COLR. APPLICABILITY: MODE 1 > 20% RTP. '
-.--..----------------------NOTE-------------------.-.---.--
This LCO not applicable while exercising part length CEAs. . ______....______. ___.........................__............ t ACTIONS COMPLETION TIME ON M ON REQUIRED ACTION Restore part length 2 hours Part length CEA groups A.1 , A. CEA groups to within inserted beyond the the limi.t. f transient insertion limit. 03 < 2 hours A.2 Reduce THERMAL POWER to less than or equal to the fraction of RTP allowed by the CEA group position and insertion limits
- specified in the COLR.
Restore part length 2 hours Part length CEA groups B.1 B. CEA groups to within inserted between the the long tem steady long tem steady state state insertion insertion limit and limit. the transient - ' insertion limit for intervals
> 7 effective full
' power days (EFPD) per 30 EFPD or > 14 EFPD per 365 EFPD interval. .
(cmo/wa {} AMENDMENT NO. 3.1-18 SAN ONOFRE--UNIT 3 1
Part-Length CEA Insertion Limits 3.1.8 l 1 ACTIONS (continued)
.;9 h- - CONDITION REQUIRED ACTION COMPLETION TIME
(;;atin.;d):" (]f) Required Action and C.1 Reduce THERMAL POWER 4 hours ; C. associated Completion to 5 20% RTP. ' Time of Condition B not met. J SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.1.8.1 Verify part length CEA group position. 12 hours i SR 3.1.8.2 Verify the accumulated time during which 24 hours i the part length CEA groups are inserted beyond the long term steady state insertion l i limit but within the transient insertion f limit. [ e f l 9 e J
< SAN ONOFRE--UNIT 3 3.1-19 AMENDMENT NO.
1 l Y 4
.'D i
i Boration Systems - Operating t 1 3.1.9 4 l MINIMUM STORED BORIC ACID VOLUME AS A FUNCTION OF CONCENTRATION (Gallons) 12,000-Region of Acceptable Operation 10,000 RWST at 2,350 ppm k h 8,000 \\s\w 27 , l l RWST at 2,500 ppm
- c. \
Se w ' RWST at 2,650 ppm Nb 2 o [\xx\ 'N \ N l l 32 > NM RWST at 2,800 ppm M$ \ \ N s N s
.g g 6,000 \*s ' ' '
S N Ns x N N\ ',sh'N N N N
's
\
4,000 Region of Unacceptable Operation 2,000 2.30 2.50 2.75 3.00 2.25 2.50 (4,021) (4,371) (4,808) (5,245) (5,682) (6,119) Boric Acid Concentration WT% (ppm) Figure 3.1.9-1 , SAN ON0FRE--UNIT 3 3.1-21a AMENDMENT NO.
Boration Systems - Shutcown 3.1.10 3 SURVEILLANCE REQUIREMENTS ..) SURVEILLANCE FREQUENCY Verify that at least one of the above 31 days SR 3.1.10.1 required flow paths is OPERABLE and +e4( veive (mar.ual, p.;;r : cr:ted :r ::t:::tf:)( is in its correct position.
,, r r r v w, ,-m, - rr v khT Nb MkVL M%F1Wh!p M W Of W A #DF h woe.-,L, w 6 m t ._x.A, s -14 oc g
.%a.s- s ome. 4) . m A o.o m
- r< stuers A C\.a p +k e
1 2 J 4 l I l 6 3.1-23 AMENDMENT NO. SAN ON0FRE--UNIT 3
- n. _ _ . _ - _ _ _
STE - HODES 2 and 3 3.1.12 8 3.1 REACTIVITY CONTROL SYSTEMS
- 3.1.12 Special Test Exception (STE) - MODES 2 and 3 D'uring perfonnance of PHYSICS TESTS the following LCOs may be LCO 3.1.12 suspended:
LCO 3.1.1, "SHUTDOWNMARGIN(SDM)-T,Tivityavailablefor > 200*F:" OIO (Provided the shutdown reac trip insertion is : int:f.:d t: :tx!!; :t !:::t it:fg StosvaluW e h heA' n tod
. i ct : :r ' ' t'::: T:
Ohmsg UA7 M ik; p; ithi . ...~ . ) LCO 3.1.4, " Moderator Temperature Coefficient (MTC);" LCO 3.1.5, " Control Element Assembly (CEA) Alignment;" LCO 3.1.6, " Shutdown Control Element Assembly (CEA) Insertion Limits;" LCO 3.1.7, " Regulating Control Element Assembly (CEA) Insertion Limits;" LCO 3.1.8, "Part length CEA Insertion Limits;" LCO 3.3.1, "RPS Instrumentation - Operating," Table 3.3.1-1, ALLOWABLE VALUE for FUNCTION 2 and footnote (d) for FUNCTIONS)4"andJ5' 11 it APPLICABILITY: MODES 2 and 3 during PHYSICS TESTS.
---------..-------------------NOTE------------------ive Operation in MODE 3 shall be limited to 6 consecut hours.
- 4 e
3.1-26 AMENDMENT NO. SAN ON0FRE--UNIT 3 - 6
+
I STE - Center CEA Hisalignment and Regulating CEA Insertion Limits 3.1.14 3 '.1 REACTIVITY CONTROL SYSTEMS fl 3.1.14 . Special Test Exceptions (STE) - Center CEA Misalignment and Regulating CEA Insertion Limits LC0 3.1.14 During perfonnance of PHYSICS TESTS the following LCOs may be suspended: LCO 3.1.5, ' Control Element Assembly (CEA) Alignment;" and LC0 3.1.7, " Regulating CEA Insertion Limits;" provided that: s
'a . Only the center CEA (CEA #1) is misaligned, or only regulating CEA Group 6 is inserted beyond the transient insertion Limit of LCO 3.1.7; and
- b. The LHR and DNBR do not exceed the limits specified in the COLR. .
APPLICABILITY: H0DE 1. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME _ 15 minutes A. LHR or DNBR outside A.1 [ Reduce THERMAL POWER the limits specified to restore LHR and in the COLR. DNBR to within limits. 6.- *M k C50r.IAtacl
' Y ^ Be in MODE 3. 6 hours m
b mole.fien Tame M Mt,f .
&""2"* y SAN ON0FRE--UNIT 3 3.1-30 AMENDMENT.NO.
RPS Instrumentation-Operating 3.3.1
- 3.3 INSTRUMENTATION 3.3.1 Reactor Protective System (RPS) Instrumentation-Operating LC0 3.3.1 Four RPS trip'and operating bypass removal channels for each Function in Table 3.3.1-1 shall be OPERABLE.
APPLICABILITY: According to Table 3.3.1-1. ACTIONS
-------------------------------------NOTES------------------------------------
- 1. Separate Condition entry is allowed for each RPS Function.
- 2. If a channel is placed in bypass, continued operation with the channel in the bypassed condition for the Completion Time specified by Required Action A.2 or C.2.2 shall be reviewed by the Onsite Review Committee.
CONDITION REQUIRED ACTION COMPLETION TIME
.l uL k
A. One or more Functions A.1 Place b""=cti=1"-it I hour with one automatic RPS wi iauie a.s.. m i n. trip channel bypass or trip. inoperable. AND Prior to A.2 Restore channel to entering MODE 2 OPERABLE status. following next MODE 5 entry (continued) J v) . SAN ON0FRE--UNIT 3 3.3-1 AMENDMENT NO.
i RPS Instrumentation-. Operating 3.3.1
.. - Table 3.3.1 1 (page 1 of 2)
( Reactor Protective System Instrumentation APPLICABLE HDDES ?* OTHER SPECIFIED SURVE!LLANCE FUNCTION CONDITIONS RLQUIREMENTS ALLOWABLE VALUE
- 1. Linear Power Level - High 1,2 SR 3.3.1.1 s 111.0% RTP SR 3.3.1.4 SR 3.3.1.6 SR 3.3.1.7 SR 3.3.1.8 SR 3.3.1.9 g SR 3.3.1.13 ,
N (p
- 2. Logarithmic Power Level - Higb(a) 2(b) $g 3,3,g,3 3 gyp SR 3.3.1.7 5R 3.3.1.9 SR 3.3.1.12 SR 3.3.1.13
- 3. Pressurizer Pressure - High 1,2 SR 3.3.1.1 s 2385 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13 4 Fressurizer Pressure - Lew(C) 1,2 SR 3.3.1.1 e 1700 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.12 SR 3.3.1.13
- 5. Containment Pressure - High
' e) 1,2 SR 3.3.1.1 SR 3.3.1.7 s 3.4 psig SR 3.3.1.9 SR 3.3.1.13
- 6. Steam Generator 1 Pressure-Low 1.2 SR 3.3.1.1 t 729 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13
- 7. Steam Generator 2 Pressure-Low 1,2 SR 3.3.1.1 e 729 psia SR 3.3.1.7 SR 3.3.1.9 SR 3.3.1.13 (continued)
(a) Trip may be bypassed when THERKAL POWER is w IE-4% RTP. Bypass shall be automatically removed when THERMAL POWER is < 1E-4% RTP. Trip may be manually bypassed during physics testing pursuant to 1.C0 N (b) When any RTCB is closed. ).I* $1 e (c) The setpoint may be decreased to a minimum value of 300 psia, as pressurfrer pressure is reduced, provided the margin between pressurizer pressure and the setpoint is maintained s 400 psia. Trips may be bypassed when pressurizer pressure is < 400 psia. Bypass shall be automatically removed when pressurizer pressure is e 472 psia. The setpoint shall be automatically increased to the normal setpoint as pressurizer pressure is increased. SM ON0FRE--UNIT 3 3.3-8 AMENDMENT N0.
.e
I l RPS Instrumentation-Operating 3.3.1 1 i t C,[.# Table 3.3.1-1 (page 2 of 2) i Reactor Protective System Instrumentation ; APPLICABLE MODES OR , DTHER SPECIFIED SURVEILLANCE FUNCTION CohDITIONS REQUIREMENTS ALLOWABLE VALUE
- 8. Steam Generator 1 Level- Low '.2 SR 3.3.1.1 e 20%
SR 3.3.1.7 ) SR 3.3.1.9 SR 3.3.1.13 i
- 9. Steam Generator 2 Level - Low 1.2 SR 3.3.1.1 a 20% !
SR 3.3.1.7 , SR 3.3.1.9 ! Sk 3.3.1.13 I
- 10. Reactor Coolant Flow- Low (d) 1.2 SR 3.3.1.1 Ramp: s 0.231 psid/sec.
R 3.3.1.7 Floor: a 12.1 psid i 3R 3.3.1.9 Step: 7.25 psid SR 3.3.1.12 SR 3.3.1.13
- 11. Local Power Density - High(d) 1.2 SR 3.3.1.1 s 21.0 kW/ft [
SR 3.3.1.3 SR 3.3.1.4 SR 3.3.1.7 , SR 3.3.1.9 SR 3.3.1.10 ; SR 3.3.1.11 SR 3.3.1.12 r ,) SR 3.3.1.13 . yJ !
- 12. Departure From Wu@ te Boiling 1.2 SR 3.3.1.1 2 1.31 ;
Ratio (DhBR) - Low 4 SR 3.3.1.2 t SR 3.3.1.3 ; SR 3.3.1.4 -f SR 3.3.1.5 SR 3.3.1.7 l SR 3.3.1.9 i SR 3.3.1.10 : I SR 3.3.1.11 SR 3.3.1.12 SR 3.3.1.13 i (d) Trip may be bypassed when THEIMAL POWER is < 1E 4% RTP. Bypass shall be automatically removed when THERMAL POWER is a 1E-44 RTP. During testing pursunfit to LCD W.. trip may be bypassed below 5% RTP. Bypass shall be automatically removed when THERMAL POWER is J 5% RTP. P U ),( . l k J l i l p? U" SAN ONOFRE--UNIT 3 3.3-9 AMENDMENT N0.
RPS Instrumentation-Operating 3.3.1 s Table 3.3.1-2 (page 1 of 1) L. Functional Units Required Action A.1
/
Process Measurement Circuit Functional Unit Bypassed f
- 1. Linear Power Linear Power Level - High (Subchannel or Linear) local Power Density - High DNER - Low
- 2. Pressurizer Pressure - High Pressurizer Pressure - High Local Power Density - High DNBR - Low
- 3. Containment Pressure - High Containment Pressure - High (RPS)
Containment Pressure High (E5F) 4 $ team Generator Pressure - Low fteam Generator Pressure - Low Steam Generator AP 1 AND 2 (EFAS 1 and 2) Steam Generator Level steam Generator Level - Low Steam Gertrator Level - High SteamGeceraterAP(EFAS)
- h. Core Protection Calculator Local Power Density - High DNBR - Low e Required Action A.2 A .. . Functional Unit Bypas ed Process Measurement Circuit 1, Linear Power Linear Power Level - High (Subchannel or Linear) Local Power Density - High DNBR - Lcw 2, Pressurizer Pressure - High Pressurizer Pressure - High Local Power Density - High DNBR - Low 3 , Containment Pressure - High ContainmentPressure-High(RPS)
Containment Pressure - High (ESF) 4 , Steam Generator Pressure - Low Steam Generator Pressure - Low Stese Generator AP 1 and 2 (EFAS 1 and 2) 5 Steam Generator Level Steam Generator - Low Steam Generator - High SteamGeneratorAP(ESFAS)
/
/
- 6. Core Protection Calculator Local Power Density - High / j
/ DNBR - Low j
-_ /~ l l
l SAN ONOFRE--UNIT 3 3.3-10 AMENDMENT NO. 1
RPS Instrumentation-Shutdoen 3.3.2
- - 3.3 INSTRUMENTATION l 3.3.2 Reactor Protective System (RPS) Instrumentation-Shutdown
- M LCO 3.3.2 Four RPS Logarithmic Power evel--High drip channels and ;
associated instrument and ypass removal channels shall be l OPERABLE. Trip channels shall have an Allowable Value of 5 .93% RTP. i APPLICABILITY: MODES 3, 4, and 5, with any reactor trip circuit breakers (RTCBs) closed and any control element assembly capable of being withdrawn.
-------- -----------------NOTE----------------- .--------
Tri ay be bypassed when THERMAL POWER is > 1E-4% RTP. B ass shall be automatically removed when THERMAL POWER 1E-4% RTP. t ACTIONS
----..-_ ----------------------------NOTE-------------------------------------
If a channel is placed in bypass, continued operation with the channel in the
) bypassed condition for the Completion Time specified by Required Action A.2 or C.2.2 shall be reviewed by the Onsite Review Committee.
CONDITION REQUIRED ACTION COMPLETION TIME A. One RPS logarithuic A.1 Place channel in 1 hour i power level trip bypass or trip. channel inoperable. AND
' - A.2 Restore channel to Prior to OPERABLE status. entering MODE 2 following next MODE 5 entry >
r (continued) ,
]
SAN ON0FRE--UNIT 3 3.3-11 AMENDMENT N0. l l
CEACs ', 3.3.3 ACTIONS
-3 REQUIRED ACTION COMPLETION TIME
- CONDITION B.2 Verify all full 4 hours B. (continued) length and part length control element assembly ! (CEA) groups are fully withdrawn and maintained fully withdrawn, except during Surveillance testing pursuant.to , SR 3.1.5.3 and SR 3.1.5.4 or for control, when CEA ; group #6 may be ! inserted to a maximum of 127.5 inches. AND B.3 Verify the "RSPT/CEAC 4 hours ; Inoperable" ! addressable constant - in each core I rotection calculator P(CPC) is set to indicate that-bee k ^F#N' . CEAQ3) apo v inoperable.
*} ,
AND B.4 Verify the Control 4 hours : Element Drive Mechanism Control System is placed in .
"0FF" and maintained in "0FF," except :
during CEA motion i permitted by Required Action B.2. AND I B.5 Perform SR 3.1.5.1. Once per 4 hours (continued) t 5 3.3-16 AMENDMENT NO. SAN ONOFRE--UNIT 3
RPS Logic and Trip Initiation 3.3.4 i (' ~ ACTIONS (continued)
COMPLETION TIME )
CONDITION REQUIRED ACTION E. Required Action and E.1 Be in MODE 3. 6 hours associated Completion Time of Condition A, AND , s B, or D not met. E.2 Open all RTCBs. l 6 hours ; 03 , One or more Functions with more than one Manual Trip, Matrix Logic, Initiation Logic, or RTCB channel ' inoperable for reasons other than Condition A or D. i
^
SURVEILLANCE RFOUIREMENTS ;
)
SURVEILLANCE FREQUENCY SR 3.3.4.1 Perfom a CHANNEL FUNCTIONAL TEST on each 31 days
""S '.;;-:; d = .;l x d RTCB channel.
SR 3.3.4./) Perfom a CHANNEL FUNCTIONAL TEST, 18 months including separate verification of the undervoltage and shunt trips, on each RTCB. i SR Once within 3.3.4/4 Perform a CHANNEL RPS Manual FUNCTIONAL TEST on Trip channel. eachprior to 7 days .i each reactor startup y / - g-- y m L_[ 3e g.s.4. z 3,A encort. r,wersooA msr Sz 3 Q en auL. R ts %c c k="4 _ A / J - l SAN ONOFRE--UNIT 3 3.3-21 l l
ESFAS Instrumentation 3.3.5 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME D. (continued) D.2 Place one affected I hour automatic trip channel in bypass and place the other in trip. E. Required Action and E.1 Be in MODE 3. 6 hours associated Completi Time not metd b-&gg 3 AND ige b Ardw 4.S p fce W M 4 Loth $8 MCead E.2 Be in MODE 4. 12 hours h w14.M,w u - s J - n, h i~ h wwwsu~sw p, M M k (< 5 U tr. I Br. W M3 (, k,,4 asAr.44p@ u- 4% T
~
Fg g w M6 Sla bw3 SURVi C[M*%D4 REQUIREMENTS SURVEILLANCE FREQUENCY m
)
SR 3.3.5.1 Perform a CHANNEL CHECK of each ESFAS 12 hours channel. SR 3.3.5.2 Perfonn a CHANNEL FUNCTIONAL TEST of each 92 days ESFAS channel, including bypass removal functions. SR 3.3.5.3 Perform a CHANNEL CALIBRATION of Function 18 months 5, Recirculation Actuation Signal, including bypass removal functions. (continued) 1 i SAN ONOFRE--UNIT 3 3.3-24 AMENDMENT NO. I
ESFAS Inst _rumentation 3.3.5 Table 3.3.51 (page 1 of 1) Engineered Safety Features Actuation System Instrumentation l APPLICABLE MODES OR i
~
0THER SPECIFIED . FUNCTION CONDITIONS ALLOWABLE VALUE
- 1. Safety In.jection Actuation SignalI *)
- a. 1,2,3 8 3.7 psig
- b. Containment Pressure - High ) l Pressurizer Pressure - Lowlb a 1700 psia ,
t
- 2. Containment Spray Actuation Signal h) '
- a. Containment Pressure - High-High 1,2,3 s 15.0 psig ,
i
- 3. Containment Isolation Actuation Signal ,
- 8. Containment Pressure - High 1,2,3 s 3.7 psig ;
4 Main Steam Isolation Signal
- a. Steam Generator Pressere - Low (C) 1,2(d) 3(d)
, t 729 psia S. Recirculation Actuation Signal !
j
- a. Refueling Water Storage Tank Level - Low 1,2,3,4 19.27% e tap span a 17.73% ;
- 6. I
( EmerebyfeedwaterActuationSignalSG#1 (EFA- . i f
- a. Steam Generator Level - Low 1,2,3 a 20%
- b. SG Pressure Difference - High g s 140 psid
- c. i Steam Generator Pressure - Low t 729 psia -
- 7. Emergency Feedwater Actuation Signal SG #2( ?
(EFAS-2) I
- a. Steam Generator Level - Low 1,2,3 e 20%
- b. SG Pressure Difference - High s 140 psid
- c. Steam Generator Pressure - Low N e 729 psfa '
(a) Automatic SIAS also initiates a Containment Cooling Actuation Signal (CCAS). (b) The setpoint may be decreased to a minimum value of 300 psia, as pressurizer pressure is reduced, provided the margin between pressurizer pressure and the setpoint is maintained s 400 psia. Trips may be bypassed n when pressurizer pressure is < 472 psia decreasing. Bypass shall be automatically removed when pressurizer . pressure is e 472 psia increasing. The setpoint shall be automatically increased to the normal setpoint as. pressurizer pressure is increased. (c) The setpoint may be decreased as steam pressure is reduced, provided the margin between steam pressure and the setpoint is maintained s 200 psi. The setpoint shall be automatically increased to the normal setpoint- : as steam pressure is increased. !
.(d) The Main Steam Isolation Signal Function (Steam Generator Pressure - Low) is not required to be OPERABLE when I all associated valves isolated by the MSIS Function are closed and de-activated. ,
(Q $MS IS f red h NAM b CcskS% 0 , SAN ONOFRE--UNIT 3 3.3-26 AMENDMENT NO. '! i i
_ . . . . __ ~. ESFAS Instrumentation 3.3.5 C Table 3.3.5-2 (page 1 of 1) O Functional Units A'ction A.1 Process Measurement Circuit Functional Unit Bypassed , Containment Pressure - High Containment Pressure - High (ESF) ,
- 3. Containment Pressurs - High (RPS)
- 2. Steam Generator Pressure - Low Steam Generator Pressure Low Steam Generator AP 1 and 2 (EFAS) ,
i
- 3. Steam Generator Level Steam Generator Level - Low ,
steam Generator Level - High i SteamGeneratorAP(EFAS) Action 8.1 Process Measurement Circuit Functional Unit Bypassed /Trippec j Containment Pressure - High ESF f
- 1. Containment Pressure Circuit Containment Pressure - High RPS
- 2. Steam Generator Pressure - Low Steam Generator Pressure - Low SteamGeneratorPressureAP(EFAS) l
- 3. Steam Generator Level - Low steam Generator Level - Low Steam Generator Level - High SteamGeneratorAP(EFAS) >
n - i a t 1 h 7 SAN ON0FRE--UNIT 3 3.3-27 AMENDMENT NO. 4
--- - - - - - . - . , ~ . _ . . - . , - . . - -, . ,- - - -.
ESFAS Logic and Manual Trip 3.3.6 ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME (d',4, ask fu C. One or more Functions C.1 gpenatleastone immediately ' with two Initiation contact in the Logic channels affected trip leg of affecting the same both ESFAS Actuation trip leg inoperable. Logics. AND C.2 Restore channels to 48 hours OPERABLE status. D. One or more Functions 0.1 --------NOTE--------- with one Actuation One channel of Logic channel Actuation Logic may inoperable. be bypassed for up to I hour for , Surveillances, provided the other channel is OPERABLE.
] .
Restore inoperable 48 hours , i channel to OPERABLE status, r E. Required Action and E.1 Be in MODE 3. 6 hours associated Completion .: Time of Conditions for AND Main Steam Isolation l Signal, Containment E.2 Be in MODE 4. 12 hours Spray Actuation
' Signal, or Emergency Feedwater Actuation Signal not met.
(continued) l i 3.3 29 AMENDHENT NO. l SAN ON0FRE--UNIT 3 m
ESFAS Logic and Manual Trip 3.3.6 i Table 3.3.6 1 (page 1 of 1) .
%- Engineered safety Features Actuation System Logic and Manual Trip Applicability FUNCT!DN APPLICABLE MODES
- 1. Safety injection Actuation Signal
- a. Matrix Logic 1,2,3
- b. Initiation Legic 1,2,3,4
- c. Actuation Logic 1,2,3,4 l
- d. Manual Trip 1,2,3,4
- 2. Containment 1 solation Actuation $lgnal
- e. Matrix Logic 1,2,3 ,
Initiation Logic 1,2,3,4 (,C /s b.
- c. Actuation Logic 1,2,3,4
- d. Manual Trip 1,2,3,4
- 3. ContainmentCoolingActuationSignal(a)
- a. Initiation Logic 1,2,3,4
- b. Actuation Logic 1,2,3,4
- c. Manual Trip 1,2,3,4
- a. Recirculation Actuation Signal
- a. Matrix Logic 1,2,3,4
- b. Initiation Logic 1,2,3,4
- c. Actuation Logic 1,2,3,4
- 5. Containment Spray Actuation SignalID)
- a. Matrix Logic 1,2,3 '
- b. Initiation Logic 1,2,3
(' c. Actuation Logic 1,2,3
- d. Manual Trip 1,2,3
- 6. Main Steam Isolation Signal
- a. Matrix Logic 1,2,3
- b. Initiation Logic 1,2,3
, c. Actuation Logic 1,2,3
- d. Manual Trip 1,2,3
- 7. Emergency Feedwater Actuation Signal SG #1 (EFAS-1)
- a. Matrix Logic 1,2,3
- b. Initiation Logic 1,2,3
- c. Actuation Logic 1,2,3
- d. Manual Trip 1,2,3
- 8. Emergency Feedwater Actuation Signal SG #2 (EFAS-2)
- a. Matrix Logic 1,2,3
;- b. Initiation Logic 1,2,3
- c. Actuation Logic 1,2,3
- d. Manual Trip 1,2,3
~ (a) Automatic SIAS also initiates CCAS. l 1 F) Automatic $1A$ also required for automatic CSAS initiation. l
% portiA5 68 **
[#) WW a8/m a up p " w 1 U : SAN ONOFRE--UNIT 3 3.3-32 AMENDMENT NO, , l I i l 2
DG-4Jndervoltage Start l 3.3.7 { SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.7.1 Perform CHANNEL CHECK. 12 hours - SR 3.3.7.2 Perform CHANNEL FUNCTIONAL TEST. 24 months SR 3.3.7.3 Perfonn CHANNEL CALIBRATION with setpoint Allowable Values as follows: 24 months
- a. Degraded Voltage Function a 4181 V and s 4275 V 7 !ix dday -t--it5 Yerond:, anu 5%-seromts at-9228-Y, and -
- b. Loss of Voltage Function a 3554 V and s 3796 V Time delay: E 0.95 seconds and-
-) s 1.05 seconds at 0 V.
SR 3.3.7.4 Verify Response Time of required DG-LOV 24 months on a channel is within 1.05 seconds. STAGGERED TEST BASIS spy $$ (SushM Meads Tw Q '. & lS*S sA Mhth ag : cuspa M. h , p *Y a =+5 $9) . . ! j ,,s c p u v,iy 6 w5 T;w Q 4. , f g b NIdNA-- C99
% is ) of-stkS) :
SAN ON0FRE--UNIT 3 3.3-35 AMENDMENT NO.
i FHIS 3.3.10 , 3.3 STRUMENTATION
- 3. 10 Fuel Handling Isolation Signal (FHIS)
- ~ '
L0 3.3.10 One FHIS channel shall be OPERABLE. .
/
hPPLICABILITY: During movement of irradiated fuel in) el handling ! building. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME l A. Actuation Logic, A.1 Place one OPERABLE Immediately Manual Trip, or fuel Handling - required channel of Building Post gaseous _ radiation Accident Cleanup . monitor inoperable System (PACU) train during movement of in operation. irradiated fuel Immediately , assemblies. g3 () A.2 Suspend movement of irradiated fuel . assemblies in the ; fuel handling i building. i r B
- _ - q SAN ONOFRE--UNIT.3 3.3-43 AMENDMENT N0. l 4
/ 3. .
___ - -- g~ SURVEILLANCE REQUIREMENTS
"'~STRVEi[ LANCE [ FREQlENCY SR 3 .10.1 Perform a CHANNEL CHECK on required FH 12 ho s radiation monitor channel. .
SR 3.3.10.2 Perform a CHANNEL FUNCTIONAL TEST on 92 ddys required FHIS radiation monitor channel. l Verify radiation monitor setpoint Allowable Values: Airborne Gaseous: 5 6E4 cpm above background i SR 3.3.10.3 -------------------NOTE-------------------- 1 Testing of Actuation Logic shall include the i actuation of each initiation relay and ; i verification of the proper operation of each _ ignition relay. l
\
} ...........................................
- g l Perform a CHANNEL FUNCTIONAL TEST on 18 mon'hs ,
i required FHIS Actuation Logic channel. ?
\ ,
\ \
-SR 3.3.10.4 Perform a CHANNEL FUNCTIONAL TEST on 18 months i
\ required FHIS Manual Trip logic. \ l
\ \
\
\
' SR 3.3.10.5 Perform a CHANNEL CALIBRATION on required 18 month FHIS radiation monitor channel.
\-
\ l Q _-
J 1-SAN ON0FRE--UNIT 3 3.3-44 AMENDMENT NO. i e i l
PAM Instrumentation ! 3.3.11 i ACTIONS (continued) CONDITION REQUIRED' ACTION COMPLETION TIME N C. ---------NOTE--------- C.1' Restore one channel 7 days l Not applicable to to OPERABLE status. hydrogen monitor channels. One or more Functions with two required channels inoperable. D. Two hydrogen monitor D.1 Restore one hydrogen 72 hours channels inoperable. monitor channel to OPERABLE status. E. Required channel of E.1 Restore required 7 days g Functions 18, 21, 24, channel to OPERABLE i I s / or 25 inoperable. status. F. Required Action and F.1 Enter the Condition Immediately associated Completion referenced in Time of Condition C, D Table 3.3.11-1 for or E not met. the channel. G. As required by G.1 Be in MODE 3. 6 hours Required Action F.1 and referenced in AND Table 3.3.11-1. G.2 Be in MODE 4. 12 hours H. As required by _ H.1 Initiate action in Immediately Required Action F.1 accordance with and referenced in Specification 5.7.2. Table 3.3.11 1.
. .f M 0 -
d SURVEQLANCEREQUIREMENTE Ah UNGFRE--Unti 3 3.3-46 AMENDMENT NO.
?
f i Source Range Monitoring Channels ! 3.3.13 3.3 INSTRUMENTATION O, '-. 3.3.13 Source Range Monitoring Channels LC0 3.3.13 Two channels of source range monitoring instrumentation ! shall be OPERABLE. l l APPLICABILITY: MODES 3, 4, and 5, with the reactor trip circuit breakers open or Control Element Assembly (CEA) Drive System not' capable of CEA withdrawal. 1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Suspend all .Immediately-channels inoperable. operations involving r positive reactivity ' additions. AND
-,)
s- A.2 Perform SDM 4 hours verification in accordance with AND SR 3.1.1.1, if
> 200'F, or Once per T '3.1.2 l if SE 12 hours T.,, 5 20 'F. thereafter A
2 , S.- up/ SAN ONOFRE--UNIT 3 3.3-52 AMENDMENT NO. l
RCS Pressure, Temperature, and Flcw Limits 3.4.1 - 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.1 RCS Pressure, Temperature, and Flow limits LCO 3.4.1 RCS parameters for pressurizer pressure, cold leg temperature, and RCS total flow rate shall be within the limits specified below:
- a. Pressurizer pressure a 2025 psia and 5 2275 psia;
- b. RCS cold leg temperature (T.):
g 1. For RTP s 30%,TI limit not aoolicableaS2tfgsT,a n 7g
'T 2. For 30% < RTP < 70%, 535 F s eT s 557'F,
- 3. For RTP a 70%, 544*F s Tc 5 557'F; and
- c. RCS total flow rate is specified by the COLR.
APPLICABILITY: MODE 1.
---__--_-_-_----__---------NOTE---- ---------_---------
Pressurizer pressure limit does not apply during:
- a. THERMAL POWER ramp > 5% RTP per minute; or
- b. THERMAL POWER step > 10% RTP.
ACTIONS COMPLETION TIME CONDITION REQUIRED ACTION i A.1 Restoreparameter(s) 2 hours , A. Pressurizer pressure j to within limit, or RCS flow rate not within limits. l ( fcont N t: B.1 Be in MODE 2. 6 hours B. Required Action and . associated Completion ! Time of Condition A l not met. I 1 I 3.4-1 AMENDHENT NO. SAN ON0FRE--UNIT 3
I RCS Pressure, Temperature, and Flow limits 3.4.1 ACTIONS (continued) REQUIRED ACTION' COMPLETION TIME CONDITION . C.1 Restore cold leg 2 hours C. RCS cold leg temperature not within temperature to within i limits. limits. D.1 Reduce THERMAL POWER 6 hours D. Required Action and associated Completion to 5 30% RTP. Time of Condition C not met. SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE Verify pressurizer pressure a 2025 psia and 12 hours SR 3.4.1.1 5 2275 psia. erify RCS cold leg temperature: 12 hours SR 3.4.1.2 J. For 30% < RTP < 70%, 535'F s T e s 557'F,
- 3. For RTP a 70%. 544*F s T,. s 557'F '
Ghr MPs 30% sto'rsTasss7'F-]
---------------------------NOTE-------------------------- 12 hours Required to be met in MODE 1 with all RCPs running.
SR 3.4.1.3 Verify RCS total flow rate is within limit specified in the COLR. t l I a 3.4-2 AMENOMENT NO. SAN ONOFRE--UNIT 3 l l
)
f RCS L:::s wCC 3 l 3.4.5
)
ACTIONS (continued) COMPLETION TlHE Q REQUIRED ACTION CONDITION Imediately C.1 Suspend all C. No RCS loop OPERABLE. operations involving a reduction of RCS O_ R boron concentration. No RCS loop in A.N,0 operation. Imediately C.2 Initiate action to restore one RCS loop to OPERABLE status and operation. SURVEILLANCE REQUIREMENTS FREQUENCY. SURVEILLANCE 12 hours SR 3.4.5.1 Verify required RCS loop is in operation. 12 hours SR 3.4.5.2 Verify secondary s e water level in each steam generator a % (wide range). O 7 days SR 3 4.5.3 Verify correct breaker alignment and indicated power available to the required pump that is not in operation.
~
AMENDHENT NO. SAN ONOFRE--UNIT 3 3.4-10 I
l RCS Loops -MCCE 4 ! 3.4.6 ( SURVEILLANCE REQUIREMENTS D '- SURVEILLANCE FREQUENCY Verify at least one RCS loop or SDC train 12 hours SR 3.4.6.1 is in operation. Verify secondary side water level in 12 hours SR 3.4.6.2 (wide range). required SG( is t 1 50 Verify correct breaker alignment and 7 days SR 3.4.6.3 indicated power available to the required pump that is not in operation.
. .. )
=-
J 3.4-13 AMENDMENT NO. SAN ONOFRE--UNIT 3 e
RCS Loops -HODE 5. Lceps Filled 3.4.7 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.7 RCS Loops-MODE 5. Loops Filled At least one of the following loop (s)/ trains listed below LC0 3.4.7 shall be OPERABLE and in operation:
- a. Reactor Coolant Loop 1 and its associated steam generator and at least one associated Reactor Coolant Pump
- b. Reactor Coolant Loop 2 and its associated steam generator and at least one associated Reactor Coolant Pump
- c. Shutdown Cooling Train A
- d. Shutdown Cooling Train B One additional Reactor Coolant Loop / shutdown cooling train shall be OPERABLE, or The secondary sid water level of each steam generator sha.11 be greater than (wide range).
/3 so
----------------------------NOTES------------------ --------
All reactor coolant pumps (RCPs) and pumps prov iding 1. shutdown cooling may be de-energized for 51 hour per 8 hour period, provided:
- a. No operations are pennitted that would cause .
reduction of the RCS boron concentration; and
- b. Core outlet temperature is maintained at least 10'F below saturation temperature. ,
- 2. One required SDC train may be inoperable for up to 2 hours for surveillance testing provided that the other SDC train or RCS loop is OPERABLE and in operation.
- 3. One required RCS loop may be inoperable for up tg_2 :
hours.for surveillance testing provided that the other RCS loop or SDC train is OPERABLE and in operation. l
------------------------------------------------(continued) e 3.4-14 AMENDHENT NO.
SAN ONOFRE--UNIT 3
-he
RCS Loops-HOCE 5. Loops Filled 3.4.7 ACTIONS (continued) COMPLETION TIME CONDITION REQUIRED ACTION i
-_ l Suspend all Immediately B. No SOC train 7RCS loop B.1 operations involving l in operation l reduction in RCS '
boron concentration AND Immediately B.2 Initiate action to restore required SDC train /RCS loop to operation SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE Verify at least one RCS loop or SDC train 12 hours SR 3.4.7.1 is in operation. Verify required SG secondary side water 12 hours SR 3.4.7.2 le is a (wide range).
'a3 61)
Verify correct breaker alignment and 7 days SR 3.4.7.3 indicated power available to the required pump that is not in operation. 3.4-16 AMENDMENT NO. SAN ONOFRE--UNIT 3' f
LTOP System 3.4.12.1 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.12.1 Low Temperature Overpressure Protection (LTOP) System RCS Temperature 5 LTOP Enable Temperature [ g geyssm'ggr A l (,65G N o n S W L A b k ~ LC0 3.4.12.1 No more than two high pressure safety injection pumps shall be OPERABLE, the safety injection tanks shall be isolated , and at least one of the following overpressure protection systems shall be OPERABLE:
- a. The Shutdown Cooling System Relief Valve (PSV9349) with:
- 1) A lift setting of 406 i 10 psig Relief Valve isolation valves V9337,[HV9339, 2)
V9377, and HV9378 open, 3 3 or,
- b. The Reactor Coolant System depressurized with an RCS vent of greater than or equal to 5.6 square inches.
APPLICABILITY: MODE 4 when the temperature of any one RCS cold leg is less than or equal to the enable temperatures specified in the PTLR, MODE 5, and MODE 6 when the head is on the reactor vessel.
........................_.. NOTES-------.------ ------.--.---
@ 4p/
- 1. The SDCS Relief Valve lift setting assumes valve temperatures less than or equal to 130*F.
g _
- 2. SIT isolation kis only required when SIT pressure is g g h /4t. .
greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed by the P/T
$741 U.M4I limit curves provided in the PTLR.
3.4-23 AMENDMENT NO. SAN ONOFRE--UNIT 3
LTOP System 3.4.12.1
"~
ACTIONS COMPLETION TIME CONDITION REQUIRED ACTION A.1 Initiate action to Imediately A. With more than two HPSI pumps capable of verify a maximum of injecting into the two HPSI pumps RCS. capable of injecting into the RCS B.1 Isolate affected SIT. I hour B. SIT pressure is greater than or equal ag;lP _ ) to the maximum RCS OR pressure for existing _ Depressurize affected 12 hours l cold leg temperature .,Jkf* l
- allowed in the PTIR. _ g,/ SIT to less than the maximum RCS pressure l g,
g ggj p for existing cold leg l b,## I'" temperature allowed
@ . d8 in the PTLR.
g M/N#N 8 #/ #8/ 1 Open the closed 24 hours p / With one or both SDCS valve (s). Relief Valve isolation valves in a single SDCS Relief Valve OR isolation valve pair 24 hours pair 34 V9337 .2 Power-lock open the (valv and V9339 or valve [F OPERABLE SDCS Relief Valve isolation valve pairJAV9377 and pair. 3 A V9378) closed. (continued) { 3.4-24 AMEN 0HENT NO. SAN ONOFRE--UNIT 3
LTOP System ! 3.4.12.1 l
; ACTIONS (continued)
REQUIRED ACTION COMPLETION TIME CONDITION Reduce T 8 hours [ / SDCS Relief Valve " than2007,toless 1 inoperable. depressurize RCS and g ! establish RCS vent of a 5.6 square inches. Required Action and associated Completion Time of Condition A. g or #, not met. m LTOP System inoperable for any reason other ' an Condition A,
, or D.
0 1 3.4-25 AMENOMENT NO. SAN ONOFRE--UNIT 3
_ d-LTOP System 3.4.12.1 SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE '3-SR 3.4.12.1.1 ------------------NOTE-------ifying that A HPSI pump is secured by ver its motor circuit breaker is not racked-in, or its discharge valve is locked closed. The requirement to rack out the HPSI pump breaker is satisfied with the pump breaker racked out to its disconnected or test position. 12 hours Verify a maximum of two HPSI pumps are capable of injecting into the RCS. r SR 3.4.12.1.2 ----.--.- -------. NOTE------------lying Required to be performed when comp with LCO 3.4.12.1 Note 2. Verify each SIT is isolatedj ar dp D
- 12 hours l~t f h n & A 2 9 72 4 & j./
-12 hours for Verify RCS vent t 5.6 square inches is SR 3.4.12.1.3 unlocked op(en open when in use for overpressure ventvalves) protection.
bh0 31 days for locked, sealed, or otherwise secured open -t ventvalve(s). or open flanged RCS penetrations (continued) P AMENDMENT NO. 3.4-26 SAN ON0FRE--UNIT 3
l LTOP System I 3.4.12.1 (continued) FREQUENCY SURVEILLANCE REQUIREMENTS f __
~ SURVEILLANCE
}
---NOTE -------- --..----
SR 3.4.12.1.4 -------k The power-loc open requirement is satisfied open for valve eitherpair with the AC breakers i
$26V9337 andyV9339 or the inverter input and output breakers open for valve pair 3fhV9377 and326V9378, whichever valve pair is OPERABLE....................
12 hours The OPERABLE valve pair SDCS and (valve pair &2fiV9337 Relief Valve isolation 3,2hV9339, or valve pairJffiV9377 and 3,28V9378) that is used for overpressurep Valve isolation valve pair being INOPERABLE power-lock open condition shall beuntilverified the' to be in the INOPERABLE valve pair is returned SDCS Relief Valve to OPERABLE status isolation or the RCS is depressurized and vented. - 72 hours Verify that SDCS Relief Valve isolation SR 3.4.12.1.5 valvesMliV9337,32RV9339,J/HV9377, and jg2HV9378 are open when the SDCS Relief Valve is used for overpressure protection. _ In accordance Verify SOCS Relief Valve Setpoint with the SR 3.4.12.1.6 Inservice Testing Program AMENDMENT NO. 3.4-27 SAN ONOFRE--UNIT 3 - t r-,-
LTOP System l 3.4.12.2 l n. ACTIONS. REQUIRED ACTION COMPLETION TIME CONDITION A.1 Be in MODE 5 and vent 8 hours l A. No pressurizer code the RCS through a safety valves OPERABLE. greater than or equal to 5.6 square inch AND vent. The SOCS Relief Valve INOPERABLE. SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY
--------------------Note-------------------
Only required when the SOCS Relief Valve is being used for overpressure protection. 72 hours b SR 3.4.12.2.1 Verify that the SDCS Relief Valve isolation valves 3HV9337, 3HV9339, T 3HV9377, and 3HV9378 are open. b 9 1 Verify relief valve setpoint. In accordance SR 3.4.12.2.2 with the Inservice Testing Program on 24 hours b.W,Hres.</*MGKS '8*lNgas) dosed pa.m vatupaa4an vava ;98
- ie a tingis sucs Reuf kiw isolatieb vahtyzin/vatwpair 8,2 lW-loak qsw Jgj,,,3 3HV9337and 3W9139ce salve. ACPO4845MS ptie 3Wf377and 3MW378ahu/ }lefje t&Gie, &lar%f t
/wh 4
3.4-29 AMENDMENT NO. SAN ONOFRE--UNIT 3
RCS ?!i _eaa ;e 3.4.14 Table 3.4.14-1 REACTOR COOLANT SYSTEM PRESSURE ISOLATION VAL SECTION A W VALVE DESCRIPTION VALVE NUMBER HPSI Check to Loop f1A S$204MUO18 HPSI Check to Loop #18 < 204MUO19 HPSI Check to Loop #2A 204MUO20 HPSI Check to Loop #2B S 204MUO21 Hot leg injection to loop #1
@ 204MU152 S 1204MU156 Hot leg injection to loop #2 Hot leg injection check 1204MU157 Hot leg injection check -
1204MU158 SDC Suction Isolation EniV-9337 SDC Suction. Isolation ;
/JHV-9339 SDC. Suctiort Isolation
$3HV-9377 SDC Suction Isolation
/3HV-9378 SECTION B VALVE DESCRIPTION VALVE NUMBER LPSI Check to Loop f1A 204MUO72 LPSI Check to Loop #1B 204MUO73 LPSI Check to Loop #2A 204MUO74 LPSI Check to Loop #2B 1204MUO75 Cold leg injection to loop f1A 1204MUO27* Cold leg injection to loop #18 204MU029' Cold leg injection te loop #2A 204MUO31* Cold leg injectic: to loop #2B 204MUO33*
SIT T008 Check 204MUO40 SIT T007 Check l 204MUO41 SIT 1009 Check , 204MUO42 SIT T010 Check 204MUO43 i
- Redundant to LPSI and SIT checks AMENDMENT NO.
3.4-36 SAN ONOFRE--UNIT 3 l \
RCS Specific Activity 3.4.16 3.4 REACTOR COOLANT SYSTEM (RCS) k 3.4.16 RCS Specific Activity LCO 3.4.16 The specific iodine activity of the reactor coolant shall be , limited to:
- a. DOSE EQUIVALENT I-131 specific activity 5 1.0 gCi/gm; and
- b. Gross specific activity 5 100/E pCi/gm.
MODES 1 and 2, P APPLICABILITY: MODE 3 with RCS average temperature (T ,,) a 500'F ACTIONS REQUIRED ACTION , COMPLETION TIME CONDITION
- - - - - - NOTE - - - - -
A. DOSE EQUIVALENT I-131 :
> 1.0 pCi/gm. The provisions of Specification 3.0.4 are not
- 5 $* --- _(
Verify DOSE Once per 4 hours A.1 EQUIVALENT I-131 within the acceptable region of Figure 3.4.16-1.
' AND A.2 Restore DOSE 48 hours EQUIVALENT I-131 to within limit.
(coiTrinued) i f
' SAN ONOFRE--UNIT 3 I
l i
T . _ . _ . . Con'.6inmeni Air Locks 3.6.2 COMPLETION TIME CON 51 TION. , REQUIRED ACTION Verify the OPERABLE 1 hour A.1
-A. (continued) - N door is closed in the affected air lock.
AND Leck the OPERABLE 24 hours A.2 door closed in the affected air lock. AND A.3 --------NOTE--------- Air lock doors in high radiation areas may be verified. locked closed by administrative means. Verify the OPERABLE Once per 31 days door is locked closed ' in the affected air lock. B. One or more
------------NOTES------------ ;
Required Actions B.1,
~
containment air locks 1. B.2, and 8.3 are not with containment air applicable if both doors lock interlock in the same air lock are j mechanism inoperable. inoperable and f Condition C is entered. l
- 2. Entry and exit of l containment is '
permissible under the MS' control of a dedicated s individual . ..... c...................... 3.% OMWie owJ w Ltc 2.c4 ass- (continued) O d y Lic.4 Sta. l AMENDHENT NO. .. SAN ONOFRE--UNIT g3 3.6-4 1 i
m
. . _ . _ . _ . . . _ . . _ . .._..__.....s..._....__...___.__ . . . _ _ . . . . .
L............._._....--- Containment Iso htion Valves 3.6.3 l
. J ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME D. (continued) D.2 --------NOTE---------
Valves and blind flanges in high radiation areas may be verified by use of administrative means. Verify the affected Once per 31 days penetration flow path for isolation is isolated. devices outside containment ! l AND Prior to L entering MODE 4 from MODE 5 if not performed ; within the ' L
' previous 92 days for isolation devices inside containment .
AND f D.3 Perform SR 3.6.3.6 Once per for the resilient 184 days , seal purge valves closed to comply with Required Action D.1. t t E. One or more Section E.1 Secure the inoperable 4 hours D.1 containment valve (s) in its ESFAS actuated position. (; u,mt c. eld isolationvalve(s) g l inoperable, p gg AND ,g E.2 Restore the Prior to^entTy inoperable valve (s) L L .-;0Di 5, e I* % to OPERABLE status. 30 days, J.;am.m. is h'h wi
& rt:r, v.} v SAN ONOFRE--UNIT 3 3.6-11 AMENDMENT'NO. :
r 4
.- . . - . - . - . . - . . -. .- j l
Containment Isolation Valves 3.6.3 I SURVEILLANCE REQUIREMENTS
------------------------------------NOTE-------------------------------------
- 1. Section A, B, C, D, and E isolation valves are located in the LCS.
SURVEILLANCE FREQUENCY SR 3.1 31 days Veri ach 42 inch purge valve is sealed closed except for one purge valve in - a penetration flow path while in Condition D of this LCO. SR 3 .2 f erifyWch 8 inch purge valve is closed except when 31 days the 8 inch purge valves are open for pressure control, ALARA or air quality considerations for personnel entry, or for Surveillances that require the valves to be open. J SR 3.6.3.3
------- ---------NOTE--------------------
7"~ Valves and blind flanges in high radiation areas may I be verified by use of administrative means. IVerifyeachcontainmentisolationmanualvalveand 31 days blind flange that is located outside containment and is required to be closed during accident conditions is closed, except for containment isolation valves that u are open under administrative controls. (continued) SAN ON0FRE--UNIT 3 3.6-13 AMENDMENT NO. E
=
l Containment Isolation Valves 3.6.3 sm I SURVEILLANCE FREQUENCY SR 3.6.3.4
--------- --------NOTE------ - -------------
vel.us and blind flanges in high radiation areas may be verified by use of administrative means. I. _. ..___ _...______.____._________._..___.. Verify each containment isolation manual valve and Prior to lind flange that is located inside containment and entering MODE 4 required to be closed during accident conditions is from MODE 5 if . c]osed, except for containment isolation valves that not performed de open under administrative controls. within the previous 92 days SR 3.6.3.5 In accordance er e isolation time of each Section A and B with the power operated and each automatic containment Inservice isolation valve is within limits. Testing Program SR 3.6.3.6
- ------ -------NOTE--------------------
Resul s s all be evaluated against acceptance criteria of SR 3.6.1.1 in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions. Perform leakage rate testing for containment purge 184 days jvalves with resilient seals. AND Within 92 days after opening the valve (continued) SAN ONOFRE--UNIT 3 3.6-14 AMENDMENT NO. e
Containment Isolation Valves 3.6.3
. m,.
-1 SURVEILLANCE FREQUENCY SR 3.6.3.7
---- ----------NOTE--------------------
he provisions of the' Inservice Testing Program are not applicable when the valves are secured open. Verify each Section D1 and 02 containment isolation In accordance valve is OPERABLE. with the Inservice Testing Program and those SRS associated with those Specifications pertaining to each valve or system in which it is installed. SR 8 24 months Veri fy ch Section A, B, C, and E automatic containment isolation valve actuates to the isolation position on an actual or simulated actuation signal. SAN ON0FRE--UNIT 3 3.6-15 AMEljDMENT NO. : m
. . . . . . - . - - ~ - _ _. . _ _ _. t A0ys , 3.7.4 I 4 3.7 PLANT SYSTEMS :
* ' 3.7.4 Atmospheric Dump Valves (ADVs)
One ADV per required Steam Generator (SG) shall be OPE LCO 3.7.4 , i APPLICABILITY: MODES 1, 2, and 3 MODE 4 when steam generator is being r removal. : ACTIONS COMPLETION TIME CONDITION REQUIRED ACTION l i A.1 _. -----NOTE--------- - A. One required ADV LCO 3.0.4 is not i inoperable. applicable.
.h 72 hours Restore ADV to ,
OPERABLE status. ; 24 hours B.1 Restore one ADV to B. Two ADVs inoperable. OPERABLE status. t k Restore backup 72 hours Backup nitrogen gas C.1 C. nitrogen gas supply supply syst.em capacity system capacity r s 8 hours Jerecch #DV ddth ADY (continued) l
?
'l 4
l l AMENDMENT NO. U SAN ON0FRE--UNIT 3 3.7-7 f l i
CCW Safety Related Hakeup System 3.7.7.1 ACTIONS COMPLETION TIME REQUIRED ACTION '9- CONDITION
~
6 hours C.1 Be in MODE 3. C. Required Ac'tions and associated Completion . AND Times of Conditions A @j-hours or B not met. C.2 Be in MODE 5. 36 - ; SURVEILLANCE REQUIREMENTS FREQUENCY SURVEILLANCE r 7 days SR 3.7.7.1.1 Verify the contained water. volume in thePrim its limits. _ In accordance with inservice
-- SR 3.7.7.1.2 ' Verify each CCW Safety Related Makeup testing program on recirculation flow. _
24 months SR 3.7.7.1.3 Measure CCW Leakage. = d AMEN 0 MENT NO. 3.7-19 l
' " SAN ON0FRE--UNIT 3
% __ _ - =. . . _ _, Fuel Handling Building Post dccident Cleanup Filter System 3.7.14 l l 3.7 PLANT SYSTEM 3.7.14 Fuel Handli Building Post-Accident Cleanup Filter System LCO 3.7.14 Two Fu Handling Building Post-Accident Cleanup Filter System ains shall be OPERABLE. ; APPLICABILITY: During movem t of irradiated fuel assemblies in the fuel building. ACTIONS CONDITION QUIRED ACTION COMPLETION TIME A. One Fuel Handling A.1 Re pre fuel Handling 7 days Building Post-Accident Build'ng - Cleanup Filter System Accide t , lea up train inoperable. Filter " tem rain to OPERAB tus.
) Imediately B. Required Action and B.1 Place OPERAB Fuel Associated Completion Handling Bui ng Time of Condition A Post-Accident leanup not met during Filter System <ain movement of irradiated in operation.
fuel assemblies in the Imediately fuel building. OR B.2 Suspend movement of irradiated fuel assemblies in the fuel building.
*2 4,
AMENDMENT NO. SAN ONOFRE--UNIT Q pp 3.7-28 te 30 b M Tr w M y W b L
-, e = g ,-,-- _ _ _ x w: , . ..-.:..-..
. .w......._,..; _._. . . . . - . _ . -
FueiHanl ling Building Post-Accident- Cleanup Filter System 3.7.14 ACTIONS -(continued)
-~
CONDITION COMPLETION TIME
\REQUIREDACTION C. Two Fuel Ha'n'dling C.1 spe ovement of Immediately Building Post-Accident ir d ate fuel Cleanup Filter System asse lies 'n the trains inoperable fuel 'ldi g.
during movement of irradiated fuel . assemblies in the fuel building.
\ .
4 4
% .2 v
4 f*.
- SAN ONOFRE--UNIT 3.7-29 AMENDMENT NO.
m____.__.-- -
...--.._: . .m- =.m _.-. . . _ _ . _ - _ . _ _ . . . m. .:-.-__ _o-a._
Fuel Handling Building Post-Accident Cleanup Filter System 3.7.14 r SURVEILLANCE REQUIREMENTS (G .;/ - i - i SU EILLANCE FREQUENCY SR 3.7.14.1 Operate each el Handling Building Post- 31 days o.n a Accident Cleanu Filter System train for STAGGERED TEST . t 10 continuous ours 'with the heaters BASIS , operating. SR 3.7.14.2 Perform required Fuel ling Bu iding In accordance-Post-Accident Cleanup Fi er System filter with the VFTP testing in accordance with he V itilation . Filter Testing Program (V TP . ! k SR 3.7.14.3 Verify each Fuel Handling Bu ding. Post- 24 months Accident Cleanup Filter Syste train' - actuates on an actual or simul ted . actuation signal. G t
,Y e W SANONOFRE--UNITb(,h 3.7-30 AMENDMENT NO.
C Iw:es-::ri: : 3.3.. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME Required Action and F.1 Be in MODE 3. 6 hours F. Associated Completion Time of Condition A, A_ND B, C, D, or E not met. F.2 Be in MODE 5. 36 hours Three or more required G.1 Enter LCO 3.0.3. Immediately G. AC sources inoperable. SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY:
- 2. A 1 SR 3.8.1.1 ----------- -------N ES---[--------------
- 1. Buses 04 and 1 are equired when unit crosstie breaker 0416 is used to provide a sour e o AC power.
A b
- 2. Buses h06 and h2 are[ required when unit crosstie breaker R0603 is used to provide a source of AC power.
O verifv correct breaker alignment and 7 days N AM eaten power availability for each required offsite circuit. (continued) SAN ONOFRE--UNIT 3 3.8-4 AMENDMENT NO.
AC Scu-:es -::e 3: ; 3.5.1 SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY SR 3.8.1.3 --------------.----NOTES-------------....--
- 1. DG loadings may include gradual '
loading as recommended by the manufacturer.
- 2. Momentary transients outside the load range do not invalidate this test.
- 3. This Surveillance shall be conducted on only one DG at a time.
- 4. This SR shall be preceded by, and immediately follow without shutdown, a successful performance of SR 3.8.1.2 or SR 3.8.1.7.
Verify each DG is synchronized and loaded, As specified'in an rates for a 60 minutes at a load Table 3.8.1 1 a - kW and s 4700 kW. on a staggered
**'* i' 45C)
SR 3.8.1.4 Verify each day tank contains a(125 gal)of 31 days fuel oil. ' {30 lnc/tti SR 3.8.1.5 Check for and remove accumulated water from 31 days each day tank. l SR 3.8.1.6 Verify the fuel oil transfer system 31 days operates to automatically transfer fuel oil from storage tank to the day tank. I (continue: l l l l SAN ONOFRE--UNIT 3 3.8-6 AMEN 0 MENT NO.
C Sce:es -::s m ; 3.5.i SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY SR 3.8.1.9 -------------------NOTE------------------- Credit may be taken for unplanned events that satisfy this SR. Verify each OG, when operating with design - basis kW loading and maximum kVAR loading permitted during testing, rejects a load a 682 kW, and: 24 months
- a. Following load rejection, thL -
- 66.~lS frequency isu on nz angs@Hz;
- b. Within 4 seconds following load rejection, the voltage is a 3924 V and s 4796 V; and
- c. Within 4 seconds following load rejection, the frequency is a 58.8 Hz and 5 61.2 Hz.
SR 3.8.1.10 -------------------NOTE------------------- Credit may be taken for unplanned events that satisfy this SR. Verify each DG, when operating with design basis kW loading and maximum kVAR loading permitted during testing, does not trip and voltage is maintained s 5450 V du and 24 months following a load rejection of a kW and s 4700 kW. 3Id3 'a I (continuec) l SAN ONOFRE--UNIT 3 3.8-8 AMENDNENT NO.
i f AC sources -::e-n ; ; 3.5.1 l l SURVEILLANCE REQUIREMENTS (continued) 1 SURVEILLANCE FREQUENCY SR 3.8.1.14 -------------------NOTES-------------------
- 1. Momentary transients outside the load and power factor ranges do not invalidate this test.
- 2. Credit may be taken for unplanned events that satisfy this SR.
Verify each DG, when operating with the maximum kVAR loading permitted during testing, operates for a 24 hours: 24 months
- a. For a 2 hours loaded a 4935 kW and 5 5170 kW; and
- b. For the ing hours of the test '
loaded a kW and s 4700 kW. 4460 SR 3.8.1.15 ---.---------------NOTES----------------..-
- 1. This Surveillance shall be performed within 5 minutes of shutting down the DG after DG has operated a 2 hours loaded a kW and s 4700 kW.
QSO Momentary transients outside of load range do not invalidate this test.
- 2. All DG starts may be preceded by an engine prelube period.
Verify each DG starts and achieves, in s 10 seconds, voltage a 3924 V and 24 months s 4796 V, and frequency a 58.8 Hz and s 61.2 Hz) ond opd5 g sg m;ng}ti, (continue: 3.8-11 AMENDMENT N0. SAN ONOFRE--UNIT 3
D esi :se: D ' , u::e :- , 3rc s u m ng 2., 3,3.3 3.8 ELECTRICAL POWER SYSTEMS 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air LCO 3.8.3 The stored diesel fuel oil, lube oil, and starting air subsystem shall be within limits for each required diesel generator (DG). i APPLICABILITY: When associated DG is required to be OPERABLE. ACTIONS
.........................__..........N0TE..---..-......-.-.....-...-
Separate Condition entry is allowed for each DG. REQUIRED ACTION COMPLETION TIME CONDITION 1 A. One or more DGs with A.1 Restore fuel oil 48 hours fuel level 99 */o level to within
< 'C,'2' [' and limits. '
3storage
":,0:0 tank
;;'Qg g -
g 4 man or more DGs with B.1 Restore lube oil 48 hours B. O lub oil inventory inventory to within . INS l kla'y'[^ 3 a n T,x _ ;;- 3 '"n 5y
. W. ' m ! -
_ i_E' L~l .. _ _ . !! _.. m e
.1 Restore fuel oil 7 days p g One or more DGs with total particulates to stored fuel oil total within limits, particulates not within limits.
(continued) 3.8-20 AMENDMENT NO. SAN ONOFRE.. UNIT 3
l 4 e If $
*7 ', { m.
,, 4 C. One required DG with C.1 Restore fuel oil urs fuel level in the level to within storage tank <72% and limits *
>63% during Mode 5 or 6.
i
)
1 I i i l l
- >ese: Fael Oil, Late Oi ', a .: i : 3 ~. - ; :-
3.3.3 ACTIONS (continued) REQUIRED ACTION COMPLETION TIME CONDITION (g.OneormoreDGswith h A .1 Restore stored fuel 30 days new fuel oil oil properties to properties not within within limits. limits. 8 g. One or more DGs with g.1 Restore starting air 48 hours starting air receiver receiver pressure to pressure < 175 psig a 175 psig. and a 136 psig. &# Required Action and 6I'.1 Declare associated OG Imediately associated Completion inoperable. Time of Condition A, , B, C, D,*or E not met. F e 's One or more DGs with diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than ConditionA,B,C,D,6, or d. F SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY 31 days SR 3.8.3.1 Verify each, fuel, oil storage tank contains
~a .
7 31 % hetlIn N U l ekt3,or4 AM( l (continueci tr 727. Isel so M*4.t 6or 6 . j 3.8-21 AMENDMENT NO. SAN ON0FRE--UNIT 3 l
i 3:ese' .e' :i., . te :- , 1-: :3 , ,; : - - 3.B.3 l SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY Verify lubricating oil inventory is $2-- 31 days SR 3.8.3.2 Jr14 gai Tor the 20 cyiincer engine and Le 170 aal for the 16 cylinder encine-b bredn llN. 3.8.3.3 Verify fuel oil properties of new and In accordance SR stored fuel oil are tested in accordance with the Diesel with, and maintained within the limits of, Fuel Oil the Diesel Fuel Oil Testing Program. Testing Program Verify each DG air start receiver pressure 31 days SR 3.8.3.4 is a 175 psig. I SR 3.8.3.5 Check for and remove accumulated water from 31 days each fuel oil storage tank. , SR 3.8.3.6 For each fuel oil storage tank: 10 years
- a. Drain the fuel oil;
- b. Remove the sediment; and
- c. Clean the tank.
l l 4 l l 3.8-22 AMENDMENT NO. SAN ONOFRE--UNIT 3 l l _._____________________j
CC Scurces -Ccermn; f 3.8.4 1 l 3.8 ELECTRICAL POWER SYSTEMS I 3.8.4 DC Sources-Operating l LC0 3.8.4 The Train A, Train B, Train C, and Train D DC electrical ! power subsystems shall be OPERABLE. l APPLICABILITY: MODES 1, 2, 3, and 4. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME f Tram A er Trash & Restore DC electrical 2 hours A. -4ee battery or A.1 associated control power subsystem to equipment or cabling OPERABLE status. inoperable. . C. p.1 Be in MODE 3. 6 hours { g. Required Action and Associated Completion Time not met. AND 0 ib #2 Be in MODE 5. 36 hours d or b P p. One required battery ------------NOTE------------ charger or associated Entry into MODE 1, 2 or 3 per control equipment or LCO 3.0.4 is not allowed, cabling inoperable. except during power reductions. Verify battery cell I hour T 1 parameters meet J. , gp ( Table 3.8.6-1 Category A limits. AND
%s Once per ,
8 hours , thereafter (continued) SAN ON0FRE--UNIT 3 3.8-23 AMENDMENT NO.
y B. Train C or Train 8.1 Restore DC 72 hours D battery or electrical power associated subsystems to control equipment OPERABLE status. or cabling inoperable. t
;C Sources -;;e-w ; ;
,3.3.4 ACTIONS (continued) i REQUIRED ACTION COMPLETION TIME CONDITION Declare associated Immediately Required Action and 1 associated Completion battery inoperable. .,
Time of Condition / n not met. F ' l SURVEILLANCE REQUIREMENTS + SURVEILLANCE FREQUENCY I 7 days- b SR 3.8.4.1 Verify battery terminal voltage is a 129.V on float charge. t . Verify no visible corrosion at teminals 92 days j SR 3.8.4.2 and connectors. OR Verify connection resistance is ! s 150x10 ' ohn for inter-cell connections, i s 150x10-8 ohm for inter-rack connections, , s 150x10-' ohm 'for inter-tier connections, i and s 150x108 ohm for terminal connections. l t Verify cells, cell plates, and battery. 24 months SR 3.8.4.3 racks show no visual indication of physical I damage or abnormal deterioration. 1 (continued). t l l SAN ONOFRE--UNIT 3 3.8 AMEN 0 MENT NO.
DC Sources -Operating 3.8.4 SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY a SR 3.8.4.4 Remove visible terminal corrosion, verify 24 months cell to cell and terminal connections are clean and tight, and are coated with i anti-corrosion material. I SR 3.8.4.5 Verify connection resistance is 24 months j s 150x108 ohm for inter-cell connections, / s 150x10-8 ohm for inter-rack connections, ; 5 150x10-8 ohm for inter-tier connections, ! and s 150x10-8 ohm for tenninal connections. SR 3.8.4.6 --------------------NOTE------------------- ' Credit may be taken for unplanned events that satisfy this SR. Verify each battery charger supplies 24 months a 300 amps at a 125 V for a 12 hours. SR 3.8.4.7 -------------------NOTES------------------- ;
- 1. SR 3.8.4.8 may be pe ormed in lieu of j SR 3.8.4.7 once per months.
Q
- 2. Credit may be taken for unplanned events that satisfy this SR.
Verify battery capacity is adequate to 24 months supply, and maintain in OPERABLE status, the required emergency loads-for the design duty cycle when subjected to a battery service test. l l (continued) l U 3.8-25 AMENDMENT NO. SAN ONOFRE--UNIT 3 \ i i i
- C S c a r e s ~.: + 3 . ;
3.3.2 SURVEILLANCE REQUIREMENTS (continued) SURVEILLANCE FREQUENCY 1 SR 3.8.4.8 ----..-.---....--.-.N0TE----------------.-- Credit may be taken for unplanned events that satisfy this SR. ryg Verify battery capacity is e 80% of the ((flmonths manufacturer's rating when subjected to a performance discharge test. ANQ
-----NOTE------
Only applicable when battery shows degradation or has reached 85% of the expected life 12 months SAN ONOFRE.-UNIT 3 3.8-26 AMENDMENT NO.
- n.e- e-: '.:+ n :
). i.'
3.8 ELECTRICAL POWER SYSTEMS
~
inverters - Ope rati ng (e, P rdm b 6Y ffdD1 [> 3.8.7 LC0 3.8.7 The required' Train A, Train B, Train C, and Train 0 p inverters sholl be OPERABLE. One inverter (either ------------- ---------------NOTE---------------------------- Train C or Train D) may be disconnected from its OneinverterdmaybedisconnectedfromitsassociatedDCbus associated vital bus for for 5 24 hours to perform an equalizing charge on its s72 hours to perform an associated battery, provided: equalizing charge on The associated AC vital bus is energized from the its associated battery a. Class 1E constant voltage source transfomer; and provided all other AC vital buses for the b. All other AC vital buses for the remaining trains are
- remaining trains are energized from their associated OPERABLE inverters.
energized from their ~~-----~~~~~~~~--~~-~--~~~~~----~-------~~~~~~-~~~~~~----~~- associated OPERABLE ynverters. APPLICABILITY: MODES 1, 2, 3, and 4. - ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME
------------NOTE------------
Enter applicable Conditions {y$M A# and Required Actions of j$ LC0 3.8.9 with one AC vital bus de-energized. A. One required inverter A.1 Power AC vital bus 2 hours inoperable. - from its Class 1E constant voltage source transformer. 8.@. A.2 Restore inverter to 24 hours OPERABLE status. (continued) SAN ONOFRE--UNIT 3 3.8-34 AMENDMENT NO.
- n +-sers -::e 3:
- j. 3.'
ACTIONS (continued) CONDITION REQUIRED ACTION COMPLETION TIME 97 Required Action and s&.1 Be in MODE 3. 6 hours ,ar. associated Completion CL, (L Time not met. AND 36 hours 4 CeMih A or h #2 Be in MODE 5. C'. SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY 3.8.7.1 Verify correct inverter voltage and 7 days SR alignment to required AC vital buses.
--------NOTE---------
Enter applicable Conditions and Required Actions of LC0 3.8.9 with one AC vital bus de-energized. One required 8.1 Restore inverter 72 hours B. Train C or Train to OPERABLE D inverter status. inoperable. L _ 3.8-35 AMENDMENT NO. SAN ONOFRE--UNIT 3
Distribation Systems -Operating 3.8.9 3.8 ELECTRICAL POWER SYSTEMS 3.8.9 Distribution Systems-Operating LC0 3.8.9 Train A and Train 8 AC; Trains A, B, C, and D DC; and Trains A, B, C, and D AC vital bus electrical power distribution subsystems shall be OPERABLE. APPLICABILITY: MODES 1, 2, 3, and 4. ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One AC electrical A.1 Restore AC electrical 8 hours power distribution power distribution ' subsystem inoperable. subsystem to OPERABLE
]Q status.
Thtset A orTr dir 8 B. AC vital bus B.1 Restore AC vital bus 2 hours inoperable. subsystem to OPERABLE status. (TrWirl8ofTrdM$ ;Q.1 Restore DC electrical 2 hours pe 4a oC electricai r power distribution power distribution subsystem inoperable, subsystem to OPERABLE status. _n r f f g Required Action and jd1 Be in MODE 3. 6 hours associated Completion Time of Condition A, AND B, / p not met, p 36 hours Af.2 Be in MODE 5. l' h or h 56 ;
.r.8T k
SAN ONOFRE--UNIT 3 3.8-38 AMENDMENT NO.
em 4 e e t) // w or C. Train C or Train C.1 Restore AC vital 72 hours D AC vital bus bus subsystem to inoperable. OPERABLE status _.. 1 E. Train C or Train E.1 Restore DC 72 hours i D DC electrical electrical power power distribution distribution subsystem to subsystem OPERABLE status, inoperable.
..e Design Faatures
' 4.0 ;
j 4.0 DESIGN FEATURES f) 4.1 Site 4.1.1 Exclusion Area Boundary The exclusion area boundary shall be as shown in Figure 4.1-1. 4.1.2 Low Population Zone (LPZ) The LPZ shall be as shown in Figure 4.1-2. 4.2 Reactor Core 4.2.1 Fuel Assemblies Each assembly The reactor shall contain 217 fuel assemblies. shall consist of a matrix of Zircaloy clad fuel rods with an initial dioxidecomp)osition of natural or slightly enriched uranium (U0, as fuel material. Absorber Rods may be used.4 Limited substitutions of zirconium alloy or stainless steel filler rods for fuel rods, in accordance with approved applications of fuel rod configurations, may be used. Fuel assemblies shall be limited to those fuel designs that have been ar.alyzed with applicable NRC staff approved codes and methods and shown by tests or analyses to comply with all fuel safety design bases. A limited number of lead test assemblies that have not completed representative testing ma be placed in k nonlimiting core regions. 4.2.2 Control Element Assemblies d/t 8[ N I The reactor co.re shall contain 83 full length control element assemblies (CEAs). The control material shall be silver indium cadmium, boron carbide, and inconel as approved by the NRC. n ( l a oroc
. TAef maj inelan'e. brosWeate ylass (a?%b,fNo Oo enAlib - 8 4 zincewium bonife ERS2 , gam 4thm '
0XIWe - Ca'9 z 0 3 erAbm oxide - d 053
\
. -(continued)
~
4.0-1 AMENDMENT NO. , SAN ONOFRE--UNIT 3
.1...__.. Organization 5.2 p-s . .. 5.2 Organization 5.2.2 UNIT STAFF The unit' staff organization shall include the following:
- A A/Mgr a. ach on cuty snitt shall be compos'ed of at least the minim M r
shift crew composition shown in the LC V
- b. At least one licensed Reactor Operator (RO) shall be in the Control Room when fuel is in the reactor. In addition, while the unit is in MODE 1, 2, 3 or 4, at least one licensed Senior u Reactor Operator (SRO) shall be in the Control Room Area.
^
7 .$d A/ $.7~ C. T g A health physics technician shall be on site when fuel is in the reactor. The position may be vacant for not more than 2 hours, in order to provide for unexpected absence, provided immediate action is taken to fill the required position. ; g, [ Administrative procedures shall be developed and implemented to limit the working hours of unit staff who perform safety-related functions (e.g., licensed SR0s, licensed R0s, health physicists, nuclear plant equipment operators, and key maintenance personnel). I Adequate shift coverage shall be maintained without routine heavy use of overtime. The objective shall be to have operating personnel work an 8 or 12-hour day, nominal 40-hour week, while the unit is operating. However, in the event that unforeseen problems require substantial amounts of overtime to be used, or during extended periods of shutdown for refueling, major maintenance, or major plant modification, on-a temporary basis, the following guidelines shall be followed:
- 1) An individual should not be permitted to work more than 16 hours straight, excluding shift turnover time.
- 2) An individual should not be permitted to work more than 16 hours in any 24-hour period, nor more than 24 hours in any 48-hour period, nor more than 72 hours in any 7-day period, all excluding shift turnover time.
Personnel r.egularly assigned to 12-hour. shifts may w)rk up to 26 hours in a 48-hour period.
- 3) A break of at least 8 hours should be allowed between work periods, including shift turnover time.
> (continued)
SAN ONOFRE--UNIT 3 S.0-3 - Amendment No.
.a .-
- O @en I
_ Twe* r "A " - Openalon sham /e assgne/4 g nos liansed each uaelor amAzisig ed as'en aaWMawl aM/e asegsea! or ead l pos- licensed $wealer u,J ases a uas, ,c goaray,wxeeslw 14uk shalc/wn w '
& 1:!: MM foM
- d~ - a W of #4ree dl%eled x- n nse 'd eyeaa4xs we teruM f
,6 ko muVs
.,__US egy " (8 -
/$eftsn S9'/w)(k)(t) s e >u en u m u fi cam + f q waa weae aa n.z .a nw p a4,aangs y, t a,apaged
.utoca s in i afsenee $ on-a'uf 1/uf/ emu'swubsespwt4; aea,a iu w s a m s wunt & su y uuum y a w k.
cnew ocyikou to 88
. ~ . . - . -
Organization 5.2
,tm
(
.) 5.2 Organization 5.2.2 UNIT STAFF (continued)
- 4) Except during extended shutdown periods, the use of overtime should be considered on an individual basis and not for the entire staff on a shift.
Any deviation from the above guidelines shall be authorized by the Vice President-Nuclear Generation or designee, in accordance with approved administrative procedures, or by higher levels of management, in accordance with established procedures and with documentation of the basis for granting-the deviation. Controls shall be included in the procedures such that individual overtime shall be reviewed monthly by the Vice President-Nuclear Generation or designee to ensure that excessive hours have not been assigned. Routine deviation from the above guidelines is not authorized.
], The Plant Superintendent (at time of appointment), the j Assistant Plant Superintendent-0perations, Shift Superintendents, and Control Room Supervisors shall hold a Senior Reactor Operator's license. The Control Operators and
' Assistant Control Operators shall hold a Reactor Operator's license or Senior Reactor Operator's license.
The Shift Technical Advisor (STA) shall provide advisory technical support to the Shift Superintendent in the areas of f* thermal hydraulics, reactor engineering, and plant analysis with regard to the safe operation of the unit. The STA shall have a Bachelor's Degree or equivalent in a scientific or engineering discipline with specific training in plant design and in the response and analysis of the plant for transients and accidents.
- k. .,
5.0-4 Amendment No. SAN ON0FRE--UNIT 3
1 Procedures, Programs, and Manuals ' 5.5 5.5 Procedures, Programs, and Manuals
]
5.5.2.7 Explosive Gas and Storage Tank Radioactivity Monitoring Program (continued) The program shall include:
- a. The limits for the concentrations of hydrogen and oxygen in the Gaseous Radwaste System and a surveillance program to ensure the limits are maintained. Such limits shall be appropriate to the system's design criteria (i.e., whether or not the system is designed to withstand a hydrogen explosion);
and
- b. A. surveillance program to ensure that the quantity of radioactivity contained in each waste gas decay tank and fed into the gaseous radwaste vent system is less than the amount that would result in a whole body exposure of greater than or equal to 0.5 rem to any individual in the unrestricted area, in the event of an uncontrolled release of the tanks contents; and
- c. A surveillance program to ensure that the quantity of radioactivity contained in all outdoor liquid radwaste tanks ;
that are not surrounded by liners, dikes, or walls, capable of holding the tanks' contents and that do not have tank overflows and surrounding area drains connected to the Liquid Waste Management System is less than the amount that would result in concentrations less than the limits of 10 CFR Part 20, Appendix B, Table II, Column 2, at the nearest potable water supply and the nearest surface water supply in an unrestricted area, in the event of an uncontrolled release of the tanks' contents. The provisions of SR 3.0.2 and SR 3.0.3 are applicable to the Explosive Gas and Storage Tank Radioactivity Monitoring Program surveillance frequencies. i emme I 4 5.0-12 Amendment No. SAN ON0FRE--UNIT 3
- b. SERT C " i 5S.2'8' p,."* j Coola,& Sousees db isede. ;
l Con tatinm ert+. Tith prppam prove' des echols 4 ses'ainaje kabaya ' coniaiumen + {JhaArorm could con +a;n luyMy sadioae/We, oaise'de 4hese porlioss ey s,.ysks,S h(g durs'ag a serious Ms4n F or meMen4 40 ets i n S low as pracSeaAle, Py mn <Vrelfik b lc<< 1o heLCS, G. 5. 2,9, pre % g,4 g,&e.,&ga;,m./~Tady l G urrei b na e. Oregram, ; Msonib' I
~Tids ram ove'de.s codtelS n adion k e- h<-K<of eo l l
'nmwf, ineludixj efittenus y 43 i
%stou prokaticy 'u m , 4 e a s a u ._ g y a ca t j
Sf"kAwtaf !&G. froptun ig & uleca.le9' ! do / dS. 3
]hsewi ce- kshiy Pryam i
S S. 2.10 l This prgram proNs corr.fwls for i2, astrvim ana' 5 Jamg of AsME ew'e. sss l cenyeneas ine/aa'<yy apuage, syg. l zelsealed le 4ha LCS. Q iW /s l I W
2 ... fC2.// Steam Genana4r(SC) Tu& Suwedumee. Proprnm ww ' T/uy pyan ynwiEEV ceNeets, mewg/< ; e d k we n w ce y d aedzeamm 4ks 4 veug SC OMAwaki7f. Acfa", '
%aled 4 b LCS ilsel{ is 5 r. z. tz. Ve4f. ahoy RUen Teskng 0ff ram w
cizi/erra,
$S frf(bf ies, swRielllaneeem h1dkdo y%xm/s 7,rowc{
ed
%"d&Aictt 6 Cermu<ditg dethhf$ l b' *n nt ed /eehaw(ESf]fZ4e l yta4u &ws.
udaada a ps
,ua te.s R,ogran w egs is
- 5. 5 2. t3 @eset fieal OL % A y h "'"'
% gram impna~/s ugwus ,4sg. ,,x
+ + uw fest uta &z aex w ted va /<< tes~
Proya.- i4 is : 1
' 1 0 h~
i.L Reporting Requirements 5.7
,Fs 5.7 Reporting Requirements ..w )
5.7.2 Special Reports (continued)
- b. Following each inservice inspection of steam generator (SG) tubes, in accordance with the SG Tube Surveillance Program, the number of tubes plugged and tubes sleeved in each SG shall be reported to the NRC within 15 days. The complete results of the SG tube inservice inspection shall be submitted to the NRC within 12 months following the completion of the inspection. The report shall include- t
- 1. Number and extent of tubes inspected, and
- 2. Location and percent of wall-thickness penetration for each indication of an imperfection, and ;
- 3. Identification of tubes plugged and tubes sleeved.
Results of SG tube inspections which fall into Category C-3
- shall be reported to the NRC prior to resumption of plant operation. This report shall provide a description of investigations conducted to determine cause of the tube degradation and corrective measures taken to prevent ;
recurrence, s NY f i._) 5.0-19 Amendment Ne. ; SAN ON0FRE--UNIT 3 i'
9, .:
"w p
highRadiation I TN5 d T O S2 Q
/ ' 5.0 ADMlHIS.TRATIVE CONTR01.5
$~. 2 J
High Radiation Area __ 0 DL. , (R9 Pursuant to 10 CFR 20, paragr ph 20.203(c)(5), in lieu of the I requirements of 10 CFR 20.203 c), each high radiation area, as j Q[ defined in 10 CFR 20, in which the intensity of radiation is
> 100 nrem/hr but < 1000 mrem /hr, shall be barricaded and eretof
} conspicuously posted as a high radiation area and entrance }'
shall be controlled by requiring issuance of a Radiation m ! Individuals qualified in radiation protection 6F re m m .
) or personnel roce ures (e.g., $ealth Physics Technician e exempt from the I
ce tinuously escorted by such individuals maissuance Il requi duties in high radiation areas with exposure rates 51000 mrem /hr, !
*"" *"'"'*"**'"'"'"'""*"'"*"*"i "p" roc'e'dures for entry into such high radiation areas.
NEP; Any individual or group of individuals permitted , { to following I
)
- a. A radiation monitoring device that continuously indicates J the radiation dose rate in the area.
.n A radiation monitoring device that' continuously integrates b.
h the radiation dose rate in the area and alams when a preset Entry into such areas with integrated dose is received. this monitoring device say be made after the dose rate j i levels in the area have been established and personnel are aware of them. l
- c. An individual qualified in radiation protection procedures ,
with a radiation dose rate monitoring device, who is . responsible for providing positive control over l the diation surveillance at the frequency pecified by the adiation Protection Manager in the @ areas f
.11 In addition to the requirements of Specification 5 !
I with radiation levels = 1000 mrem /hr shall be orovid ! f.[. [ or continuously guarded doors toDoors prevent un
'. the Shift Foreman on duty or health physics hsupe
;~ !
, (continued)
F 9Al h a-Rev. O, W2U SAN ON0FRE--UNIT 3 '~ - - -_-___ _
- y. '
;n :. w 3: :- -.3
~
r-
- c. g w .
g.8 High' Radiation Area ih
\
(continued)
- d. M
.11.2 t shall specify the dose rate levels in i s for
[ [, 1 underthe animediate approvedwork areas and the maximum allowable stay t fme
} In lieu of the stay time I individuals i'n those areas., direct or remote (such as closed circuit spec,ification:of the surveillance may be made by personnel !
TV.. came ra s) ' conti nuo I fqualified in radiat'on protection er the activities procedures being perfomed to provide po within the 4 exposure control
; area. gp For individual high radiation areas with radiation ilevels of f
o.11.3 > 1000 mrem /br, accessible to personnel, that are located large areas such as reactor containment, where no en f* g'} for purposes;of locking, or that cannot be continuously d the , g and whe.re nc enclosure can be reasonably constructed aroun d I individual" area, that individual area shall be barricaded an l h conspicuously posted, and a flashing light shall be activa warning device. 4 O
" 0,li9/2f/9
.0
5 SFDP 5.6 rw 5.0 ADMINISTRATIVE CONTROLS I) 5.6 Safety Function Determination Program (SFDP)
=
5.6.1 This program ensures loss of safety function is detected and appropriate actions taken. Upon failure to meet two or more LCOs at the same time, an evaluation shall be made to determine if loss.of safety function exists. Additionally, other appropriate limitations and remedial or compensatory actions may be identified to be.taken as a result of the support system inoperability and corresponding exception to entering supported system Condition and Required Actions. This program implements the requirements of LC0 3.0.6. 5.6.2 The SFDP shall contain the following:
- a. Provisions for cross-train checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected.
- b. Provisions for ensuring the plant is maintained in a safe condition if a loss of function condition exists.
- c. Provisions to ensure that an inoperable supported system's Completion Time is not inappropriately extended as a result of multiple support system inoperabilities.
- d. Other appropriate limitations and remedial or compensatory actions.
5.6.3 A loss of safety function exists when, assuming no concurrent single failure, a safety function assumed in the accident analysis cannot be performed. 'For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and:
- a. A required system redundant to system (s) supported by the inoperable support system is also inoperab_lg; or GuaSe &D
- b. A required system redundant to system (s) in turn supported by the inoperable supported system is also inoperable; or_
G C25e8) ' n c. A required system (a)redundant to support system (s) for th[ _//$$$,f',,[ supported systems and (b) above is also inoperable 5.6.4 The Safety Function Determination Program identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required
. Actions of the LCO in which the loss of safety function exists are !
required to be entered.
. i s _,I !
SAN ONOFRE--UNIT 3 5.0-13 Amendment No. 1 I l
it W EAT" Generic Example: , Train A Train 8 System i System i *-C a s e C
& 4 System ii +(SupportSystem System ii
& Inoperable) &
System iii System iii .-Case A ' 4 4 System iv System iv .-Ca s e B s La ou Sil 3
ATTACHMENT "C" (Marked-Up Proposed Table of Contents and Bases) Unit 2
TABLE OF CONTENTS I USE AND APPLICATION . . . . . . . . . . . . ........ 1.1-1
'1. 0 1.1-1
- 1.1 Definitions ......................
1.2-1 1.2 Logical Connectors . . . . . . . . . . . . . . . . . . . 1.3-1 1.3 Compl eti on Ti mes . . . . . . . . . . . . . . . . . . . . 1.4-1 1.4 Frequency .......................
. . . . . . . . . . . . ........ 2.0-1 2.0 SAFETY LIMITS (SLs) 2.0-1 2.1 SLs ..........................
SL Violations ..................... 2.0-1 2.2 3.0-1 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY . . . . 3.0-4 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . . 3.1-1 3.1 3.1-1 3.1.1 SHUTDOWN MARGIN (SDM) -T,,, > 200*F ........ SHUTDOWN MARGIN (SDM)-T ,, s 200*F ........ 3.1-2 3.1.2 3.1-3 3.1.3 Reactivity Balance . . . . . . . ......... Moderator Temperature Coefficient (MTC) ...... 3.1-5 3.1.4 ..... 3.1-7 3.1.5 Control 3.1.6 ShutdownElement Assembly Control Element (CEA) Alig(nmentCEA) Insertion Assembly Limits . . . . . . . . . . . ......... 3.1-12 Regulating CEA Insertion Limits . ......... 3.1-14 3.1.7 3.1.8 Part length Control Element Assembly (CEA) Insertion Limits . . . . . . ......... 3.1-18 3.1.9 .Special Test Exceptinn_(SIEb;;@HGTOOWN-MAR <i-fS9t+)4 S o v v e . En3,* h.'.t F .QF!*!Af7.N(p . . . . . 3.1-20
~
M . .. 3.1-22 Borated Water Sp tw -ShutdoM."W. . . . . . . 3.1-24 3.1.11 3.1-26 3.1.12 Special Test Exception (STE) - MODES 2 and 3 ... Special Test Exceptions (STE) - MODE 1 ...... 3.1-28 3.1.13 3.1.14 Special Test Exceptions (STE) - Center CEA and Regulating CEA Insertion Limits ........ 3.1-30
. . . . . . ......... 3.2-1 3.2 POWER DISTRIBUTION LIMITS 3.2-1 3.2.1 Linear Heat Rate (LHR) . . . . . .........
Planar Radial Peaking Factors (Fxy) ........ 3.2-3 3.2.2 3.2-5 3.2.3 AZIMUTHAL POWER TILT (Tq ) . . . . ......... 3.2.4 Departure From Nucleate Boiling Ratio (DNBR) . . . . 3.2-9 3.2-12 3.2.5 AXIAL SHAPE INDEX (ASI) . . . . . .........
. . . . . . . . . . . ......... 3.3-1 3.3 INSTRUMENTATION 3.3.1 Reactor Protective System (RPS)
Instrumentation-Operating . . ......... 3.3-1 3.3.2 Reactor Protective System (RPS)
......... 3.3-11 Instrumentation -Shutdown . .
3.3.3 Control Element Assembly Calculators (CEACs) . . . .. 3.3-15 9 (continued) ii AMENDMENT NO. SAN ON0FRE 2
TABLE OF CONTENTS 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) (continued) Py i 3.5.5 Trisodium Phosphate (TSP) ............. 3.5-11 i>: 3.6 CONTAINMENT SYSTEMS . . ................ 3.6-1 3.6.1 Containment . . . . ................ 3.6-1 3.6.2 Containment Air Locks ............... 3.6-3 3.6.3 Containment Isolation Valves . . . . . . . . . . . . 3.6-8 3.6.4 Containment Pressure . . . . . . . . . . . . . . . . 3.6-16 3.6.5 Containment Air Temperature ............ 3.6-17 3.6.6.1 Containment Spray and Cooling Systems ....... 3.6-18 3.6.6.2 Containment Cooling System . . . . . . . . . . . . . 3.6-21 3.6.7 Hydrogen Recombiners ............... 3.6-23 3.6.8 Containment Dome Air Circulators . . . . . . . . . . 3.6-25 3.7 PLANT SYSTEMS . . . . . ................ 3.7-1 3.7.1 Main Steam Safety Valves (MSSVs) . . . . . . . . . . 3.7-1 ' 3.7.2 Main Steam Isolation Valves (MSIVs) ........ 3.7-3 3.7.3 Main Feedwater Isolation Valves (MFIVs) ...... 3.7-5 3.7.4 Atmospheric Dump Valves (ADVs) . . . . . . . . . . . 3.7-7 3.7.5 Auxiliary Feedwater (AFW) System . . . . . . . . . . 3.7-9 3.7.6 Condensate Storage Tank CST ........... 3.7-14 3.7.7 Component Cooling Water CCW System . . . . . . . . 3.7-16 3.7.7.1 Component Cooling Water CCW Safety : Related Makeup System ............. 3.7-18 i 3.7.8 Salt Water Cooling (SWC) System . . . . . . . . . . 3.7-21 3.7.9 Not used . . . . . . . . . . . . . . . . . . . . . . 3.7.10 Emergency Chilled Water (ECW) ........... 3.7-23 -- 3.7.11 3.7.12 Control Room Emergency Air Cleanup System (CREACUS) Not used . . . . . . . . . . . . . . . . . . . . . . 3.7-25 d 3.7.y Not used .,. . . . . . . . . . . . . .,. . q
, _ . nonuiin g uiiung , _ _ _ _ . .
v . m..y .....,r., - 3.7.15 Not used . . . . . . . . . . . . . . . . . . . . . . 3.7.16 Fuel Storage Pool Water Level . . . . . . . . . . .- 3.7-31 3.7.17 Fuel Storage Pool Boron Concentration .. . . . . . . 3.7-32 3 . 7 .18. ' Spent Fuel Assembly Storage ............ 3.7-34 3.7.19 Secondary Specific . Activity ............ 3.7-38 3.8 ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . . 3.8-1 3.8.1 AC Sources-Operating ............... 3.8-1 3.8.2 AC Sources -Shutdown . . . . . . . . . . . . . . . . 3.8-17 '3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air . . . . 3.8-20 3.8.4 DC Sources-Operating ............... 3.8-23 3.8.5 DC Sources - Shutdown . . . . . . . . . . . . . . . . 3.8-27 3.8.6 Battery Cell Parameters .............. 3.8-30 3.8.7 Inverters -Operating . . . . . . . . . . . . . . . . 3.8 3.8.8 Inverters -Shutdown ................ 3.8-36 3.8.9 Distribution Systems-0perating .......... 3.8-38 (continued) SAN ON0FRE 2 iv AMENDMENT NO. ) , l
TABLE OF CONTENTS % B 2.0-1
} B 2.0 SAFETY LIMITS (SLs) ................... B 2.0-1
~ B 2.1.1 Reactor Core SLs . . . . . . . . . . . . . . . . . B 2.0-6 B 2.1.2 Reactor Coolant System (RCS) Pressure SL . . . . . B 3.0-1 8 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY . . . B 3.0-10 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY B 3.1-1 B 3.1 REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . B 3.1-1 8 3.1.1 SHUTDOWN MARGIN (SDM) -T,,, > 200af . . . . . . . . SHUTDOWN MARGIN (SDM) - T,,, s 200* F . . . . . . . . B 3.1-7 8 3.1.2 B 3.1-12 8 3.1.3 Reactivity Balance . . . . . . . . . . . . . . . . Moderator Temperature Coefficient (HTC) . . . .. B 3.1-18 8 3.1.4 Control Element Assembly (CEA) Alignment . . . . . B 3.1-23 B 3.1.5 B 3.1.6 Shutdown Control Element Assembly (CEA) Insertion Limits . . ............. B 3.1-34 B 3.1.7 Regulating Control Element Assembly (CEA)
.............. B 3.1-39 Insertion Limits .
8 3.1.8 Part Length Control Element Assembly (CEA)
............. B 3.1-4B Insertion Limits .
a Special-Test-En.epU um, -(STET = MODES-t and 2 4-_. B 3.1-53B 3.1-I 8 3.1.10 B 3.1-57 B 3.1.11 Borated Water -System 41 Shutdown ~59 *.%5s. . . . .. Special Test Exception (STE)-MODES 2 and 3 . .. B 3.1-59 B 3.1.12 B 3.1-65 8 3.1.13 Special Test Exceptions (STE)-MODE 1 . . . . .. B 3.1.14 Special Test Exceptions (STE)-Center CEA and Regulating CEA Insertion Limits . . . . . . . . B 3.1-71 o B 3.2-1 E. B 3.2 POWER DISTRIBUTION LIMITS .............. B 3.2-1 B 3.2.1 B 3.2.2 Linear Heat Rate . . . . . . . . . . . . . . . . . Planar Radial Peaking Factor (Fu) . . . . . . .. B 3.2-9 B 3.2-16 [m B 3.2.3 AZIMUTHAL POWER TILT (Tq) l B 3.2.4 Departure from Nucleate Boiling Ratio (DNBR) . . . B 3.2-26 '
............. B 3.2-35 B 3.2.5 AXIAL SHAPE INDEX (ASI)
B 3.3-1 I B 3.3 INSTRUMENTATION ................... B 3.3.1 Reactor Protective System (RPS) Instrumentation-B 3.3-1 Operating . . . . . . . . . . . . . . . . . . . B 3.3.2 Reactor Protective System (RPS) Instrumentation-
................... B 3.3-38 Shutdown 8 3.3.3 Control Element Assembly Calculators (CEACs) . . . B 3.3-52 l' Reactor Protective System (RPS) Logic and Trip g B 3.3.4 B 3.3-63 Initiation .................. l B 3.3.5 Engineered Safety Features Actuation System B 3.3-77 (ESFAS) Instrumentation . . . . . . . . . . . .
8 3.3.6 Engineered Safety Features Actuation System B 3.3-103 (ESFAS) Logic and Manual Trip . . . . . . . . . (continued) I vi AMENDMENT NO. SAN ONOFRE 2
TABLE OF CONTENTS B 3.6 B 3.6.7 CONTAINMENT SYSTEMS (continued) Hydrogen Recombiners . . . . . . . . . . . . . . . B 3.6-48 ] B 3.6.8 Dome Air Circulators . . . . . . . . . . . . . . . B 3.6-53 B 3.7 PLANT SYSTEMS .................... B 3.7-1 B 3.7.1 Main Steam Safety Valves (MSSVs) . . . . . . . . . B 3.7-1 B 3.7.2 Main Steam Isolation Valves (MSIVs) . . . .... B 3.7-7 B 3.7.3 Main Feedwater Isolation Valves (MFIVs) . .... B 3.7-13 B 3.7.4 Atmospheric Dump Valves (ADVs) . . . . . . . . . . B 3.7-17 8 3.7.5 Auxiliary feedwater (AFW) System . . . . . . . . . B 3.7-23 B 3.7.6 Condensate Storage Tank (CST) . . . . . . .... B 3.7-31 B 3.7.7 Component Cooling Water (CCW) System . . . . . . . B 3.7-37 8 3.7.7.1 CCW Safety Related Makeup System . . . . . . . . . B 3.7-42 8 3.7.8 Salt Water Cooling System (SWC) . . . . . .... B 3.7-50 8 3.7.9 Not used . . . . . . . . . . . . . . . . . . . . . B 3.7.10 Emergency Chilled Water (ECW) System . . . . . . . B 3.7-55 B 3.7.11 Control Room Emergency Air Cleanup System (CREACUS) . . . . . . . . . . . . . . . . . . . B 3.7-53 B 3.7.12 Not used . . . . . . . . . . . . . . . . . . . . . B 3.7.13 N o t u s e d . War, u.c.aJ. . . . . . . . . . . . . . B 3.7.14 Fxl ": 9 ; D"4 W ";
- Cing 9"am M f::' ; 2.' %
B 3.7.15 Not used . . . . . . . . . . . . . . . . . . . . . B 3.7-74 8 3.7.16 Fuel Storage Pool Water Level . . . . . . .... B 3.7-82 B 3.7.17 Fuel Storage Pool Boron Concentration . . ... . B 3.7-85 B 3.7.18 Spent Fuel Assembly Storage . . . . . . . .... B 3.7-88 B 3.7.19 Secondary Specific Activity . . . . . . . ... . B 3.7-80 B 3.8 ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . B 3.8-1 B 3.8.1 AC Sources-Operating . . . . . . . . . . .... B 3.8-1 B 3.8.2 AC Sources - Shutdown . . . . . . . . . . . . . . . B 3.8-29 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ... B 3.8-35 B 3.8.4 DC Sources-Operating . . . . . . . . . . .... B 3.8-44 B 3.8.5 DC Sources - Shutdown . . . . . . . . . . . . . . . B 3.8-54 B 3.8.6 Battery Cell Parameters . . . . . . . . . .... B 3.8-58 B 3.8.7 Inverters -0 )erati ng . . . . . . . . . . . . . . . B 3.8-64 8 3.8.8 Inverters -S iutdown ............... B 3.8-68 B 3.8.9 Distribution Systems-Operating . . . . . .... B 3.8-72 l B 3.8.10 Distribution Systems -Shutdown . . . . . . . . . . B 3.8-79 8 3.9 REFUELING OPERATIONS . . . . . . . . . . . . . . . . . B 3.9-1 B 3.9.1 Boron Concentration ............... B 3.9-1 B 3.9.2 Nuclear Instrumentation . . . . . . . . . .... B 3.9-5 B 3.9.3 Containment Penetrations . . . ... . . . . . . . . B 3.9-9 B 3.9.4 Shutdown Cooling (SDC) and Coolant Ci'rculation-High Water Level . . . . . . . . . B 3.9-16 8 3.9.5 Shutdown Cooling (SDC) and Coolant Circulation-Low Water Level . . . . . .... B 3.9-21 B 3.9.6 Refueling Water Level . . . . . . . . . . .... B 3.9-25 SAN ONOFRE 2 viii AMENDMENT NO. j i
SDH - T.., > 200
- F B 3.1.1 s
BASES pressure, linear heat rate, and the DNBR do not exceed APPLICABLE SAFETY ANALYSIS . allowable limits. (continued) The startup of an inactive RCP will not result in a " cold water" criticality, even if the maximum difference in The maximum temperature exists between the SG and the core.
~
positive reactivity addition that can occur due to an inadvertent RCP start is less than half the minimum required SDM. An idle RCP cannot, therefore, produce a return to power from the hot standby condition. a a Thee., m jar.;rion 2.of 4CEAf from suberitical or low power Conditions adds reactivity to the reactor core, causing'both
'the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure. The =f tSd ofgCEA/also produces a time dependent red tribution of core power.
gessen ~ The SDM satisfies Criterion 2 of th'e NRC Policy Statement. LCO The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 100, " Reactor Site Criterion," limits (Ref. 4). For the boron dilution accident, if the LCO is violated, then the minimum required time assumed for operator action to teminate dilution may no longer be applicable. SDM is a core physics design condition that can be ensured through CEA positioning (regulating and shutdown CEAs) and through the soluble boron concentration. InNet5 3 and 4, the SOM requirements are applicable to APPLICABILT '
' provide sufficient negative reactivity to meet the In
asstaiptions of the safety analyses discussed above.
M00E3:1 and 2, SOM is ensured by complying with LCO 3.1.6,
" Shutdown Control Element Assembly (CEA) Insertion Limits,'
and LCO 3.1.7. If the insertion limits of LCO 3.1.6 or LCO 3.1.7'are not being complied with, SDM is not automatically violated. The SOM must be calculated by perfoming a reactivity balance calculation (considering the
' - (continued)
AMENDMENT NO. B 3.1-4 SAN ONOFRE--UNIT 2
SOM - T.,, s 200
- F B 3.1.2 l
BASES ,,, j l BACKGROUND Element Assembly (CEA) Insertion Limits." When the unit is f
, in the shutdown and refueling modes, the SDH requirements l (continued) are met by means of adjustments to the RCS boron concentration.
i APPLICABLE The minimum required SDM is assumed as an initial condition , SAFETY ANALYSES' in safety analysis. Thesafetyanalysis(Ref.2) establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and A00s with the assumption of the highest worth CEA stuck out following a reactor trip. When the CEAs are all verified to be inserted, by both open reactor trip breakers and the CEA position indications, it is not required to assume that the highest reactivity worth CEA is stuck out. Specifically, , for MODE 5, the primary safety analysis that relies on the SOM limits is the boron dilution analysis. The acceptance criteria for the SDM requirements are that the specified acceptable fuel design limits are maintained. This is done by ensuring that:
- a. The reactor can be made suberitical from all operating conditions, transients, and Design Basis Events;
- b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio, fuel centerline temperature limits for A00s, and
- s 280 cal /gm energy deposition for the CEA ejection accident);and
- c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.
An inadvertent boron dilution is .a moderate frequency incident as defined in Reference 2. The core is initially
. suberitical with all CEAs inserted. A Chemical and Volume Control System malfunction occurs, which causes unborated water to be pumped to the RCS .:; t"r ^~ ' ; ; 7
." ,' (continued)
SAN ONOFRE--UNIT 2 B 3.1-8 AMENDMENT NO. i
SDM -- T,,, 5 200* r , B 3.1.2 BASES
- p. )
SURVEILLANCE SR 3.1.2.1 (continued) REQUIREMENTS Fuel burnup based on gross thermal energy generation; m d.
- e. Xenon concentration; '
- f. Samarium concentration; and
- g. Isothermal temperature coefficient (ITC).
Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel
. temperature will be changing at the same rate as that of the RCS.
INSERT' The Frequency of 24 hours is based on the generally slow change in required boron concentration, and it. allows sufficient time for the operator tq collect the required data, which includes performing a boron concentration analysis, and complete the calculation.
- 1. 10 CFR 50, Appendix A, GDC 26.
[,. REFERENCES
- 2. FSAR, Section 15.4.1.4. i 4
- - (continued) l
8 3.1-11 AMENDMENT NO. ,
SAN ONOFRE--UNIT 2 I P
INSERT The reactivity effects of items c, d, e, and f above, are nominally constant, and are bound while the RCS boron concentration is maintained greater than the refueling boron concentration specified for MODE 6 and all CEAs inserted. Therefore, a SDM = 3.0% is assured by determining at least once per 24 hours that:
- a. The core has not been critical since the refueling (e.g. factors c through f are unchanged).
- b. The reactor coolant system boron concentration is greater than or equal to the refueling boron concentration required by TS 3.9.1.
- c. All CEAs are inserted.
- d. No more than one charging pump is functional, by verifying that power is removed from the remaining charging pumps, when the reactor coolant level is below the hot leg centerline.
.c. _
Reactivity Balance B 3.1.3 83.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Reactivity Balance BASES BACKGROUND According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity . shall be controllable, such that, subcriticality is , maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, a reactivity balance is used to compare the predicted versus measured core reactivity during power operation. The periodic confimation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control element assembly (CEA) worth, or operation at Conditions not consistent with those assumed in the predictions of core reactivity, and could potentially r6sult in a loss of SDM or , violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, " SHUTDOWN MARGIN (SDM)-Tm
> 200*F") in ensuring the reactor can be brought safely to ) - cold, subcritical conditions.
When the reactor core is critical or in nomal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since l parameters are being maintained relatively stable under ' steady state sower conditions. The positive reactivity inherent in tie core design is balanced by the negative 1
. reactivity of the control components, themal feedback, l neutron leakage, and materials in the core that absorb l neutrons, such as burnable absorbers producing zero net i reactivity. Excess reactivity can be inferred from the !
cr'itical boron curve, which provides a prediction of the ! soluble boron concentration in the Reactor Coolant System (RCS)versuscycle.burnup. Periodic measurement'of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as CEA height, temperature, and power) provides a convenient method of ensuring that- , core reactivity is within design expectations, and that the i calculational models used to generate the safety analysis. are adequate. (continued) 'j SAN ONOFRE--UNIT 2 B 3.1 AMENDMENT NO. it l
Reactivity Balance
, B 3.1.3 BASES /
BACKGROUND In order to achieve the required fuel cycle energy output, (continued) .the uranium enrichment in the new fuel loading and in the fuel remaining from the previous cycle (s), provides excess positive reactivity beyonci that required to sustain steady state operation throughout the cycle. Whej the reactor is critical at RTP' W rd:. ;.1 m.,r. - . y the excess positive reactivity is compensated by burnable absorbers, CEAs, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concen.tration. l When the core is producing THERMAL POWER, the fuel-is being depleted and excess reactivity is decreasing. As the fu.e1 depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The critical boron curve is based on steady state operation at RTP, Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated. APPLICABLE Accurate prediction of core reactivity is either an explicit SAFETY ANALYSES or implicit assumption in the accident analysis evaluations. , Every~ accident evaluation (Ref. 2) is, therefore, dependent i upon accurate evaluation of core reactivity. In particular, i SOM, and reactivity transients such as CEA withdrawal l accidents or CEA ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident { analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, ; and analytical benchmarks. Monitoring reactivity balance { additionally ensures that the nuclear methods provide an j
. accurate representation of the core reactivity.
Design calculations and safety analyses are performed for . each fuel cycle for the purpose of predetermining reactivity 1 behavior and the RCS boron concentration requirements for reactivity control during fuel depletion. l The comparison between measured and predicted initial core ' reactivity provides a nonnalization for calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then 4 (continued) . SAN ONOFRE--UNIT 2 B3.1-g AMENDMENT NO. IS .
Reactiv_ity Balance B 3.1.3 BASES APPLICABLE the assumptions used in the reload cycle d sign analysis or SAFETY ANALYSES the calculational models used to predict soluble boron (continued) requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at B0C, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted critical boron curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred. - The normalization of predicted RCS boron concentration to the measured value is to be performed prior to reaching 60 EFPD following startup from a refueling outage, with the CEAs in their normal positions for power operation. The normalization is performed near B0C, so that core reactivity relative to predicted values can be continually monitored and evaluated as core coriditions change during the cycle. - The reactivity balance satisfies Criterion 2 of the NRC Policy Statement. 's J LCO Large~ differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the nuclear design methodology are larger than expected. A limit on the reactivity balance of 1% Ak/k has been established, based.on engineering judgment.'A 1% Ak/k deviation in reactivity from that predicted is larger than expected for normal operation, and should therefore be evaluated. When measured core reactivity is within 1% Ak/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be'approximately 100 ppm i (dependingontheboronworth)beforethelimitisreached. j l e (continued) O SAN ONOFRE--UNIT 2 B 3.1- AMENDMENT NO. It
Reactivity Balance ll B 3.1.3 BASES c LCO These values are well within the uncertainty limits for (continued) . analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely. APPLICABILITY The limits on core reactivity must be maintained during MODES 1 and 2 bacause a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are changing, and - confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in i MODES 3, 4, and 5 because the reactor is shut down and the i reactivity balance is not changing. In MODE 6, fuel loading results in a continually changing I core reactivity. Boron concentration requirements (LCO 3.9.1, " Boron Concentration") ensure that fuel movements are performed within the bo'unds of the safety j analysis. A SDM demonstration is required by the LCS during the first startup following operations that could have altered core reactivity (e.g., fuel movement, or CEA replacement,orshuffling). ACTIONS A.1 and A.2 Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated , to determine their consistency with input to design l l . calculations. Measured core and process parameters are i evaluated to determine that they are within the bounds of l the safety analysis, and safety analysis calculational , models are reviewed to verify that they are adequate for l representation of the core conditions. The required .
~
Completion Time of 72 hours is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and j complete the evaluation of the core design and safety analysis. l l Following evaluations of the core design and safety , f analysis, the cause of the reactivity anomaly may be I (continued) l f f v: l SAN ONOFRE--UNIT 2 8 3.1-f AMENDMENT NO. W
- ~
Reactivity Balance B 3.1.3 l j BASES
~ 1 ACTIONS 'A.1 and A.2 (continued) resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS - '
boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in,the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated and it is concluded that the
' reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized, and power operation may continue. If operational restrictions or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must,be defined.
The required Completion Time of 72 hours is adequate for preparing whatever operating restrictior.s or Surveillances that may be required to allow continued reactor operation. q B.1 If the core reactivity cannot be restored to within i1% Ak/k, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours. If the SOM for MODE 3 is not met, then boration as required by TS 3.1.1'.1 ACTION A.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching
- MODE 3 from full power conditions in an orderly manner and
- without challenging plant systems.
SURVEILLANCE 'SR 3.1.3.1 REQUIREMENTS Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. ,The comparison is made considering that other core conditions are fixed or stable including CEA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. (con.tinued) SAN ONOFRE--UNIT 2 8 3.1- AMENDMENT N0. S -
Reactitity Balance B 3.1.3 BASES g SURVEILLANCE SR 3.1.3.1 (continued) REQUIREMENTS
, The SR is modified by three Notes. The first Note indicates that the normalization of predicted core reactivity to the measured value (if performed) may take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The required subsequent Frequency of every 31 EFPD following the initial 60 EFPD after entering MODE 1, is acceptable, based on the slow rate of core changes due to fuel depletion and the presence of other indicators for prompt indication of an anomaly. A Note, "Only required after 60 EFPD," is added to the Frequency column to allow this. ~The Second Note indicates that the performance of SR 3.1.3.1 is not recuired prior to entering H0 DES 1 or 2. This Note is requirec to allow entry into MODES 1 or 2 to verify core reactivity because Applicability is for MODES 1 and 2.
REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
- 2. ' SONGS Units 2 and 3 UFSAR; Section 15.
e SAN ONOFRE--UNIT 2 B 3.1- AMENDHENT NO. 17 -
, CEA Alignment B 3.1.5 1 B 3.1 REACTIVITY CONTROL SYSTEMS Control Element Assembly (CEA) Alignment B 3.1.5 BASES _ l The OPERABILITY (e.g., trippability) of the shutdown and BACKGROUND regulating CEAs is an initial assumption in all safety analyses that assume CEA insedion upon rea safety analyses that directly affects core power distributions and assumptions of available SDM. . i ity and power
.The applicable criteria for these react v dix A,
. distribution design requirements are 10 CFR Criteria for Emergency Core Cooling Cooled Nuclear Power Plants" (Ref. 2 .
Mechanical or electrical failures inay cause a CEA CEA to become-inoperable or to become misaligned from its group. inoperability or misalignment may cause increased power peacing, due to the asymetric reactivity distribution and reduction in the CEA Therefore, totalalignment available CEA worth and operability are for reactor shutdown. related to core operation in design power peaking limits and the core design requirement of a minimum SDN. Limits on CEA alignment and operability have been , established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved. CEAs are moved by their control element 'rM 4J s Lw9,A
'"ddrive
(* , (CEDHs). C.tAs q 4 inch) at a time, but at varying rates B"; a: depending on the signal output from the control ;,o Element m Drive Mechanism Control System (CEDMCS).
, fen (q The CEAs are arranged into groups that are radially W4s Q'
Ot symetric. Therefore, movement of the CEAs doat ettdistribution.
. introduce radial asymetries in the core pearThe reactivity worth for imediate reactor shutdown upon reactortrip).
(powerlevel control during normal operation and (continued) AMENDMENT NO. B 3.1-22 SAN ONOFRE--UNIT 2 .
** w ,
+,_m. 4,,,%...as e ee * * - . .
CEA Alignment B 3.1.5 BASES transients. " ' - r n r. ; -. , ', - - a t ' ~ ~ +- ' "
- BACKGROUND Part length CEAs are n d "
(continued) ; t, "- "--- + - " ;t' * ; ( ;;;;. credited in the safety analyses for shutting down the , reactor, as are the regulating and shutdown grou s. The ' part length CEAs are used g;;;1g for ASI control and Q ,gj y (w tw.Q cwr t Jdem3 nerM ersrsw*w . .a %,,% *, The axial position of shutdown and regulating CEAs is , indicated by two separate and independent systems, which are ' the Plant Computer CEA Position Indication System and the Reed Switch Position Indication. System. , The Plant Computer CEA Position Indication System counts the comands sent to the CEA gripper coils from the CEDMCS that
> moves the CEAs. There is one step counter for each group of CEAs. Individual CEAs in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group.
The Plant Computer CEA Position .Ind.ication Syster is consideredhighlyprecise( one step or t 4 inch). If a CEA does not move one step for each comand signal, the step counter will still count the command and incorrectly reflect the position of the CEA. ; q The Reed Switch Position Indication System provides a highly s) accurate indication of actual CEA position, but at a lower precision than the step counters. This system is 4eeed-e# y.g: ;; ..., ; _17..,, <.- a series of reed switches spaced along a tube with a center to center distance of 1.5 inches, which is two steps.- To increase the reliability of the system, there are redundant reed switches at each position. APPLICIBLE CEA misalignment accidents are analyzed in the safety ' l SAFETY ANALYSES analysis (Ref. 3). 'The accident analysis defines CEA misoperation as any event, with the exception of sequential j
' ,. group withdrawals, which could result from a single !
- malfunction in the reactivity control systems. For example, l
' CEA misalignment may be caused by a malfunction of the CEDM, CEDMCS, or by operator error. A stuck CEA may be caused by mechanical jaming of the CEA fingers or of the gripper.
Inadvertent withdrawal of a single CEA may be caused by I'
- - -- < a. .s. m
- -g g 7; f f e; r u mg ;;g l @fr : 7. : : ..,2 : ;; . . '.c ;.4% "'.. A dropped CEA Q
- 5*agle. M6nst'ow of t% CEDtics er by L Ofsu der ArYer
~ '
(continued) i SAN ONOFRE--UNIT 2- B 3.1-23 AMENDMENT NO. , l
CEA Alignment B 3.1.5 I BASES O i APPLICABLE subgroup could be caused by an electrical failure in the CEA r SAFETY ANALYSES coil power programers. (continued) The acceptance criteria for addressing CEA inoperability or misalignment are that: ;
- a. There shall be no violations of:
- 1. specified acceptable fuel design limits, or
- 2. Reactor Coolant System (RCS) pressure boundary ,
integrity; and i
- b. The core must remain subcritical after accident transients.
Three types of misalignment are distinguished. During movement of a group, one CEA may stop moving while the other CEAs in the group continue. This condition may cause excessive power peaking. The second type of misalignment occurs if one CEA fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to detemine that sufficient reactivity worth is , held in the remaining CEAs to meet the SDM reauiraman+ u th the maximum worth CEA stuck fully withdrawnFIf a CEA is g g}* ' stuck in the fully withdrawn position, its worth is added to the SDM requirement, since the safety analysis does not take two stuck CEAs into account. The third type of misalignment occurs when one CEA drops partially or fully into the reactor core. This event causes an initial power reduction followed 'oy a return towards the original power due to positive reactivity feedback from the negative moderator temperature coefficient. Increased peaking during the power increase may result in excessive local linear heat rates (LHRs). _ _rr_r_ Another type of misalignment occurs if one CEA fails to , insert upon a reactor trip and remains stuck fully , withdrawn. This condition is assumed in the evaluati.on to determine that the required SDM is met with the maximum worth CEA also fully withdrawn (Ref. 5). m
~ ~
m (continued) SAN ONOFRE--UNIT 2 B 3.1-24 AMENDMENT NO. 4
CEA Alignment B 3.1.5 BASES t APPLICABLE The effect of any misoperated CEA on the core power SAFETY ANALYSES distribution will be assessed by the CEA calculators, and an (continued) approariately augmented power distribution penalty factor will )e supplied as input to the core protection calculators (CPCs). As the reactor core responds to the reactivity - changes caused by the misoperated CEA and the ensuing ' reactor coolant and Doppler feedback effects, the CPCs will initiate a' low DNBR or high local power density trip signal if specified acceptable fuel de:;ign limits (SAFDLs) are ' approached.
.Since the CEA drop incidents result in the most rapid :
. approach to SAFDLs caused by a CEA misoperation, the accident analysis analyzed a single full length CEA drop, a single part length CEA drop, and a part length CEA subgroup drop. The most rapid approach to the DNBR SAFDL may be caused by either a single full length drop or a part length 1 CEA subgroup drop depending upon initial conditions. The most rapid approach to the fuel centerline melt SAFDL.is caused by a single part length CEA drop.
In the case of the full length CEA drop, a prompt decrease in core average power and a distortion in radial power are -)
- initially producea, which when conservatively coupled result in local power and heat flux increases, and a decrease 'n DNBR. For plant operation within the DNBR and local power density (LPD) LCOs, DNBR and LPD trips can nonnally be avoided on a dropped CEA.
For a part length CEA subgroup drop, a distortion in power distribution, and a decrease in core power are produced. As the dropped part length CEA subgro is detected, an appropriate power distribution pen ty bythe CPCs, and a reactor trip signal on, fac low DNBRM6 moy 44 1 i generated. For the part length CEA drop, both core average ; power and three dimensional peak to average power' density increase promptly. As the dropped part length CEA is detected, core power and an appropriately augmented power distribution penalty factor are supplied to the CPCs. l l l (continued) j U ! SAN ONOFRE--UNIT 2 B 3.1-25 AMENDMENT NO. l
)
CEA Alignment l B 3.1.5 l BASES (continued) i ACTIONS A.I. A.2.1. A.2.2. A.3.1. a A.3.2. B.l, 6.*2..L D.1.1, anch M A CEA may become misaligned, yet remain trippable. In this condition, the CEA can still perfom its required function i of adding negative reactivity should a reactor trip be necessary. ' If one or more regulating CEAs are misaligned by 7 inches but trippable, continued operation in MODES 1 and 2 may l continue, provided, within 1 hour, the power is reduced in accordance with Figure 3.1.531, and SDM is t 5.15% Ak/k, and within2hoursthemisalignedCEA(s)isalignedwithin . 7 inches of its group or the misaligned CEA's aligned within 7 inches of the misaligned s). CEA(group is - Xenon redistribution in the core starts to occur as soon as a CEA becomes misaligned. Reducing THERMAL POWER in accordance with " r - ? l f ' 9a +b- ::::;.r.,:..,i0)'4ks,CQG ensures acceptable power distributions are maintained (Ref. 6). For small misalignments (< 7 inches) of.28CEAd there is: 4
- a. A small effect on the time dependent long tem power a distributions relative to those used in generating
_) LCOs and limiting safety system settings (LSSS) setpoints;
- b. A small effect on the available SDM; and
- c. A small effect on the ejected CEA worth used in the accident analysis.
WithalargeCEAmisalignment(a7 inches),howeve*,this misalignment would cause distortion of the core power distribution. This distortion may, in turn, have a significant effect on:
- a. The available SOM; -
- b. The time dependent, long term power distributions relative to those used in generating LCOs and LSSS setpoints; and
- c. The ejected CEA worth used in the accident analysis.
l (continued) Q SAN ONOFRE--UNIT 2 B 3.1-27 AMENDMENT NO. l
CEA Alignment l B 3.1.5 . 1
)
BASES 3 . b s . t .e, o . a .a., s a s. 3 m ACTIONS A.I. A.2.1. A.2.2. A.3.1. JW6 A.3.2, (continued) - Therefore, this condition is limited to the single CEA misalignment, while still allowing 2 hours for recovery. j In both cases, a 2 hour time period is sufficient to: j
- a. Identify cause of a misaligned CEA; {
- b. Take appropriate corrective action to realign the ]
CEAs; and
'c. Minimize the effects of xenon redistribution.
.i In this condition, an additional allowance must be made for i the worth of the affected CEA when calculating the available ;
SDN. With one or more misaligned CEAs, SDM must be verified for CEAs at the existing nonaligned, positions.. SDM is I calculated by performing a react ~ivity balance calculation according to procedure, considering the listed effects in : SR 3.1.1.1.. This is necessary since the OPERABLE CEAs must , still meet the single failure criterion. If additional I negative reactivity it required to provide the' necessary , SDM, it must be provided by increasing the RCS boron concentration. One hour allows sufficient time to perform : the SDN calculation and make any required boron adjustment ! to the RCS. : B.1. B.2.1. B.2.2. and B.3 [ If one or more shutdown CEAs are misaligned by > 7 inches ] but trippable, continued operation in MODES 1 and 2 may ; continue, provided, within 1 hour, the power is reduced in , accordance with Figure 3.1.5-1, and SDM is a 5.15% Ak/k, and within2hoursthemisalignedCEA(s)isalignedwithin
- 7. inches of its group. ,
C.1. C.2.1. and C.2.2 -l
.If one or more part length 'CEAs are misaligned by > 7 inches l continued operation in MODES 1 and 2 may continue, provided ;
power is reduced in accordance with the appropriate figure l I within1 hour,andwithin2hoursthemisalignedCEA(s)is- j
. (continued)
SAN ONOFRE--UNIT 2 B 3.1-28 AMENDMENT NO. i
)
c _ . . _ . . . _ __ CEA Alignment B 3.1.5 BASES O ACTIONS C.I. C.2.1. and C.2.2 (continued
. restored to within 7 inches of its group, or the misaligned CEA's group is aligned within 7 inches of the misaligned CEA.
A ough a part length CEA has less of an effect on core flux than a~ full length CEA, a misaligned part length CEA will still result in xenon redistribution and affect core power distribution. Requiring realignment within 2 hours minimizes these effects and ensures acceptable power distribution is maintained.
'D.1 The ACTION statements applicable to inoperable CEA position indicators pemit continued operatipns when the positions of CEAs with inoperable position indicators can be verified by-the " Full In" or " Full Out" limits: Setting the "RSPT/CEAC Inoperable" addressable constant in the CPCs to indicate to the CPCs that one or both of the CEACs is inoperable does not necessarily constitute the inoperability of the RSPT rod indications from the respective CEAC. Operability of the ")
CEAC rod indications is detemined from the nomal surveillance. y or NW N SW f If a Required Action or associated Completion Time of Condition A, Condition B, Condition C or Condition D is not met, one regulating or shutdown CEA is untrippable, or more
. than one full length 0CEA misaligned, the unit is required to
. be brought to MODE 3. By being brought to MODE.3, the unit is brought outside its MODE of applicability.
When a Required Action cannot be completed w'ithin the required Completion Time, a controlled shutdown should be connenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems. If a CEA.is untrippable, it is not available for reactivity insertion during a reactor trip. With an untrippable CEA,
. . (continued)
Q SAN ONOFRE--UNIT 2 B 3.1-29 AMENDMENT NO.
CEA Alignment B 3.1.5 BASES
,O ACTIONS LJ. (continued) meeting the insertion limits of LCO 3.1.6, " Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7,
" Regulating Control Element Assembly (CEA) Insertion Limits," does not ensure that adequate SDM exists.
Therefore, the plant must be~ shut down in order to evaluate the SDM required boron concentration and power level for critical operation. Continued operation is not allowed in.the case of more than one CEA(s) misaligned from any other CEA in its group by
> 7 inches, or with one full length C untrippable. This ,
.is because these cases are 'indicative of a '.;; ;' ::" .. Jc% l
' power distribution. W ='a~ - ' ~ ' " ' - -
*^7--t '" ';f oun.de, we, n.+id caed Mens 4ssumaJ in
%e. s48'e,*y awklysis .
~
SURVEILLANCE SR 3.1.5.1 REQUIREMENTS Verification that individual CEA positions are within 7 inches (indicated reed switch positions) of all other CEAs in the group at a 12 hour Frequency allows the operator to detect a CEA that is beginning to deviate from its expected j position. The specified Frequency takes into account other CEA position information that is continuously available to~ the operator in the control room, so that during actual CEA motion, deviations can imediately be detected. SR 3.1.5.2 OPERABILITY of at least two CEA position indicator channels is required to determine CEA positions, and thereby ensure compliance with the CEA alignment and insertion limits. The CEA full in and full out limits provide an additional independent means for detemining the CEA positions when the CEAs are at either their fully inserted or fully withdrawn positions. SR 3.1.5.3 Verifying each full length CEA is trippable would require that each CEA be tripped. In MODES 1 and 2 tripping each-(continued) SAN ONOFRE--UNIT 2 B 3.1-30 AMENDMENT NO. b
Shutdown CEA Insertion Limits B 3.1.6 l B 3.1 REACTIVITY CONTROL SYSTEMS
.B 3.1.6 Shutdown Control Element Assembly (CEA) Insertion Limits BASES BACKGROUND The insertion limits of the shutdown CEAs are initial assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions and assumptions of available SDN, ejected CEA worth, and initial reactivity insertion rate.
The ap)licable criteria for these reactivity and power distri)ution design requirements are 10 CFR 50, Appendix A,
'GDC 10. " Reactor Design," and GDC 26, " Reactivity Limits" (Ref.1), and 10 CFR 50.46, " Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power.
Reactors" (Ref. 2). Limits on shutdown CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the reactivity limits, ejected CEA worth, and SDM limits are preserved. The shutdown CEAs are arranged into groups that are radially symmetric. Therefore, movement of the shutdown CEAs does not introduce radial asymetries in the core powe.r distribution. The shutdown and regulating CEAs provide the required reactivity worth for imediate reactor shutdown upon a reactor trip. The design calculations are performed with the assumption that the shutdown CEAs are withdrawn prior to the regulating CEAS. The shutdown CEAs can be fully withdrawn without the coregoingcritical. This_provides available negative
. reactivity for SDM in the event of boration errors. The shutdown CEAs are controlled manually r :"'-t'::??fby the control room operator. During nomal unit operation, the shutdown CEAs are fully withdrawn. The shutdown CEAs must be completely withdrawn from the core prior to -
withdrawing regulating CEAs during an approach to criticality. The shutdown CEAs are then left in this position until receipt of a reactor trip signal and they are inserted into the reactor core to add negative reactivity and shutdown the reactor. 9 (continued) J B 3.1-34 AMENDMENT NO. SAN ONOFRE--UNIT 2
Regulating CEA Insertion Limits B 3.1.7 > 3 B 3.1 REACTIVITY CONTROL SYSTEMS O B 3.1.7 Regulating Control Element Assembly (CEA) Insertion Limits- , BASES BACKGROUND The insertion limits of the regulating CEAs are initial ' assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions, assumptions of available SDM, and initial reactivity insertion rate. The applicable criteria-for these reactivity and power distribution design , requirements are 10 CFR 50, Appendix A, GDC 10 " Reactor Design," and GDC 26, " Reactivity Limits" (Ref.1), and 10 CFR 50.46, " Acceptance Criteria for Emergency Core Cooling) (Ref. 2 . Systems for Light Water Nuclear Power React , Limits on regulating CEA insertion have been established, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking, ejected CEA worth, reactivity insertion rate, and SDM limits are preserved. q s - The regulating CEA groups operate with a predetermined amount of position overlap, in order to approximate a linear relation between CEA worth and position '... Q J C '* b.4. The regulating CEA groups are withdrawn and operate in a predetermined sequence. Specification 3.1.7 and the ,y. ' core protection calculato will not pennitTGroup 5)to be 9
""**M
. inserted more than6 Group The group sequence and overlap limits are specified in t e COLR.
[ sc3. growP (e.,ss,: The regulating CEAs are used for precise reactivity control of the reactor. The positions of the regulating CEAs are manually controlled. They are capable of addin very quickly (compared to borating or diluting)g reac The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10CFR50.46(Ref.2). Together, LCO 3.1.7; LCO 3.2.4,
" Departure from Nucleate Boiling Ratio (DNBR)"; and LCO3.2.5,"AXIALSHAPEINDEX(ASI),"providelimitson control component operation and on monitored process variables to ensure the core operates within LCO 3.2.1, (continued) b AMENDMENT NO.
SAN ONOFRE--UNIT 2 B 3.1-39
Regulating CEA Znsertion Limits B 3.1.7 BASES
- q. ,
increased power peaking and corresponding increased local APPLICABLE SAFETY ANALYSES LHRs. (continued) The SDM requirement is ensured by limiting the regulating and shutdown CEA insertion limits, so that the allowable inserted worth of the CEAs is such that sufficient
;eactivity is available in the CEAs to shut down the reactor to hot zero aower with a reactivity margin that assumes the maximum wort 1 CEA remains fully withdrawn upon trip (Ref.4).
p we Operation at the insertion limits or ASI may approach th. maximum allowable linear heat generation rate or peaking
' factor, with the allowed To present. Operation at the insertion limit may also indicate the maximum ejected CEA worth could be equal to the limiting value in fuel cycles *5 that have sufficientlyhigh e x ejected CEA worths. ' ^ -
na - m The regulating and shutdown CEA insertion limits ensure that safety analyses assumptions for reactivity insertion rate, SDM, ejected CEA worth, and power distribution peaking factors are preserved (Ref. 5). The regulating CEA insertion limits satisfy Criterion 2 of the NRC Policy Statement. The limits on regulating CEA sequence, r " and physical LCd insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected CEA worth is maintained, and ensuring adequate negative reactivity insertion on trip. The overlap between regulating banks arovides more uniform rates of reactivity insertion and wit 1drawal.ixl:L : W a.J LC ...a -it -:; .o..O.g m n+- t p ; nt':; t '.,. g .m..3 The power delendent insertion limit (PDIL) alarm circ 0it is required to )e OPERABLE for notification that the CEAs are outside the required insertion limits. When the PDIL alarm circuit is inoperable, the verification of CEA positions is increased to ensure improper CEA alignment is identified before unacceptable flux distribution occurs, e**rkf ef tks. P,g wte/in 3 e3roups e m y 6s 3 8asetsssk,trwi M <%:r<k m owss.of resets +Q r' a#'s. Scour Sensw+w fieJ. W *M msh N% continued) t l B 3.1-42 AMENDMENT NO. SAN ONOFRE--UNIT 2 i
Regulating CEA Insertion Licits B 3.1.7 i l g BASES (continued) l APPLICABILITY The regulating CEA sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2. These limits must be maintained, since the preserve the assumed power distribution, ejected CEA wort , DM M p :t' :.7 . A : . m . , ; ;, . assumptions. Applicability in MODES 3, 4, and 5 is not required, since neither the )ower distribution nor ejected CEA worth assumptions would se , exceeded in these MODES. SDM is preserved in MODES 3, 4, and 5 by adjustments to the soluble boron concentration. This LCO is modified by a Note indicating the LCO requirement is suspended during SR 3.1.5.3. This SR
. verifies the freedom of the CEAs to move, and requires the regulating CEAs to move below the LCO limits, which would normally violate the LCO.
~
ACTIONS A.1.1. A.1.2. A.2.1. and A.2.2 Operation beyond the transient insertion limit may result in a loss of SDM and excessive peaking factors. If the regulating CEA insertion limits are not met, then SDM must be verified by perfonning a reactivity balance calculation, (') considering the listed reactivity effects in Bases Section SR 3.1.1.1. One hour is sufficient time for conducting the calculation and comencing boration if tha SDM is not within limits. The transient insertion Jimit shoeld not >e violated during normal operatiorf,t: 2%n( f) wever, vaQMs
,may occur during transients when the operator is manually controlling the CEAs in response to changing plant conditions. When the . regulating groups are inserted beyond the transient insertion limits, action be taken .to either withdraw the rega)ating groups the limits or to reduce THERKAL POWER to less than or equal to that allowed for the actual CEA insertion limit. Two hours provides a reasonable time to accomplish this, allowing the operator to deal with current plant conditions while limiting peaking factors to acceptable levels.
B.1 and B.2 If the CEAs are inserted between the long term steady state insertion limits /the transient insertion limits for and . (continued) O B 3.1-43 AMENDMENT NO. SAN ONOFRE--UNIT 2
Regulating CEA Insertion Limits B 3.1.7 BASES ,] ACTIONS B.1 and B.2 (continued) intervals > 4 hours per 24 hour period, - ' "- -St := d y -+-t:
.x,.... __ _,. . _ d 4 peakin L:'candevelop that are of immediate concern (Ref. 6)g factors .
Additionally, since the CEAs can be in this condition without misalignment, penalty factors are not 4.. .. ,a i#9 W.J by the core protection calculators to compensate for the developing peaking factors. Verifying the short term steady state insertion limits are not exceeded ensures that the peaking factors that do develop are within those allowed for continued operation. Fifteen minutes provides adequate time for the operator to verify if the short term steady state insertion limits are exceeded. Experience has shown that rapid power increases in areas of the core, in which the flux has been depressed, can result in fuel damage as the LHR in those areas rapidly increases. Restricting the rate of THERMAL POWER increases to 5 5% RTP per hour, following CEA insertion beyond the long term. steady state insertion limits, ensures the power transients experienced by the fuel will not result in fuel failure (Ref.7). c.1 With the regulating CEAs inserted between the long term f.c VM <teady' state insertion limit and the transient insertion limitP =d 't' : :: : :;; :: '~r; th: 5 effective full p( power days (EFPD) per 30 EFPD, o914 EFPD per 365 EFPD iimi a , sc wiu -. - :- - ~ r' : "-i t: ;!:::f :: /
" flux patterns outside those assumed in the g b g r -- burnup long tem assumptions. In this case, the CEAs must be returned to within the long tem steady state insertion
' limits, or the core must be placed in a condition in which the abnormal fuel burnup cannot continue. A Completion Time of 2 hours is a reasonable time to return the CEAs to within the long term steady state insertion limits.
The required Completion Time of 2 hours from initial discovery of a regulating CEA group outs.de i the limits until its restoration to within the long tem steady state limits, shown on the figures in the COLR, allows sufficient time for (continued) J SAN ONOFRE--UNIT 2 B 3.1-44 AMENDMENT NO.
]
Regulating CEA Insertion Limits { B 3.1.7 BASES O . l ACTIONS .qd (continued) gppp
- borated water to enter e Reactor Coolant System from the l chemical addition and eup systems, and to cause the i regulating CEAs to wit draw to the acce) table region. It is reasonable to continu operation for 2 ,1ours after it is discovered that the 5 or 14. dest EFPD limit has been exceeded. This Completion Time is based on limiting the potential xenon redistribution, the low probability of an accident, and the steps required to complete the action.
D.1.1. 0.1.2. D.2.1. and 0.2.2 If the regulating CEA insertion limits are not met, then SOM must be verified by performing a reactivity balance calculation, considering the effects in SR 3.1.1.1 bases. r One hour is sufficient time for conducting the calculation and commencing boration if the SDM'is not within limits. With the Core Operating Limit Supervisory System out of service, operation beyond the short tenn steady state insertion limits can result in peaking factors that could approach the DNB or local power density trip setpoints.
) Eliminating this condition within 2 hours limits the magnitude of the peaking factors to acceptable levels.
(Ref.8). Restoring the CEAs to within the limit or reducing THERMAL POWER to that- fraction of RTP that is allowed by CEA group position, using the limits specified in the COLR, ensures acceptable peaking factors are maintained. Ed With the PDIL circuit inoperable, performing SR 3.1.7.1 within 1 hour and every 4 hours.thereafter ensures improper CEA alignments are identified before unacceptable . flux distributions occur. f.d i When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be comenced. The allowed Completion Time of 6 hours is (continued) h SAN ONOFRE--UNIT 2 B 3.1-45 AMENDHENT NO. ;
Part Length CEA Insertion Lisits B 3.1.8 8 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Part length Control Element Assembly (CEA) Insertion Limits BASES BACKGROUND The insertion limits of the part length CEAs are initial assumptions in all safety analyses. The insertion limits directly affect core power distributions. The applicable criteria for these power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, " Reactor Design" (Ref.1), and 10 CFR 50.46, " Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Plants" (Ref. 2). Limits on part length CEA insertion have been established, and all CEA positions are monitored and controlled during power operattori to ensure that the power distribution defined by the design power peaking limits is preserved. g yp pee i m th The n;u':tMCEAs are used for. precis reactivity control of the reactor. The positions of the re;r ht N CEAs are manually controlled. They are capable of addin very quickly (compared to borating or diluting)g reactivity The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteri specified in 10 CFR 50.46 (Ref. 2). Together, LCO 3.1. "t;_' J,./ M % W Control Element Assembly (CEA) Insertion L mits"; 44MHP@repr LCO 3.2.4, " Departure From Nucleate Boiling Ratio (DNBR)"; and LC0 3.2.5, " AXIAL SHAPE INDEX (ASI)," provide limits on control component operation and on monitored process variables to ensure the core operates within the linear heat rate (LHR) (LCO 3.2.1, " Linear Heat Rate (LHR)"); planar l
' peaking factorand Factors (F,y)"); (F,y) LCO 3.2.4 limits in the COLR.(LC0 3.2.2, " Plan' Operation within the limits given in "'; n 2 : Tofthe COLR prevents power peaks that would exceed the loss of 7' coolant accident (LOCA) limits derived by the Emergency Core f Cooling Systems analjsis. Operation within the F,y and
- departure from nucleate boiling (DNB) limits given in th'e COLR prevents DNB during a loss of forced reactor coolant flow accident. .
I The establishment of limiting safety system settings and ! LCOs requires that the expected long and short tenn behavior (continued) l
. v SAN ON0FRE--UNIT 2 B 3.1-48 AMENDMENT N0.
Part length CEA Insertion Limits B 3.1.8 BASES APPLICABLE d. The CEAs must be capable of shutting down the reactor SAFETY ANALYSES with a minimum required SDH, with the highest worth CEA stuck fully withdrawn, GOC 26 (Ref. 1). (continued) Regulating CEA position, part length CEA position, ASI, and T, are process variables that together characterize and control the three dimensional power distribution of the
. reactor core.
Fuel cladding damage does not occur when the core is i operated outside these LCOs during normal operation. However, fuel cladding damage could result, should an accident occur with simultaneous violation of one or more of these LCOs. Changes in the power distribution can cause Th P%rt'194 CEA Cse rtion leh,'rs $reasedpowerpeakingandcorrespondingincreasedlocal G o s is r e . 4 A g e 5 4 ( a + y g, n*h5cs assadeph ->The-eegtdeth CEA insertiorilimituatisfy friterioA 2_of _ g the NRC )olicy 2ateme'ntdTh'e ~part'leTngTh TErs Trer rFqta rsd' for opma CE.A dile to' tie jiotenfial'pieak'ing factor violations that could w 4 y power. - occur if part length CEAs exceed insertion limits. 4kmgu%n y n gy .p'- Q ,sses ser. pressrv . LC0 The limits on part length CEA insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution / ami t.osorah rW qwM CtM sorA. as enamte,'ns) <tl *~ hmds . APPLICABILITY- The part length insertion limits shall be' maintained with the reactor in H0DE 1 > 20% RTP. These limits must be maintained, since they preserve the assumed power
,, ze,%e.J distributior$ j ApplicabilityqnlowerH0DESisnotrequired, g s ince the power distribution g umptions would not beWow 2A% B.TP %
exceeded in these MODES. fr. . 4 I '"' D *4e p This' LCO has been modified by a Note suspending the LC0 requirement while exercising part' length CEAs. Exercising g& ' . part length CEAs may require moving them outside their' W insertion limits. 4 (continued) a 8 3.1-50 AMENDHENT NO. SAN ONOFRE--UNIT 2
Boration Systems - Operating B 3.1.9 8 3.1 REACTIVITY CONTROL SYSTEM 7' B 3.1.9 Boration Systems - Operating BASES
=
The boron injection system ensures that negative reactivity control is i d to available during each mode of facility operation. The com chargingpumps,3) perform this function include 1) borated water sources, 2)pone separate flow paths, 4) boric acid makeup pumps, and 5) an emergency power , supply from OPERABLE diesel generators. , With the RCS average temperature above 200*F, a minimum of two separate anc redundant boron injection systems are provided to ensure single functional
~
capability the event an assumed failure renders one of the systems inoperable Allowable out-of-service periods ensure that minor component repair or corrective action may be completed without undue risk to overall facility safety from in.iection system failures during the repair oeriod. The boration capability of'either system is sufficient to provide a SHUTDOWN MARGIN from expected operating conditions of 3.0%-delta k/k after xenon decay The maximum expected boration capability requirements and cooldown to 200*F. occurs at EOL from full power equilibrium xenon conditions and requires boric acid solution from the boric acid makeup tanks in the allowable concentration and volumes of Specification 3.1.9 plus approximately 13,000 gallons of 2350 m ppm borated water from the refueling water tank or approximately 26,000 gallons of.2350 ppm borated water from the refueling water tank alone. < > With the RCS temperature below 200*F one injection system is acceptable without single failure consideration on the basis of the stable reactiv ty condition of the reactor and the additional' restrictions prohibiting CORE ALTERATIONS and positive reactivity changes in the event the single injectio system becomes inoperable. The boron capability-required below 200*F is based upoIproviding'a 3% delt This . K/k SHUTDOWN MARGIN after xenon decay and cooldown from 200*F to 140*F. ! condition requires 4150 gallons of 2350 ppm borated water from either the efueling water tank or boric acid solution from a boric acid makeup' tank. The water volume limits are saecified relative to the top of the hig est ! suction connection to the tanc. (Water volume below this datum is not , considered recoverable for purposes of this specification.) Vortexing, 1 internal structures and instrument error are considered in determining the tank level correspondi,ng to the specified water volume limits. (continued)
~
l l l B 3.1-53 AMENDMENT N0. SAN ON0FRE--UNIT 2 !
-- _ j
Boration Systems - Operating B 3.1.9 l BASES (continued)
,v,=n_, fv The OPERABILITY of one boron injection system during REFUELING ensures th this system is available for reactivity control while in MODE 6.
The limits on water volume and boron concentration of the RWST also ensure a pH value greater than 7.0 for the solution recirculated within containment after a LOCA. This pH minimizes the effect of chloride and caustic stress l corrosion on mechanical systems'and components. The maximum RWST volume is not specified since analysis of pH limits and containment flooding post-LOCA considered RWST overflow conditions. i
~
AMENDHENT NO. s SAN ONOFRE--UNIT 2 B 3.1-54
)
Boration Systems - Shutdown i 8 3.1.10 l B 3.1 REACTIVITY CONTROL SYSTEM
- q. .
~
B 3.1.10 Boration Systems - Shutdown 1 i BASES , The boron injection system ensures that negative reactivity control is i ed to l The com t charging pumps, 3)- available during each mode of facility operation. perform this fu separate flow paths, 4) boric acid makeup pumps, and 5) an emergency power supply from OPERABLE diesel generators. ' With the RCS average temperature above 200'F, a minimum of two separate arid redundant boron injection systems are provided to ensure single functional capability the event an assumed failure renders one of the systems inoperable. Allowable out-of-service periods ensure that minor component repair or corrective action may be completed without undue risk to overall facility ' safety from injection system failures during the repair period. The boration capability of either system is sufficien't to provide a SHUTDOWN MARGIN from expected operating conditions of 3.0% delta k/k after xenon decay- ; The maximum expected boration capability requirements and cooldown to 200*F. occurs at EOL from full power equilibrium xenon conditions and requires boric , acid solution from the boric acid makeup tanks in the allowable concentration and volumes of Specification 3.1.9 plus approximately 13,000 gallons of 2350 ppm borated water from the refueling water tank or approximately 26,000 gallons of 2350 ppm borated water from the refueling water tank alone. With the RCS temperature below 200*F one injection system is acceptable without single failure consideration on the basis of the stable reactivity. condition of the reactor and the additional restrictions prohibiting CORE ALTERATIONS and positive reactivity changes in the event the single injection system becomes inoperable., 'v/hu MMi posiwk revMvity sgu tsmpemwrt &csweens de not nas4 h t, ensidsrs d . The boron capability required below 200*F is base upon provicing a 3% delta This X/k SHUTDOWN MARGIN after xenon decay and cooldown from 200*F to 140*F. condition requires 4150 gallons of 2350 ppm borated water from either the refueling wa tank or ric ac d solution from a boric acid makeup tank. The water volume 1 mits are specifie relative to the top of the highest l suction connection to the tank. (Water volume below this datum is not considered recoverable for purposes of this specification.) Vortexing, . l internal structures and instrument error are considered in detemining the
~ tank level corresponding to'the specified water volume limits.
_~ (continued) ]
~
B 3.1-55 AMENDMENT NO. SAN ONOFRE--UNIT 2 f l l 1
Borated Water Sources - Shutdown B 3.1.11 l B 3.1 REACTIVITY CONTROL SYSTEM e B 3.1.11 Borated Water Sources - Shutdown i BASES ! l The boron injection system ensures that negative reactivity control is ts required to , The com charging pumps, 3) j available during each mode of facility operation. perform this fu separate flow paths, 4) boric acid makeup pumps, and %0 an emergency power supply from OPERABLE diesel generators. a minimum of two separate and 1 With the RCS average temperature above 20 *F, ' redundant boron injection systems are provided to ensure single functional capability the event an assumed failure renders one of the systems inoperable. Allowable out-of-service periods ensure that minor component repair or corrective action may be' completed without undue risk to overall facility safety from injection system failures during the repair
.. period.
e The boration capability of either system is sufficien't to provide a SHUTDOWN MARGIN from expected operating conditions of'3.0% delta k/k after xenon decay-The maximum expected boration capability requirement and cooldown to 200 F. occurs at EOL from full power equilibrium xenon conditions and requires boric g acid solution from the boric acid makeup tanks in the allowable concentrat y and volumes of Specification 3.1.11 plus approximately 13,000 gallons of 23 ppm borated water from the refueling water tank or approximately 26,000 gallons of 2350 ppm borated water from the refueling water tank alone. With the RCS temperature below 200*F one inject on system is acceptable without single failure consideration on the basis of the stable reactivity condition of the reactor and the additional restrictions prohibiting CORE ALTERATIONS and positive reactivity changes in the event the single injection system becomes inoperable. The boron capability required below 200*F is based upon providing a 3% delta This K/k SHUTDOWN MARGIN after xenon decay and cooldown from 200*F to 140*F. condition requires 4150 gallons of 2350 ppm borated water from either the refueling water tank or boric acid solution from a boric acid makeup tank. The. water volume limits are saecified relative to the top of the highest - suction connection to the tanc. (Water volume below this datum is not considered recoverable for purposes of this specification.) Vortexing, ; internal structures and instrument error are considered in determining the l tank level corresponding to the specified water volume limits. 06 esguire) wora,, o4 f.,mt berated e Pesahc rescwh s on e4 -t e " fr **fvr%
% *s u s. sosp.,ng.J ,,,% ,r c,,,,
4Lsawts'g. .- -
~
(continued)'l.
./ AMENDHENT NO.
SAN ONOFRE--UNIT 2 B 3.1-57
Borated Water Sources - Shutdown B 3.1.11 BASES (continued) _ The OPERABILITY of one boron injection system during REFUELING ensures that this system is available for reactivity control while in MODE 6. v v v - , d The limits pH value onthan greater water 7.0 forvolume and the solution boronwithin recirculated concentration containment of the RWS after a LOCA. This pH mir.in,izer the effect of chloride and caustic stress corrosion on mechanical systems and components. The maximum RWST volume is not specified since analysis of pH limits and containment flooding
-A post-LOCA
- A w condi 9
e 4 AMENDMENT NO. SAN ONOFRE--UNIT 2 B 3.1-58
STE-HCOES 2 ano 3 s -B 3.1.12 $' g t 1 BASES -: core are consistent with the design predictions and that the core can be operated as designed (Ref. 4). PHYSICS TESTS 1rocedures are written and approved in i accordance witn established formats. The procedures include all information necessary to permit a detailed execution of testing required to ensure that the design intent is met. PHYSICS TESTS are perfonned in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worths, reactivity coefficients, - flux symetry, and core power distribution. It is acceptable to suspend certain LCOs for PHYSICS ' : .-TESTS
- .' o n , ~ l APPLICABLE ': --- =^+ -v aadad SAFETY ANALYSES because ?" ' d'-':^ ' --^ n',0^;7 L.: 1,4 ~ ".~, a'r ip *:".4 + .'!ES
. 4 .... .'!S'S . ".. A u_-. -
,,.... s.a <. . . . . '
A (ed$ pe44 iimits on piwe 'i:t.: M i d and 5 td E ~ ' capability are maintaine during tued PHYSICS TESTS. Reference 5 defines the requirements for initial testing of ' - the facility, including PHYSICS TESTS. Requirements for ' reload fuel cycle PHYSICS TESTS are. defined in PHYSICS TESTS for reload ANSI /ANS-19.6.1-1985 (Ref. 4) . fuel cycles are given in Table 1 of ANSI /ANS-19.6.1-1985. Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as l the fuel design criteria are not violated. As long as the ' linear heat rate (LHR) remains within its limit, fuel design criteria are preserved. In this test, the following LCOs are suspended:
- a. LCO 3.1.1, " SHUTDOWN MARGIN (SDM)-Tm > 200'F"; and LCO3.1.4,"ModeratorTemperatureCoefficient(MTC)"; j b.
- c. LCO 3.1.5, " Control Element Assembly (CEA) Alignment";
i
- d. LCO 3.1.6, " Shutdown Control Element Assembly (CEA)
Insertion Limits"; 4 AMENDMENT N0. J; SAN ONOFRE--UNIT 2 B 3.1-60
-- ~, -_, , , _
1 l STE-MODES 2 and 3 1 B 3.1.12 l O BASES
- e. LC0 3.1.7, " Regulating Control Element Assemb.ly (CEA)
Insertion Limits."
- f. LCO 3.1.8, "Part length CEA Insertion Limits";
- g. LC0 3.3.1, "RPS Instrumentation - Operating," r Table 3.3.1-1, ALLOWABLE VALUE for FUNCTION 2 and footnote (d) for FUNCTIONS 14 and 15. ,
Therefore, this LCO places limits on the minimum amount of CEA worth required to be available for reactivity control when CEA worth measurements are perfonned. y TheindividualLCOscitedabovegovernSDM,CEAgrou/eight, insertion, and alignment and MTC. Additionally, they.COs f.h s LCc governing Reactor Coolant System (RCS) flow, reactof inlet temperature Te, and pressurizer pressure contribute to maintaining departure from nucleate boiling (DNB) parameter limits. The initial condition criteria for accidents sensitiv6 to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46,
" Acceptance Criteria for Emergency Core Cooling Systems for
-Light Water Nuclear Power Reactors" (Ref. 6). The criteria for the loss of forced reactor coolant flow accidents are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the ONB parameter limits preserves the loss of flow criteria.
SRs are conducted as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these SRs allows PHYSICS TESTS to be conducted without decreasing the margin of safety. Requiring that shutdown reactivity equivalent to at least the highest estimated CEA worth (of those CEAs actually J. withdrawn) be available for trip insertion from the OPERABLE y CEAs, provides a high degree of assurance that shutdown capability is maintained for the most challenging postulated Since LCO 3.1.1 is suspended,
,gccident, a stuck CEA.
ghowever,thereisnotthesamedegreeofassuranceduring this test that the reactor would always be shut down if the APPLICABLE highest worth CEA was stuck out and calculational SAFETY ANALYSIS
~ certainties or the estimated highest CEA worth was not as.
(continued) e cted (the single failure criterion is not met). Thi ituation is judged acceptable, however, because .
~
.-1~ - - m i . <, . 1 % ,,, 14 1 - " " The jy is she y gltSt$n b3gg g,y + $ h s
v
- a% m, m i, ,x e.
l B 3.1-61 AMENDMENT NO. SAN ONOFRE--UNIT 2 l I i 4 l
STE-MODES 2 and 3 ;
}
.. a;i BASES risk of experiencing a stuck CEA and subsequent criticality
- is reduced during this PHYSICS TEST exception by the requirements to determine CEA1lositions every72days drawn within hours; by to prior the trip of each CEA to be wit suspending the SDM; and by ensuring that shutdown reactivity 3 equivalent to the reactivity worth of the estimated highest worth withdrawn CEA (Ref. 5) is available every 2 hours.
l I PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total j planar radial peaking factor, total integrated radial j peaking factor, T,, andseaking) ASI, which represent initial to the accident analysis. q condition input (power l Also involved are the slutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR. .. PHYSICS TESTS meet the criteria for inclusion in the J Technical Specifications since the components and process variable LCOs suspended during PHYSICS TESTS meet Criteria 1, 2, and 3 of the NRC Policy Statement. . - , l f ' LCO This LCO provides that a minimum amount of CEA worth isim
' % 57J = : r r t t r t: are performed. This STE is required to permit the periodic verification of the actual versus predicted co.'e reactivity condition occurring as a result of fuel burnup or fuel cycling operations. The requirements of LCO3.1.1,LCO3.1.4,(LCO3.1.5,LCO3.1.6,LCO3.1.7,LCO 3.1.8, and LCO 3.3.1 Adjustment of 10-'% Bistable to 55% l and Adjustment of Hi Log Power Trip to 55%) may be ;
suspended. ; C \ APPLICABILITY This LCO is applicable in MODES 2 and 3. Although PHYSICS TESTS are conducted in MODE 2, sufficient negative reactivity is inserted during the performance of surveillanc,e 3.1.12.2 to result in temporary entry into MODE 3. Because the intent is to i'amediately return to [ ( AMENDHENT NO. SAN ONOFRE--UNIT 2 B 3.1-62 i
1 STE-MODES 2. and 3 ! B 3.1.12 Q BASES y m h vesrs
. MODE 2 to continue C" _. .:. ,,,- -> s..mnd, the STE allows i limited operation to 6 consecutive hours in MODE 3 as i indicated by the Note, without having to borate to meet the SDM requirements of LCO 3.1.1.
ACTIONS Ad With any CEA not fully inserted and less than the minimum
- required reactivity ecuivalent available for insertion, or ,
with all CEAs insertec and the reactor subcritical by less
-than the reactivity equivalent of the highest worth
' withdrawn CEA, restoration of the minimum SDM requirements >
must be accomplished by increasing the RCS boron concentration. The required Completion Time of 15 minutes for initiating boration allows the operator sufficient time to align the valves and start the boric acid pumps and is . consistent with the Completion Timd of LCO 3.1.1. SURVEILLANCE SR 3.1.12.1 REQUIREMENTS Verification of the sosition of each partially or fully withdrawn full lengt1 or part length CEA provides assurance that the CEAs are in the expected positions through the PHYSICS TESTS. A 2 hour Frequency is sufficient to verify that each CEA position is acceptable. SR 3.1.12.2 Prior demonstration that each CEA to be withdrawn from the core during PHYSICS TESTS is capable of full insertion, when tripped from at least a 50% withdrawn position, ensures that the CEA will insert on a trip signal. The 7 day Frequency b ensures that the CEAs are OPERABLE prior to reducing SDM to
.R less than the limits of LCO 3.1.1.
SURV LLLANCE SR 3.1.12.3 REQUI: EMENTS (con' 'inued) Verifying that the required shutdown reactivity equivalent
; of at least the highest estimated CEA worth (of those CEAs actually withdrawn) is available ensures that the shutdown capability is preserved. A 2 hour Frequency is sufficient to verify the appropriate acceptance criteria. ;
O SAN ONOFRE--UNIT 2 B 3.1-63 AMENDMENT NO.
STE-MODE 1 l n, 2 n l BASES core core canarebe consistent operated aswith the desig(n designed predictions a'nd that the Ref. 4). PHYSICS TESTS procedures are written and approved in BACKGROUND accordance with established formats. The procedures include (continued) all information necessary to permit a detailed execution of testing required to ensure that design intent is met. PHYSICS TESTS are perfo'rmed in accordance with these procedures and test results are approved prior to continued power escalation and long tenn power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worths, reactivity coefficients, flux symetry, and core power distribution. APPLICABLE It is acceptable to suspend certain. LCOs for PHYSICS TESTS ' SAFETY ANALYSES because ;l de.,-ge c itcri; ..= nu6 e w cuded.- L .. ;. ,rn f _2reiden+ nertire Aiirinn PHYRirR TFtTC wi+k One em7; B$g dL'ge"And, #'_'01 dam 89c- us s 6cs a o or c pr userveu uccouas dreg
; maintained during PHYSICS
*JJa.aadTESTS.
limitson "= $ntN " **dm
- Mm P**d w destrebet w .y c Reference 5 defines requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI /ANS-19.6.1-1985 (Ref.4). Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) remains within its limit, fuel design criteria are preserved.
During PHYSICS TESTS, the following LCOs may be suspended:
$ LCO 3.1.7, " Regulating Control Element Assembly (CEA) p: Insertion Limits (Fly)";
% LCO 3.1.8, "Part Length Control Element Assembly (CEA)
Insertion Limits"; !
~LCO LCO 3.2.2, 3.2.3, " Planar POWER
" AZIMUTHAL Radial Peaking (Factors";
TILT T )"; and LCO 3.2.5, " Axial Shape Index" .
\
e (continued) {m: l l B 3.1-66 AMENDMENT N0. l SAN ONOFRE--UNIT 2
- i
STE-H00E 1 B 3.1.13 BASES I APPLICABLE The safety analysis (Ref. 6) places limits on allowable i SAFETY ANALYSES THERMAL POWER during PHYSICS TESTS and requires that the LHR (continued) parameter be maintained within limits. The power plateau of l
- s 85% RTP ensures that LHR is maintained within acceptable limits.
The individual LCOs governing CEA groun Mf+I insertion h f.ignment, ASI, total planar radial peaking factor, Mate Ateg"+">2dia4-pe kN f::tes and Ta, preserve the LHR limits. Additionally, the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (Te), and pressurizer pressure contribute to maintaining DNB i
. parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved 4 by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, " Acceptance Criteri.a for Emergency Core Cooling)
(Ref. 7 . The Systems criteriafor forLight Water the lo'ss Nuc. reactor of forced lear Power Reactors coolant flow accident are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria. t During PHYSICS TESTS, one or more of the LCOs that normally preserve the LHR and DNB parameter limits may be suspended. The results of the accident analysis are not adversely impacted, however, if LHR is verified to be within its limit while the LCOs are suspended. Therefore, SRs are placed as necessary to ensure that LHR remains within its limit during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety. PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process variables. Among the process variables involved are total A. planar radial peaking factor, +:t:1 int:;"+" ed+e44'
;pding f::t:; T , and ASI, which represent initial
.. condition input (power peaking) to the accident analysis.
Also involved are th Wdniand regulating CEAs, which affect power peaking nd are required for shutdown of the reactor. The limit for these variables are specified for each fuel cycle in 1 he COLR. Per % (continued) C; SAN ONOFRE--UNIT 2 B 3.1-67 AMENDHENT NO. l l I l7 .. ., . . . . - . . . - . - . _ , _ _ , _ ___
SVE -MMt E B 3.1.13 BASES - 9 APPLICABLE PHYSICS TESTS meet the criteria for inclusion in the
. Technical Specifications, since the component and process SAFETY ANALYSES variable LCOs suspended during PHYSICS TESTS meet (continued) Criteria 1, 2, and 3 of the NRC Policy Statement, evp LCO This LCO pemits individual CEA# to be positioned outside of their nomal group heights and insertion limits during the performance of PHYSICS TESTS, such as those required to:
- a. Measure CEA worth; ,
'b . Detemine the reactor stability index and damping factor under xenon oscillation conditions;
- c. Detemine power distributions for rodded CEA configurations; ,
- d. Measure rod shadowing factors; and
- e. Measure temperature and oower coefficients.
TWwmmW Additionally, it pemits the center CEA to be misaligned during PHYSICS TESTS to detemine the isothermal temperature .- coefficien} (1TC), MTC, and powergefficient.
~
The requirements of LCO 3.1.7, LCO 3.1.8, LCO 3.2.2, , LCO 3.2.3, and LCO 3.2.5 may be suspended during the perfomance of PHYSICS TESTS provided:
- a. THERMAL POWER is restricted to test power plateau, which shall not exceed 8% RTP; and
- b. LHR does not exceed the limit specified in the COLR.
APPLICABIL This LCO is applicable in MODE 1 because the reactor must be
!; critical at various THERMAL POWER levels to perfom the
~" PHYSICS TESTS described in the LCO section. Limiting the test power plateau to 5 8% RTP ensures that LHR is maintained within. acceptable limits.
- . l (continued) .
B 3.1-68 AMENDMENT NO. U- I SAN ONOFRE--UNIT 2
B 3.1.13 p BASES (continued) ACTIONS A.1 If THERMAL POWER exceeds the test power plateau in MODE 1, 1 THERMAL POWER must be reduced to restore the additional thennal margin provided by the reduction. The 15 minute Completion Time ensures that prompt action shall be taken to reduce THERMAL POWER to within acceptable limits. B.1 If the LHR requirement is not met, THERMAL POWER must be reduced promptly. A Completion Time of 15 minutes is ad equat e for an operator to correctly align and start the required systems and components. Power reduction will continue until the LHR is within the limit. C.1 and C.2 If Required Action A.1 or B.1 cannot ':e completed within the required Completion Time, PHYSICS TESTS must be suspended within 1 hour, and the reactor must be brought to MODE 3. Allowing I hour for suspending PHYSICS TESTS allows the operator sufficient time to change any abnormal CEA i configuration back to within the limits of LCO 3.1.7 and LCO i 3.1.8. Bringing the reactor to H00E 3 within 6 hours increases thermal margin and is consistent with the Required Actions of the power distribution LCOs. The required Completion Time of 6 hours is adequate for perfonning a controlled shutdown from full power conditions in an orderly manner and without challenging plant systems, and is consistent with the power distribution LCO Completion Times. SURVEILi.ANCE SR 3.1.13.1 REQUIREMENTS Verifying that THERMAL POWER is equal to or less than that allowed by the test power plateau, as specified in the PHYSICS TEST procedure r f . ,b ed ui C .- ..f 4 . . .. ' , ; ; ,,;' , [Il. o ensures that adequate LHR margin is maintained while LCOs are suspended. The 1 hour Frequency is sufficient, based upon the slow rate of power change and increased operational controls in place during PHYSICS TESTS. Monitoring LHR ensures that the limits are not exceeded. l
- 1 SAN ONOFRE--UNIT 2 B 3.1-69 AMENDHENT NO. j
**a *w 4 -*+w =- ete e .e e e .,u = w.. as f.,m,e w , , j a
.~. , ,s . . _ - , . . . _ ,
STE - Center CEA Hisalignment and Regulating CEA Insertion Limits B 3.1.14 1 B 3.1 REACTIVITY CONTROL SYSTEMS 3 B 3.1.14 Special Test Exceptions (STE) - Center CEA Misalignment and
. Regulating CEA insertion Limits BASES &
5TE BACKGR0VHD The primary purpose of the Cent r CEA Misalignment and Regulating CEA insertion Limits s to pemit relaxation of existing LCOs to allow the performance of PHYSICS TESTS. These tests are conducted to detemine the isothermal temperature coefficient, moderator temperature coefficient and power coefficient. t i Section XI of 10 CFR 50, Appendix B " Quality Assurance Criteria for Nuclear Power Plants and Fuel Processing Plants" (Ref.1), requires that a test program be
.estcblianed to ensure that structures, systems, and components will perform satisfactorily in service. All '
functions necessary to ensure that specified design t conditions are not exceeded during normal operation and > anticipated operational occurrences must be tested. Testing is required as an integral part of the design, fabrication, construction, and operation of the power plant. Requirements for notification of the NRC, for the purpose of i conducting tests and experiments, are specified in ; 10 CFR 50.59, " Changes, Tests, and Experiments" (Ref. 2). i The key objectives of a test program are to (Ref. 3): -
- a. Ensure that the facility has been adequately designed;
- b. . Validate the analytical models ~ used in design and i analysis; j
- c. Verify assumptions used for predicting plant response; .
t I d. Ensure that installation of equipment in the facility has been accomplished in accordance with the design; and
- e. Verify that operating and emergency procedures are adequate. ;
r i i 4 * (continued) Le ; SAN ONOFRE--UNIT 2 B 3.1-71 AMENDMENT NO.
-' -u.'-.
1 Ls-~.-.'
3TE-Center CEA Misalignment and Regulating CEA Insertion Limits B 3.1.14 BASES 3ACKGh0VND
- To accomplish these objectives, testing is required prior to (continued) initial criticality and after each refueling shutdown during startup, low power operation, power ascension, and at power operation. The FHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).
PHYSICS TESTS 3rocedures are written and approved in accordance wit 1 established formats. The procedures include all information necessary to permit a detailed execution of
. testing required to ensure that the design intent is met.
PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include detennination of critical boron concentration, CEA group worths, reactivity coefficients, flux symetry, and core power . distribution. APPLICABLE It is acceptable to suspend certain LCOs for PHYSICS TESTS SAFETY ANALYSES because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because adequate limits on power distribution and shutdown capability are maintained during PHYSICS TESTS. l Reference 5 defines the requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI /ANS-19.6.1-1985(Ref.4). PHYSICS TESTS for reload fuel cycles are given in Table 1 of ANSI /ANS-19.6.1-1985. Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more.LCOs must be suspended to make completion of PHYSICS J- TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. As long as the linear heat rate (LHR) and departure from r"# ::Tboiling fuel design ratio (DNBR) remains within theirlimit[nuglc,gfg,, criteria are preserved. l \ I l .. (continued) l y B 3.1-72 AMENDMENT NO. SAN ONOFRE--UNIT 2
. . . . J
RPS Instrumentation-Operating B 3.3.1 BASES l BACKGROUND Measurement Channels (continued) l bistables, and most provide indication in the control room. Measurement channels used as an input to the RPS are not ! Mt toau- W" " # used cW4 for chop trol h e5functions.
. g h. -bc.a. c.e m + it.Ps/EEM$ M$N When a channel monitoring a parameter excee's d a A% O 5"" '
predetermined setpoint, indicating an unsafe condition, the *s.P5*d i bistable monitoring the parameter in that channel will trip. Tripping bistables monitoring the same parameter in two or more channels will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all eight i RTCBs to open, interrupting power to the CEAs, allowing them ' to fall into the core. Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 1). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for - maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can ]L either cause an inadvertent trip or prevent a required trip from occurring. Adequate channel to channel independence includes )hysical and electrical independence of each channel from tie others. This allows operation in two-out-of-three logic with one channel removed from service until following the next MODE 5 entry. Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control, this arrangement meets the requirements of IEEE Standard 279-1971(Ref.4). The CPCs perform the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. Four separate CPCs perform the calculations independently, ; one for each of the four RPS channels. The CPCs provide outputs to drive display indications (DNBR margin, LPD i margin, and calibrated neutron flux power levels) and l provide DNBR-Low and LPD-High pretrip and trip signals. ] The CPC channel outputs for the DNBR-Low and LPD-High l trips operate contacts in the Matrix Logic in a manner , identical to the other RPS trips. ) i IQ (continued) i SAN ON0FRE--UNIT 2 B 3.3-3 AMENDMENT NO. I l
RPS 1nstrumentation-Operating B 3.3.1 ' BASES ] BACKGROUND RPS Loaic (continued) When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four breaker control relays, which simultaneously _de-energize the undervoltage and energize the shunt trip attachments in all eight RTCBs, tripping them open. Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. 1 The Initiation Logic consists of the trip ath ower source, s, l matrix relays and their associated co interconnecting wiring, and solid s te b ;;;m ,) re ays thro, ugh the K-relay contacts in the TCB contro1 cir itry. _ It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three ) matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously perfonned on any number of parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or l testing. Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a. trip condition. In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. These bypasses are enabled manually in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling (continued) y SAN ONOFRE--UNIT 2 B 3.3-8 AMENDMENT NO. i
RPS Instrumentation-Operating l B 3.3.1 : O 8^ses BACKGROUND RPS Loaic (continued) bypass conditions are no longer satisfied. Operating bypasses are nomally implemented in the bistable, so that nomal trip indication is also disabled. Trips with operating bypasses include Pressurizer Pressure-Low, Logarithmic Power Level-High Reactor Coolant Flow-Low, and CPC (DNBR-Low and LPD-High). Reactor Trio Circuit Breakers (RTCBs) The reactor trip switchgear, addressed in LCO 3.3.4, consists of eight RTCBs, which are operated in four sets of two breakers (four channels). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel, such t. hat the loss of either MG set ' does not de-energize the CEDMs. There are two separate CEDM power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two redundant paths (trip legs). Trip legs IA and IB supply power to CEDM bus 1. Trip legs 2A and 2B supply power to CEDM bus 2. This ensures that a fault or the openin '
) breaker in one trip leg (i.e., for testing purposes)g will of a not interrupt power to the CEDM buses.
Each of the four trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits. The eight RTCBs are operated as four sets of two breakers (fourchannels). For example, if a breaker receives an open signal in trip in trip leg B for(leg A (for CEDM busCEDM bus receive
- 2) will also 1), an identical an open breaker signal. This arrangement ensureyAhat power is interrupted to both CEDM buses, thus prev ting t%of only half of the -
CEAs (a half trip). Any o inoperable breaker in a channel will make the entire cha el inoperable. ' iwh44 Each set of RTCBs is perated by either manual reactor trip push button or n RPSD :txt d K- There are four Manual Trip push buttons, arranged twoinsets yelay. of.two. - Depressing both pusl buttons in eith'er set will result in a i reactor trip. ,/ l j ] (continued) SAN ON0FRE--UNIT 2 B 3.3-9 AMENDMENT NO. l
s... I RPS Instrumentation-Operating B 3.3.1 BASES l BACKGROUND Reactor Trio Circuit Breakers (RTCBs) (continued) M When a Manual Trip is k@ide6d using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip attachments are . actuated independent of the RPS. ! 4 Manual Trip circuitry includes the push button and interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip attachments but excludes the K-relay contacts and their interconnecting ! wiring to the RTCBs, which are considered part of the Initiation Logic. Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be perfomed either at power or shutdown and is normally UFSAR, Section 7.2 p(erfomed on a quarterly basis.Ref. 8), explains RPS testing in m APPLICABLE Desian Basis Definition SAFETY ANALYSES The RPS is designed to ensure that the following operational criteria are met:
. The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied;
. Separation and redundancy are maintained to pennit a channel to be out of service for testing or maintenance while still maintaining redundancy within the RPS instrumentation network.
Each of the analyzed accidents and transients can be detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions. Those functions for which no credit is taken, termed equipment protective functions,~are not needed from a safety perspective. (continued) 1 B 3.3-10 AMENDMENT NO. l SAN ONOFRE--UNIT 2
RPS Instrumentation-Operating B 3.3.1 BASES APPLICABLE 2. Lonarithmic Power Level -High SAFETY ANALYSES (continued) The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition. In MODES 2, 3, 4, and 5, with the RTCBs closed and the , CEA Drive System capable of CEA withdrawal, protection l is required for CEA withdrawal events originating when THERMAL POWER is < 1E-4% RTP. For events originating above this power level, other trips provide adequate protection. MODES 3, 4, and 5, with the RTCBs closed, are addressed in LC0 3.3.2, " Reactor Protective System (RPS) Instrumentation-Shutdown." In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level-High trip does not have to be OPERABLE. However, the indication and alarm portion of two logarithmic channels must be OPERABLE to ensure proper indication of neutron population and to indicate a baron dilution event. The indication and alann functions are addressed in LCO 3.3.13, " Logarithmic Power Monitoring Channels."
- 3. Pressurizer Pressure-High The Pressurizer Pressure-High trip provides protection for the high.RCS pressure SL. In conjunction with the pressurizer safety valves and the main steam safety valves (MSSVs), it provides protection against overpressurization of the RCPB during the following events:
. LossofElectricalLoadWithoutaReactorNrip Being Generated by the Turbine Trip (A00);
- Loss of Condenser Vacuum (A00); !
. CFA Withdrawal From Low Power Conditions (A00);
- Chemical and Volume Control System Malfunction (A00) @
(continued) i SAN ON0FRE--UNIT 2 B 3.3-12 AMENDMENT N0. l
RPS Instrumentation-Operating i B 3.3.1 l
) BASES APPLICABLE 4. Pressurizer Pressure-Low SAFETY ANALYSES (continued) The Pressurizer Pressure-Low trip is provided to trip j the reactor to assist the ESF System in the event of I loss of coolant accidents (LOCAs). During a LOCA, the l SLs may be exceeded; however, the consequences of the l accident will be acceptable. A Safety Injection Actuation Signal (SIAS) and CCAS are initiated simultaneously. l S. Containment Pressure-High The Containment Pressure-High trip prevents exceeding the containment design pressure psig during a design basis LOCA or main steam line break (MSLB) accident.
During a LOCA or MSLB the SLs may be exceeded; however, the consequences of the accident will be acceptable. An SIAS, CCAS, CIAS are initiated simultaneously. 6, 7. Steam Generator Pressure-Low g The Steam Generator #1 Pressure-Low and Steam p$ a canc 4pm , uenerator at Pressure-Low tripsp~ r:t;jt k.. , 032'"'01 2I 0""2 #C '"'" "'"'""'""'"o"*'"" Y aumb h ;te3= nanoratnre and reen]tinn ranid untnntrnilorL co c in vT th; "CS. Thistripisneededtoshutdown 4 .&, pfive, rud' the reactor and assist the ESF System in the event of b4w b b4* an MSLB or main feedwater line break accident. A main. steam isolation signal (MSIS) is initiated 6 44. p c. td.e.a m simultaneously.
% L4kD hw~ N Steam Generator Level -Low J 8, 9.
re.a.c 4 . J The Steam Generator #1 Level-Low and Steam Generator #2 Level-Low trips ensure that a reactor trip signal is generated for the followingavents to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink: !
- Inadvertent Opening of a Steam Generator i Atmospheric Dump Valve (A00); l l
l b ' (continued) ; SAN ON0FRE--UNIT 2 B 3.3-13 AMENDMENT NO. l
RPS Instrumentation-Operating B 3.3.1 BASES LCO 2. Locarithmic Power Level-Hiah (continued) MODE 3, 4, or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal. The MODES 3, 4, and 5 Condition is addressed in
. LCO 3.3.2.
The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level-High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur. o The Logarithmic Power Level-High trip may be bypassed when THERMAL POWER is above 1E-4% RTP to allow the reactor to be brought to power during a reactor startup. This bypass is automatically removed when THERMAL POWER decreases below 1E-4% RTP. Above 1E-4% RTP, the Linear Power Level -High and Pressurizer Pressure-High trips provide protection for reactivity transients. g The trip may be manuall[ passed ""C Ly,-during L , physics ,,Sf*M g ggyth$ - W IM*, testing WU pursuant to LC04.4.17, via . " During this testing, the Linear Power
\ Level-High trip and administrative controls provide the required protection.
- 3. Pressurizer Pressure-Hiah This LC0 requirtis four channels of Pressurizer Pressure-High to be OPERABLE in MODES 1 and 2.
' The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its operation avoids the undesirable operation of these valves during normal plant operation. In the event of a complete loss of electrical load from 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety valves may lift to prevent overpressurization of the RCS. (continued) g SAN ON0FRE--UNIT 2 B 3.3-18 AMENDMENT NO.
I RPS Instrumentation-Operating B 3.3.1 b BASES LC0 8, 9. Steam Generator level-Low (continued) cause a reactor trip during normal plant operations. The same bistable providing the reactor trip also i.nitiates emergency feedwater to the affected generator via the Emergency Feedwater Actuation Signals (EFAS). The minimum setpoint is governed by ; EFAS requirements. The reactor trip will remove the ; heat source (except decay heat), thereby conserving the reactor heat sink. This and the Steam Generator (1 and 2) Leve 'h ; p may be manually bypassed simultaneously . en cold leg temperature is below the specified limit to al for CEA withdrawal during testing. .The b automatically removed wha" ccM ic3 i.emperature p' reaches ry 9%,,, 200aF.\d Flod
- Loa This LCO requires four channels of Reacto'r Coolant Flow-Low to be OPERABLE in MODES 1 and 2. :
The Allowable Value is set low enough to allow for l slight variations in reactor coolant flow during i 3 normal plant operations while providing the required 1 protection. Tripping the reactor ensures that the resultant power to flow ratio provides adequate core ' cooling to maintain DNBR under the expected pressure conditions for this event. ' The Reactor Coolant Flow-Low trip may be manually bypassed when reactor power is less than 1E-4% RTP. This allows for de-energization of one or more RCPs (e.g.,forplantcooldown),whilemaintaining.the ability to keep the shutdown CEA banks withdrawn from the core if desired. LC0 3.4.5, "RCS Loops -MODE 3," LCO 3.4.6, "RCS. Loops-MODE 4," and LC0 3.4.7, "RCS Loops . MODE 5, Loops Filled," ensure adequate RCS flow rat ~e is maintained. The bypass is automatically removed when ' THERMAL POWER-increases above 1E-4% RTP, as' sensed by the wide range (logarithmic) nuclear instrumentation. When below the power range, the Reactor Coolant Flow-Low is not required for plant protection. j (continued) SAN ONOFRE--UNIT 2 B 3.3-21 AMENDMENT NO. l
I RPS Instrumentation-Operating j B 3.3.1 BASES LCO 11. Local Power Density-High , (continued) This LC0 requires four channels of LPD-High to be OPERABLE. The LC0 on the CPCs ensures that the SLs are maintained during all A00s and the consequences of accidents are acceptable. A CPC is not considered inoperable if CEAC' inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function. The CPC channels may be manually bypassed below IE-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied. This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are ' inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off. 1.\ .\ 3-During special testing pursuant to LC00.1.1^, the CPC channels may be manually bypassed when THERMAL POWER is below 5% RTP to allow special testing without generating a reactor trip.
- 12. Departure from Nucleate Boilina Ratio (DNBR)-Low This LC0 requires four channels of DNBR-Low td-be OPERABLE. j The LC0 on the CPCs ensures that the SLs are maintained during all A00s and the consequences of accidents are acceptable.
(continued) ,
)
SAN ON0FRE--UNIT 2 B 3.3-22 AMENDMENT NO. l
RPS Instrumentation-Operating B 3.3.1 O Bases LC0 12. Departure from Nucleate Boilina Ratio (DNBRl-Low (continued) A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs ; are capable of performing their safety Function. The CPC channels may be manually bypassed below ' 1E-4% RTP, as sensed by the logarithmic nuclear instrumentation. -This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied. This operating bypass is required to perfonn a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off. During special testing pursuant to LC06.1.lo, the CPC channels may be manually bypassed when THERMAL PGWER is below 5% RTP to allow special testing without generating a reactor trip. Bypasses The LCO on bypass permissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LC0 for each Function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels' are inadvertently bypassed. This LC0' applies to the. bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level-High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint. (continued) J SAN ON0FRE--UNIT 2 B 3.3-23 AMENDMENT NO.
RPS Instrumentation-Operating B 3.3.1 BASES APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during A00s and assists the ESFAS in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:
. The Logarithmic Power Level-High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.
The Logarithmic Power Level-High trip in these lower MODES is addressed in LC0 3.3.2. The Logarithmic Power Level-High trip is bypassed prior to MODE 1 entry and is not required in MODE 1. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LC0 3.3.4. a%Ms vs.ks dsksmM ACTIONS The most common causes o channel inoperability are outright failure or drift of the istable or process module sufficient to exceed thy + ' - - - - "--
- by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to 9 7 ring it to withinRpaci'ic:ti r. If the trip setpoint is Waw less conservative than the Allowable Value in Table 3.3.1-1, the channel is declared inoperable immediately, and the appropriate Condition (s) must be entered imediately.
In the event a channel's trip set)oint is found nonconservative with respect to tie Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable, and the unit must enter the Condition for the particular protection Function affected. (continued) , SAN ON0FRE--UNIT 2 B 3.3-24 AMENDMENT N0. 1
RPS Instrumentation-Operating B 3.3.1 O 8ASES SURVEILLANCE SR 3.3.1.4 (continued) REQUIREMENTS located in the control room to detect deviations in c anr$1 outputs. The Frequency is modified by a Note indicat ing4hi Surveillance need only be perfonned within 12 hours after reaching 20% RTP. The 12 hours after reaching 20% RT s required for plant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at ; lower power levels. A second Note in the SR indicates the SR may be suspended during PHYSICS TESTS. The conditional suspension of the daily calibrations under strict I administrative control is necessar to a11 ~ vacial testing to occur. 4 g,,,,l SW.A$ *' j SR 3.3.1.5 97. The RCS flow rate indicated by each CPC is verified to e less than or equal to the RCS total flow rate eva ryJi days. ; The Note indicates the Surveillance is performedAwithin 12 hours after THERMAL POWER is t 85% RTP. This check (and, if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is
' conservatively adjusted with respect to actual flow indications as determined by a calorimetric calculation.
Operating experience has shown the specified Frequency is ' adequate, as instrument drift is minimal and changes in actual flow rate are minimal over core life. SR 3.3.1.6 The three vertically mounted excore nuclear instrumentation < detectors in each channel are used to determine APD for use in the DNBR and LPD calculations. Because the detectors are mounted outside the reactor vessel, a portion of the signal from each detector is from core sections not adjacent to the detector. SR 3.3.1.6 ensures that the preassigned gains are still proper. The 92 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal. ' g (continued) SAN ONOFRE--UNIT 2 B 3.3-31 AMEN 0 MENT NO.
RPS !astrumentation-Operating B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST on each channel is performed every 92 days to ensure the entire channel will perform its intended function when needed. The SR is modified by two Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the C CHANNEL FUNCTIONAL TEST is performed. Note 2 allows H L FUNCTIONAL TEST for the Logarithmic Power Leve Hig channels to be performed 2 hours after i power rop below 1E-4% RTP and is required to be performed only e RTCBs are closed. Not required if performed I in the surveillance interval.
..rgi, so m , gheRPSCHANNEL JFUNCTIONAL 2ddit!... LTEST r_,ists cons of three overlapping tests as I
described in Reference 8. These tests verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. They include: Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. veAWeh-The requirements for this 1cview are outlined in Reference 9. Matrix Looic Tests Matrix Logic tests are addressed in LCO 3.3.4. This test is perfonned one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, holding power is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts. (continued) SAN ONOFRE--UNIT 2 B 3.3-32 AMENDMENT NO.
RPS Instrumentation-Operating B 3.3.1
)
BASES SURVEILLANCE SR 3.3.1.8 (continued) REQUIREMENTS between successive tests. Measurement error determination, setpoint error detemination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. g Operating experience has shown this Frequency to be su 5M satisfactory. The detectors are excluded from CHANNEL ce burnup CALIBRATION because they are passive devices with minima drift and because of the difficulty of simulating a meaningful signal. Slow changes in :':t::t:r ;a;iti it; are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators. SR 3.3.1.9 SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 24 months. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error detemination, and calibration adjustment must be perfomed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical 24 month fuel cycle. - The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION
\
(continued) - SAN ONOFRE--UNIT 2 B 3.3-34 AMENDMENT NO.
c RPS Instrumentation-Operating I B 3.3.1 BASES i w1& (4a.%'e.efnaabmu: N **7 SURVEILLANCE SR 3.3.1.9 (continued)
. REQUIREMENTS because they are passive devices wit a minimal drift and because of the difficulty of simulat ing a meaningful signal.
are compensated for by Slow performing changes in e t::t r ca the daily calorimetric e rriti it;libration (SR 3.3.1 and the quarterly linear subchannel gain check (SR 3.3.1.6 . SR 3.3.1.10 Every 24 months, a CHANNEL FUNCTIONAL TEST is perfomed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alarm and trip Functions. The basis for the 24 month Frequency is that the CPCs ' perfom a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS. This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function. Operating experience has shown that undetected CPC or CEAC
' failures do not occur in any given 24 month interval.
SR 3.3.1.11 The three excore detectors used by each CPC channel for axial flux distribution infomation are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using shape annealing matrix elements in the CPC software. After refueling, it is necessary to re-establish the shape annealing matrix elements for the excore detectors based on more accurate incore detector readings. This is necessary because refueling could possibly produce a significant change in the shape annealing matrix coefficients. Incore detectors are inaccurate at low power levels < 15%. THERMAL POWER should be significant but < 85% to aerfom an ; accurate axial shape calculation used to derive t1e shape annealing matrix elements. J (continued) ) B 3.3-35 AMENDMENT N0. j SAN ONOFRE--UNIT 2 1
RPS Instrumentation-Operating l B 3.3.1 ; r BASES
');
SURVEILLANCE SR 3.3.1.11 (continued) REQUIREMENTS By retricting power to 5 85's until shape annealing matrix elements are verified, excessive local power peaks within ! the fuel are avoided. Operating experience has shown this Frequency to be acceptable. i SR 3.3.1.12 ; SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to bypass i functions and is performed once within 92 days prior to each ! startup. Proper operation of bypass permissives is critical ; during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain i reactor trips. Consequently, the appropriate time to verify ) bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this Surveillance hin ' s 92 days of presented startup in topical is based report on the CEN-327, reliabilityExt "RPS/ESFAS analy de$(est Interval Evaluation" (Ref. 9). Once the operating b asse are removed, the bypasses must not fail in such a way tiat. . the associated trip Function gets inadvertently bypassed. This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR.3.3.1.7. Therefore, further testing of the bypass function after startup is unnecessary. P SR 3.3.1.13 This SR ensures that' the RPS RESPONSE TIMES are verified to ; be less'than or equal to the maximum values assumed in the ; i safety analysis. Individual component response times are not modeled in the analyses. The' analyses model the overall or total elapsed time, from the point _at which the parameter , exceeds the trip.setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on an 24 month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of ' n x 24 months, where n is the number of channels in the function. The Frequency of 24 months is based upon operating experience, which has shown that random failures (continued) SAN ON0FRE--UNIT 2 B 3.3-36 AMENDMENT NO. = _ _ _ . . _ - _. _ _ - . .- . _ . - . _ _ , _
~. a l RPS Instrumentation-Operating B 3.3.1
^es, e
, ) BASES SURVEILLANCE SR 3.3.1.13 (continued)
REQUIREMENTS of instrumentation com)onents causing serious response time degradation, but not c1annel failure, are infrequent .
. occurrences. Also, response times cannot be detemined at
>ower, since equipment operation is required. Testing may i
)e perfomed in one measurement or in overlapping segments,. ,
with verification that all components are tested. l A Note is added to indicate that the neutron' detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the I of difficulty of simulating a meaningful signal. Slow changes a win _ in itutr xniti;it; are compensated for by
. th,d daily calorimetric calibration (SR 3.3.1.4)perfoming .
g %g REFERENCES . 10 CF ,
- 2. 10 CFR 100.
$ 13. NRC Safety Evaluation Rep t. !
andard 279- ril 5, 1972.
- 5. SONGS Units 2 and 3 UFSAR, Chapter 15. ;
- 6. 10 CFR 50.49.
- 7. PPS Setpoint Calculation CE-NPSD-570, Revision 3. ')i
- 8. UFSAR, Section 7.2. I
- 9. CEN-327, June 2, 1986, including Supplement.1, March 3, 1989. l
'l
~..
(continued) 1
' SAN ONOFRE--UNIT 2 B 3.3-37 AMENDMENT NO.
l
. l l
_ J
l 1 RPS Instrumentation-Shutdown B 3.3.2 BASES BACKGROUND The acceptable limit during accidents is that the offsite (continued) dose shall be maintained within an acceptable fraction of 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having 4 acceptable consequences for that event. The RPS is segmented into four interconnected modules. These modules are: 1 i Measurement channels; i l
- Bistable trip units;
- RPS Logic; and 3M* R"7
= Reactor trip circuit breakers (RTCBs).
l This LC0 applies only to the Logarithmic Power Level-High l trip in MODES 3, 4, and 5 with the RTCBs clos d. In MODES 1 and 2, this trip Function is addressed in LC 3.3.1,
" Reactor Protective System (RPS) Instrument i on -
) Operating." LC0 3.3.13, "le;="i+h=ie "r:r Monitoring Channels," applies when the RTCBs are open. L- th: ;;s; of LC0 3.3.13, th: hiprith.;ic chenr.;h Or: r: quired fer moiii tu. ing ucub un iiux, aitnougn tne trip runction is not re M Measurement Channels and Bistable Trio Units The measurement channels providing input to the Logarithmic Power Level-High trip consist of the four logarithmic nuclear instrumentation channels detecting neutron flux l leakage from the reactor vessel. Other aspects of the Logarithmic Power Level-High trip are similar to the other measurement channels and bistables. These are addressed in the Background section of LCO 3.3.1. ]
Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBr, can be performed either at power or shutdown and is nomally perfomed on a quarterly basis. Nuclear instrumentation can O (continued) SAN ONOFRE--UNIT 2 B 3.3-39 AMENDMENT NO. l t _ _ _
RPS Instrumentation-Shutdown B 3.3.2 I BASES (continued) l APPLICABLE be similarly tested. R,- ection 7.2 (Ref. 3), provides l SAFETY ANALYSES more detail on RPS st . The RPS functions to maintain the SLs during A00 an tig tes the consequence of DBAs in all MODES in which the TC are closed. , Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were j qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited Functions include the Steam Generator Water Level-High .and. U.m Lou vf Lxd. The Step Generator Water Level-High *smi - the I nu ^# ' ~4 tripf ave @urely equipment protective, and ih thew use minimizes the potential for equipment damage. The Logarithmic Power I.evel-High trip protects the integrity of the fuel c,! adding and helps protect the RCPB in the event of an unplanned criticality from a shutdown , condition. In MODES 2, 3, 4, and 5, with the RTCBs closed, and the Control Element Assembly (CEA) Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events ' originating when THERMAL POWER is < 1E-4% RTP. YFor events originating above this power level, other trips pruviuc M adequate protection. MODES 3, 4, and 5, with the RTCBs closed, are addressed in this LCO. MODE 2 is addressed in LCO 3.3.1. In MODES 3, 4, or 5, with the RTCBs open or the CEAs not { capable of withdrawal, the Logarithmic Power Level High trip does not have to be OPERABLE. " =r,f}fie indication 7 rano alarm portion : -t-^ ing=~ "="- W ; Z must be ! OPERABLE to ensure proper indication of neutron population ) u"d + a indicate a boron dilution event.J H M cet r =c ; 3 82" f""" + i O F, - ;Ti addii33id iii LCC J.3.13. l The RPS satisfies Criterion 3 of the NRC Policy Statement. LC0 The LC0 requires the Logarithmic Power Level-High RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel (s) inoperable and reduces the reliability of the affected Function. 1 (continued) ,; SAN ON0FRE--UNIT 2 B 3.3-40 AMENDMENT NO. i I l
RPS Instrumentation-Shutdown B 3.3.2 BASES LCO and Pressurizer Pressure-High trips provide protection for (continued) reactivity transients. The trip may be manually bypassed during physics testing pursuant to LC0 3.4.17, "RCS Loops-Test Exceptions." During this testing, the Linear Power Level-High trip and administrative controls provide the required protection. APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips are designed to take the reactor subcritical, which maintains the SLs during A00s and assists the Engineered Safety Features Actuation System (ESFAS) in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:
. The Logarithmic Power Level-High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed and any CEA capable of being withdrawn, to provide protection for boron dilution and CEA withdrawal events. The Logarithmic Power Level-High trip in these lower MODES is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LC0 3.3.4, " Reactor Protective System (RPS) Logic and Trip Initiation."
The A 1 k dilit, L mvdii;cd 'uy a nu6e tnat allows nc ' e bypassed when THERMAL POWER is > 1E-4% RTP, and is automatically removed when THERMAL POWER is 5 1E-4% RIP. ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is found to be small and results in' a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL FUNCTIONAL TEST (continued) B 3.3-42 AMENDMENT NO. SAN ONOFRE--UNIT 2
RPS Instrumentation-Shutdown B 3.3.2 BASES ACTIONS E.I (continued) Condition E is entered when the Required Actions and associated Completion Times of Condition A, B, C, or D are not met. If Required Actions associated with these Conditions cannot be completed within the required Completion Time, all RTCBs must be opened, placing the plant in a condition where the logarithmic power trip channels are not required to be OPERABLE. A Completion Time of 1 hour is a reasonable time to perfonn the Required Action, which maintains the risk at an acceptable level while having one or two channels inoperable. SURVEILLANCE The SRs for the Logarithmic Pover Level-High trip are an REQUIREMENTS extension of those listed in Lu0 3.3.1, listed here because of their Applicability in these MODES. SR 3.3.2.1
.3.2.1 is the performance of a CHANNEL CHECK of each log r+thmic power channel. This SR is identical to SRj3.31.1. 1 Only the Applicability differs.
ance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, in'cluding indication and readability. If a channel is outside the match criteria, it may be an indication that the (continued) ) SAN ONOFRE--UNIT 2 B 3.3-46 AMENDHENT NO.
RPS Instrumentation-Shutdoan B 3.3.2 BASES SURVEILLANCE Matrix Lonic Tests REQUIREMENTS (continued) Matrix Logic Tests are addressed in LCO 3.3.4. This test is performed one matrix at a time. It verifies that a coincidence in the two input channels for each Functi hMdi removes power from the matrix relays. During testing power is applied to the matrix relay test coils and prevent the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts. Trio Path Test Trip path (Initiation Logic) tests are addressed in LC0 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result. The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 6). The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to test the first active element downstream of the detector. b (continued) a SAN ONOFRE--UNIT 2 B 3.3-48 AMENDMENT NO. i l l l
a - RPS Instrumentation-Shutdown B 3.3.2 BASES l SURVEILLANCE SR 3.3.2.4 (continued) REQUIREMENTS The Frequency is based upon the assumption of an 24 month , calibration interval for the determination of the magnitude ' of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle. The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the_ difficulty of simulating a meaningful signal. I'* h *f u k.6 = $ wA slowcnangesin(detuivi >cus i i;,; u are compensated for b performing the daily calorimetric calibration (SR 3.3.1.4)y . cwo kewp SR 3.3.2.5 ' This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive tests of a given channel of n x 24 months, where n is the number of channels in the ' Function. The 24 month Frequency is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time ' degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required. Testing may be performed in one measurement or in overlapping segments,
.with verification that all components.are tested.
l (continued) / o SAN ONOFRE--UNIT 2 B 3.3-50 AMENDMENT NO. l
1 CEACs l B 3.3.3 ' h BASES BACKGROUND different fraction of these limits based on probability of (continued) occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. The RPS is segmented into four interconnected modules. These modules are:
. Measurement channels;
. Bistable trip units; a RPS Logic; and
. Reactor trip circuit breakers (RTCBs).
This LC0 addresses the CEACs. LCO 3.3.1, " Reactor Protective System (RPS) Instrumentation-Operating," provides a description of this equipment in the RPS. The excore nuclear instrumentation, the core protection calculators (CPCs), and the CEACs are considered components in the measurement channels of the Linear Power Level-High,
-) Logarithmic Power Level-High, DNBR-Low, and Local Power Density (LPD)-High trips. The CEACs are addressed by this Specification.
All four CPCs receive control element assembly (CEA) deviation penalty factors from each CEAC and use t.he larger 1*
=
of thefy m r factors from the two CEACs in the calculation of DNBR and LPD. CPCs are further described in the Background section of LC0 3.3.1. The CEACs perform the calculations required to detennine the position of CEAs within their subgroups for the CPCs. Two independent CEACs compare the position of each CEA to its ; subgroup position. If a deviation is detected by either ; CEAC, an annunciator sounds and appropriate " penalty ! factors" are transmitted to all CPCs. These penalty factors 1 conservatively adjust the effective operating margins to the i DNBR-Low and LPD-High trips. Each CEAC also drives a 1 single cathode ray tube (CRT), which is witchable between CEACs. The CRT dis) lays individual CEA ;1sitions and current values of t1e penalty factors v the selected . CEAC. (continued) SAN ONOFRE--UNIT 2 B 3.3-53 AMENDMENT NO. t I
CEACs B 3.3.3 BASES ) ACTIONS A.1 and A.2 (continued) position of all CEAs and provides verification of the proper operation of the remaining CEAC. An OPERABLE CEAC will not generate penalty factors until deviations of a 9.7 inches within a subgroup are encountered. : l The Completion Time of once per 4 hours is adequate based on l operating experience, considering the low probability of an i undetected CEA deviation coincident with an undetected ! failure in the remaining CEAC within this limited time ! frame. As long as Required Action A.1 is accomplished as specified, the inoperable CEAC can be restored to OPERABLE status within 7 days. The Completion Time of 7 days is adequate for most repairs, while minimizing risk, considering that dropped CEAs are detectable by the redundant CEAC, and other LCOs specify Required Actions necessary to maintain DNBR and LPD margin. B.1. B.2. B.3. B.4. and B.5 Condition B applies if the Required Action and associated Completion Time of Required Action A are not met, or if both CEACs are inoperable. Actions associated with this Condition involve disabling the Control Element Drive . Mechanism Control System (CEDMCS), while providing increased assurance that CEA deviations are not occurring and informing all OPERABLE CPC channels, via a software flag, A thathee
%ee- failed.
CEA@dssociated with two CEAC failures will beThis will ensure th penalty factor h CA applied to CPC calculations. The penalty factor for two failed CEACs is sufficiently large that power must be-maintained significantly < 100% RTP if CPC generated reactor trips are to be avoided. The Completion Time of 4 hours is adequate to accomplish these actions while minimizing risks. The Required Actions are as follows: B.1 Meeting the DNBR margin requirements of LCO 3.2.4, "DNBR," ensures that power level and ASI are within a conservative ! region of operation based on actual core conditions. l (continued) ) a SAN ON0FRE--UNIT 2 B 3.3-56 AMENDMENT.NO. n
p l CEACs B 3.3.3
! BASES ACTIONS B.2 ;
(continued) . The " full out" CEA reed switches provide acceptable indication of CEA position. Therefore, the CEAs will remain ' fully withdrawn, except as required for specified testing or flux control via group #6. This verification ensures that undesired perturbations in local fuel burnup are prevented. > B.3 4 4 j,g The"RSPT/CEACInoperable"addressablfconstant each of the CPCs is set to indicate that 4eenCEACA)arge inoperable. i This provides a c::n* trvative penalty factor to ensure that a conservative effective margin is maintained by the CPCs in the computation of DNBR and LPD trips. B.4 f The CEDMCS is placed and maintained in "0FF," except during CEA motion permitted by Required A-tion B.2, to prevent inadvertent motion and possible misalignment of the CEAs. B.5 t A comprehensive set of comparison checks on individual CEAs within groups must be made within 4 hours. Verification that each CEA is within 7 inches of other CEAs in its group , provides a check that no CEA has deviated from its proper ; position within the group. L.1 , Condition C applies if the CPC channel B or C cabinet receives a high temperature alarm. There is one temperature sensor in each of the four CPC bays. Since CPC bays B and C also house CEAC calculators 1 and 2, respectively, a high tem >erature in either of these bays may also indicate a l pro)lem with the associated CEAC. If a CPC channel B or C cabinet high temperature alarm is received, it is possible for the CEAC to be affected and not be completely reliable. Therefore, a CHANNEL FUNCTIONAL TEST must be performed within 12 hours. The Completion Time of 12 hours is adequate, considering the low probability of (continued) AMENDMENT NO. SAN ON0fRE--UNIT 1 ~ B 3.3-57 l I
CEACs B 3.3.3
) BASES SURVEILLANCE SR 3.3.3.4 (continued)
REQUIREMENTS The Frequency is based upon the assumption of an 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle. SR 3.3.3.5 Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY, including alann and trip Functions. The basis for the 24 month Frequency is that the CEACs perform a continuous self monitoring function that
- inates the need for frequent CHANNEL FUNCTIONAL TESTS.
This CR NNEL FUNCTIONAL TEST essentially validates the self
-H+6mo itorinq function and checks for a small set of fai e modes that are undetectable by the self monitoring nction. Operating experience has shown that undetected I CPC or CEAC failures do not occur in any given 24 month interval.
SR 3.3.3.6 The isolation characteristics of each CEAC CEA position isolation amplifier and each optical isolator for CEAC to CPC data transfer are verified once per refueling to ensure l that a fault in a CEAC or a CPC channel will not render ar,0cher CEAC or CPC channel inoperable. The CEAC CEA ! position isolation amplifiers, mounted in CPC cabinets A and D, prevent a CEAC fault from propagating back to CPC A or D. The optical isolators for CPC to CEAC data transfer prevent a fault originating in any CPC channel from ' l propagating back to any CEAC through this data link. The Frequency is based on plant operating experience with regard to channel 0PERABILITY, which demonstrates the failure of a channel in any 24 month interval is rare. b (continued) SAN ONOFRE--UNIT 2 B 3.3-61 AMENDMENT NO.
RPS Logic and Trip initiation B 3.3.4 l
) BASES BACKGROUND RPS Loaic (continued) l i
each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one ; j or more of the six logic matrices indicate a coincidence I condition. Each trip path is responsible for opening one set of two of the eight RTCBs. The RTCB control relays (K-relays), when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply power to the shunt trip attachments on each of the two breakers. Actuation of I either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive mechanisms (CEDMs). When a coincidence occurs in two RPS channels, all four i matrix relays in the affected matrix de-energize. This in ) i turn de-energizes all four breaker control relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all eight RTCBs, tripping them open. Matrix Logic refers to the matrix power supplies, trip !' channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. The Initiation Logic consists of the p pa h po source, matrix relays and their associated ontacts, all interconnecting wiring, and solid tate A P W ) rel ys through the K-relay contacts in th TCB control circ ' ry. It is possible to change the two-out- Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectiv'ely shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function nonnally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of (continued) SAN ONOFRE--UNIT 2 B 3.3-65 AMENDMENT NO. __- __ - - _ _ _ _ - - - - - _ - - - - - - . _ _ _ - - _ _ _ - - _ - - _ _ _ _ _ _ - . - I
RPS Logic and Trip Initiation B 3.3.4 BASES h BACKGROUND RPS Loaic (continued) parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An , interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is nomally employed during maintenance or testing. , Reactor Trio Circuit Breakers (RTCBs) The reactor trip .;witchgear consists of eight RTCBs, which are operated in tour sets of two breakers (four channels). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that the loss of either MG set does not de-energize the CEDMs. There are two separate CEDM power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two redundant paths (trip legs). This ensures that (i.e.,afor fault or the testing opening)of a breaker in one trip legwill not interrup purposes CEDM buses. ,1 j_ Each of the feur trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits. The eight RTCBs are operated as four sets of two breakers (fourchannels). For example, if a breaker receives an open signal in B in trip leg trip for(leg A (for CEDM busCEDM busreceive
- 2) will also 1), an identical an open breaker signal. This arrangement ensures that power is interrupted to both CEDM buses, thus preventin control element assemblies (CEAs) g trip Any (ahalftrip). of only onehalf of the inoperable breaker in a channel will make the entire channel inoperable.
%.iPMs4 Each set of RTCBs s operated by either a Manual Trip push button or an RP . +"-tM -K-relay. There are four Manual Trip push buttons, arranged in two sets. of two. Depressing both push buttons in either set will result in a reactor ,
trip. (continued) ) SAN ONOFRE--UNIT 2 B 3.3-66 AMENDMENT NO. t _ _. /
l l RPS Logic and Trip Initiation B 3.3.4 l ") BASES l BACKGROUND Reactor Trio Circuit Breakers (RTCBs) (continued) Ached *d When a Manual Trip is initistd4using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS. Manual Trip circuitry includes the push button and interconnecting wiring to both RTCBs necessary to actuate l both the undervoltage and shunt tri) attachments, but l excludes the K-relay contacts and t1eir interconnecting I wiring to the RTCBs, which are considered part of the Initiation Logic. Functional testing of the entire RPS, from bistable input through the opening of the individual sets of RTCBs, can be perfomed either at power or shutdown and is normally perfomed on a quarterly basis. FSAR, Section 7.2 (Ref. 3), explains RPS testing in more detail. l
,. APPLICABLE Reactor Protective System (RPS) Loaic SAFETY ANALYSES The RPS Logic provides for automatic trip initiation to maintain the SLs during A00s and assist the ESF systems in ensuring acceptable consequences during accidents. All transients and accidents that call for a reactor trip assume the RPS Logic is functioning as designed.
Reactor Trio Circuit Breakers (RTCBs) All of the transient and accident analyses that call for a i reactor trip assume that the RTCBs operate and interrupt
, power to the CEDMs.
Manual Trio There are no accident analyses that take credit for the Manual Trip; however, the Manual Trip is part of the RPS circuitry. It is used by the operator to shut down the l r reactor whenever any parameter is rapidly trending toward l its trip setpoint. A Manual Trip accomplishes the same l results as any one of the automatic trip Functions. (continued) SAN ONOFRE--UNIT 2 B 3.3-67 AMENDMENT NO.
r .. RPS Logic and Trip Initiation B 3.3.4 b BASES LC0 4. Manual Trip (contic.ued) Manual Trip push buttons are also provided at the reactor trip switchgear (locally) in case the control room push buttons become inoperable or the control room becomes uninhabitable. These are not part of the RPS and cannot be credited in fulfilling the LCO OPERABILITY requirements. Furthermore, LCO ACTIONS need not be entered due to failure of a local Manual Trip. APPLICABILITY The RPS Logic, RTCBs, and Manual Trip are required to be OPERABLE in any MODE when the CEAs are capable of being withdrawn off the bottom of the core (i.e., RTCBs closed and power available to the CEDMs). .This ensures that the reactor can be tripped when necessary, but allows for maintenance and testing when the reactor trip is not needed. t In MODES 3, 4, and 5 with the RTCBs open, the CEAs are not capable of withdrawal and these Functions do not have to be W 4h unRABLE. However, twof y*tM: p r:r i n:1 channels
,' MbAM .) must be OPERABLE to ensure proper indication
- of neutron population and to indicate a boron dilution event. This is addressed in LCO 3.3.13, "1:pHtH: "e svMonitoring Channels." g ,
ACTIONS When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately-entered if applicable in the current MODE of operation. A.1 Condition A applies if one Matrix Logic channel is inoperable in any applicable MODE. Loss of a single vital instrument bus will de-energize one of the two matrix power - supplies in up to three matrices. This is considered a single matrix failure, providing the matrix relays associated with the failed power supplies de-energize as required. The above statement is supported by a Note. 3 (continued) SAN ONOFRE--UNIT 2 B 3.3-71 AMENDMENT NO.
RPS Logic and Trip Initiation B 3.3.4 BASES O< ACTIONS D.1 (continued) If the affected RTCB cannot be opened, Required Action E is entered. This would only occur if there is a failure in the Manual Trip circuitry or the RTCB(s). E.1 and E.2 Condition E is entered if Required Actions associated with Condition A, B, or D are not met within the required Completion Time or, if for one or more Functions, more than one Manual Trip, Hatrix Logic, Initiation Logic, or RTCB channel is inoperable for reasons other than Condition A or D. If the RTCBs associated with the inoperable channel cannot be opened, the reactor must be shut down within 6 hours and all the RTCBs opened. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems and for opening RTCBs. All RTCBs should then be opened, placing the I plant in a MODE where the LCO does not apply and ensuring no CEA withdrawal occurs. SURVEILLANCE (SR 3.3.4.1 a.4 S.S A 'k j REQUIREMENTS A CHANNEL FUNCTIONAL TEST on each RPS Logic channel and RTCB channel is performed very 92 days o ensure the entire channel will narfa i+e intended functinn uhaa needed. 6v6 ti da3s ag r res p
- N y i
The RPS CHANNEL FUNCTIONAL ItST consists of Inree ' overlapping tests as described in Reference 3. These tests verify that the RPS is capable of perfoming its intended function, from bistable input through the RTCBs. The'first test, the bistable test, is addressed by SR 3.3.1.7 in LCO 3.3.1. This SR addresses the two tests associated with the RPS Logic: Matrix Logic and Trip Path. (continued) ,)j
\( l SAN ON0FRE--UNIT 2 B 3.3-74 AMENDMENT NO. l l
1
RPS Logic and Trip Initiation B 3.3.4 f 6 O BASES SURVEILLANCE Matrix looic Tests REQUIREMENTS (continued) These tests are performed one matrix at a time. They verify that a coincidence in the two input channels for each Function removes power from the matrix relays. During gD 1.esting,jpower is applied to the matrix relay test coils and prevents"the matrix relay contacts from assuming .their de-energized state. The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic such as may be caused by faulty bistable relay or trip channel bypass contacts. Trio Path Tests These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result. The Frequency of 92 days is based on the reliability
^ analysis presented in topical report CEN-327, "RPS/ESFAS -.) Extended Test Interval Evaluation" (Ref. 5).
SR 3.3.4 / 5 Each RTCB is actuated .by an undervoltage coil and a shunt trip coil. The system'is designed so that either de-energizing the undervoltage coil or energizing the shunt trip coil will cause the circuit breaker to open. When an RTCB is opened, either during an automatic reactor trip or by using the manual push buttons in the control room, the undervoltage coil is de-energized and the shunt trip coil is energized. This makes it impossible to determine if one of the coils or associated circuitry is defective. Therefore, once every 13 mon sfaCHANNELFUNCTIONALTEST is perfonned that individu ly tests all f = nt; :f ab W undervoltage coils and all f;..; nt;; ;,f-shunt trip coils & (4
- B - During undervoltage coil testing, the shunt trip coils must remain de-energized, preventing their operation.
Conversely, during shunt trip coil testing, the undervoltage coils must remain energized, preventing their operation. This Surveillance ensures that every undervoltage coil and j (continued) SAN ONOFRE--UNIT 2 B 3.3-75 AMENDMENT NO.
RPS Logic and Trip Initiation B 3.3.4 BASES O s SURVEILLANCE SR 3.3.4/ (continued) REQUIREMENTS every shunt trip coil is capable of perfoming its intended function and that no single active failure of any RTCB component will prevent a reactor trip. " - " - ' ' r re;=; i., baseu on one cod te ;,:rfm. thi; krveillence
.unt r the cenditie... Uiet oppiy ouring a plont voto3c oi d the nntential (07 ;.. unplaiincd tren,507.t ## th: L. vu illoriwe-
;= r.......- . m one reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the Frequency of once every 18 months.
SR 3. 3.4 /4 A CHANNEL FUNCTIONAL TEST on the Manual Trip channels is perfomed prior to a reactor startup to ensure the entire channel will perform its intended function if required. The Manual Tri) Function can only be tested at shutdown. However, tie simplicity of this circuitry and the absence of drift concern make this Frequency adequate. Additionally, operating experience has shown that these components usually pass the Surveillance when perfomed at a frequency of once every 7 days prior to each reactor startup. REFERENCES 1. 10 CFR 50, Appendix A.
- 2. 10 CFR 100.
- 3. SONGS Units 2 and 3 UFSAR, Section 7.2.
- 4. NRC Safety Evaluation Report.
- 5. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
O SAN ONOFRE--UNIT 2 B 3.3-76 AMENDMENT NO.
~ ESFAS Instrumentation B 3.3.5 0 8^ses BACKGROUND Measurement Channels (continued) ace a m3 Adequate channel to channel indepen nce includes physical and electrical independence of eac channel from the others. Furthermore, each channel must be nergized from separate inverters and station batteries. N;c,t; th;t hr ko demonstrated adequate channel to channel independence may
- g g operate in two-out-of-three logic configuration, with channel removed from service, until following the next MODE 5 entry.
Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4). Bistable Trio Units Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic for each ESFAS
' Function. They also provide local trip indication and remote annunciation.
There are four channels of bistables, designated A through 0, for each ESFAS Function, one for each measurement channel. In cases where two ESF Functions share the same input and trip setpoint (e.g., containment pressure input to CIAS and SIAS), the same bistable may be used to satisfy both Functions. Similarly, bistables may be shared between the RPS and ESFAS (e.g., Pressurizer. Pressure-Low input to the RPS and SIAS). Bistable output relays de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks. The contacts from these bistable relays are arranged into six coincidence matrices, comprising the Matrix Logic. If bistables monitoring the same parameter in at least two - channels trip, the Matrix Logic will generate an ESF actuation (two-out-of-four logic). (continued) g 8 3.3-79 AMENDMENT NO. SAN ON0FRE--UNIT 2 I
-. -~ ~ _ .. - . _ ..
ESFAS Instrumentation B 3.3.5 O BASES BACKGROUND ESFAS Logic (continued) four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. ; Bistable relay contact outputs from the four channels are ; configured into six logic matrices. Each logic matrix checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices to reflect the bistable channels ' being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the logic matrix, all four matrix relays de-energize. The matrix relay contacts are arranged into trip paths, with . one relay contact from each matrix relay in each of the four : M paths. ch trip path controls two initiation relays. Each of the two initiation relays in each trip path controls 1; e, contact / in the Actuation Logic for one train of ESF. wo channels of Actuation Logic, mounted in the 7 Auxiliary Relay Cabinet (ARCS), is responsible for actuating s/ one train of ESF equipment. Each ESF Function has separate Actuation Logic in each ARC. The contacts from the Initiation Logic are configured in a ; selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the i RTCBs. This logic controls ARC mounted subgroup relays, ; which are normally energized. Contacts from these relays, when de-energized, actuate specific ESF equipment. When a coincidence ~ occurs in two ESFAS channels, all four . matrix relays in the affected matrix will de-energize. This ! in turn will de-energize all eight initiation relays, four used in each Actuation Logic. , Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring ; between bistable relay cards, up to but not including the l matrix relays. Matrix contacts on the bistable relay cards < are excluded from the Matrix Logic definition, since they 1 are addressed as part of the measurement channel. l (continued) .Q SAN ON0FRE--UNIT 2 B 3.3-81 AMENDMENT NO.
ESFAS Instrumentation B 3.3.5 : O BASES BACKGROUND ESFAS Loaic (continued) I shares an operating bypass with the Pressurizer Pressure-Low reactor trip. RAS Manual ESFAS initiation capability is provided4to permit the , operator to manually actuate an ESF System when necessary. < Two sets of two push buttons (located in the control room) for each ESF Function are provided, and each set actuates both trains. Each Manual Trip push button opens one trip path, de-energizing one set of two initiation relays, one : affecting each train of ESF. Initiation relay contacts are arranged in a selective two-out-of-four configuration in the ' Actuation Logic. By arranging the push buttons in two sets of two, such that both push buttons in a set must be depressed, it is possible to ensure that Manual _ Trip will not be prevented in the event of a single random failure. Each set of two push buttons is designated a single channel in LC0 3.3.6. ,
-)
w APPLICABLE Each of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be the , secondary, or backup, actuation signal for one or more other accidents. ESFAS protective Functions are as foilows: i
- 1. Safety In.iection Actuation Sianal SIAS ensures acceptable consequences during ,large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly ejection accidents, j and main steam line breaks (MSLBs) inside containment. i To provide the required protection, either a high l containment pressure or a low pressurizer pressure )
signal will initiate SIAS. SIAS initiates the Emergency Core Cooling Systems (ECCS) and performs several other functions such as initiating a j (continued) SAN ON0FRE--UNIT 2 B 3.3-83 AMENDMENT NO. l m
ESFAS instrumentation B 3.3.5 BASES APPLICABLE 1. Safety In.iection Actuation Sional (continued) SAFETY ANALYSES Containment Cooling Actuation Signal (CCAS), initiating control room isolation, and starting the diesel generators. CCAS mitigates containment overpressurization when required by either a manual CCAS actuation or an automatic SIAS Function.
- 2. Containment Soray Actuation Sional CSAS actuates containment spray, preventing containment overpressurization during large break LOCAs, small break LOCAs, and MSLBs or feedwater line breaks (FWLBs) inside containment. CSAS is initiated by high high containment pressure and an SIAS. This configuration reduces the likelihood of inadvertent containment spray.
- 3. Containment Isolation Actuation Sional CIAS ensures acceptable mitigating actions during large and small break LOCAs, and MSLBs or FWLBs inside containment. CIAS is initiated by high containment pressure.
- 4. Main Steam Isolation Sianal ,4 MSIS ensures acceptable consequences . ring an MSLB or FWLB (between the steam generator a the main feedwater check valve), either ins' e or outside containment. MSIS isolates both team generators if either generator indicates a low pressure condition.
This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.
- 5. Recirculation Actuation Sianal At the end of the injection phase of a LOCA, the refueling water storage tank (RWST) will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the (continued)
B 3.3-84 AMENDMENT NO. SAN ON0FRE--UNIT 2
ESFAS Instrumentation s B 3.3.5 h BASES t LCO b. Pressurizer Pressure-Low (continued) The Allowable Value for this trip is set low ! enough to prevent actuating the ESF Functions (SIAS) during normal plant operation and 3ressurizer pressure transients. The setting is , ligh enough that, with the specified accidents,
- the ESF systems will actuate to perform as expected, mitigating the consequences of the accident.
The Pressurizer Pressure-Low trip setpoint, which provides SIAS, and RPS trip, may be manually decreased to a floor value of 300 psia to allow for a controlled cooldown and ' depressurization of the RCS without causing a reactor trip, or SIAS. The margin between actual - 3ressurizer pressure and the trip set >oint must 3e maintained less than or equal to t1e specified value (400 psia) to ensure a reactor trip, and SIAS will occur if required during RCS cooldown and depressurization. b From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual-RCS pressure until the trip setpoint is reached. 472 Whenthetripsetpointhasbeenlo/eredbelowthe bypass permissive setpoint of-teenpsia, the Pressurizer Pressure-Low reactor trip, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal setpoint, the bypass is > ah%c t, removed. Bvoass Removal . This LC0 requires four channels of bypass removal for Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2, and 3. 1 (continued)
- ]
l B 3.3-87 AMENDMENT NO. ! SAN ONOFRE--UNIT 2
)
ESFAS Instrumentation B 3.3.5 l' BASES LC0 Bypass Removal (continued) Each of the four channels enables and disables the bypass capability for a single channel. Therefore, this LCO applies to the bypass removal feature only. If the bypass enable function is failed so as to prevent entering a bypass condition, operation may continue.. Because the. trip setpoint has a floor value of 300 psia, a channel trip will result if pressure is decreased below this setpoint without bypassing. The bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity than that which can be compensated for by required SDM.
- 2. Containment Sorav Actuation Sianal CCf. :, ini ud ' : r:11; er 2rt it' illy. -)
For en-automati[Metuation, it is necessary to have a Containment Pressure-High High signal, coincident with an SIAS. The SIAS requirement should always be i I satisfied on a legitimate CSAS, since the Containment Pressure-High signal used in the SIAS will initiate before the Containment Pressure-High High. This ensures that a CSAS will not initiate unless required.
- a. Containment Pressure-Hiah Hiah This LCO requires four channels of Containment Pressure-High High to be OPERABLE in MODES 1, 2, and 3.
l The Allowable Value for this trip is set high ~ enough to' allow for first response ESF systems (containment cooling systems) to attempt to ! mitigate the consequences of an accident before resorting to spraying borated water onto ! containment equipment. The setting is low enough to initiate CSAS in time to prevent containment pressure from exceeding design. (continued)
):
B 3.3-88 AMENDMENT NO. SAN ONOFRE--UNIT 2
ESFAS Instrumentation B 3.3.5 m BASES ) LCO a. Steam Generator Pressure-Low (continued) The Allowable Value for this trip is set below the full. load operating value for steam pressure so as not to interfere with norulal plant operation. However, the settin to provide an MSIS (Function 4)g an during is high enough excessive steam demand event. An excessive steam demand event causes the RCS to cool down, resulting in a positive reactivity addition to the core. MSIS limits this cooldown by isolating both steam generators if the pressure in either drops below the trip setpoint. An RPS trip on Steam Generator Pressure-Low is initiated simultaneously, using the same bistable. The Steam Generator Pressure-Low bistable output is also used in the EFAS logic (Function 7) to aid in detennining if a steam generator is intact. The Steam Generator Pressure-Low trip setpoint may be manually decreased as steam generator pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual F w , m b* g4* w a k pressure and the trip setpoint must be maintained less than or equal to the specified value of 200 psi to ensure a reactor trip and MSIS will occur when required.
- Mpoht wid W e n a* '-
am bm.a4:s a tt3 !v makhla., n y 4 2e. g as 84 *a*,*M psaame,
- 5. Recirculation Actuation Sianal 4 *
- a. Refuelina Water Storace Tank Level-Low This LC0 requires four channels of RWST Level-Low to be OPERABLE in MODES 1, 2, 3, and 4.
The upper limit on the Allowable Value for this trip is set low enough to ensure RAS does not initiate before sufficient water is transferred - to the containment sump. Premature recirculation , could impair the reactivity control function of { ' safety injection by limiting the amount of boron injection. (continued) SAN ON0FRE--UNIT 2 8 3.3-90 AMENDMENT NO.
4 ESFAS Instrumentation ' B 3.3.5 j ] BASES LCO c. Steam Generator Pressure-Low (continued) The Steam Generator Pressure-Low input is derived from the Steam Generator Pressure-Low RPS bistable output. This output is also used as an MSIS input. ; The Allowable Value for this trip is set below , the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the setting is high enough to provide an MSIS (Function 4) during an excessive steam demand event. An excessive steam demand is one indicator of a potentially ruptured steam generator; thus, this EFAS input, in conjunction with the SGPD Function, prevents the feeding of a potentially ruptured steam generator. LCO D Star- C; ~ u m P . c a o u , s - L v., " c hununucu) # The Steam Generator Pressure-Low trip setpoint may be manually decreased as steam generator
) pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual - H ::r
*M*a~ $6a 6 '* +* ' pressure and the trip setpoint must b'emaintained less than or equal to the specified value of 200 occur will psi to ensure that a reactor when required. trip +and MSIS W edpoia wl4 3** w le g 3., as s A permbe aJw*b*L) w=414eb e-~
w an & a q.oy w..,yta,. m APPLICABILITY In MODES 1, 2 and 3 there is sufficient energy in the primary and secondary systems to warrant automatic ESF System responses to:
. Close the main steam isolation valves to preclude a positive reactivity addition;
. Actuate. emergency feedwater to preclude the loss of the steam generators as a heat sink (in the event the ,
normal feedwater system is not available); (continued) l J ! SAN ONOFRE--UNIT 2 B 3.3-93 AMENDMENT N0.
ESFAS Instrumentation B 3.3.5 O BASES ACTIONS D.1 and 0.2 (continued)
-^
LC0 3.0.3, as explained in Condition B. Completion Times consistent with Condition B. je @ . *E. I"1 Ridi E.2 ww 53 Nl. 4 Ade 4 SD If the Required Actions and associate Completion Times of Condition A, B, C, or D cannot be me , the plant must be h,,,, ts.olah g ,, brougat to a MODE in which the LC0 does not apply. To
" achigse this status, the plant must be brought to at least MODy3 within 6 hours and to MODE 4 within 12 hours. The Sgal owed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
[ b%%T l w SURVEILLANCE SR 3.3.5.1 REQUIREMENTS - Performance of the CHANNEL CHECK once every 12 hours ensures m ) that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the match criteria, it is an indication that the channels are OPERABLE. s The Frequency, about once every shift, is based on operating experience that demonstrates channel failure i~s rare. Thus, ] (continued) SAN ONOFRE--UNIT 2 B 3.3-99 AMENDMENT NO.
l>JssmT l S.E a4 FL ,
\ C. .& kyu Ac k s s4 . seee M Q W.us- . =
_et c g,% A B, C , o, D ca.uf kyf L % -_. . - Recte<4tw A<f.w. A S,3 =0,. R pCa.) e4 A . - _ _._.. L& to n . p.obs . ;~ alteL A. Leo . das W .._-_ to ackiew 1ku slaLs, +L. gia J msf be. Q. -. . bro C+. to a 4- hasV 4eot 3 wi% 4 . kones. M /u . - Arvos S wlH< in SG keu r.s . TL allows %ph fic~ Ti u s e m._ a.,sou a , ku4 n ,psj_a<pw;anoe, . b (A +k. s les.J. pia J casd Nier.$ le an o m a n n e- A uiLJ chalk 19 plad yk s . - w - -t.c %r
- - + =w a m--+ rm.%%v-s.,, ins m
==. -- %. --4 wee.~..w,., ..m,,
r --4 -' - e+8=w- %* -4e e * --@"dM>e--ep JP 7-+*" weg di 4,-es,-y- m ..a, . . . -- ,.m., ,, +,- r w --*#e-ew--, .auw-s
- - - * - ..--,i - . . ~ , , - 4,s,- ei.m-,mm ee-me-+ e,Ip+--w-mn a-e * .,, < , - ,,ww.-,,.m -.
,.- -.w- p -u = -u-==-g. -*--mm<-+e'-i++e--ge e M-a - N*=9 n **e.-
- y.gs-. .m & - 4=re.,saS.A.- .**mcJ+kmaw-- s. --e . i+.-
w m p ,, , ,,,,,.. n o e m<- - - -.mm,- -,rMu-, mae-wh u + aiw_e 15"f- i-=*b%.er.mm-- iAm-- ** -+- i- au--- 4-**s-*='e"*'t" 4 .
ESFAS Instrumentation B 3.3.5 BASES (continued) SURVEILLANCE SR 3.3.5.1 (continued) REQUIREMENTS performa 4o the CHANNEL CHECK guarantees that l i undetecegvetchannelfailureislimitedto12 obability of two random failures in hours. redundant Since e channel any 12 hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of i displays associated with the LCO required channels. l l l SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire channel will perform its intended function when needed. The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. l SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized. These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests. A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the specified tolerance around the setpoint. This is done with the affected PPS trip channel bypassed. !
\
SR 3.3.5.3 and SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel (continued) B 3.3-100 AMENDMENT NO. SAN ONOFRE--UNIT 2
i ESFAS Znstrumentation B 3.3.5 f O BASES (1 SURVEILLANCE SR 3.3.5.3 and SR 3.3.5.4 (continued) i REQUIREMENTS responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational ~ between successive surveillances. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current i plant specific setpoint analysis. 1 The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were perfomed with the reactor at power. ! I SR 3.3.5.5 This Surveillance ensures that the train actuation response times are within the maximum values assumed in the safety l l
]. analyses.
Response time testing acceptance criteria are included in Reference 10. i ESF RESPONSE TIME tests are' conducted on a STAGGERED TEST l BASIS of once every 24 months. The 24 month Frequency is I consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious resnonse time de radation, but not channel failure, are requent h . S R 3.S.6 h 3.3 sac FUNCTIONAL TEST similar t'o SR . 5.2, ex ept SR 3.3.5.6 is perfomed within 92 days prior to startup and is only applicable to bypass functions. Since the Pressurizer Pressure-Low bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13. h (continued) SAN ONOFRE--UNIT 2 B 3.3-101 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 BASES
]'
BACKGROUND - Matrix Logic, ' (continue 0, - Initiation Logic (trip paths), and '
- Actuation Logic.
This LCO addresses ESFAS Logic. Bistables and measurement channels are addressed in LC0 3.3.5, " Engineered Safety Features Actuation System (ESFAS) Instrumentation." The role of the measurement channels and bistables is described in LC0 3.3.5. The role of the ESFAS Logic is described below. ESFAS Loaic The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. , Bistable relay contact outputs from the four channels are configured into six Matrix Logics. Each Matrix Logic checks for a coincident trip in the same parameter in two bistable channels. The matrices are designated the AB, AC, AD, BC, , BD, and CD matrices, to reflect the bistable channels being monitored. Each Matrix Logic contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the Matrix Logic, all four matrix relays de-energize. The matrix relay contacts are arranged into tri) paths, with one rela contact from each matrix relay in eac1 of the four ri . Each trip path controls two initiation relays. E ch of the o initiation relays in each trip path controls ; [ e. contact /, in t e Actuation Logic for one train of ESF. , I e two channels of Actuation Logic, mounted in the Auxiliary Relay Cabinets (ARCS), is responsible for actuating one train of ESF equi) ment. Each ESF Function has separate Actuation Logic in eac1 ARC. The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the RTCBs. This logic controls ARC mounted subgroup relaye (cantinued) , SAN ONOFRE--UNIT 2 B 3.3-104 AMENDMENT NO. l
ESFAS Logic and Manual Trip B 3.3.6 P BASES O 1 BACKGROUND ESFAS Loaic (continued) channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing. Trip channel bypassing is addressed in LC0 3.3.S. Manual ESFAS initiation capability is provided to permit the [#k f,"",'f[As NS N ** d b "fE E retog , Two sets of two push buttons (located in the control room) Afor each ESF Functiofyare orovideA and each set actuates both trains 6xcept for RAS) Each Manual Trip push button opens one trip path, de-energizing one set of two initiation ' relays, one affecting each train of ESF. Initiation relay contacts are arranged in a selective two-out-of-four : configuration in the Actuation Logic. By arranging the push buttons in two sets of two, such that both push buttons in a set must be depressed, it is possible to ensure that Manual . Trip will not be prevented in the event of a single random failure. Each set of two push buttons is designated a single channel in this LCO. h, a tt as tr=, RAS does not have manual pushbuttons on the Control I y % ,iy u g - Manual Hoom panels. AAAS manual actuation +s-available from the pushbuttons on the ESFAS panels. These pushbuttons b y6 operate contacts in the' Actuation Logic, so Initiation Logic is not required for a manual actuation. %su pod eu ** w F er.4 M 1. A.TecWe.f W s. l APPLICABLE Each of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS i Function may be the primary actuation signal for more than ) one type of accident. An ESFAS Function may also be a , secondary, or backup, actuation signal for one or more other l accidents. l ESFAS Functions are as follows:
- 1. Safety Iniection Actuation Sional SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break (continued)
.)
SAN ONOFRE--UNIT 2 B 3.3-106 AMENDMENT NO.
.l x
ESFAS Logic and Manual Trip B 3.3.6 ) BASES APPLICABLE 1. Safety In.iection Actuation Sianal (continued) SAFETY ANALYSES LOCAs, control element assembly ejection accidents, I y and main steam line breaks (MSLBs) inside or outside l containmeng To provide the required protection, l (; % b e k.s either a high containment pressure or a low l l pressurizer pressure signal will initiate SIAS. SIAS initiates the Emergency Core Cooling Systems (ECCS) and performs several other Functions, such as initiating a containment cooling actuation, initiating control room isolation, and starting the diesel generators.
- 2. Containment Isolation Actuation Sianal CIAS ensures acceptable mitigating actions during large and small break LOCAs and during MSLBs or feedwater line breaks (FWLBs) inside containment.
CIAS is initiated by high containment pressure.
- 3. Containment Coolina Actuation Sianal CCAS mitigates containment overpressurization when required by either a manual CCAS actuation or an automatic SIAS Function.
- 4. Recirculation Actuation Sianal At the end of the injection phase of a LOCA, the refueling water storage tank (RWST) will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWST to containment sump must occur before the RWST empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction.
Furthermore, early switchover must not occur to ensure sufficient borated water is injected from the RWST to ensure the reactor remains shut down in the recirculation mode. An RWST Level-Low signal initiates the RAS. J (continued) SAN ON0FRE--UNIT 2 B 3.3-107 AMENDMFNT N0.
i ESFAS Logic and Manual Trip t B 3.3.6 ! i BASES Containment Spray Actuation Signal 4" b APPLICABLE 5. SAFETY ANALYSES (continued) CSAS actuates containment spray, preventin containment overpressurization during lar e break , LOCAs, small break LOCAs, and MSLBs or LBs inside containment. CSAS is initiated by hi high containment pressure and a coinciden . This configuration reduces the likelihood f inadvertent containment spray. .i
- 6. Main Steam Isolation Signal MSIS ensures acceptable consequences during an MSLB either inside or outside containment or FWLB (between the steam generator and the main feedwater check valve). MSIS isolates both steam generators if either generator indicates a low pressure condition. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.
7, 8. Emergency Feedwater Actuation Signal
& EFAS consists of two steam generator (SG) specific signals (EFAS-1 and EFAS-2). EFAS-1 initiates A*gl'*9 . f emergency feed to SG #1, and EFAS-2 initiates g
p g g / g emergency h. feed to SG #2. Steenda gigh /eVp EFAShtintains a cter ,:n:r;tsgheat s nk during tr
- nt :nd an MSLB or FWLB j e ed l st:: ;;n:r:t r +"" ""pt r:
event either inside or outside containment. x(u.tiw( ((/ /p kadig 84 tunahkd or least AFA.eM.
*6" "-
f Low steam generator water level initiates emergency feed to the affected steam generator, providing the
/ generator is not identified (by the circuitry) as $p 6
faulted (an MSLB or FWLB). EFAS logic includes steam generator specific inputs from the Steam Generator Pressure-Low bistabli - comparator (also used in MSIS) and the SG Pressure Difference-High (SG #1 > SG #2 or SG #2 > SG #1, bistable comparators) to detennine if a rupture in either generator has occurred. Rupture is assumed if the affected generator has a low pressure condition, unless that generator is (continued) 1 SAN ON0FRE--UNIT 2 B 3.3-108 AMENDMENT N0. l
ESFAS Logic and Manual Trip B 3.3.6 i O 8^Sc5 APPLICABLE ~7, 8. Emeraency Feedwater Actuation Sianal (continued) SAFETY ANALYSES significantly higher in pressure than the other generator. This latter feature allows feeding the intact steam generator even if both are below the MSIS setpoint, while preventing the ruptured generator from being fed. Not feeding a ruptured generator prevents containment overpressurization during the analyzed events. The ESFAS satisfies Criterion 3 of the NRC Policy Statement. LCO The LCO requires all channel components necessary to provide an ESFAS actuation to be OPERABLE. The requirements for each Function are listed below. The reasons for the applicable MODES for each Function are addressed under APPLICABILITY.
- 1. Safety In.iection Actuation Sianal ya ue.ws%~j Automatic SIAS is required te4ieitic.t; CCAS and CSAS.
Automatic SIAS occurs in Pressurizer Pressure-Low or Containment Pressure-High and is explained in Bases 4 3.3.5.
- a. Manual Trio This LC0 requires two channels of SIAS Manual Trip to be OPERABLE' in MODES 1, 2, 3, and 4.
- b. Matrix Loaic i This LC0 requires six channels of SIAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
- c. Initiation Loaic This LCO requires four channels of SIAS- l Initiation Logic to be OPERABLE in MODES 1, 2, 3, i and 4. j h (continued)
SAN ON0FRE--UNIT 2 B 3.3-109 AMENDMENT NO. j l l 1
i ESFAS Logic and Manual Trip ! B 3.3.6
' '\ .
BASES LC0 d. Actuation Loaic (continued) This LCO requires two channels of SIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
- 2. Containment Isolation Actuation Sional su -wrA; .
For Containmed Pressure-High, the SIAS and CIAS i share the samd4eput channels, bistables, and matrices and matrix relays. The remainder of the initiation channels, the manual channels, and the Actuation Logic are separate. Since their applicability is also the same, they have identical actions.
- a. Manual Trio This LCO requires two channels of CIAS Manual Trip 47 . o diannela ef E!AS ";r.;;l T. h, to be OPERABLE in MODES 1, 2, 3, and 4.
- b. Matrix Loaic This LCO requires six channels of CIAS Matrix ;
Logic to be OPERABLE in MODES 1, 2, and 3.
- c. Initiation Loaic -
This LCO requires four channels of CIAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
- d. Actuation Locic This LCO requires two channels of CIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
- 3. Containment Coolino Actuation Sianal sit Mut;u(b a.J Mic The CCAS Function een be- ;.m ily actuated on an4SIAS.
It can also be manually actuated using two channels of CCAS push buttons, configured similarly to all other ESFAS Manual Trips except for RAS. CCAS therefore shares the SIAS (continued) J SAN ONOFRE--UNIT 2 B 3.3-110 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 BASES LC0 3. Containment Coolina Actuation Sianal (continued) iMxidhann'els, bistables, coincidence matrices, and matrix relays. It has separate manual channels and Actuation Logic. _r
- a. Manual Trio This LC0 requires two channels of CCAS Manual g ~A 1 _ e." sAS Trip = M h al T.-;p to be OPERABLE in tess %
N5 "# y ,ge,3gy , MODES 1, 2, 3, and 4. et***d5 'I 49 k 7 Initiation loaic f wt I, ceA5ugs i,2,ed5 d/5.
#^ i*W3 This LC0 requires four channels of CCAS
** Initiation Logic to be OPERABLE in MODES 1, 2, 3, M**' " Y .a (nWeb Y and 4.
4-
~
sec ens. s /. Actuation loaic
- c. NNikkWC~
- This LC0 requires two pha.nnels of CCAS Actuation Logic to be OPERABLE ih MODES 1, 2, 3, and 4.
145 Leo $*3M 'Mada .
] et. 3 Ws > k N Lg" b b '
## nal Re,irculation Actuation Sic L a. Matrix Loaic
& 1 Few- cka w(sof Sig j This LC0 requires six channels of RAS Matrix Logic to be OPERABLE in MODES 1, 2, -and 3dpa=4 4.
l.1tra 44. Lg6 A'6 *(5 8 a w W * '*'f b. Initiation Loaic Ac h es' 'g ..j eke ==4 f 1 This LC0 requires twe4 channels of RAS Initiationlogic to be OPERABLE in MODES 1, 2, 3, u As l* W e N u %6 9 and 4. g ;g mg, 4 N* b' ekawls*f W s$$'. Actuation Loaic . This LCO requires two channels of RAS Actuation Logic.to be OPERABLE in MODES 1, 2, 3, and 4.
- 5. Containment Sorav Actuation Sional CSAS is initiated either manually or automatically.
For an automatic actuation it is necessary to have a (continued)
]
D 3.3-111 AMENDMENT NO. SAN ONOFRE--UNIT R
ESFAS Logic and Manual Trip B 3.3.6 : h BASES LCO S. Containment Spray Actuation Sianal (continued) Containment Pressure-High High signal, coincident with g.C' M SIAS. The SIAS requirement should always' be satisfied on a legitimate CSAS, since the Containment , Pressure-High signal used in the SIAS will initiate before.the Containment Pressure-High High input signal to CSAS. This ensures that a CSAS will not initiate unless required.
- a. Manual Trio This LC0 requires two channels of CSAS Manual Trip to be OPERABLE in MODES 1, 2, and 3.
- b. htomatic SIAS (Function 1) ,
~
This LCO requires four channels of Automatic SIAS l' inputtoCSAStobeOPERABL[inMODES1,2 se*n*s. N'3 New kic and 3aras deer.e k 4 1+ . og ww. A g The Automatic SIAS occurs on Pressurizer ~ 3 Pressure-Low or Containment Pressure-High and is u) explained above.
- c. Matrix Loaic j b
- M *f M M** D Logic to be OPERABLE in MODES 1, EL2,.and 3.
,4. i
- ~ ~ m.
'd. .-- .seLoaic 7nitiation a w .= ~ CW:0 ww w &c %*
16 bc,hs **k%s . i ' This LCO requires four channels of CSAS isle b % 88-g Ar ch /3 4SM$ Initiation Logic to be OPERABLE in MODES 1, 2, - and 3. p.As, e$ ou ebut, ,s 3:45 f W ttm. Qtc. , 9 daalm4. #a. c =uspewsl$ cle w ( e# es4s W h 4. . !
, e. Actuation Locic ,
8 *$' - This LCO requires two channels of CSAS Actuation Logi. to be OPERABLE in MODES 1, 2, and 3. 1 I b- (continued) - SAN ONOFRE--UNIT 2 B 3.3-112 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 BASES ] APPLICABILITY
- Actuate emergency feedwater to preclude the loss of I (continued) the steam generators as a heat sink (in the event the normal feedwater system is net available);
- Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and
- Actuate ESF systems to ensure sufficient borated inventory to pemit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.
In MODES 4, 5, and 6, automatic actuation of these Functions is not required because adequate time is available to ' evaluate plant conditions and respond by manually operating the ESF components if required.
.s ESFAS " q;, ;. T Q capability is required in MODE 4 for SIAS, for sW, Cth, CIAS, CCAS, and RAS even though automatic actuation is not
,, ccAs -require 4( Because of the large number of components actuated by these Functions, ESFAS actuation is simplified )
b s % CM5ead ** bmWm5- A ras kthe use of the Manual Trip tr~ epush p.V,% L mos+# form buttons a dass 9i.uWau =N
* ** DM C , N , and EFAS have relatively few components, which can be actuated individually if required in MODE 4, and the systems may be disabled or reconfigured, making system level Manual Trip impossible and unnecessary.
The ESFAS logic must be OPERABLE in.the same MODES as the In MODE 4, only the portion of fstM *c e4 ' W T automatic the4ESFAS and Manual Trip. for the required Manual Trip logic responsible ccAs Q o.6 must be OPERABLE. w In MODES 5 and 6, the systems initiated by ESFAS are either reconfigured or disabled for shutdown cooling operation. Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. ACTIONS When the number of inoperable channels in a trip Function i exceeds those specified in any related Condition associated with the same trip Function, then the plant is outside the l (continued) J i SAN ONOFRE--UNIT 2 B 3.3-116 AMENDMENT NO. l m l
.ESFAS Logic and Manual Trip ,
B 3.3.6 j h BASES ACTIONS safety Analysis. Therefore, LCO 3.0.3 should be entered (continued) immediately, if applicable in the current MODE of operation. f A Note has been added to the ACTIONS to clarify the a> plication of the Comp 1.etion Time rules. The Conditions of t11s Specification may be entered independently for each - Function. The Completion Time for the inoperable channel of a function will be tracked separately for each Function, starting from the time the Condition was entered for that-Function.
.1 A.1 Condition A applies if one Matrix Logic channel is inoperable. Since matrix power supplies in a given matrix T AB, BC, etc.) are common to all ESFAS Functions, ainglepo CO;9- s(e.g..
6A W e h ma, e pse Aa4tien . Failures of individual bistables and their relays are considered measurement channel failures. This section describes failures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies,. e) or the failure of the trip channel bypass contact in the bypass condition. Loss of a single vital bus will. de-energize one of the two power supplies in each of three matrices. This will result in two initiation circuits de-energizing, reducing the ESFAS Actuation Logic to a one-out-of-two logic in both trains. This Condition has been modified by a Note stating that for the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure, such as loss of a vital instrument bus, is to be treated as a single matrix channel failure, providing the affected matrix relays de-energize as designed. Although each of the six matrices within an ESFAS Function uses separate power supplies, the matrices for the different ESFAS Functions share power supplies. Thus, failure of a matrix power supply may' force entry into the Condition specified for each of the affected ESFAS Functions. The channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take' appropriate actions and still ensuras that any risk involved in operating with a failed channel is acceptable. Operating Q (continued) SAN ONOFRE--UNIT 2 B 3.3-117 AMENDMENT NO.
I ESFAS Logic and Manual Trip B 3.3.6 BASES l l ACTIONS C.1 and C.2 (continued) satisfying the Required Action to open at least one set of contacts in the affected trip leg. Indefinite operation in this condition is prohibited because of the difficulty of ensuring the contacts remain open under all conditions. Thus, the channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable. Operating experience has demonstrated that the probability of a random failure of a second channel is low during any given 48 hour period. If the channel cannot be restored to OPERABLE status with 48 hours, Condition E or Condition F, as appropriate, is entered. Of greater concern is the failure of the initiation circuit in a nontrip condition, e.g., due to two initiation relay failures. With one failed, there is still the redundant contact in the trip leg of each Actuation Logic. With both failed in a nontrip condition, the ESFAS Function is lost in the affected train. To prevent this, opening of at least one contact in the affected trip leg is required. If the ') required contact has not opened, as indicated by annunciation or trip leg current lamps, Manual Trip of the affected trip leg contacts may be attempted. Caution must be exercised, since depressing the wrong ESFAS push buttons ma result i ESFAS actuation. TAMEAT N 3 D1 Condition D applies to Actuation Logic. With one Actuation Logic channel inoperable, automatic actuation of one train of ESF may be inhibited. The remaining train provides adequate protection in the event of Design Basis Accidents, but the single failure criterion may be violated. For this reason operation in this condition is restricted. The channel must be restored to OPERABLE status within 48 hours. Operating experience has demonstrated that the probability of a random failure in the Actuation Logic of the second train is low during a given 48 hour period. (continued) d 8 3.3-119 AMENDMENT NO. SAN ONOFRE--UNIT 2
v m
/
Tjuvr 43 For the EFAS function only, the This contact will cause opened themust be invalve cycling series with the Interposing relay. actuated by that relay to go to the open position and remain there, and will cause a contact to open in series with the subgroup relays. Opening only the contact in series with the subgroup relays would preserve the ability to deenergize the subgroup relays, but would leave the cycling valve unable to go ' to the EFAS actuated position. With one EFAS cycling valve held open by a deenergized EFAS Interposing relay, an MSIS actuation will not be able to takeOther that cycling valve to its MSIS actuated position (closed). MSIS actuated valves will prevent feeding the affected steamThis generator, but there will only be single valve isolation. single' valve isolation is acceptable for_the short ceriod of time allowed to restor tthe channak 1 9 i l I k, h 4 Y e m
ESFAS Logic and Manual Trip B 3.3.6 BASES {} ACTIONS 0.1 (continued) Failure of a single Initiation Logic channel, matrix channel power. supply, or vital instrument bus _ may open one or both ; contacts in the same trip leg in both Actuation Logic channels. For the purposes of this Specification, the , Actuation Logic is not inoperable. This obviates the need ! to enter LCO 3.0.3 in the event of a vital bus, matrix, or initiation channel failure. < Required Action D.1 is modified by a Note to indicate that one channel of Actuation Logic may be bypassed for up to 1 hour for Surveillance, provided the other channel is OPERABLE. This allows perfomance of a PPS CHANNEL FUNCTIONAL TEST on ' an OPERABLE ESFAS train without generating an ESFAS actuation in the inoperable train. E.1 and E.2 CSO , If the Required ctio s and associ ed Completion Times of Conditions for M IS, or EFAS can be met, the plant must )< be brought to a 40DE in which LC0 does not apply. To - achieve this stat nt must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full' power conditions in an orderly manner and without challenging plant systems. - F.1 and F.2 , If the Require etio s an associated Completion Times for SIAS, CIAS, , 49 &t or C AS are not met, the plant must be brought to a MODE in wh* h the LC0 does not apply.' To achieve this atus lant must be brought to at least MODE 3 within urs and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without i challenging plant systems. (continued) h : SAN ONOFRE--UNIT 2 B 3.3-120 AMENDMENT NO.
1 l ESFAS Logic and Manual Trip B 3.3.6 I 1 ] BASES (continued) l SURVEILLANCE SR 3.3.6.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire channel will perform its intended function when needed. The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and SR 3.3.6.2, tests the entire ESFAS from the bistable input through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. SR 3.3.5.2 and SR 3.3.6.1 are normally performed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized. These tests verify that the ESFAS is capable of performing its intended function, from bistable input through the actuated components. SR 3.3.5.2 is addressed in LCO 3.3.5. SR 3.3.6.1 includes Matrix Logic tests and trip path (Initiation Logic) tests.
) Matrix Loaic Tests i These tests are performed one matrix at a time. They verify that a coincidence in the two input channels for each function removes power to the matrix relays. During
@Y testing,fpower is applied to the matrix relay test coils, e
- g the matrix relay contacts from assuming their d oenergized state. The Matrix Logic tests will detect any rcuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.
TriD Path (Initiation Loaic) Tests These tests are similar to the Matrix Logic tests, except that test aower is withheld from one matrix relay at a time, allowing t1e initiation circuit to de-energize, opening one contact in each Actuation Logic channel. The initiation circuit lockout relay must be reset (except for EFAS, which lacks initiation circuit lockout relays) prior to testing the other three initiation circuits, or an ESFAS actuation may result. l (continued) J SAN ONOFRE--UNIT 2 B 3.3-121 AMENDMENT NO.
I 1 ESFAS Logic and Manual Trip B 3.3.6 h BASES l SURVEILLANCE Trio Path (Initiation Loaic) Tests (continued) ) REQUIREMENTS Automatic Actuation Logic operation is verified during Initiation Logic testing by verifying that current is interrupted in each trip leg in the selective , two-out-of-four actuation circuit logic whenever the initiation relay is de-energized. A Note is added to l indicate that testing of Actuation Logic shall include verification of the proper operation of each initiation . relay. The Frequency of 92 days is based on the reliability ' analysis presented in topical report CEN-327, "RPS/ESFAS b Su.g 9 Extended Test Interval Evaluation" (Ref. 2). y ,p g gg.u te. shol g lattvidaA SR 3.3.6.2 W" l. -----pIndividual ESFAS subgroup relays must a.Lse-be tested, one at a time, to verify the individual ESFAS components will , actuate when required. Proper operation of the individual l subgroup relays is verifiecl by de-energizing each relay in
> "'""8y) 4 T response to a test signal,@ = ;i = in . + = t: _ =:t
@ ', rd :t ! = t-one connected component or pair of nW685 TI contacts is observed to actuate when the relay deenergizes.
g
** The 184 day Frequency is based on operating experience and ,
wg wthi$ ensures individual relay problems can be detected within , this time frame. The actual justification is based on CEN-403, " Relaxation of Surveillance Test Interval for ESFAS l i Subgroup Relay Testing" (Ref. 3). Some components cannot be tested at power since their actuation might lead to plant trip or equipment damage. Reference 1. lists those relays exempt from testing at power, with an explanation of the reason for each exception. Relays not tested at power must be tested in accordance with j the Note to this SR. SR 3.3.6.3 - A CHANNEL FUNCTIONAL TEST is performed on the manual ESFAS actuation circuitry, de-energizing relays and providing j manual actuation of the function. i (continued) h i B 3.3-122 AMEN 0 MENT NO. SANON0FRE--UNITkE
_ . . . . ~ _ . _ _ . . . _ - . _ ESFAS Logic and Manual Trip B 3.3.6 BASES
-.a This test verifies that theAtrip push buttons are capable of opening contacts in the Actuation Logic as designed. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an un)lanned transient if the Surveillance were performed with t1e reactor at power.
0)erating experience has shown these components usually pass t1e Surveillance when performed at a Frequency of once every 24 months. REFERENCES 1. SONGS Units 2 and 3 UFSAR, Section 7.3.
- 2. CEN-327, May 1986, including Supplement 1, March 1989.
- 3. CEN-403.
)
1 t 0 SAN ONOFRE--UNIT 2 B 3.3-123 AMENDMENT NO. l
DG - LOVS B 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Diesel Generator (DG)-Loss of Voltage Start (LOVS) BASES . i
?
BACKGROUND The DGs provide a source of emergency power when offsite power is either unavailable or insufficiently stable to allow safe unit operation. . Undervoltage protection will generate a LOVS in the event a loss of Voltage or Degraded Voltage condition occurs. There are two LOVS Functions for each 4.16 kV vital bus. Four undervoltage relays with inverse time characteristics are provided on each 4.16 kV Class 1E instrument bus for the purpose of detecting a loss of bus voltage. Four undervoltage relays with definite time characteristics are provided for the purpose of detecting a sustained. degraded voltage condition. The relays are combined in a two-out-of-four logic to generate a LOVS if the voltage is below 75% for a short time or below 90% for a long time. The LOVS initiated actions are described in "0nsite Power Systems" (Ref. 1).
;)
Trio Setooints and Allowable Values The trip setpoints and Allowable Values are based on the analytical limits presented in " Accident Analysis," Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, ' and instrument drift, Allowable Values gnif
- J .n H;r 2.2.'-1 are conservatively adjusted with respect to the analytical limits. The actual nominal trip setpoint is nomally still' more conservative than that required by the plant specific setpoint calculations. If the measured trip setpoint does not exceed the documented SurveiMance acceptance criteria, the undervoltage relay is considered OPERABLE.
Setpoints.in accordance with the Allowable Values will ensure that the consequences of accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the accident and the equipment functions as designed. (continued). SAN ON0FRE--UNIT 3- B 3.3-124 AMENDMENT N0.
DG - LOVS B 3.3.7 i BASES
)
ACTIONS Note 1 was added to ensure review by the Onsite Review l (continued) Committee is perfonned to discuss the desirability of maintaining the channel in the bypassed condition. A.1 and A.2 Condition A applies if one channel is inoperable for one Function per DG bus. If the channel cannot be restored to OPERABLE status, the affected channel should either be bypassed or tripped within 1 hour (Required Action A.1). Placing this channel in either Condition ensures that logic is in a known configuration. In trip, the LOVS Logic is one-out-of-three In bypass, the LOVS Logic is two-out--of-threeM rd ".t:rkd: pr:ar.t Li e m vi o es-od chr M for the orie deu Tunct hr.. The 1 hour Completion Time is sufficient to perform these Required Actions. Once Required Action A.1 has been complied with, Required Action A.2 allows prior to entering MODE 2 following the s i next MODE 5 entry to repair the inoperable channel. If the channel cannot be restored to OPERABLE status, the plant cannot enter MODE 2 following the next MODE 5 entry. The time allowed to repair or trip the channel is reasonable to repair the affected channel while ensuring that the risk involved in operating with the . inoperable channel is ' acceptable. The prior to entering MODE 2 following the next' MODE 5 entry Completion Time is based on adequate channel independence, which ~ allows a two-out-of-three channel operation since no single failure will cause or prevent a-reactor trip. B.1 and B.2 :- Condition B applies if two channels are inoperable for one Function. l The Required Action is modified by a' Note stating that i LCO 3.0.4 is not applicable. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a l (continued) ! 1 SAN ONOFRE--UNIT F B 3.3-128 AMENOMENT NO. l
l DG - LOVS B 3.3.7 ] BASES ACTIONS B.1 and B.2 (continued) one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation. If the channel cannot be placed in bypass or trip within 1 hour, the Conditions and Required Actions for the associated DG made inoperable by DG-LOVS instrumentation are required to be entered. Alternatively, one affected channel is required to be bypassed and the other is tripped, in accordance with Required Action B.2. This places the Function in one-out-of-two logic. The 1 hour Completion Time is sufficient to perform the Required Actions. Ag One of the two inoperable channels will need to be estored to OPERABLE status prior to the next required CHA EL FUNCTIONAL TEST because channel surveillance tes ing on an OPERABLE channel requires that the OPERABLE ch nel be placed in bypass. However, it is not f = ib! to bypass more than one DG-LOVS channel, and placing a second channel 4 in trip will result in a loss of voltage diesel start l signal. Therefore, if one DG-LOVS channel is in trip and a second channel is in bypass, a third inoperable channel j would place the unit in LC0 3.0.3. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. C.1 Condition C applies when more than two undervoltage or Degraded Voltage channels on a single bus are inoperable. Required Action C.1 requires all but two channels to be restored to OPERABLE status within 1 hour. With more than two channels inoperable, the logic is not capable of providing the DG-LOVS signal for valid Loss of Voltage or Degraded Voltage conditions. The 1 hour Completion Time is reasonable to evaluate and take action to correct the i degraded condition in an orderly manner and takes into account the low probability of an event requiring LOVS occurring during this interval. l l 1 (continued) %] SAN ONOFRE--UNIT 3 B 3.3-129 AMENDMENT NO. l
$- CPIS B 3.3.8 BASES LCO b. -Airborne Radiation and Containment Area Radiation (continued) The LC0 on the radiation channels requires that each channel be OPERABLE for each Actuation Logic channel, since they are not totally redundant to each other.
The trip setpoint of twice background is selected to allowdetectionofsmalldeviationsfromnormar./The absolute value of the trip setpoint in MOD @6 differs from the setpoint in MODES 1,.2, 3, and 4 so j that a fuel handling accident can be detected in the lower background radiation expected t<r.T in-t4rere MODE j /. (och On+7 Th6 Conwoment Arce_, P# A
- c. Actuation Loaic w +w pc.m Ofe.nMcE poe.ns moC2 c-e. Ib6 Airturno PJ AW ghpaelI, arc ne t re 4. erd l i One channel of Actuation Logic is-required, since the umsMoth 6. (
valves can be shut independently of the CPIS signal either manually from the control room or using either the SIAS or CIAS push button. APPLICABILITY In MODES 1, 2, 3, and 4, the minipurge valves may be open. i In these MODES, it is necessary to ensure the valves will shut in the event of a primary leak in containment whenever any of the containment purge valves are open. With the purge valves open during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, a fuel handling accident would require CPIS on high radiation I in containment. The APPLICABILITY is modified by a Note, which states that the CPIS Specification is only required when the penetration is not isolated by at least one closed and de-activated automatic valve, closed manual valve, or blind flange. i l (continued) h B 3.3-13S AMENDMENT NO. SAN ONOFRE--UNIT 2
CPIS B 3.3.8 BASES LC0 b. Airborne Radiation and Containment Area Radiation (continued) p4 The LC0 on the radiation channels requires that c h channelbeOPERABLEforeachActuationLogicchannelf
& cc tScy re n t tvuoli, cuuido.it tu coJ. u d.m. .
The trip setpoint of twice background is selected to allow detection of small deviations from normal. The absolute value of the trip setpoint in MODES 5 and 5 differs from the setpoint in MODES 1, 2, 3, and 4 so that a fuel handling accident can be detected in the lower background radiation expected in these MODES.
- c. Actuation Loaic One channel of Actuation Logic is required, since the valves can be shut independently of the CPIS signal either manually from the control room or using either the SIAS or CIAS push button.
APPLICABILITY In MODES I, 2, 3, and 4, the minipurge valves may be open. In these MODES, it is necessary to ensure the valves will shut in the event of a primary, leak in containment whenever any of the containment purge valves are open. With the purge valves open during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, a fuel handling accident would require CPIS on high radiation in containment. The APPLICABILITY is modified by a Note, which states that the CPIS Specification is only required when the penetration is not isolated by at least one closed and de-activated automatic valve, closed manual valve, or blind flange. (continued) SAN ON0FRE--UNIT 2 B 3.3-136 AMENDMENT NO.
v.u - - l CRIS B 3.3.9 BASES (continued)* This test verifies that the trip push buttons are capable of opening contacts in the Actuation Logic as designed, (continued) AMEN 0HENT NO. SAN ONOFRE--UNIT 2 B 3.3-148
CRIS B 3.3.9 4
) -
BASES (continued) __-%.%m l~ ~
' N ~~s SURVEILLANCE SR 3.3.9.5 (continued)
REQUIREMENTS de-energizing the initiation relays and providing Manual Trip of the function. The 18 month Frequency is based on the need to perform this Surveillance under the conditions . that apply during a plant outage and the potential for an l j unplanned transient if the Surveillance were performed with I the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at a l Frequency of once every 18 months. I I'
- 1. SONGS Units 2 and 3 UFSAR, Chapter 15.
REFERENCES
- 2. PPS Selection of Trip Valves Document.
- 3. 10 CFR 50, Appendix A, GDC 19.
~~ ~ ~ '
x%.
~ ,
~
W f ! M onne gw 0.0b AMENDHENT NO. SAN ONOFRE--UNIT 2 B 3.3-149
~_- __ _ - . _ _ . _ _ _
FHIS B 3.3.10 8 3.3 INSTRUMENTATION B 3.3.10 Fuel Handling Isolation Signal (FHIS) BASES BACKGROUND This LC0 encompasses FHIS actuation, which is a plant specific instrumentation channel that per nns an actuation Function required for plant protection by is not otherwise ; included in LC0 3.3.6, " Engineered Safe y Features Actuation l System Generator(ESFAS) (DG)-LossLogic and Manual of Voltage Trip,"(orThis Star, LOVS)." LCO is 3.3.7, a " Diesel non-Nuclear Steam Supply System ESFAS Function that, because of differences in purpose, design /and operating requirements, is not included in/tC0 3.3.6 and LC0 3.3.7.
/
TheFHISprovidesprotectionffomradioactivecontamination in the spent fuel pool area fn the event that a spent fuel element ruptures during haridling.
/
The FHIS will detect radfoactivity from fission products in the fuel and will initjate appropriate actions so the i release to the environment is limited. More detail is > provided in Referencs 1. The FHIS includes t /wo independent., redundant subsystems, i including actuat' ion trains. Each train employs a separate . sensor to dete'ct gaseous activity. Since the two sensors detect different types of activity, they are not considered redundant,fo each other. However, since there is a separate i sensor in each train, the trains are redundant. If the bistable monitoring the sensor indicates an unsafe condJt' ion, that train will be actuated (one-out-of-two lofc). The two trains actuate separate equipment. t Trio Setooi'nts and Allowable values Trip setpoints used in the bistables are based on the analytical limits (Ref. 2). The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, and instrument drift, Allowable Values specified in LCO 3.3.10 are conservatively adjusted with respect to the analytical limits. A detailed . description of the methodology used to calculate the trip (continued) J B 3.3-150 AMENDMENT NO. SAN ONOFRE--UNIT 2 ,
FHIS B 3.3.10 9 ] BASES
./
[ BACKGROUND Trio Setooints and Allowable Values (conti nue'd')
./
setpoints, including their explicit uncertainties, is provided in " Plant Protection System Selection of Trip Setpoint Values" (Ref. 3). The actual .n'ominal trip setpoint entered into the bistable is normally;.still more conservative than that specified by,the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable'is considered OPERABLE.
/
Setpoints in $rdancewiththeAllowableValuewillensure the consequen es.of Design Basis Accidents will be acceptable, pr id)f the accident and the equipmentg'the plant is LCOs at the onse o functions as designed.
/
/
APPLICABLE The FHIS is re' quired to isolate the normal Fuel Handling SAFETY ANALYSES Building Post / Accident Cleanup (PACU) System and automatically initiate the recirculation and filtration systems in the event of the fuel handling accident in the fuel handlifig building, as described in Reference 2. The FHIS helpsj' ensure acceptable consequences for the dropping of a spent fuel bundle breaching up to 60 fuel pins. The FHISj! satisfies the requirements of Criterion 3 of the NRC Policy Statement.
/
/
LC0 LCOj 3.3.10 requires one channel of FHIS to be OPERABLE. The recuired channel consists of Actuation Logic, Manual Trip, arg gaseous radiation monitor. The specific Allowable alues for the setpoints of the FHIS are listed in the SRs. Only the Allowable Values are specified for each trip Function in the SRs. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that the difference between the nominal trip setpoint and the Allowable Value is (continued) B 3.3-151 AMENDMENT NO. SAN ONOFRE--UNIT 2'
FHIS 3 3.3.10 ] BASES LCO equal to or greater than the drift allowance assumed fo (continued) each trip in the transient and accident analyses. The Allowable Value specified is more conservative ,than the
-8ent analytical limit assumed in the transient and acc)tainties analysis in order to account for instrument uncer appropriate to the trip Function. These uncerfiiinties are defined in the " Plant Protection System Selection of Trip Setpoint Values" (Ref. 3). /
The Bases for the LCO on the / FHIS cussed are below fordis / - each Function:
- a. Kanual Trio The LC0 on Manual Trip ensur/ es that the FHIS Function can easily be initi%f any parameter is trending rapidly toward its setloint. Components can be actuated independently of the FHIS. Both available channels are required to ensure a single failure will not disable automatic initiation capability.
- b. Airborne Radiation The LC0 on the twor Airborne Radiation channels requires that eacti channel be OPERABLE for the requiredActuati/nLogicchannel,sincetheyarenot redundant to each other.
/
- c. Actuation Loofc
/
Twochanne)sofActuationLogicarerequiredtobe OPERABLE to ensure no single random failure can preventgutomaticactuation. l APPLICABILITY One FHIS annel is required to be OPERABLE during movement of irradiated fuel in the fuel building. The FHIS isolates the fusl building area in the event of a fuel handling ac ent. ACTIONS
/n FHIS A
channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most (continued) j B 3.3-152 AMENDMENT NO. SAN ON0FRE--UNIT 2
FHIS 8 3.3.10 l I
^
BASES
-)
ACTIONS comon cause of channel inoperability is outright failure or (continued) drift of the bistable or process modul sufficient to exceed the tolerance allowed by the plant sp ific setpoint analysis. Typically, the drift is n t large and would result in a delay of actuation rati) r than a total loss of function. This detennination is g6nera11y made during the perfonnance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to bring it within specification. If the trip setpoint is not consistent with the Allowable Value in LCO 3.3J10, the channel must be - declared inoperable immediateTy and the appropriate Conditions must be entered./ / In the event a channel's tr'ip setpoint is found nonconservative with respect to the Allowable Value, or the sensor, instrument loop,jsignal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel are required to be declared inoperablearAtheLC0Conditionenteredfortheparticular protective fi ndtion affected.
/
A.1 and A.2 / Condition A applies to FHIS Manual Trip, Actuation Logic, and required giseous radiation monitor inoperable during movement of i adiated fuel in the fuel handling building. The Required ctions are to restore required channels to OPERABLE sta us, or place one OPERABLE PACU train in operation,jbr suspend movement of irradiated fuel in the fuel building. These Required Actions are required to be completed'imediately. The Completion Time accounts for the higher luelihood of releases in the fuel building during fuelh[ndling. SURVEILLANCE S 3.3.10.1 REQUIREMENTS /
/ Performance of the CHANNEL CHECK once every 12 hours ensuresA that a gross failure of instrumentation has not occurred.
CHANNEL CHECK is a comparison of the parameter indicated on It is one channel to a similar aarameter on other channels. based on the assumption t1at instrument channels monitoring the same parameter should read approximately the same value. (continued) B 3.3-153 AMENDMENT NO. SAN ON0FRE--UNIT 2
FHIS B 3.3.10 l j BASES SURVEILLANCE SR 3.3.10.1 (continued) , REQUIRMENTS channels Significant deviations between the two instrumen could be an indication of excessive instrument rift CHANNELin one j ofthechannelsorofsomethingevenmoreserj'us. CHECK will detect gross channel failure; thus, it is key to l verifying the instrumentation continues to,6perate properly between each CHANNEL CALIBRATION. /
/
Agreement criteria are determined by tt)d plant staff based on a combination of the channel instrument uncertainties, including indication and readability.' If a channel is outside the match criteria, it may lie an indication that the transmitter or the signal processing equipment has drifted outside its limit. / The Frequency, about once eve.ry shift, is based on operating experience that dem ates'the rarity of channel failure. Thus, performance o th CRANNEL CHECK guarantees that undetected overt ch failure is limited to 12 hours. Since the probability o two random failures in redundant channels in any 12 hou period is low, the CHANNEL :: HECK minimizes the chance of loss of protective function due to failure of redundant thannels. The CHANNEL CHECK supplements less fordal, but more frequent, checks of channel OPERABILITY during normal operational use of the displays associate with the LC0 required channels. SR 3.3.10.2 A CHANNEL FUNCTIONAL TEST is performed on the required fuel building radiation monitoring channel to ensure the entire channel w'11 perform its intended function. oint shall be left set consistent with the The se) ions of the current plant specific setpoint analysis. assumpt The Frequency of 92 days is based on plant operating ' experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 92 day Frequency is a rare event. (continued) J B 3.3-154 AMENDMENT NO. SAN ONOFRE--UNIT 2
^
t t
FHIS B 3.3.10 ] BASES SURVEILLANCE SR 3.3.10.3 REQUIREMENTS (continued) Proper operation of the individual initiation ryelays is verified by actuating these relays during the CHANNEL FUNCTIONAL TEST of the Actuation Logic every*18 months. This will actuate the Function, operating ,all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Frequency of 18 months is based on plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Func' tion during any 18 month Frequency is a rare event./
/
A Note to the SR indicates that this Surveillance includes verification of operation for ea'ch initiation relay. SR 3.3.10.4 1
/
/
P Every18 months,aCRANk)kLFUNCTIONALTESTisperformedon the FHIS Manual Trip chgnnel. This Surveillance verifies that the trip push buttons are capable of opening con, tacts in the Actuation Logic as designed, de-energizing the initiation relays and providing Manual Trip of the Function. Operating experience has shown these components usually pass the Surveillance when performed at a Frequency of once every 18 months. SR 3.3.10.5 , CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies th'at the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successise calibrations to ensure that the channel remains operational between successive tests. Measurement error deterinination, setpoint error determination, and calibration ajjustment must be performed consistent with the plant dpecific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. (continued) i 8 3.3-155 AMENDMENT NO. SAN ON0FRE--UNIT 2
-s:. FHIS B 3.3.10 BASES j
/
f SURVEILLANCE SR 3.3.10.5 (continued) / REQUIREMENTS As found and as left channel calibration val'ues are recorded. If the as found calibration issoutside its Allowable Value, the plant saecific setpoint analysis may be revised as appropriate, if t1e history /of this setpoint and all other pertinent information indicate a need for setpoint revision. The setpoint analysis shall be revised before the ' next time this channel is calibrated. The Frequency is based upon the/ assumption of an 24 mo calibration interval r (setpointthe'detennination of the magnitude analysis. of equipment drift in f
/
REFERENCES 1. SONGS Units 2 ,and 3 UFSAR, Chapter 9. .
,7
- 2. SONGS Units 2 and 3 UFSAR, Chapter 15.
r
- 3. " Plant Prothetion System Selection of Trip Setpoint Values."/
/
7'
/
/
(
)
AMENDMENT NO. SAN ON0FRE--UNIT 2 8 3.3-156 l
PAM Instrumentation B 3.3.11 BASES LC0 2, 3. Reactor Coolant System (RCS) Hot and Cold tea Temperature (continued) RCS Hot and Cold Leg Temperatures are Category I variables provided for verification of core cooling and long term surveillance. Reactor outlet temperature inputs to the PAMI are provided by two fast response resistance elements and associated transmitters in each loop. ne &r ch pen"4de in d':; tier, v.s u i u,.g of 3:^I t; 00^I.
- 4. Reactor Coolant System Pressure (wide rance)
RCS Pressure (wide range) is a Category I variable, provided for verification of core cooling and RCS integrity long term surveillance. um rm;e ocs 1eep pre m r; i; ;;;;;7:3 3,, p7;;;.;7; irrritt:r; .u o span vi G p2 3 iu 3000 pa;3 The pressure transmitters are located inside the containment. Redundant monitoring capability is provided by two trains of instrumentation. Operator actions to maintain a controlled cooldown, such as adjusting steam generator pressure or level, would use this indication. Furthermore, RCS pressure i is one factor that may be used in decisions to terminate reactor coolant pump operation.
.5. Reactor Vessel Water Level Reactor Vessel Water Level is provided for '
verification and long term surveillance of core cooling. The Reactor Vessel Water Level Monitoring System provides a direct measurement of the collapsed liquid . level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core. (continued) SAN ON0FRE--UNIT 2 B 3.3-160 AMENDMENT N0. l 1 I
- . = __ . -
F i PAM Instrumentation B 3.3.11 ! BASES LC0 S. Reactor Vessel Water Level (continued) Measurement of the collapsed water level is selected ', because it is a direct indication of the. water inventory. The collapsed level is obtained over the same temperature _and pressure range as the saturation measurements, thereby encompassing all operating and ; accident conditions where it must function. Also, it' functions during the recovery interval. Therefore, it is designed to survive the high steam temperature that may occur during the preceding core recovery interval. The level range extends from the top of the vessel down to the top of the fuel alignment plate. The response time is short enough to track the level ; during small break LOCA events. The resolution is sufficient to show the initial level drop, the key , locations near the hot leg elevation, and the lowest levels just above the alignment plate. This provides the operator with adequate indication to track the progression of the accident and to detect the ! consequences of its mitigating actions or the , functionality of automatic equipment. A channel is eight sensors in a probe. A channel is ' OPERABLE if four or more sensors, one sensor in the upper head and three sensors in the lower.haadvare OPERABLE. ps
- 6. Containment Sump Water Level (wide ranae)
- Containment Sump Water Level is provided for ,
verification and long term surveillance of RCS ' integrity.
- 7. Containment Pressure (wide ranae)-
Containment Pressure is provided for verification of RCS and containment OPERABILITY. (continued) i SAN ONOFRE--UNIT 2 B 3.3-161 AMENDMENT N0.
PAM Instrumentation B 3.3.11 BASES i LC0 11. Pressurizer Level - (continued) Pressurizer Level is used to determine whether to terminate safety injection (SI), if still in progress, or to reinitiate SI if it has been stopped. Knowledge ; of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and to verify that the plant is maintained in a safe shutdown condition.
- 12. Steam Generator Water level Steam Generator Water Level is provided to monitor operation of decay heat removal via the steam generators. The Category I indication of steam generator level is the wide range level instrumentation. Temperature compensation of this indication is performed manually by the operator. '
Redundant monitoring capability is provided by two trains of instrumentation. , i Operator action is based on the control room indication of Steam Generator Water Level. The RCS response during a design basis small break LOCA is dependent on the break size. For a certain range of break sizes, the boiler condenser mode of heat ' transfer is necessary to remove decay heat. Wide range level is a Type A variable because.the operator , must manually raise and control the steam generator level to establish boiler. condenser heat transfer. Operator action is initiated on a loss of subcooled margin. Feedwater flow is increased until the _; indicated extended startup range level reaches-the boiler condenser setpoint. .
- 13. Condensate Storage Tank (CST) Level i
CST Level is'provided.to ensure water supply for AFW. ; The CST provides the ensured, safety grade water i supply for the AFW System. The CST ::n;i;t; ;f s . - ! i (continued)- SAN ONOFRE--UNIT 2 B 3.3-163 AMENDMENT NO. i
PAM Instrumentation B 3.3.11 BASES LC0 13. Condensate Storace Tank (CST) Level (continued)
+?"'r r^""a-+ad h y2 cr- r" ::t!;t h;;d;r. CST Level is displayed on a control room indicator, strip chart recorder, and plant computer. In addition, a control room annunciator alarms on low level.
CST Level is considered a Type A variable because the control room meter and annunciator are considered the-primary indication used by the operator. The DBAs , that require AFW are the loss of electric power, steam line break (SLB), and small break LOCA. The CST.is. the initial source of water for the AFW System. 14, 15, 16, 17. Core Exit Temperature Core Exit Temperature is provided for verification and long term surveillance of core cooling. An evaluation was made of the minimum number of valid core exit thermocouples necessary for inadequate core cooling detection. The evaluation determined the complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities including incore effects of the radial decay power' distribution and excore effects of condensate runback in the hot legs and nonuniform inlet temperatures. Based on these evaluations, adequate or inadequate core cooling detection is ensured with two valid core exit thermocouples per quadrant. The design of the Incore Instrumentation System includes a Type K (chromel alumel) thermocouple within each of the 56 incore. instrument detector assemblies. The junction of each thermocouple is located a few inches above the fuel assembly, inside a structure that supports and shields the incore instrument t 4 (continued) A SAN ONOFRE--UNIT'2 8 3.3-164 AMENDMENT NO. ; 1 I
PAM Instrumentation B 3.3.11 BASES LC0 14, 15, 16, 17. Core Exit Temperature (continued) detector assembly string from flow forces in the outlet plenum region. These core exit thermocouples monitor the temperature of the reactor coolant as it exits the fuel assemblies. Th; muic casi Jier;;c.;;up'c W e a "Mble te perature range frea. 22^f-tc 2300 " , although accuracj is aduved ai icupereturcs Ob;/ IS00^f r
- 18. Auxiliary Feedwater (AFW) Flow AFW Flow is provided to monitor operation of decay heat removal via the steam generators.
Arn r '4 0W**To edCH S Lediti Scisci o sui i; dCt0 H 90d #r0T 2
# ## ~ ' pacasusr i.casuicliicnb Cd'liDrdT.eu LU d bpan of n 37- te egg gg... Each differential pressure transmitter provides an input to a control room indicator and the plant computer. Since the primary indication used by the operator during an accident is the control room indicator, the PAMI Specification deals specifically with this portion of the instrument channel.
AFW Flow is also used by the. operator to verify that the AFW System is delivering the correct flow to each steam generator. However, the primary indication used by the operator to ensure an adequate inventory is steam generator level.
- 19. Containment Pressure (Narrow Rance)
Containment Pressure is provided for-verification of containment OPERABILITY. (continued) SAN ON0FRE--UNIT 2 B 3.3-165 ' AMENDMENT NO. i l
PAM Instrumentation B 3.3.11 BA'c SURVEILLANCE SR 3.3.11.2 (continued) REQUIREMENTS Agreement criteria are determined by the plant staff based ! on a combination of the channel instrument uncertainties, ; including indication and readability. If a channel is outside the match criteria, it may be an indication that the-sensor or the signal processing equipment has drifted outside its limit. If the channels are within the match. criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during-times when surveillance is required,-the CHANNEL CHECK will , only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be i reading at the bottor, of the range and not fai' led downscale. The Frequency of 31 days is based upon plant operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more.than one channel of a given Function in any 31 day interval is a rare event. The CHANNEL CHECK supplements less formal, but more .; frequent, checks of channel during normal operational use of. i the displays associated with this LCO's required channels. !- j SR 3.3.11.3 ; A 31 day CHANNEL FUNCTIONAL TEST is required for the : Containment Area Radiation Monitor only. . SR 3.3.11.4 4 A CHANNEL CALIBRATION is perfonned every N months or - approximately every refueling. CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies the channel responds to the measured parameter within the necessary range and ' accuracy. The Frequency is based upon operating experience and consistency with the typical industry refueling cycle and is . justified by the assumption of an 24 month calibration ' interval for the determination of t magnitude of equipment - dri f t.
@ i a
(continued) SAN ON0FRE--UNIT 2 B 3.3-172 AMENDMENT NO. g - g-
PAM Instrumentation ) B 3.3.11 j BASES SURVEILLANCE SR 3.3.11.5 j REQUIREMENTS ' (continued) A CHANNEL CALIBRATION is performed every 24 months for the Containment Area Radiation Monitor, i REFERENCES 1. SONGS Units 2 and 3 Regulatory Guide 1.97 Instrumentation Report #90065, Rev. O, dated October 1, 1992.
- 2. Regulatory Guide 1.97, Revision 2.
effERENCES-- 3. NUREG-0737, Supplement 1. Mttuedh NRC Safety Evaluation Report ,ER). 4. t 6 i 4 SAN ON0FRE--UNIT 2 B 3.3-173 AMENDMENT fl0.
s Remote Shutdown System B 3.3.12 BASES APPLICABLE 10 CFR 20, Appendix A, GDC 19 (Ref. 1) SAFETY ANALYSES (continued) The Remote Shutdown System has been identified as an important centributor to the reduction of plant accident risk and, therefore, has been retained in the Technical Specifications, as icdicated in the NRC Policy Statement. LC0 The Remote Shutdown System LC0 provides the requirements for the OPERABILITY of the instrumentation necessary to place , and maintain the plant in MODE 3 from a location other than the control room. The instrumentation required are listed in Table 3.3.12-1 in the accompanying LCO. ; Instrumentation is required for:
. Reactivity Control (initial and long term);
- Vital Auxiliaries a RCS Inventory Control;
'
- RCS Pressure Control;
- Decay Heat Removal; and
. Safety support systems for the above Functions, as well as service water, component cooling water, and onsite power including the diesel generators.
A Function of a Remote Shutdown System is OPERABLE if all instrument channels needed to support the remote shutdown Functions are OPERABLE. In some cases, Table 3.3.12-1 may indicate that the required information -- is available from several alternative sources. In taese ' cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternative information r x ;;, J souseee-for each Function is OPERABLE. The Remote Shutdown System instrumentation 4;d n .t n F circuits covered by this LCO do not need to be energized to be. considered OPERABLE. This LC0 is intended to ensure that
)
(continued) SAN ONOFRE - UNIT 2 B 3.3-175 AMENDMENT NO.
Remote Shutdown System B 3.3.12 1 BASES-LC0 the instrument .amF uunti v? circuits will be OPERABLE if (continued) plant conditions require that the Remote Shutdown System be placed in operation. APPLICABILITY The Remote Shutdown System LC0 is applicable in MODES 1, 2, l and 3. This is required so that the unit can be placed and { maintained in MODE 3 for an extended period of time from a location other than the control room. ! This LC0 is not applicable in MODE 4, 5, or 6. In these MODES, the unit is already subcritical and in the condition l of reduced RCS energy. Under these conditions, considerable , time is availabl.e to restore necessary instrument m iivi-Functions if control room instruments or control become unavailable. t i ACTIONS A Note has been included that excludes the MODE change ! restrictions of LC0 3.0.4. This exception allows entry into : an applicable MODE while relying on the ACTIONS, even though the ACTIONS may eventually require a plant shutdown. This
') '
is acceptable due to the icw probability of an event . requiring this system. Note 2 has been added in the ACTIONS to clarify the ! application of Completion Time rules. The Conditions of i this Specification may be entered independertly for each Function listed in Table 3.3.12-1. TheCompletionTime(s) of the inoperable channel (s)/ train (s) of a Function will be i tracked separately for each Function starting from the time i the Condition was entered for that Function. A.1 ,
, Condition A addresses the situation where one or more functions of the Remote Shutdown System are inoperable. ,
This
,, .t.
includes,any ___i _ function
-_; ,_,_,< . listed in Table 3.3.12-I c a" em4+,t_,
l The Required Action is to restore the Functions to OPERABLE , status within 30 days. The Completion Time is based on (continued) ] i) l SAN ON0FRE - UNIT 2 B 3.3-176 AMENDMENT NO. l 1
Source Range Monitoring Channels i B 3.3.13 l i Q' B 3.3 INSTRUMENTATION 8 3.3.13 Source Range Monitoring Channels l BASES i BACKGROUND I The source range monitoring channels provide neutron flux \ l power indication from < IE-7% RTP to > 100% RTP. They also , provide reactor protection when the reactor trip circuit ) breakers (RTCBs) are shut, in the form of a Logarithmic Power Level-High trip.
/
This LC0 addresses M0EtS 3, 4, and 5 with the RTCBs open. When the RTCBs are shut, the source range monitoring
-channels are addressed by LC0 3.3.2, " Reactor Protective r 44 System (RPS) Instrumentation-Shutdown."
(# When the RTCBs are open, two of the four wide range power , channels must be available to monitor neutron flux power. In this application, the RPS channels need not be OPERABLE since the reactor trip Function is not required. By monitoring neutron flux (wide range) power when the RTCBs are open, loss of SDM caused by boron dilution can be detected as an increase in flux. Alarms are also provided , s-) when power increases above the fixed bistable setpoints. For plants employing separate post accident, wide range l nuclear instrumentation channels with adequate range, these f can be substituted for the source range range channels. Two channels must be OPERABLE to provide single failure protection and to facilitate detection of channel failure by j (providingCHANNELCHECKcanability. u*kr) . APPLICABLE The source rangegmonitoring channels are necessary to SAFETY ANALYSES monitor core reactivity changes. They are the primary means for detecting and triggering operator actions to res1ond to reactivity transients initiated from conditions in witch the RPS is not required to be OPERABLE. They also trigger operator actions to anticipate RPS actuation in the event of + reactivity transients starting from shutdown or low power , conditions. The source range monitoring channel's LCO requirements su , GDC 13 (Ref. 1)pport compliance Reference withspecific 2 describes the. 10 CFR 50, Append source : range monitoring channel features that are critical to comply with the GDC. j (continued) g. 3 SAN ONOFRE--UNIT 2 8 3.3-179 AMENDMENT NO. l n=t
go J l
\}$MY __
i ACKGnG 2;D The source range (startup) monitoring channels provide neutron flux countrate level indication from 0.1 to 500,000 cps. They also provide a Boron Dilution. Monitor and alarm in the Control Room to alert the operator of a boron dilution event. This LCO addresses MODES 3, 4, and 5 with the RTCBs open. LCO 3.9.2 addresses the source range monitors during Mode 6 refueling operations. Both source range monitoring channels must be available to monitor neutron flux level when the RTCBs are open. By monitoring source range countrate level, loss of SDM caused by a boron dilution event can be detected as an increase in i neutron flux. The Boron Dilution Monitor provides an alarm when the countrate level exceeds the setpoint which is adjusted to 0.5 volt above background. l l t
Source Range Monitoring Channels B 3.3.13 BASES
,]
APPLICABLE The OPERABILITY of source range monitoring channels SAFETY ANALYSES is necessary to meet the assumptions of the safety analyses (continued) and provide for the mitigation of accident and transient conditions. The source range monitoring channels satisfy Criterion 3 of the NRC Policy Statement. LCO The LC0 on the source range monitoring channels ensures that adequate information is available to verify core reactivity conditions while shut down. A minimum of two source range monitoring channels are required to be OPERABLE. At 50MCS f:;r :h;..nci; arc c;p:ble-d ;;rfe....!ag tH r fr :ti:r. 'hcr.f:rc, multipic failur ; may i: t;1cretd hile the pl:nt; ;rc :;till ce..,yl, og ; U. LCO r:pi . c...udi. APPLICABILITY In MODES 3, 4, and 5, with RTCBs open or the Control Element Assembly (CEA) Drive System not capable of CEA withdrawal, source range monitoring channels must be OPERABLE to monitor core power for reactivity changes. In MODES 1 and 2, and in MODES 3, 4, and Smwith the RTCBs shut and the CEAs capable
$Fb, j oT withdrawal, thef:^" r m- =^-"- ' .; channels are addressed as part of the RPS in LC0 3.3.1, " Reactor p, Protective System (RPS) Instrumentation-Operating," and LCO l
Ah44 3.3.2,"ReactorProtectiveSystem(RPS)
> Instrumentation -Shutdown."
The requirements for source range neutron flux monitoring in MODE 6 are addressed in LC0 3.9.2, " Nuclear Instrumentation." The source range nuclear instrumentation channels provide neutron flux coverage extending an additional one to two decades below the logarithmic channels for use during refueling, when neutron flux may be extremely low. (continued) SAN ON0FRE--UNIT 2 B 3.3-180 AMENDMENT NO.
,,-j;.-
l. l
Source Range Monitoring Channels ! B 3.3.13 ; BASES SURVEILLANCE SR 3.3.13.1 (continued) , REQUIREMENTS verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff and should be based on a combination of the channel instrument uncertainties including control isolation, indication, and readability. If a channel is outside of the match criteria, it may be an indication that the transmitter or the signalIf processing equipment has drif ted outside of its limits. ~ the channels are within the match criteria, it is an indication that the channels are OPERABLE. The Frequency, about once every shift, is based on operating experience that demonstrates the rarity of channel failure. Thus, the performance of CHANNEL CHECK ensures that undetecte6 overt channel failure is limited to 12 hours. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, CHANNEL CHECK minimizes the chance of loss of protective function CHANNEL CHECX due to failure of redundant channels. supplements less formal, but more frequent, checks of channel OPERABILITY during normal operational use of displays associated with the LCO required channels. SR 3.3.13.1 sfwl pessor A CHANNEL FUNC1IONAL TEST is performed every 92 days t ensure that the entire channel is capable of properly used to indicating neutron flux. Internal test circuitry i
- "- to feed gadj.md test signals into It is notthe necessary to test the .,
verify channel alignment. detector, because generating a meaningful test signal is difficult; the detectors are of simple construction, and any failures in the detectors will be apparent as change in channel output. This Frequency is the same as that employed for the same channels in the other applicable MODES. (continued) y AMENDMENT NO. B 3.3-182 SAN ONOFRE--UNIT 2
3 3.4.. B 3.4 REACTOR COOLANT SYSTEN (RCS) B 3.4.1 RCS Pressure, Temperature, and Flow limits BASES These Bases address requirements for maintaining RCS BACKGROUND pressure, temperature, and flow rate within limits assumed in the safety analyses. The safety analyses (Ref.1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the nonnal steady state envelope. The limits placed on DNB related parameters ensure that these parameters will not be less conservative than were assumed in the analyses and thereby provide assurance that the minimum departure from nucleate boiling ratio (DNBR) will meet the required criteria for each of the transients analyzed. The LCO limits for minimum and maximum RCS pressures as ' measured at the pressurizer are consistent with operation within the nominal operating envelope and are bounded by those used as the initial pressures in the analyses. The LCO limits for minimum and maximum RCS cold leg , temperatures are consistent with operation at the indicated power level and are bounded by those used as the initial temperatures in the analyses.
. u.a.; t a ,,p.. 1e i.p V k u ,s.:ely .. . !, m n. a m '
Since RCS low is subject-to-vagiat. ions-auring-plant Life ,
,r de r
,./r. 4 ,m 1 ' and due to{ potent 444 instrument errors-of-the-f-low-meters-u~
which-are-used-to-measure-RGS-flow-rate, monitoring of this Q " ' "" "rd') parameter during plant operation will be specified by Core p.1 - J u Operating Limits Report (COLR). The COLR limits for minimum
, , t , . W '. ' and maximum RCS flow rates,are bounded by those used as the m cacir- initial flow rates in the analyses h a y , ,u.,p d _ res ft.-
9 u . . A .i.+, s,. ip ep APPLICABLE The requirements of LCO 3.4.1 represent the initial SAFETY ANALYSES conditions for DNB limited transients analyzed in the safety analyses (Ref. 1). The safety analyses have shown that transients initiated from the limits of this LCO will meet the DNBR criterion of a 1.31. This is the acceptance limit for the RCS DNB parameters. Changes to the facility that could impact these parameters must be assessed for their impact on the ONBR criterion. The transients analyzed for include loss of coolant flow events and dropped or struck (continued) B 3.4-1 AMENDMENT N0. SAN ONOFRE--UNIT 2
RCS Pressure, Temperature, and Flow limits B 3.4.1 ~ '} BASES APPLICABILITY counterproductive. Also, since they represent transients (continued) initiated from power levels < 100% RTP, an increased DNBR margin exists to offset the temporary pressure variations.
%o, a note which pemits exception from RC5 cold leg temperature limits when RTP s 30% was included in the proposed APPLICABILITY. j Another set of limits on DNB related parameters is provided in Safety Limit (SL) 2.1.1, " Reactor Core Safety Limits."
Those limits are less restrictive than the limits of this LCO, but violation of SLs merits a stricter, more severe Required Action. Should a violation of this LCO occur; the operator should check whether or not an SL may have been exceeded. M ACTIONS Pressurizer pressure is a controllable and measurable parameter. With this parameter not within the LCO limits, action must be taken to restore the parameter. The 2 hour Completion Time is based on plant operating experience that shows the parameter can be restored in this time period. , RCS flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the flow rate is not within the limit specified in the COLR, then power must be reduced, as required by Required Action B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds. The 2 hour Completion Time provides sufficient time to adjust plant parameters, and to determine the cause of the off normal condition. The Completion Time is based on plant operating experience. M If Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the
. 1 (continued) l SAN ONOFRE--UNIT 2 B 3.4-3 AMENDMENT NO.
;CS _::;; *CCE i S 3.4.5 l l
BASES p $0% 1 O' wide range water l LCO of requiring both SGs to be capable (> ' (continued) level) of transferring heat from the reactor coolant at a , controlled rate. Forced reactor coolant flow is the ' required way to transport heat, although natural circulation flow provides adequate removal. A minimum of one running RCP meets the LCO requirement for one loop in operation. The Note pemits a limited period of operation without RCPs. All RCPs may be de-energized.for 5 1 hour per 8 hour period. ! This means that natural circulation has been established. When in natural circulation, a reduction in baron concentration is prohibited because an even concentration l distribution throughout the RCS cannot be ensured. Core outlet temperature is to be maintained at least 10*F below the saturation temperature so that no vapor bubble may fcnn and possibly cause a natural circulation flow obstruction. In MODES 3, 4, and 5, it is sometimes necessary to stop all RCPs or shutdown cooling (SDC) pump forced circulation (e.g., to change operation from one SDC train to the other, ' to perform surveillance or startup testing, to perfonn the transition to and from SDC System cooling, or to avoid - operation below the RCP minimum net positive suction head ' limit). The time period is acceptable because natural circulatior, is adequate for heat removal, or the reactor coolant temperature can be maintained subcooled and boron stratification affecting reactivity control is not expected. An OPERABLE loop consists of at least one RCP providing forced flow for heat transport and an SG that is OPERABLE in l accordance with the Steam Generator Tube Surveillance Program. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required. I APPLICABILITY In MODE 3, the heat load is lower than at power; therefore, one RCS loop in operation is adequate for transport and heat removal. A second RCS loop is required to be OPERABLE but not in operation for redundant heat removal capability. Operation in other MODES is covered by: , LCO 3.4.4, "RCS Loops-MODES 1 and 2'; LCO 3.4.6, 'RCS Loops -MODE 4"; LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled"; (continued) { l B 3.4-22 AMENDMENT NO. SAN ONOFRE--UNIT 2 I l 1
f
;C3 ;:cc uCCE 3 3 3.4.5 BASES (continued)
SURVE!LLANCE SR 3.4.5.1 REQUIREMENTS This SR requires verification every 12 hours that the required number of RCS loops are in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analyses assumptions. In addition, control room indication and alarms will normally indicate loop status. SR 3.4.5.2 (Ck ; This SR requires verification every 12 hours at the secondary side water level in each SG is t
- wide range.
An adequate SG water level is required in or er to have a , heat sink for removal of the core decay heat from the ' reactor coolant. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within the safety analyses assumptions. SR 3.4.5.3 Verification that the required number of RCPs are OPERABLE ensures that the single failure criterion is met and that an additional RCS loop can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCPs. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience. REFERENCES 1. UFSAR, Section 15.3. = SAN ONOFRE--UNIT 2 B 3.4-24 AMENDMENT NO.
RCS L:cas -MCCE a 3 3.4.6 BASES ACTIONS B.1 (continued) reasonable, based on operating experience, to reach MODE 5 from MODE 4, with only one SDC train operating, in an orderly manner and without challenging plant systems. C.1 and C.2 If no RCS loops or SDC trains are OPERABLE or in operation, except during conditions permitted by Note 1 in the LC0 section, all operations involving reduction of RCS boron concentration must be suspended and action to restore one l RCS loop or SDC train to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of decay heat removal. The action to restore must continue until one loop or train is restored to operation. SURVEILLANCE SR 3.4.6.1 REQUIREMENTS inis SR requires verification every 12 hours that one l required loop or train is in operation. This ensures forced flow is providing heat removal. Verification includes flow rate, temperature, or pump status monitoring. The 12 hour Frequency has been shown by operating practice to be l I sufficient to regularly assess RCS loop status. In addition, control room indication and alarms will normally indicate loop status. SR 3.4.6.2 6Cf This SR requires verification every 12 ho ; of secondary side water level in the required SG(s) m 0- (wide range). An adequate SG water level is required in order to have a heat sink for removal of the core decay heat from the reactor coolant. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analyses assumptions. (continued) B 3.4-28 g.- AMENDMENT N0. SAN ONOFRE--UNIT 2
RCS Loops-MODE 5. Loops Filled B 3.4.7 .m BASES (continued)
' son LCO The purpose of this LCO is to require a in east one of the operation with an SDC trains or RCS loops be OPERABLE a additional SDC train or RCS loop OP BLE or secondary side
- wide range. One SDC !
water level of each SG shall be e train or RCS loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. The second SDC or RCS loop train is nomally maintained OPERABLE as a backup to the operating train / loop to provide redundant paths for decay heat removal. However, if the standby SDC train /RCS loop is not OPERABLE, a sufficient alternate method to provide redundant paths for decay heat removal is two SGs with their secondary side water levels a wide range. Should the operating SDC train /RCS loop ai , the SGs could be used to remove the decay heat. Note 1 permits all RCPs and SDC pumps to be de-energized s I hour per 8 hour period. The circumstances for stopping l both SDC trains /RCS loops are to be limited to situations where pressure and temperature increases can be maintained well within the allowable pressure (pressure and temperature and low temperature overpressure protection) and 10*F subcooling limits, or an alternate heat removal path through theSG(s)isinoperation. This LCO is modified by a Note that prohibits boron dilution when forced flow is stopped because an even concentration distribution cannot be ensured. Core outlet temperatere is to be maintained at least 10*F below saturation temperature, so that no vapor bubble would form and possibly cause a In this MODE, the natural circulation flow obstruction. SG(s) can be used as the backup for heat removal. To ensure their availability, the RCS loop flow path is to be maintained with subcooled liquid. In MODE 5, it is sometimes necessary to stop all RCP or SDC forced circulation. This is permitted to change operation from one SDC train or RCS loop to the other, perform surveillance or startup testing, perfom the transition to and from the SDC, or to avoid operation below the RCP minimum net positive suction head limit. The time period is ; acceptable because natural circulation is acceptable for . decay heat removal, the reactor coolant temperature can be maintained subcooled; and boron stratification affecting . reactivity control is not expected. 4 (continued) ,
~~
AMENDMENT NO. SAN ONOFRE--UNIT 2 B 3.4-31 j l J
RCS Loops-MODE 5 Loops Filled ! B 3.4.7 ] BASES l I An OPERABLE RCS loop consists of at least one RCP providing LCO forced flow for neat transport and an SG that is OPERABLE in (continued) accordance with the Steam Generator Tube Surveillance Program. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required. APPLICABILITY In MODE 5 with RCS loops filled, this LCO requires forced circulation to remove decay heat from the core and to provide proper boron mixing. One SDC train /RCS loop - provides sufficient circulation for these purposes. Operation in other MODES is covered by: LCO 3.4.4, "RCS Loops-H0 DES 1 and 2"; ' LCO 3.4.5, "RCS Loops -MODE 3"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled"; LC0 3.9.4, " Shutdown Cooling (SOC) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.5, " Shutdown Cooling (SDC) and Coolant Circulation-Low Water Level" (MODE 6). t ACTIONS A.1 and A.2 go If the required SDC train /RCS loop i noperable and any SGs have secondary side water levels < wide range, redundancy for heat removal is lost. Action must be initiated imediately to restore a second SDC train /RCS loop to OPERABLE status or to restore the water level in the required SGs. Either Required Action A.1 or Required Action A.2 will restore redundant decay heat removal paths. The imediate Completion Times reflect the importance of maintaining the availability of two paths for decay heat removal. 8.1 and B.2 If no SDC train /RCS loop is in operation, except as permitted in Note 1, all operations. involving the reduction of RCS boron concentration must be suspended. Action to restore one SDC train /RCS loop to operation must be (continued) B 3.4-33 AMENOMENT NO. SAN ONOFRE--UNIT 2
RCS Loops-MCCE 5, Loops Filled B 3.4.7 BASES t I ACTIONS initiated. Boron dilution requires forced circulation for (continued) proper mixing and the margin to criticality must not be , reduced in this type of operation. The immediate Completion i Times reflect the importance of maintaining operation for decay heat removal. , SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This SR requires verification every 12 hours that at least one SDC train /RCS loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing decay heat removal. The 12 hour Frequency has been shown by operating < practice to be sufficient to regularly assess degradation and verify operation is within safety analyses assumptions. In addition, control room indication and alams will , normally indicate loop status. , The SDC/RCS flow is established to ensure that core outlet f temperature is maintained sufficiently below saturation to 7 allow time for swapover to the standby SDC train /RCS loop should the operating train be lost. SR 3.4.7.2 gg Verifying the SGs are OP BLE by ensuring their secondary _ side water levels are a wide range ensures that redundant heat removal pa hs are available if the second SDC train /RCS loop is inoperable. The Surveillance is required to be perfomed'when the LCO requirement is being met by use of the SGs. If both SDC trains are OPERABLE and one SDC train is in operation, this SR is not needed. The 12 hour Frequency has been shown by operating practice to be sufficient to regularly assess degradation and verify operation within safety analyses assumptions. - i o (continued) SAN ON0FRE--UNIT 2 B 3.4-34 AMENDMENT NO. ! ___o
RCS Loops -MODE 5. Loops Filled B 3.4.7 i BASES l SURVEILLANCE SR 3.4.7.3 REQUIREMENTS Verification that the second SDC train /RCS loop is OPERABLE (continued) ensures that redundant paths for decay heat removal are available. The requirement also ensures that the additional train can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Surveillance is required to be performed when the LCO requirement is being met by one of two SDC trains or one of wide range water two RCS loops, e.g., both SGs have level. The Frequency of 7 days is c sidered reasonable in view of other administrative contro available and has been shown to be acceptable by operatin experience.
- 1. UFSAR, Section 5.4.
Y / REFERENCES i i 4 B 3.4-35 AMENDMENT NO. SAN DNOFRE--UNIT 2
~ _. . -- .. .- . . . - - ~ . LTCP System B 3.4.12.1
~
BASES ( APPLICABLE RCS Vent Performance (continued) SAFETY ANALYSES The RCS vent is passive and is not subject to active ' failure. I This LCO is required to ensure that the LTOP System is LCO OPERA 8LE. The LTOP System is OPERABLE when the minimum coolant input and pressure relief capabilities are OPERA 8LE. - Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the l Reference 1 limits as a result of an operational transient. i I To limit the coolant input capability, the LCO requires at c most two HPSI pumps capable of injecting into'the RCS and
'f d'fNMW "d b kleH Mme /k fTl/ bb thepump SITSOPERABILWY iso 1Meds,requirements.
LCO 3.5.3, "ECCS-Shutdown," defines LCO 3.3.2, " Engineered Safety Feature Activation System (ESFAS) Instrumentation," defines SI actuation OPERA 8ILITY for the LTOP MODE 4 small break LOCA, as discussed in the previous section. [ The elements of the LCO that provide overpressure mitigation through pressure relief are: ,
- a. The Shutdown Cooling System Relief Valve; or
- b. The depressurized RCS and an RCS vent.
The SDCS is OPERABLE for LTOP when both trains of isolation valves are open, its lift setpoint is set at 406
- 10 psig or less and testing has proven its ability to open at that setpoint. An RCS vent is OPERABLE when open with an area a 5.6 square inches.
Each of these methods of overpressure prevention is capable i of mitigating the limiting LTOP transient. 1 APPLICA81LITY This LC0 is applicable in~ MODE 4 when the temperature of any ' RCS cold leg is s the enable temperatures specified in the - PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above the (continued) B 3.4-53 AMEN 0 MENT NO. SAN ONOFRE--UNIT 2 , U
* " '~~
LTOP System B 3.4.12.1 BASES APPLICABILITY enable temperatures specified in the PTLR. When the reactor vessel head is off, overpressurization cannot occur. (continued) LCO 3.4.3 provides the operational P/T limits for all MODES. LCO 3.4.10 " Pressurizer Safety Valves," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection during MODES 1, 2, and 3, and MODE 4 above the enable temperatures specified in the PTLR. Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event. The Applicability is modified by a Note stating that SIT 6 M, f4f,h gl.,g}, ,y i iisolationjis only required when the SIT pressure is greater le L84 4han he Pft4 W than or equal to the RCS pressure for the existing L temperature, as allowed by the P/T limit curves provided in the PTLR. This Note pernits the SIT discharge valve surveillance performed only under these pressure and temperature conditions. ACTIONS M With more than two HPSI pumps capable of injecting into the RCS, overpressurization is possible. The immediate Completion Time to initiate actions to restore restricted coolant input capability to the RCS reflects the importance of maintaining overpressure protection of the RCS. 8.1 b B.2 When the SIT pressure is greater than or equal to the maximus RCS pressure for the existing cold leg temperature allowed in the PTLR, an unisolated SIT requires isolation within 1 hour /tm tne arrectea nip) must be depressurized ' . Fto less than the maximum RCS pressure for the existing cold /
}1egtemperatureallowedinthePTLRwithin12hoursf l
(continued) 8 3.4-54 AMENDMENT NO. SAN ONOFRE--UNIT 2
i l LTOP System B 3.4.12.1 l
~
BASES O ACTIONS 8.1 [and B.2 ,(continuedf ' By isolating the SIT _(sJlor depressurizino the SIT (s) below [The LTOP Itm n nated in the PTLR D he RCS is protected again n tne 511 tanks pressurizing the RCS in excess of the LTOP limits. /g g .M /g ac /,M'/q The Completion Time based on operatin experiencetha[t V '
-th::e r+4"'t' r can be accomplished in time period and on engineering evaluationg?" indicating that an event requiring LTOP is not likely in the allowed time #8---
=
.TWSo r Af 0.1 and @.2 The 24-hour Allowable Outage Time (A01) for a single channel SOCS Relief Valve isolation valve (s) increases the availability of the LTOP system to. mitigate low temperature overpressure transients especially during MODES 5 and 6 when the potential for these transients are highest (RCS~
temperatures between 80*F and 190*F and the RCS is water-solid). The 24-hour A0T im lements the guidance provided in Generic Letter 90-06(Pef.6 L , or D If the SDCS Relief Vi ve is inoperable, or if a Required Action and the assoc ated Completion Time of Condition Aj C,bre. not met, or if the LTOP System is inoperable fer any reason other than Condition A,-~P C orn nnanina 0, the RCS must be depressurized and a vent established within 8 hours. The vent must be sized at least 5.6 square inches to ensure the flow capacity is greater than that required for the worst case mass input transient reasonable during the applicable MODES. This action protects the RCPB from a low temperature overpressure event and a possible brittle failure of the reactor vessel. The Com)1etion Time of 8 hours to depressurize and vent the RCS is )ased on the time required to place the plant in this condition and the relatively Icw probability of an overpressure event during this time period due to increased operator awareness of administrative control requirements. (continued) B 3.4-55 AMENDMENT N0. SAN ON0FRE--UNIT 2
4 INSERT "A" for the Bases 3.4.12.1, "LTOP System." A C If the Required Action and associated Completion Time of Condition B is not met, the affected SIT (s) must be depressurized to less than the maximum RCS pressure for the existing cold leg temperature allowed in the PTLR within 12 hours. By depressurizing the SIT (s) below the LTOP limit stated in the PTLR the RCS is protected against the SIT (s) pressurizing the RCS in excess of the LTOP limits. The Completion Time is based on operating experience that this activity can be accomplished in this time period and on engineering evaluation indicating that an event requiring LTOP is not likely in the allowed time. I I f 1 l ag 0gc{re - Nt1 ik
LTOP System B 3.4.12.1 BASES (continued) dd
- e SURVEILLANCE SR 3.4.12.1.1/SR 3.4.12.1.2 /and SR 3.4.12.1.3}
REQUIREMENTS To minimize the potential for a low temperature overpressure event by limiting the mass input capability, not more than two HPSI pumps are verified OPERABLE with the other pump - locked out with power removed nd the SIT discharge ' isolation valves Y#*e,es<er ,eaareu verified tarsen pc y _ isM.jued en o+j and deactivateddt" -) S The li hour interval considers optrating practice to regulurly assess potential degradation and to verify , operation within the safety analysis. SR 3.4.12.1.3 SR 3.4.12.1.3 requires verifying that the RCS vent is open a 5.6 square inches is proven OPERABLE by verifying its open condition either: ,
- a. Once every 12 hours for a vent valve that is unlocked open; and .
- b. Once every 31 days for a valve that is locked, sealed, or otherwise secured open and once every 31 days for open flanged RCS penetrations.
The passive vent arrangement must only be open to be OPERABLE. This Surveillance need only be perfomed if the vent is being used to satisfy the requirements of this LCO. The Frequencies consider operating experience with mispositioning of unlocked and locked vent valves, respectively. SR 3.4.12.1.4 and SR 3.4.12.1.5 When one or both SDCS Relief Valve isolation valve (s) in one isolation valve pair becomes INOPERABLE, the other OPERABLE SDCS Relief Valve isolation valve pair is verified in a power-lock open condition every 12 hours to preclude a single failure which might cause undesired mechanical motion of one or both of the OPERABLE SDCS Relief Valve isolation ' valve (s) in a single isolation valve pair and result in loss of systes function. (continued) 8 3.4-56 AMENOMENT NO. SAN ONOFRE--UNIT 2
LTOP Systen B 3.4.12.2 l BASES
=
LCO Each of these methods of overpressure prevention is capable (continued) of mitigating the limiting LTOP transient. APPLICABILITY This LCO is applicable in MODE 4 when the temperature of all RCS cold legs are above the enable temperatures specified in the PTLR. When the temperature of any RCS cold leg is equal to or below the enable temperatures specified in the PTLR the Shutdown Cooling System Relief valve is used for overpressure protection or if the RCS is also depressurized, then an RCS vent to atmosphere sized 5.6 inches or greater . can be used for overpressure protection. When the reactor vessel head is off, overpressurization cannot occur. LCO 3.4.3 provides the operational P/T limits for all MODES. LCO 3.4.10, " Pressurizer Safety Valves," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection during MODES 1, 2, and 3. Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event. i ACTIONS &J With no pressurizer code safety valves OPERABLE and the SOCS Relief Valve INOPERABLE overpressurization is possible. The 8 hours Completion Time to be in MODE 5 and vented through a greater than or equal to 5.6 inch vent reflects the importance of maintaining overpressure protection of the RCS.
- (continued)
I yse4 7 "g " ju m n a 2 %s l l l ' i SAN ONOFRE--UNIT 2 B 3.4-61 AMEN 0 MENT NO. mm_ __m____-__ _ - . _ _ _ _ - . - . - - _ _ _ _ _ _ _ _ . - - _ _ - _ - _ _ u-._--
iGr MD 2.y/2.Z Tusegr X " 9
& land 8.2 The 24-hour Allowable Outage Time (A01) for a single channel SDCS Relief Valve isolation valve (s) increases the availability of the LTOP system to. mitigate low temperature overpressure transients especially during MODES 5 and 6 when the potential for these tranr.ients are highest (RCS temperatures between 80*F and 190*F and the RCS is water-solid). The 24-hour A0T, implements the guidance provided in Generic Letter 90-06
}
n i
1 , t
'5 p a b l 0 IMAGE EVALUATION Ab
((// g,fd ;d$ ,
,E , , - < , .
ig ,, 1.0 ltll*W
- - p'=2 t n:
l,l h3 1.8 1.25 1.4 1.6
==
4 150mm >
- 6" >
vi, *,, + i,r af y N ///gb f' y>///// - y ,
. RCS Specific 1::i<i:,.
B 3.4.15 q SASES
- this analysis is used to assess changes to the facility that APPLICABLE could affece RCS specific activity as they relate to the SAFETY ANALYSES acceptance limits. i l (continu.d)
The rise in pressure in the ruptured SG causes h lves. radioact v contaminated steam to discharge to the atmosphere thro the atmospheric dump valves or the main dsteam safety va The atmospheric discharge steps when l the ce turbine byp the condenser removes the excess energy ldewn to rEpid y re uT the RCS pressure and close the valves. remov ends. f The safety analysis shows the radiological consequenc an SGTR accident are within a small fraction of theOpe Reference 1 dose guideline limits. specific activity levels greater than thelimits LCO limit is permissible, if the activity levels do not exceed the shown in Figure 3.4.16-1 for more than 45 hours.~l The remainder of the above limit pennissible low iodine l shown in Figure 3.4.16-1 are acceptable because of h probability of an SGTR accident occurring during t eT the site established 48 hour time limit. accident at these pennissible levels could guideline limits. RCS specific activity satisfies Criterio Policy Statement. _ y.m e 1.0 gCi/om 00 The specifi etiv t li 5 LCO ., EQUIVALENT I-In, and the gross specific l activity primary coolant is limited to the numb of the average beta and gacuna energies of the cool nuclides). The limit on DOSE EQUIVALENT I-131 2 hour thyroid dose to an individual at the site bou
'during the Design Basis Accident The limit(DBA) on gro! will be a fraction of the allowed thyroid dose.
specific activity ensures the 2 hour w small fraction of the allowed whole body dose.
. (continued)
AMENDMENT NO. ; B 3.4-82 i SAN ONOFRE--UNIT 2 j
I. l MSSVs l B 3.7.1 ? 1 BASES ACTIONS based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner (continued) and without challenging unit systems. SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSSVs by the verification of each MSSV lift setpoints in accordance with the inservice testing program. The ASME Code, Section XI (Ref. 4), requires that safety and relief valve tests be perfomed in accordance with ANSI /ASME OH-1-1987 (Ref. 5). According to Reference 5, the following tests are required for MSSVs:
- a. Visual examination;
- b. Seat tightness determination;
- c. Setpoint pressure detemination (lift setting); and
- d. Compl'iance with owner's seat tightness critetia.
t 3 l
.i The ANSI /ASME Standard requires that all valves be tested each subsequent 10 year period, with a minimum of 20% of the valves tested within any 48 months. The ASME Code specifies the activities and frequencies necessary to satisfy the l
srequirements. 1 This SR is modified by a Note that allows entry into and l operation in MODE 3 prior to perfoming the SR. This is to l l allow testing of the MSSVs at hot conditions. The MSSVs may i be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the j MSSVs are not tested at hot conditions, the lift setting : pressure shall be corrected to ambient conditions of the valve at operating temperature and pressure. l v (continued) j B 3.7-5 AMENDMENT NO. SAN ONOFRE'-UNIT 2 ' l
HSivs B 3.7.2 l i BASES
- e. The MSIVs are also utilized during other events such APPLICABLE as a feedwater line break. These events are less ,
SAFETY ANALYSES limiting so far as MSIV OPERABILITY is concerned. (continued) The MSIVs satisfy criterion 3 of the NRC Policy Statement. . LCO This LCO requires that the MSIV in each of the two steam : lines be OPERABLE. the isolation times are within limits, and they close on an isolation actuation signal. This LCO provides assuranca that the MSIVs will perform , their design safety function to mitigate the consequences of ' accidents that could result in offsite exposures comparable to the 10CFR 100 (Ref 4) limits. __ APPLICABILITY The HSIVs must be OPERABLE in H0DE 1 and in MOl except when all MSIVs are closed and deactivated when there
~
is significant mass and energy in the RCS and steamW ' generators. performing their safety function. In MODE 4, the steam generator energy is low; therefore, the , HSIVs are not required to be OPERABLE. In MODES S and 6, the steam generators do not contain much energy because their temperature is below the boiling point of water; therefore, the HSIVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES.
^
ACTIONS [oe made to the MSIV with the unit hof.JTe 8 hour
] tompieuon nme is rea>vneale, considering t l
require closure of the HSIVs. k M M o # h F 1(to "9' 0 S I~ '! E P"f'Y" ^ . (continued) AMENDMENT NO. B 3.7-10 SAN ONOFRE--UNIT 2
MSIVs B 3.7.2 BASES ACTIONS A.1 (continued) . With one MSIV inoperable in MODE 1, time is allowed toSomerepai restore the component to OPERABLE status. == The 8 hour Completion Time is greater than that normally . allowed for containment isolation valves because the HSIVs are valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides an additional means for containment isolation. r B.1 T If the MSIV cannot be restored to OPERABLE status within 8 hours, the unit must be placed in a MODE in which the LCO- ; does not apply. To achieve this status, the unit must be , placed in MODE 2 within 6 hours and Condition C would be entered. The Completion Time is reasonable, based on . operating experience, to reach MODE 2, and close the HSIVs in an orderly manner and without . challenging unit systems. C.I. and C.2 Condition C is modified by a Note indicating that separate Condition entry is allowed for each MSIV. Since the HSIVs are required to be OPERABLE in MODES 2 and 3, the inoperable HSIVs may either be restored to When closed, the MSIVs are OPERABLE status or closed. already in the position required by the assumptions in the safety analysis. . The 8 hour Completion Time is consistent with that allowed in Condition A. Inolerable HSIVs that cannot be restored to OPERABLE stat wit 1in the specified Completion Time, but are closed, must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, MSIV status indications available in the control room, and other (continued) 8 AMENDHENT.NO. B 3.7-11 SAN ONOFRE--UNIT 2
1' ADVs. B 3.7.4 , BASES (continued) ACTIONS A.1 l Required Action A.1 is modified by a Note indicating that LC0 3.0.4 does not apply. j With one required ADY inoperable. acu on must be taken to i restore the OPERABLE status within 72 hours. 1 B.1 . t With two ADVs inoperable, action must be taken to restore ! one of the ADVs to OPERABLE status. As the block valve can ; be closed to isolate an ADV, some repairs may be possible i with the unit at power. The 24 hour Completion Time is : reasonable to repair inoperable ADVs, based on the > availability of the Steam Bypass System and MSSVs, and the - low probability of an event occurring during this period that requires the ADVs. l f
'I reach AOI _ [
If backup nitrogen gas supply system capacity is less than or equal to B' hours, action should be taken to restore , nitrogen gas supply system capacity in 72 hours. The backup nitrogen capacity is controlled to a minimum accumulator ' pressure of 1050 psig. This pressure represents enough
- backua nitrogen gas system capacity for each ADV to have up to 8 1ours of pneumatic operation. This time period is _l consistent and conservative relative to the SONGS Units 2 '
and 3 emergency operating instructions. l' The completion time of 72 hours is based on operating experience and on the fact that normal operating instrument ! air supply system is still available. i i
. (continued) t i
B 3.7-20 AMENDMENT NO. SAN ONOFRE--UNIT 2
r CCW Safety Related Hakeup System B 3.7.7.1 .
)
l J
; BASES ACTIONS B.1 and B.2 (continued)
Operating experience shows that the likelihood o corresponds to an allowable CCW 1eakage Also, aofProbabilistic 18 gpm based on Figure 3.7.7.1-1) is extremely low. Risk Assessment (PRA risk of core damage from an 8 hour allowed outage time Thefor PRA two trains of the CCW Safety Related Makeup System. indicated that the increased risk of core damage from an 8 hour allowed outage time is less than 1x10 per year. This increase in core damage risk is considered acceptably small. C.1 and C.2 In MODES 1, 2, 3, and 4, two CCW System critical loops provide cooling to a number of safety related systems, such as HPSI, LPSI, shutdown cooling, emergency chillers, etc. The CCW Safety Related Makeup System is a support system for the CCW System. Two CCW Safety Related Makeup flow paths are required to provide makeup to the two CCW critical loops. If one CCW Safety Related Hakeup flow path can not be restored to OPERABLE status in seven days, the Unit must be placed in a MODE in which the LIMITING CONDITION, FOR OPERATION does not apply. To achieve this status, the Unit must be placed in at least
) HOT STANDBY within the next 6 hours, and in COLD SHUTDOWN within X hours, s 3b $
Similarly, action should be taken if the PPMU Tank level is below that required for two CCW critical loops operation and/or both CCW Safety Related Makeup flow paths are inoperable. If both the PPMU Tank level and at least one flow 1ath are not OPERABLE within 8 hours, the Unit must then se placed in a MODE To in which the LIMITING CONDITION FOR d$f OPERATION does not apply. achieve this status, the Unit f
'K' must be placed in at least HOT STANDBY within the next 6 hours, and in COLD SHUTDOWN within 30 hours.
The allowed completion time is consistent with other Technical Specification completion time requirements to (continued) AMENDMENT NO. 8 3.7-48 SAN ONOFRE--UNIT 2
ECW System B 3.7.10 BASES ) related equipment is always operable to handle all design BACKGROUND , (continued) basis events. l' If redundant pieces of safety related equipment are located in the same room and the room has redundant emergency cooling, such as the spent fuel pool (SFP) pumps, loss of l one source of emergency cooling does not render either pump inoperable. The 7 day completion time of the REQUIRED ACTION A.1 would be in effect due to the loss of one source of emergency cooling. Since TS 3.7.10 establishes allowable i outage times for the ECWS, it is not necessary to declare the safety related equipment cooled by the ECWS inoperable during the allowable outage times (this assumes the normal coolingisoperable). i If an ECWS train is inoperable due to an inoperable room cooler, other than a CREACUS cooler, then the associated CREACUS train is considered operable provided the ECWS surveillances are maintained current. If an ECWS train is . ' inoperable due to an inoperable chiller or pump then the associated CREACUS train is inoperable and TS 3.7.11 applies. An inoperable room cooler does not affect the : capability of th'e ECWS to provide chilled water to the CREACUS coolers. An inoperable chiller or chilled water pump affects the capability of the system to provide chilled water to CREACUS. APPLICABLE The design basis of the ECW System is to remove the post accident heat load from ESF spaces following a DBA SAFETY ANALYSES coincident with a loss of offsite power. Each train provides chilled water to the HVAC units at the design temperature and flow rate. The maximum heat load in the ESF pump room area occurs during the recirculation phase following a loss of During recirculation, hot fluid from the coola,ngfccident. containment sump is supplied to the high press This heat load to injection and containment spray pumps. the area atmosphere must be removed by the ECW System to ensure that these pumps remain OPERABLE. , The ECW satisfies Criterion 3 of the NRC Policy Statement. (Continued) . AMENDMENT NO. SAN ONOFRE--UNIT 2 B 3.7-58
CREACUS B 3.7.11 BASES ACTIONS C.I. C.2.1. and C.2.2 i (continued) In MODE 5 or 6, or during movement of irradiated fuel assemblies, if Required Action A.1 cannot be completec thin the required Completion Time, the OPERABLE CREACUS titin must be imediately placed in the emergency mode of operation. This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that'any active failure will be readily detected. An alternative to Required Action C.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes This does not preclude the movement of the accident risk. fuel assemblies to a safe position. E.d If both CREACUS trains are inoperable in MODE 1, 2, 3, or 4, the CREACUS may not be capable of performing the intended function and the unitLCO Therefore, is in3.0.3 a condition must be outside the accident entered imediately. analyses. E.1 and E.2 When in MODES 5 or 6, or during' movement of irradiated fuel , assemblies with two trains inoperable, action must be taken j imediately to suspend activities that could result in a release of radioactivity that might enter the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel l to a safe position. Wo SR 3.7.11.1 . SURVEILLAK E ' REQUIREMENTS
*~ Standby systems should be checked periodically to ensure i that they function properly. Since the environment and normal operating conditions on this system are not severe, i testing each train once every month provides an adequate !
check on this system. (continued) AMENDMENT NO. SAN ONOFRE--UNIT 2 B 3.7-66
==
Fuel Handling Building Post-Accident Cleanup Filter System i B 3.7.14 j i 8 3.7 P T SYSTEMS B 3.7.14 el Handling Building Post-Accident Cleanup Filter System BASES BACKGROUND he Fuel Handling Building Post-Accident Cleanup Filter S) tem filters airborne radioactive particulates and gases the area of the fuel pool following a fuel handling fr acc ent. The fuel Handling Building Post-Accident Cleanup Filte System, in conjunction with other normally operating system , also provides environmental control of temperature in the el pool area. The Fuel (ndling Building Post-Accident Cleanup Filter System consy ts of two independent, redundant trains. Each train consisty of a heater, a prefilter a high efficiency ! particulate a1 (HEPA) filter, an activated charcoal adsorber sectio for removal of gas.eous activity - (principally iod es), a fan. Ductwork, valves or dampers, and instr en atio also fonn part of the system, as well as heaters, u lctioni g to reduce the relative humidity of the air s team. A second bank of HEPA filters follows the adsorber se ion to collect carbon fines and re of the main HEPA filter
^g provide backup in case
) bank. The downstream HE filter is not credited in the analysis, but serves to c 11ect charcoal fines, and to back up the upstream HEPA filtehshould it develop a leak. The <
system initiates filtered ventilation of the fuel handling building following receipt of a high radiation signal. The Fuel Handling Building Posti ccident Cleanup Filter System is a standby system, part f which may also be operated during normal unit opera ns. Upon receipt of the actuating signal, the fuel handling \puilding is isolated, and the stream of ventilation air disgharges through the , system filter trains. The prefilters temove any large particles in the air, to prevent excess'l e loading of the e HEPA filters and charcoal adsorbers. Y p Operation of the FHB nonnal HVAC system wit one PACFS unit operating and the other unit inoperable is pe issible : provided both radiation monitors RT-7823 and 7 and their associated circuitry remain OPERABLE. i (continued) SAN ONOFRE--UNIT 2 % B 3.7-69 % - D AMENDMENT NO. rure-no~ag uu c +- gu
r AC ke:es -::en : 5.3.3.[ BASES BACKGROUND Distribution System. Within 77 seconds after the initiating (continued) signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe ; condition are returned to service via the programed time ; interval load sequence. The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DGs G002 and G003 are dedicated to ESF buses A04 and A06, respectively. A DG starts automatically on a safety injection actuation signal (SIAS) (i.e., low. pressurizer pressure or high containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it will automatically tie to its : respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SIAS signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SIAS alont. Following the trip of offsite power, an undervoltage signal strips nonpennanent loads from the ESF bus. When the DG is tied to the ESF bus, , loads are then sequentially connected to its respective ESF bus by the programed time interval load sequence. The sequencing logic controls the permissive and starting i signals to motor breakers to prevent overloading the DG by automatic load application. In the event of a loss of preferred power, the ESF electrical loads are automatically connected co the DGs in ; sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) p such as a loss of coolant accident (LNA). However, for standby Certain required unit loads are returned to service in a class of service like predetermined sequence in order to prevent overloading the the San Onofre DGs DG in the process. Within 77 seconds after the initiating the manufacturer sitInal is received, all loads needed to recover the unit or o a[v lu up to 116.1% of continuous Ratings for Train A and Train B DGs satisfy the requirements duty rating based on of Regulatory Guide 1.9 (Ref. 3). The continuous service the total hours the DG rating of each DG is 4700 kW with 10% overload permissible is operated per year. for up to 2 hours in any 24 hour period. The ESF loads that are powered from the 4.16 kV ESF buses a listed in y Reference 2. , l 1 (continued l SAN ONOFRE--UNIT 2 B 3.8-2 AMENDMENT NO. i
)
*: n. m _ :a r :
3 3.3.! BASES SURVEILLANCE SR 3.8.1.2 and SR 3 . 8 .1. 7_ (continued) REQUIREMENTS SR 3.8.1.7 requires that, at a 184 day Frequency, the DG starts from standby conditions and achieves required voltage and frequency within 10 seconds. The 10 second start requirement supports the assumptions of the design basis LOCA analysis in the UFSAR, Chapter 15 (Ref. 5). The 10 second start requirement is not applicable to SR 3.8.1.2 (see Note 3) when a modified start procedure as described above is used. Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2 and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2. The normal 31 day Frequency for SR 3.8.1.2 (see and h Table 3.8.1-1, " Diesel Generator Test Schedule," in the'^O companying LCO) h ~ :':^ --t _ . .:. Q.' .n . , : : f: _.
, 12,- " r 184 day Frequency for SR 3.8.1.7 %
a .-.4,, 4, c m u . . . . : 7 ---,1 i _,m, ,,,4
, _____. _.__m. ., _- - egulatory Guide 1.9 (Ref. 3).
These Frequencies provid adequate assurance of DG OPERABILITY, while mini zing degradation resulting from testing. ,
@t CONSIS1Tnf gg,.uk SR 3.8.1.3 y k4ffN This Surveillance verifies that the are capable of synchronizing with the offsite elect ical system and accepting loads greater than or equ to the equivalent of the maximum expected accident loads A minimum run time of 60 minutes is required to stabiliz engine temperatures, while minimizing the time that the DG is connected to the offsite source.
Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation to ensure circulating currents are minimized. (continued) B 3.8-14 AMENDMENT NO. SAN ON0FRE--UNIT 2 i
i 2C kc:es -::m : B 3.3.i , BASES SURVEILLANCE SR 3.8.1.3 (continued) REQUIREMENTS I The normal 31 day Frequency for this Surveillance (Table 3.8.1-1) is consistent with Regulatory Guide 1.9 - (Ref. 3). This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because t of changing bus loads do not invalidate this test.
- Similarly, momentary power factor transients above the limit ,
will not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failurer that might result from i offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG' start must precede this test to credit ' satisfactory performance. thCh6 SR 3.8.1.4 This SR provides verific ion that the level of fuel oil in i the day tank is at or at ve the level at which fuel oil is automatically added. Tl e le equivalent volume in ;;:'-.gel andisisexpressed as an selected to ensure adequate fuel oil for a minimum of 1 hour of DG operation n l full load plus 10%. I The 31 day Frequency is adequate to assure that a sufficier: supply of fuel oil is available, since low level alams are provided and unit operators would be aware of any large use. of fuel oil during this period. SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous microorganisms that can grow in fuel oil and cause fouling, but all must have a i water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates i the necessary environment for microbial survival in the :n ; i (contire l SAN ONOFRE--UNIT 2 B 3.8-15 AMENDMENT NC i 1
C iu:n - ::m : 6 3.3.. BASES SURVEILLANCE SR 3.8.1.9 (continued) REQUIREMENTS recomendations for response during load sequence intervals. The 4 seconds specified is equal to 80% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values to which the system must recover following load rejection. The 24 month Frequency is consistent with the recomendation of Regulatory Guide 1.9 (Ref. 3). In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is perfonned using design basis kW loading and maximum kVAR loading permitted during testing. These loadings represent the inductive loading that the DG would experience to the extent practicable and is consistent with the intent of Regulatory Guide 1.9 (Ref. 3). This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR. SR 3.8.1.10 This Surveilla demonstrates the DG capability to reject a load equal t 0 to 100% of its continuous rating without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a , system fault or inadvertent breaker tripping. This ' Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG will not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DS is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or. isolated. These loads and limits are consistent with Regulatory Guide 1.9 (Ref. 3). (continued) 8 3.8-18 AMENDMENT NO. . SAN ONOFRE--UNIT 2 I
C i: /: n - ::g r. : e 2.s.. BASES SURVEILLANCE SR 3.8.1.10 (continued) . REQUIREMENTS ' c In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed using design basis kW loading and maximum kVAR loading permitted during testing. These loadings represent the inductive loading that the DG would ' experience to the extent practicable and is consistent with the intent of Regulatory Guide 1.9 (Ref. 3). . The 24 month Frequency is consistent with the recomendation of Regulatory Guide 1.9 (Ref. 3) and is intended to be , consistent with expected fuel cycle lengths. This SR is modified by a Note which acknowledges that credit may be taken for unplanned events that satisfy this SR. SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), this ; Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time. The DG auto-start time of 10 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The frequency should be restored to within 2% of nominal following a load sequence step. The i Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have ; decayed and stability has been achieved. ! The requirement rify the connection and' power supply of pemanentrano auto-connecteoloads is intended to satisfactorily show the relationship of these loads to the j DG loading logic. In certain circumstances, many of these I loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. (continued) i i SAN ONOFRE--UNIT 2 B 3.8-19 AMENDMENT NO. i i l I 1
Diesel Fuel 311, Lee 011, and Star.,n; o - B 3.8.3 8 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air f7299urnat -{kt, t%4 XI(MM M *$0 0 bt M N BASES IS W IM b # BACKGR'JUND Each diesel genera DG) is provided with a storage tank having a fuel oil capac sufficient to operate that diesel for a period of 7 days, w. ile the DG is supplying maximum '
~ '
post loss of coolant accid t load demand as discussed in fSan Oncfre has a Diesel j the UFSAR, Section 9.5.4.2 Ref. 1). The maximum load , demand .is_calculated . _ - - ' Fuel Oil (DFO) testing i m ~_
, , " ' This onsite fuel' oil capacity is '
program which ensures sufficient to operate the DGs for longer than the time to fu lity. replenish the onsite supply from outside sources. {p 9g purchasing, receipt Fuel oil is transferred from storage tank to day tank by testing of new fuel 011' I either of two transfer pumps associated with each storage and periodic analyses tank. Redundancy of pumps and piping precludes the failure of the stored fuel. San of one pump, or the rupture of any pipe, valve, or tank to Onofre is not committed result in the loss of more than one DG. All outside tanks, pumps, and piping are located underground. pr on Re t ry Guide 1.137 (Ref. 2) or For proper operation of the standby DGs, it is necessary to ANSI N195-1976 (Ref. 3); I f ensure the or3oer quality of the fuel oil.Eegulatory - however, these standards P muide 1.137 (lef. 2) adoresses ms .cuumended fuel oil were utilized as guidance practices as supplemented by ANSI N195-1976 (Ref. 3). The] in the development of the fuel oil properties governed by these SRs are the water and DF0 testing program. sediment content, the kinematic viscosity, and impurity j k- Llevel. t n_ The DG lubrication system is designed to provide sufficient lubrication to pemit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. Each engine oil sump contains an inventory capable of supporting a minimum of 7 days of operation. The onsite storage in addition to the engine oil sump is sufficient to ensure 7 days of continuous operation. This supply is sufficient supply to allow the operator to replenish lube oil from outside sources, i Each DG has an air start system with adequate capacity for ; five successive start attempts on the DG without recharging the air start receiver (s). (continued) SAN ONOFRE--UNIT 2 B 3.8-35 AMENDMENT NO. l i
Diesel bei 011. Lute C11, anc star ng o - B 3.3.3 BASES APPLICABILITY air are required to be within limits when the associated DG 1 (continued) is required to be OPERABLE. {~1(o *fo {evel v P ACTIONS A.1 InthisCondition,the7dayfueloilsupplyMoraDGisnot available. However, the Condition is restricted to fuel _ oil l level reductions that maintain at least a 6 day suppig. - pTheanalysesforthe These circumstances may be caused by events such as f011 fuel oil are based load operation required after an inadvertent start while at upon the requirements minimum required level; or feed and bleed operations, which in gallons. The may be necessitated by increasing particulate levels or any percentage figures number of other oil quality degradations. This restriction are provided because allows sufficient time for obtaining the requisite , the fuel oil level replacement volume and performing the analyses required indicators in the prior to addition of fuel oil to the tank. A period of control room are 48 hours is considered sufficient to complete restoratio.n of marked in percentages the required level prior to declaring the DG inoperable. not in gallons. This period is acceptable based on the remaining capacity
) (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
m lfTess 04rt OC hirt mark Me. diphCK
^^ 8 With lube oil inventory " f " - ,' .......f
--. .... .. ,,....... ..., _ , sufficient
' lubricating oil to support 7 days of continuous DG operation '
at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day suppl }This restriction allows sufficient time to obtain the re site replacement volume. A period of 48 hours is considere sufficient to complete restoration of the required vol prior to declaring the DG inoperable. This period is ac ptable based on the remaining capacity (> 6 days) the low rate of usage, the fact that procedures will b initiated to obtain replenishment, and the lo probability of an event during this brief period. OV (ldh ~ Ts;u dig bck J
&f3 '"
(continued) SAN ON0FRE--UNIT 2 8 3.8-37 AMENDMENT NO.
Diese: be 31, _a::e L ;, an Stam ;or 3 3.3.3 BASES w V ACTIONS /_d (continued) gThisConditionisenteredasaresultofafailuretomeet the acceptance criterion of SR 3.8.3.3. Nomally, trending of particulate levels allows sufficient time to correct high (CQ# particulate levels prior to reaching the limit of JL V acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. e haf Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the C4 fuel oil. 1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and , load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of perfoming its intended function. F Xa With starting air receiver pressure < 175 psig, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is a 136 psig, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete (continuec , SAN ON0FRE--UNIT 2 B 3.8-38 AMENDMENT NO.
El Q
..N<-#RT &
C.1 In this Condition, the 7 day fuel oil supply (72% level) for a DG during Mode 5 or 6 is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (63% level). These circumstances may be caused by events such as full load operation required after an inadvertent start while at minimum required level; or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This i restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required h level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. t i I
Dieset #;e' > . L4e :, ar4 S u m ; 21-B 3..B.3 BASES ACTIONS fM (continued) restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period. G f
/.1 With a Required Action a associated Completion Time not met, or one or more DGs ith diesel fuel oil or lube oil not within limits for reas s other than addressed by Conditions A through $ the associated DG may be incapable of performing its intended function and must be irmnediately declared inoperable.
(G9 % m Most I,s,1, or + and SURVEILLANCE SR 3.8.3.1 M2.*4 m Mo4L Sor f, ) REQUIREMENTS This SR provides ver fication that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 ays at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location. The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alams are provided and unit operators would be aware of any large uses-of fuel oil during this period. SR 3.8.3.2 This Surveillance ensures t at sufficient lube oil inventory is available to support at I ast 7 days of full load operation for each DG. The 13 gal for the 20 cylinder cylinder engine requirements engine and 370 gal for the'arebasedontheDGmanufactu run time _of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load (continued) SAN ONOFRE--UNIT 2 8 3.8-39 AMENDMENT NO. [
de#hir Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 f BASES SURVEILLANCE SR 3.8.3.2 (continued) REQUIREMENTS operation without the level reaching the manufacturer recommended minimum level. A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is ensite, since DG starts and run time are closely monitored by the unit staff. SR 3.8.3.3
) The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been if ii) accordance contaminated with substances that would have an immediate, wkhASTMD287-82 detrimental impact on diesel engine combustion. If results that the sample has from these tests are within acceptable limits, the fuel oil an API g ity t may be added to the storage tanks without concern for 60,F o
, s39 . contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank (s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Within 31 days following Sample the new fuel oil in accordance with ASTM the initial new fuel oil a.
04057-81 (Ref. 6); delivery, the fuel oil ; is analyzed to establish Verify in accordance with the tests specified in ASTM that the other properties b. D975-81 (Ref. 6) that the sample has a kinematic specified in Table 1 of viscosity at 40*C of e 1.9 centistokes and ASTM 0975-81 (Ref. 6) s 4.1 pentistokes a. Mdd.Os[o I are met when tested in 44 D N'"%"" ^ #ad 9dimerd Cod Y A #5'Fi l accordance with ASTM ? Failure to meet any of the above limits is cause for 0975-81, except that the rejecting the new fuel oil, but does not represent a failure analysis for 1) sulfur may be performed in to meet the LCO concern since the fuel oil is not added to the storage tanks. accordance with ASTM D1266, D1552, 02622, ( 03120, or D4294 and 2) a j Qhe 31 day period is acceptable because the fuel oil l calculated cetane index mits, would not have an immediate effect on DG operation. {' may be determined in This Surveillance ensures the availability of hich quality accordance with ASTM 0976. d fuel oil for the DGs. Qan be. M icAP. AM g k . J Fuel oil degradation during long tenn storage " The c r an increase in particulate, due mostly to oxidation. (continued) ANENDMENT NO. SAN ONOFRE--UNIT 2 B 3.8-40 o
Diese Fael Jii, Lace Sti, ec33ry 3.- f B 3.8.3 BASES ! SURVEILLANCE SR 3.8.3.3 (continued) REQUIREMENTS presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure. kt44NdHtof]e o_+n.g" - r p
.. should be detennined in accordance with ASTM D2276-83, Method A (Ref. 6). This hidb method involves a gravimetric determination of total f
*g particulate concentration in the fuel oil and has a limit of f,10 mg/L. It is acceptable to obtain a field sample for hg[ sk subsequent laboratory testing in lieu of field testing.
The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between
- Frequency intervals.
my g5 g,, kaJ keggdejemlM SR 3.8.3.4 bO
- This Surveilla ce ensures that, without the aid of the refill compre sor, sufficient air start capacity for each DG is available The system design requirements provide for a minimum of f ve engine start cycles '"
without recharging. A g' start cycle " :_,... - "- . i_. ____::, -:: L 7--_....."....".v.' s.- ,,m..J._._._..' .;,' _. ...,._ O
..L. , ,,.... The pressure specified in this SR is Ontendedtoreflectthelowestvalueatwhichthefive starts can be accomplished.
The 31 day Frequency takes into account the capacity, ca) ability, redundancy, and diversity of the AC sources and ot1er indications available in the control room, including alarms, to alert the operator to below nomal air start pressure. SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous microorganisms that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates (continu : SAN ONOFRE--UNIT 2 B 3.8-41 AMENDMENT NO l
; ese' ~2e' :: , ..:e :- , 3-: 3:3-: ,; :.-
B 3.3.3 BASES REFERENCES 6. ASTM Standards: D4057-61; 0975-81; 02276-83. (continued) ASME, Boiler and Pressure Vessel de, Section XI. 7. S 5 pg652' , s Ol%LL" 3 947Y, . p z42.1 - I 1 t b e i B 3.8-43 AMENOMENT NO. SAN ONOFRE--UNIT 2 a w
X Sce:es - he r ; B 3.3.2 BASES LCO An OPERABLE DC electrical power subsystem requires the (continued) required battery and associated charger to be operating and connected to the associated DC bus. ; APPLICABILITY The DC electrical power sources are required to be OPERABLE q in MODES 1, 2, 3, and 4 to ensure safe unit operation and to {This2hourlimitis ensure that: appropriate for 125 VDC Acceptable fuel design limits and reactor coolant Trains A and B because a. these trains supply the pressure bcundary limits are not exceeded as a result of A00s or abnormal transients; and majority of the required safety related loads. Adequate core cooling is provided, and containment The 72 hour limit for b. Condition B is consistent integrity and other vital functions are maintained in the event of a postulated DBA. with the allowed time for Trains C and D as The DC electrical power requirements for MODES 5 and 6 are determined from a San addressed in the Bases for LCO 3.8.5, "DC Sources-Onofre Units 2 and 3 probabilistic risk Shutdown." { assessment (PRA). ACTIONS) A.1 and S.l gg Condition A represents one train with a loss of ability to completely spond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2 hour limit is consistent with the allowed time for an inoperable DC ( distribution system train. + gQgA If one of the required DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger, or inoperable battery charger and associated inoperable battery), the remaining DC electrical power . y Aor$ subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure would, however, result in the loss of two of the remaining 125 VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2 hour The 2 hour Completion TimegisbasedonRegulatoryGuide 93 (Ref. 8) and reflects Trsu A.r5 o y hg g g*g g g g,3 (continued) x - y SAN ONOFRE--UNIT 2 B 3.8-47 AMENDMENT N0. 1
- C Ic m e s - h e T. ;
3 3.3.4 BASES [* ACT!ONS (continued) a reasonable time to assess unit status as a function of the
# inoperable DC electrical power subsystem and, if the DC 7
The 72 hour Completion electrical power subsystem is not restored to OPERABLE Time is based on a PRA status, to prepare to effect an orderly and safe unit which determined that shutdown the resulting increase O in risk of core damage /.1and,f.2 due to unavailability If the inoperable DC electrical power subsystem cannot be of Trains C or D is restored to OPERABLE status within the required Completion significantly low. The Time, the unit must be brought to a MODE in which the LC0 resulting increase in risk of core damage does not apply. To achieve this status, the unit must be from a year long outage brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are of Train C or D is reasonable, based on operating experience, to reach the calculated to be required unit conditions from full power conditions in an approximately 1.9E-6 orderly manner and without challenging unit systems. The per year. A single 72 hour outage of Train Completion Time to bring the unit to MODE 5 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8). C or Train D represents a 0.05% (1.6E-8) increase in the total core damage from p Condition / represents one train with a loss of ability to internal events as c mpletely respond to a long term event, and a potential calculated in the San loss of ability to remain energized during nomal operation. Onofre Units 2 and 3 Since eventual failure of the battery to maintain the Individual Plant required battery cell parameters is highly probable, it is Examination (IPE), Both imperative that the operator's attention focus on the 2 hour and 72 hour stabilizing the unit, minimizing the potential for complete Com i ( pletion Times reflect j loss of DC power to the affected train. The additional time provided by the Completion Time is consistent with the , battery's capability to maintain its short term capability to respond to a design basis event. A note is added to take exception to the allowance of LCO 3.0.4 to enter Modes or other specified conditions in the Applicability. Even thoughCondition)lQequiredActionsdonotrequireaplant shutdown or require exiting the Modes or other specified conditions in the >plicability, the condition of the DC system is not such that extended operation is expected. Therefore, the no requires restoration of the inoperable battery charger OPERABLE status prior to increasing power. This exc ption is not intended to preclude the allowance of LCO 3.0.4 to always enter Modes or other P (continue-SAN ON0FRE--UNIT 2 B 3.8-48 AMENDMENT NO.
CC Sources - %cn ; B 3.5.1 BASES P ACTIONS /d (continued) specified conditions in the Applicability as a result of a plant shutdown. N fl If the battery cell parameters cannot be maintained within Category A limits, the short term capability of the battery is also degraded and the battery must be declared inoperable. SURVEILLANCE SR 3.8.4.1 REQUIREMENTS Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perfonn their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The 7 day Frequency is consistent with manufacturer recommendations and IEEE-450 (Ref. 9). SR 3.8.4.2 Visual inspection to detect corrosion of the battery cells , and connections, or measurement of the resistance of each intercell, interrack, intertier, and teminal connection, provides an indication of physical damage or abnomal deterioration that could potentially degrade battery perfomance. The limits established for this SR must be no more than 204 l above the resistance as measured during installation or not ; above the ceiling value established by the manufacturer. I The Surveillance Frequency for these inspections, which can detect conditions that can cause power losses due to resistance heating, is 92 days. This Frequency is (continuedi SAN ONOFRE--UNIT 2 8 3.8-49 AMENDMENT NO.
CC hur:es - ::e r. n; B 3.3.4 BASES g SURVEILLANCE SR 3.8.4.7 continued) REQUIREMENTS This s modified by two Notes. Note 1 allows the once per months performance of SR 3.8.4.8 in lieu of SR 3. 4.7. This substitution is acceptable because SR 3.8.4.8 represents a more severe test of battery capacity than does SR 3.8.4.7. Note 2 acknowledges that credit may be taken for unplanned events that satisfy this SR. SR 3.8.4.8 A battery perfomance test is a test of constant current capacity of a battery, nonnally done in the "as found" condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage. The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references reconnend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. g The Surveillance Frequency for this test is months, or every 12 months if the battery shows degradation or has reached 85% of its expected life. Degradation is indicated, according to IEEE-450 (Ref, 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the ; manufacturer "- " = ^ m :' ' ::: _ T. . ,.. ...y < n 1 g .'s rating.- :--..-- y ; _ ,,,,,; ,,,, ,,;3 _ _, ,,, . !
$(($i 5f.5)5 i " "" ' "~"
' ^ " " " "
This SR is modified by a Note which acknowledges that credit i may be taken for unplanned events that satisfy this SR. ) REFERENCES 1. 10 CFR.50, Appendix A, GDC 17.
- 2. Regulatory Guide 1.6, March 10, 1971.
(continued) B 3.8-52 AMENDMENT NO. SAN ONOFRE--UNIT 2 l l
Ea:terf :e' W .e:e , B 1.3.5 BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS The Category A limit specified for specific gravity for each pilot cell is e 1.200 (0.015 below the manufacturer fully charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref. 3), the specific gravity readings are based on a temperature of 77af (25aC). The specific gravity readings are corrected for actual electrolyte temperature and level . For each 3*F (1.67aC) above 77*F (25aC), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3*F below 77aF. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Footnote b to Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current is < 2 amps on float charge. This current provides, in general, an indication of overall battery condition. Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charging current at the charging voltage is an acceptable alternative to specific gravity measurement for detemining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 3). Footnote c to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a battery equalizing recharge. Category B defines the normal parameter limits for each connected cell. The term " connected cell" excludes any battery cell that may'be jumpered out. The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is a 1.195 (0.020 below the manufacturer fully charged, nominal s ecific gravity) with the average of all connected cells
> 1.205 (0.010 below the manufacturer fully charged, nominal specific gravity). These values are based on d (continuea.
B 3.8-62 AMENDMENT NO. SAN ONOFRE--Vi11T 2
Im e r:e rs - ;ce e e n; B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS l B 3.8.7 Inverters -Operati ng ) BASES
\ I16 BACKGROUND The inverters are the preferred sourc of power for the AC vital buses because of the stabili and reliability they achieve in being powered from the 2 VDC battery source.
The function of the inverter is to convert DC electrical power to AC electrical power, thus providing an uninterruptible power source for the instrumentation and controls for the Reactor Protective System (RPS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details characteristics areonfound inverters in the and theirChapter UFSAR, operating8 (Ref.1). APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);andSection3.6,ContainmentSystems. The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of:
- a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power; and
- b. A worst case single failure.
Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of the NRC Policy Statement. (continued) SAN ONOFRE--UNIT 2 B 3.8-64 AMENDMENT NO.
t in < er:ers - he r y - B 3,8.7 BASES (continueC LC0 The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (A00) or a postulated DBA. Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four battery powered inverters (one per train) are required to be OPERABLE to ensure an uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV ! safety buses are de-energized. OPERABLE inverters require the associated AC vital bus to be powered (105-140 Vby)the appliedinverte.", which from a battery has to the the correct inverter input, DC voltage l and inverter output AC voltage within tolerances. ggy This LCO is modified by a Note that allows inve N N be disconnected from its battery for s 24 hours, if the j ' associated vital bus is powered from a Class 1E constant ' voltage transfonner during the period and all other inverters are operable. This allows an equalizing charge to i
- f. ThesameNoteallow)s '
be placed on one batter . If the inverter (s) were not I either Train C or disconnected, the re ting voltage condition might damage Train D inverter to theinverter(s). se provisions minimize tne loss of be disconnected from i equipment that Id occur in the event of a loss of offsite its battery for 572 g 4, ,ne 24 hour time period for the allowance minimizes hours as long as all the time during which a loss of offsite power could result other inverters are in the loss of equipment energized from the affected AC operable. vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank. When utilizing the allowance, if one or more of the provisions is ' not met (e.g., 24 hour ime period exceeded), LCO 3.0.3 must be entered immediately. g y by The intent of this Note is to limit the number of inverters that may be disconnected. Only those inverters associated with the single battery undergoing an equalizing charge may be disconnected. All other inverters must be aligned to i their associated batteries, regardless of the number of inverters or unit design. (continuec) B 3.8-65 AMENDMENT NO. SAN ONOFRE--UNIT 2 g - .
- me-:e-s -:;e n ;
B 3.3.7 BASES (continued) APPLICABILITY The inverters are required to be OPERABLE in MODES 1, 2, 3, ; and 4 to ensure that:
- a. Acceptable fuel design limits and reactor coolant
' pressure boundary limits are not exceeded as a result of A00s or abnormal transients; and
- b. Adequate core cooling is provided, and containment !
1 OPERABILITY and other vital functions are maintained in the event of a postulated DBA. Inverter requirements for MODES 5 and 6 are covered in the l 1 Bases for LCO 3.8.8, " Inverters -Shutdown."
)
ACTIONS A.1 and A.2 Required Action A.] is mod led by a Note, which states to I enter the applicable condi "ons and Required Actions of= LCO 3.8.9, " Distribution Sy ens-Operating," when I Condition A is entered with AC vital bus de-energized. This ensures the vital bus is returned to OPERABLE status within 2 hours. gg A y g*, g Required Action A.2 allows 24 hours to fix the inoperablejb inverter and return it to service. The 24 hour limit is based upon enginet-ing judgment, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail. When the AC vital bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources T (offsite and onsite). The uninterruptible, battery backed inverter source to the AC vital buses is the preferrad w si p source for powering instrumentation trip setpoint devices. O y.1and#2 If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to (continued) B 3.8-66 AMENOMENT NO. SAN ONOFRE--UNIT 2
(/. %( H ) i/ l/ L - 16 1 Required Action B.1 is modified by a Note, which states to enter the applicable conditions and Required Actions of LC0 3.8.9, " Distribution Systems-Operating," when Condition B is entered with either Train C or Train D : AC vital bus de-energized. This ensures the vital bus is returned to OPERABLE status within 72 hours. The 72 hour limit is based on the results of a , probabilistic risk assessment which determined that the resulting increase in ' risk of core damage due to the unavailability of Train C or D is significantly low. The resulting increase in risk of core damage from a year long outage of i Train C or D is calculated to be approximately 1.9E-6 per year. A single 72 hour outage of Train C or D represents a 0.05% (1.6E-8) increase in the total ' core damage from internal events as calculated in the San Onofre Units 2 and 3 Individual Plant Examination. i i l J l
-l 3
1 1 I
- n.e e-s -::e 3- :
B 3.3.* BASES c d. ACTIONS jdf.1 and ja".2 (continued) at least MODE 3 within 6 hours and to MODE S within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.8.7.1 REQUIREMENTS ; This Surveillance verifies that the inverters are - functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage output ensures that the required power is readily available for the instrumentation of the RPS and ESFAS connected to the AC vital buses. The 7 day Frequency takes into account the redundant capability . of the inverters and other indications available in the . control room that alert the operator to inverter I malfunctions. REFERENCES 1. UFSAR, Chapter 8.
- 2. UFSAR, Chapter 6. .
- 3. UFSAR, Chapter 15.
i I i e i i SAN ONOFRE--UNIT 2 B 3.8-67 AMENDMENT NO. S
Distmution Systems -%e w ; B 3.8.3 BASES ACTIONS A.1 (continued) train by stabilizing the unit, and on restoring power to the affected train. The 8 hour time limit before requiring a unit shutdown in this condition is acceptable because of:
- a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and
- b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.
g ei++r Trsn A a Tren 5 u With ab AC vital bus inoperable, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital bus must be
- restored to OPERABLE status within 2 hours.
l Condition B represents M AC vital bus without power; 4 y g*g g potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of )ower to the remaining vital buses, and restoring power to t1e affected vital bus. This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. The 2 hour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period. (continued) SAN ONOFRE--UNIT 2 B 3.8-75 AMENDHENT NO.
Distributi on Systems - 0;ern3. , ; B 3.8.9 l BASES m ACTIONS kd f [rdtn d er TF#fh 6 l 9 (continued) With the'SC bus in one train inoperable, the remaining DC o electridal power distribution subsystems are capable of W( supporting the minimum safety functions necessary to shut r wg n down the reactor and maintain it in a safe shutdown , condition, assuming no single failure. The overall I N )' 4 I reliability is reduced, however, because a single failure in y6q the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC bus must be restored to OPERABLE status within 2 Tr,iin A erTme'n S Condition represents r -
^
without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining trains and restoring power to the affected train. [ This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components which would be
]g[ without power. p g*n A ,7 g', g p ,, . i The 2 hour Completion Time for C buses is consistent with Regulatory Guide 1.93 (Ref. 3) l fp.1and 2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the e unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
l (continued) l l B 3.8-76 AMENDMENT NO. SAN ONOFRE--UNIT 2
- NSERT "6" i
Cd With either Train C or Train D AC vital bus inoperable, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 72 hours. Condition C represents either one of the Train C or Train D AC vital bus without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all ' noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses, and restoring power to the affected vital bus. The 72 hour Completion Time is based on the results of a : probabilistic risk assesment which determined the low significance of the risks involved due to the unavailability of Train C or Train D AC vital bus when compared to Train A or B AC vital bus unavailability. This completion time also takes into account the ; importance to safety of restoring the AC vital bus to OPERABLE ' ' status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this. period. i l 1 l
1 IN53ftT "H" L.1 - With either Train C or Train D DC bus inoperable, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC bus must be restored to OPERABLE status within 72 hours. Condition D represents Train C or Train D without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the
- unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining trains and restoring power to the affected train.
The 72 hour Completion Time for Train C or Train D DC bus is consistent with the results of a probabilistic risk assesment which determined the low significance of the risk involved due to the unavailability of Train C or Train D AC vital bus when compared to Train A or B AC vital bus unavailability. This completion time also takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period. l
Boron Concentration B 3.9.1 BASES LCO COLR ensures a core k,7, of s 0.95 is maintained during (continued) fuel handling operations. Violation of the LC0 could lead to an inadvertent criticality during MODE 6. APPLICABILITY This LC0 is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a k,,, s 0.95. Above MODE 6, LC0 3.1.1, " SHUTDOWN MARGIN (SDM) -T > 200*F," and LCO 3.1.2, " SHUTDOWN MARGIN-T,, s2EdF,"ensurethatan - adequate amount of negative reac,tivity is available to shut down the reactor and to maintain it subcritical. 1 ACTIONS A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the RCS, or the refueling canal is less than its limit, hfgA.T' all operations involving CORE ALTERATIONS or positive reactivity. additions must be suspended immediately. Smalbtemperature fluctuations associated with maintaining I theplantstatusarepermissibleprovidedtheyremainwithN limits established by Statinn Technical for the olant/ l' 79ghpc (conditions.) hMd/ NM 46 M ~
' Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe GM5r/grc M eg '
osition.
$//tWC i So rea ef) fi Wk!>f
/) sr*WilWf )
- Wi % i w D In addition to immediately suspending CORE ALTERATIONS or positive reactivity additions, boration to restore the concentration must be initiated imediately.
In determining the required combination of boration flow rate and concentration, there is no unique design basis event that must be satisfied. The only requirement is to restore the boron concentration to its required value as (continued) SAN ONOFRE--UNIT 2 B 3.9-3 AMENDMENT NO.
Nuclear Instrumentation B 3.9.2 BASES (continued) APPLICABILITY In MODE 6, the SRMs must be OPERABLE to determine changes in core reactivity. There is no other direct means available to check core reactivity levels. In MODES 3, 4, and 5, the installed source range detectors and circuitry are required to be OPERABLE by LCO 3.3.13,
" Source Range Monitors."
ACTIONS A.1 and A.2 With only one SRM OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and positive reactivity additions must be suspended imediately. Perfomance of Required Action A.1 shall not preclude bSM completion of movement of a component to a safe position. _ ey hmas i temperature fluctuations associated with maintaining
~
l T*M/ser*4MrE M/pgS - f the plant status are pemissible provided they remain within gg g limits established by Station Technical for the plant
" conditions.3 I
l'est$tWetEd $M N# N B.1 tat:w h W addif With no SRM OPERABLE, actions to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, actions shall be continued until an SRM is restored to OPERABLE status. E.:.Z With no SRM OPERABLE, there is no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the SRMs are OPERABLE.- This stabilized condition is detemined by performing SR 3.9.1.1 to verify that the required boron 3 concentration exists. ; (continued) d SAN ONOFRE--UNIT 2 B 3.9-6 AMENDMENT NO.
l T.'. 1 i Containment Penetrations B 3.9.3 BASES l . g's, .
<.~ !
SURVEILLANCE SR 3.9.3.2 REQUIREMENTS These surveillances performed during H00E 6 (continued) requirements. ' will ensure that the valves are capable of closing after l postulated fuel handling accident to limit a release of .> fission product radioactivity from the containment. REFERENCE 1. UFSAR, Section 15.7.3.4.
=
e G
;_ (:: (c":::I:)
AMENDMENT NO. SAN ONOFRE--UNIT 2- B 3.9'-15
N SDC and Coolant Circulation-High Water Level B 3.9.4 BASES _.b-APPLICABLE If the reactor coolant temperature is not maintained below SAFETY ANALYSES 200 F, boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel. Additionally, boiling of the actor coolant could lead to a reduction in boron concentra' ' n in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration than is required to keep the reactor suberitical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually. challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the SDC System is required to be operational in MODE 6, with the water level 2 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LC0 does permit de-energizing of the SDC pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SDC pump does not result in a challenge to the fission product barrier. SDC and Coo,lant Circulation-High Water Level satisfies Criterion /oftheNRCPolicyStatement. I 5 LCO Only one SDC loop is required for decay heat removal in H0DE 6, with water level 2 23 ft above the top of the reactor vessel flange. Only one SDC loop is required because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one SDC loop must be in operation to provide:
- a. Removal of decay heat;
- b. Mixing of borated coolant to minimize the possibility of a criticality; and
- c. Indication of reactor coolant temperature.
An OPERABLE SDC loop includes an SDC pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature. (continued) 6 B 3.9-17 AMENDMENT NO. SAN ONOFRE--UNIT 2
ATTACHMENT "D" (Marked-Up Proposed Table of Contents and Bases) Unit 3
r; ~ $. I 1
? i e
TABLE OF CONTENTS
~
p, = E) 1.1-1 P '1. 0 USE AND APPLICATION .................... 1.1-1 Y -'l- 1 Definitions ...................... 1.2-1 1.2 Logi cal Connectors . . . . . . . . . . . . . . . . . . . 1.3-1 Completion Times . . . . . . . . . . . . . . . . . . . . 1.3' 1.4-1
, 1.4 Frequency .......................
2.0-1 ; SAFETY LIMITS (SLs) .................... 2.0 2.0-1 2.1 SLs .......................... 2.0-1 2.2 SL Violations ..................... 3.0-1
. 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY
........ 3.0-4 . . . .
3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY 3.1-1 3.1 REACTIVITY CONTROL SYSTEMS > 200*F
........... 3.1-1 3.1.1 SHUTDOWN MARGIN (SDM)-T,,, 3.1-2 SHUTDOWN MARGIN (SDM)-T,,,
s 200aF ........ 3.1.2 3.1-3 3.1.3 Reactivity Balance ................ 3.1-5 Moderator Temperature Coefficient (MTC) ...... 3.1-7 3.1.4 ..... 3.1.5 Control Element Assembly (CEA) Alig(nmentCEA) Insertion Shutdown Control Element Assembly 3.1.6 3.1-12 Limits .................... 3.1-14 3.1.7 Regulating CEA Insertion Limits .......... Part length Control Element Assembly (CEA) 3.1-18 3.1.8 ............... Insertion Limits Special Test Ex egtjgt_(ST4h;;;-SHUTOOWN-MAR &iN (50:1) G_ bet 77. J '.W : .QW r.N(p . . . . . 3.1.9 t 3.1-20
,-MOD
-Sper 1-Test-Exc3pt
- 3.1-22 3.1.10 M77.*4 b. @ (STE)%M.E41
- r. ..N...... and-2-Q_
Shutdown 'o. M . . . . . . 3.1-24 3.1.11 Borated Water-Sy nc ... 3.1-26 3.1.12 Special Test Exception (STE) - MODES 2 and 3 3.1-28 3.1.13 Special Test Exceptions (STE) - MODE 1 ...... 3.1.14 Special Test Exceptions (STE) - Center CEA and 3.1-30 Regulating CEA Insertion Limits ........
............... 3.2-1 3.2 POWER DISTRIBUTION LIMITS
.............. 3.2-1 3.2.1 Linear Heat Rate (LHR) ........ 3.2-3 Planar Radial Peaking Factors (Fxy) 3.2-5 3.2.2 AZIMUTHAL POWER TILT (T,) .............
3.2.3 3.2-9 3.2.4 Departure From Nucleate Boiling Ratio (DNBR) . . . . 3.2-12 3.2.S AXIAL SHAPE INDEX (ASI) .............. 3.3-1 3.3 INSTRUMENTATION .................... ReactorProtectiveSystem(RPS) 3.3-1 3.3.1 Instrumentation-Operating ........... Reactor Protective System (RPS) 3.3-11 3.3.2 ........... Instrumentation-Shutdown 3.3-15 Control Element Assembly Calculators (CEACs) . . . .. 3.3.3-(continued) ii AMENDMENT NO. SANONOFRE13 1 I l
l i i TABLE OF CONTENTS i 3.5 3.5.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) Trisodium Phosphate (TSP) ............. (continued) 3.5-11 g: l 3.6 CONTAINMENT SYSTEMS .................. 3.6-1 3.6.1 Containment .................... 3.6-1 3.6.2 Containment Air Locks ............... 3.6-3 3.6.3 Containment Isolation Valves . . . . . . . . . . . . 3.5-8 3.6.4 Containment Pressure . . . . . . . . . . . . . . . . 3.6-16 3.6.5 Containment Air Temperature ............ 3.6-17 3.6.6.1 Containment Spray and Cooling Systems ....... 3.6-18 , 3.6.6.2 Containment Cooling System . . . . . . . . . . . . . 3.6-21 3.6.7 Hydrogen Recombiners ............... 3.6-23 3.6.8 Containment Dome Air Circulators . . . . . . . . . . 3.6-25 3.7 PLANT SYSTEMS ..................... 3.7-1 3.7.1 Main Steam Safety Valves (MSSVs) . . . . . . . . . . 3.7-1 3.7.2 Main Steam Isolation Valves (MSIVs) ........ 3.7-3 3.7.3 Main Feedwater Isolation Valves (MFIVs) ...... 3.7-5 3.7.4 Atmospheric Dump Valves (ADVs) . . . . . . . . . . . 3.7-7 3.7.5 Auxiliary Feedwater (AFW) System . . . . . . . . . . 3.7-9 3.7.6 Condensate Storage Tank CST) ........... 3.7-14 3.7.7 Component Cooling Water CCW) System . . . . . . . . 3.7-16 3.7.7.1 Component Cooling Water CCW) Safety Related Makeup System ............. 3.7-18 3.7.8 Salt Water Cooling (SWC) System .......... 3.7-21 3.7.9 Not used . . . . . . . . . . . . . . . . . . . . . . 3.7.10 Emergency Chilled Water (ECW) ........... 3.7-23 3.7.11 Control Room Emergency Air Cleanup System (CREACUS) 3.7-25 j 3.7.12 Not used . . . . . . . . . . . . . . . . . . . . . . 3.7.13 3.7.14 Not i-iondling
-Fuel used . Buildin3
. . . . . .M.t .8-e . .%. .nt.9. . . N L &. p ~ '
Cl .. 4 .";iis. Sy L. ; 1 7? E 3.7.15 Not used . . . . . . . . . . . . . . . . . . . . . . 3.7.16 Fuel Storage Pool Water Level ........... 3.7-31 3.7.17 Fuel Storage Pool Boron Concentration ....... 3.7-32 3.7.18 Spent Fuel Assembly Storage ............ 3.7-34 3.7.19' Secondary Specific Activity ............ 3.7-38 3.8 r1ECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . . 3.8-1 3.8.1 AC Sources-Operating . . . . . . . . . . . . . . . 3.8-1 3.8.2 AC Sources - Shutdown . . . . . . . . . . . . . . . . 3.8-17 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air .... 3.8-20 3.8.4 DC Sources-Operating ............... 3.8 3.8.5 DC Sources - Shutdown . . . . . . . . . . . . . . . . 3.8-27 3.8.6 Battery Cell Parameters .............. 3.8-30 3.8.7 Inverters -0perating . . . . . . . . . . . . . . . . 3.8-34 3.8.8 Inverters -Shutdown ................ 3.8-36 3.8.9 Distribution Systems-0perating .......... 3.8-38 (continued) SANONOFRED- iv AMENDMENT N0. J.
) ] . .
s TABLE OF CONTENTS
=
B 2.0-1 SAFETY LIMITS (SLs) .... .............. B 2.0-1 h) J-B'2.0 B 2.1.1 Reactor Core SLs . . . . . . . . . . . . . . . . . B 2.0-6 Reactor Coolant System (RCS) Pressure SL . . . . . J ( B 2.1.2 B 3.0-1 B.3.0 LIMITING CONDITION FOR OPERATION (LCO)
....... APPLICABILITYB 3.0-10 ... ;
B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY-n B 3.1-1 ! I B 3 . 11 REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . B 3.1-1 SHUTDOWN MARGIN (SOM) -T,,, > 200*F . . . . . . . . B 3.1-7 J
. B'3.1.1 SHUTDOWN MARGIN (SDM) -T.,, s 200*F . . . . . . . . B 3.1-12 ;
- k B 3'.1.2 Reactivity Balance . . . . . . . . . . . . . . . . B 3.1-1B~
B 3.1.3 Moderator Temperature Coefficient (MTC) ..... B 3.1.4 B 3.1-23 Control Element Assembly (CEA) Alignment '. . . . . B 3.1.5 Shutdown Control Element Assembly (CEA) l 8 3.1.6 -
............. B 3.1-34 Insertion limits . . l B 3.1.7 ' Regulating Control Element Assembly (CEA) B 3.1-39 Insertion Limits . . .............
Part Length Control Element Asseubly (CEA) B 3.1-48 8 3.1.B ........... 4 Insertion Limits .. t Exqept4 ops-(QE-)--Sii DOWN H^iiGIN B 3.1.9 -Spectai-tea W7P 4 9 S.M r . .. P .M. = NODES 1 end 2Q .o . B 3.1-53B.3.1-5 ,
@l--Test-Exceptions-fSTE)
Specia B 3.1-57 '! B 3.1.10 Borated Water -System 91 Shutdown ~59 *.%es. B 3.1.11 ... B 3.1-59 B 3.1.12 Special Test Exception (STE) .-MODES 2 and ...... 3 B 3.1-65 8 3.1.13 Special Test Exceptions (STE)-+10DE 1 8 3.1.14 Special Test Exceptions (STE)-Center CEA and B 3.1-71 Regulating CEA Insertion Limits . . . . . . . . o, B 3.2-1 l, : B 3.2-1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Linear Heat Rate . . . . . . . . ........ ......... B 3.2-9 B 3.2.2 Planar Radial Peaking Tq) (Factor (Fn). . . . . . . . . . . . B 3.2-16 8 3.2.3 AZIMUTHAL POWER TILT B 3.2-26 ; 8 3.2.4 Departure from Nucleate Boiling Ratio (DNBR) . . . B 3.2-35 AXIAL SHAPE INDEX (ASI) B 3.2.5 1 B 3.3-1 B 3.3 INSTRUMENTATION ................... Reactor Protective System (RPS) Instrumentation- B 3.3-1 B 3.3.1 Operating . . . . . . . . . . . . . . . . . . . N Reactor Protective System (RPS) Instrumentation- B 3.3 y B 3.3.2 Shutdown ..........-......... B 3.3-52 Control Element Assembly Calculators (CEACs) . . . B 3.3.3 Reactor Protective System (RPS) Logic and Trip B 3.3.4 B 3.3-63 Initiation .................. ) 8 3.3.5 Engineered Safety Features Actuation System B 3.3-77 ) (ESFAS) Instrumentation . . . . . . . . . . . . B 3.3.6 Engineered Safety Features Actuation BSystem 3.3-103 - (Ej ; (continued)
)
AMENDMENT NO. vi SAN ONOFRE h3 i 1
TABLE OF CONTENTS B 3.6 B 3.6.7 CONTAINMENT SYSTEMS (continued) Hydrogen Recombiners . . . . . . . . . . . . . . . B 3.6-48 O-B 3.6.8 Dome Ai r Ci rculators . . . . . . . . . . . . . . . B 3.6-53 B 3.7 PLANT SYSTEMS .................... B 3.7-1 B 3.7.1 Main Steam Safety Valves (MSSVs) . . . . . . . . . B 3.7-1 B 3.7.2 Main Steam Isolation Valves (MSIVs) ....... B 3.7-7 , B 3.7.3 Main Feedwater Isolation Valves (MFIVs) ..... B 3.7-13 J B 3.7.4 Atmospheric Dump Valves (ADVs) . . . . . . . . . . B 3.7-17 i B 3.7.5 Auxiliary Feedwater (AFW) System . . . . . . . . . B 3.7-23 ' B 3.7.6 Condensate Storage Tank (CST) .......... B 3.7-31 B 3.7.7 Component Cooling Water (CCW) System . . . . . . . B 3.7-37 B 3.7.7.1 CCW Safety Related Makeup System . . . . . . . . . B 3.7-42 B 3.7.8 Salt Water Cooling System (SWC) ......... B 3.7-50 B 3.7.9 Not used . . . . . . . . . . . . . . . . . . . . . B 3.7.10 Emergency Chilled Water (ECW) System . . . . . . . B 3.7-55 B 3.7.11 Control Rooa Emergency Air Cleanup System (CREACUS) . . . . . . . . . . . . . . . . . . . B 3.7-53 B 3.7.12 Not used . . . . . . . . . . . . . . . . . . . . . B 3.7.13 Not used . M . u C.a J. . . . . . . . . . . . . . B 3.7.14 n:1 "r$7 D"i W S
- Clerg 9" = k? C' C .' %
B 3.7.15 Not used . . . . . . . . . . . . . . . . . . . . . B 3.7-74 B 3.7.16 Fuel Storage Pool Water Level .......... B 3.7-82 8 3.7.17 Fuel Storage Pool Boron Concentration ...... B 3.7-85 8 3.7.18 Spent Fuel Assembly Storage ........... B 3.7-88 8 3.7.19 Secondary Specific Activity ........... B 3.7-80 B 3.8 ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . B 3.8-1 B 3.8.1 AC Sources-Operating .............. B 3.8-1 B 3.8.2 AC Sources - Shutdown . . . . . . . . . . . . . . . B 3.8-29 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ... B 3.8-35 B 3.8.4 DC Sources-Operating .............. B 3.8-44 8 3.8.5 DC Sources -Shutdown . . . . . . . . . . . . . . . B 3.8-54 B 3.8.6 Battery Cell Parameters ............. B 3.8-58 i B 3.8.7 Inverters -0 )erating . . . . . . . . . . . . . . . B 3.8-64 8 3.8.8 Inverters -51utdown ............... B 3.8-68 B 3.8.9 Distribution Systems-Operating ......... B 3.8-72 B 3.8.10 Distribution Systems -Shutdown . . . . . . . . . . B 3.8-79 B 3.9 REFUELING OPERATIONS . . . . . . . . . . . . . . . . . B 3.9-1 B 3.9.1 Boron Concentration ............... B 3.9-1 B 3.9.2 Nuclear Instrumentation ............. B 3.9-5 B 3.9.3 Containment Penetrations . . . ... . . . . . . . . B 3.9-9 B 3.9.4 Shutdown Cooling (SDC) and Coolant Circulation-High Water Level . . . . . . . . . B 3.9-16 B 3.9.5 Shutdown Cooling (SDC) and Coolant Circulation-Low Water Level ......... B 3.9-21 B 3.9.6 Refueling Water Level .............. B 3.9-25 SANONOFREk3 viii AMENDMENT N0. ,) , 4
200*F SOH - T.,g >B 3.1.1 BASES pressure, linear heat rate, and the DNBR do not exceed APPLICABLE SAFETY ANALYSIS . allowable limits. (continued) The startup of an inactive RCP will not result in a " cold water" criticality, even if the maximum differenceThe inmaximum temperature exists between the SG and the core. positive reactivity addition that can occur due to aninadvertent SDM. An idle RCP cannot, therefore, produce a return to power from the hot standby condition.
- c. a a The ,}se.;rson++1of 3 CEAf from subcritical or low power Conditions adds reactivity to the reactor core, causing'both
'the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure. The d th h d ofgCEA / also produces a time f dependent red stribution of core power.
i c.j e.c.non l The SDM satisfies Criterion 2 of th'e NRC Policy Statement. ) f LCO The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 100, " Reactor Site Criterion," limits (Ref. 4). For the boron dilution accident, if the LCO is violat~ed, then the minimum required time assumed for operator action to terminate dilution may no longer be applicable. SDM is a core physics design condition that can be ensured through CEA positioning (regulating and shutdown CEAs) and through the soluble boron concentration. APPLICABILT InNORS3and4,theSDHrequirementsareapplicableto
'~
~ provide sufficient negative reactivity to meet the In assumptions of the safety analyses discussed above.
MODES:1 and 2 SDM is ensured by complying with LCO 3.1.6,
" Shutdown Control Element Assembly (CEA) Insertion Limits," ,
and LCO 3.1.7. If the insertion limits of LCO 3.1.6 or l LCO 3.1.7'are not being complied with, SDM is not ' automatically violated. The SDM must be calculated by performing a reactivity balance calculation (considering the j - .. 1 ' - (continued) AMENDMENT NO. SAN ONOFRE--UNIT 3 B 3.1-4 l
i SDM - T.,, s 200
- F l 8 3.1.2 BASES , . .
'i
. BACKGROUND Element Assembly (CEA) Insertion Limits." When the unit is
, in the shutdown and refueling modes, the SDM requirements (continued) are met by means of adjustments to the RCS boron concentration.
APPLICABLE The min'imum required SDM is assumed as an initial condition SAFETY ANALYSES' in safety analysis. The safety analysis (Ref. 2) establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and A00s with the assumption of the highest worth CEA stuck out following a reactor trip. When the CEAs are all verified to be inserted, by both open reactor trip breakers and the CEA position indications, it is not required to assume that the highest reactivity worth CEA is stuck out. Specifically, t for MODE 5, the primary safety analysis that relies on the SDM limits is the boron dilution analysis. The acceptance criteria for the SDM requirements are that the specified acceptable fuel design limits are maintained. This is done by ensuring that:
- a. The reactor can be made suberitical from all operating conditions, transients, and Design Basis Events; 3
- b. The reactivity transients associated with postulated accident conditions are controllable within acceptable ,
limits (departure from nucleate boiling ratio, fuel centerline temperature limits for A00s, and s 280 cal /gm energy deposition for the CEA ejection accident);and
- c. The reactor will be maintained sufficiently suberitical to preclude inadvertent criticality in the shutdown condition.
An inadvertent boron dilution is .a moderate frequency i incident as defined in Reference 2. The core is initially suberitical with all CEAs inserted. A Chemical and Volume Control System malfunction occurs, which causes unborated
' ' - - ^ ~ ~ ' - - - " - - ^ '
water to be pumped to the RCS (continued) SAN ON0FRE--UNIT 3 -B 3.1-8 AMENDMENT NO. , La- - - _ _ _
SDK- T ,, 5 200* F B 3.1.2 ; BASES p.I' SURVEILLANCE SR 3.1.2.1 (continued)
- d. Fuel burnup based on gross thermal energy generation;
- e. Xenon concentration;
- f. Samarium concentration; and l
- g. Isothermal temperature coefficient (ITC).
Using the ITC accounts for Doppler reactivity in this ' calculation because the reactor is subcritical, and the fuel
. temperature will be changing at the same rate as that of the RCS.
INSERT" The Frequency of 24 hours is based on the generally slow change in required boron concentration, and it. allows sufficient time for the operator tq collect the required data, which includes performin a boron concentration analysis, and complete the cal ulation.
- 1. 10 CFR 50, Appendix A, GDC 26.
[ ., . REFERENCES
- 2. FSAR, Section 15.4.1.4.
b e N I
~ -
(continued) B 3.1-11 AMENDHENT NO. SAN ON0FRE--UNIT 3 e
^ - ~ ' - - - - - - - - . . _ _ _ , _ _ _ _
INSERT The reactivity effects of items c, d, e, and f above, are nominally constant, and are bound while the RCS boron j concentration is maintained greater than the refueling boron concentration specified for MODE 6 and all CEAs inserted. Therefore, a SDM a 3.0% is assured by determining at least once per 24 hours that: l
- a. The core has not been critical since the refueling (e.g. factors c through f are unchanged). !
- b. The reactor coolant system boron concentration is I greater than or equal to the refueling boron concentration required by TS 3.9.1(?) .
C. All CEAs are inserted. l l d. No more than one charging pump is functional, by verifying that power is removed from the remaining charging pumps, when the reactor coolant level is below 4 I the hot leg centerline. 1
n -- Reactiv_ijy Balance B 3.1.3 83.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Reactivity Balance ' BASES BACKGROUND According to GDC 26, GDC 28, and GDC 29 (Ref.1), reactivity . shall be controllable, such that, subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during nomal operation and anticipated operational occurrences. Therefore, a . reactivity balance is used to compare the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control element assembly (CEA) worth, or operation at Conditions not consistent with those assumed in the predictions of core reactivity, and could potentially r6sult in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, " SHUTDOWN MARGIN (SDM)-T y q > 200 F") in ensuring the reactor can be brought safely.,to sJ cold, subcritical conditions. When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state Sower conditions. The positive reactivity inherent in t1e core design is balanced by the negative ! reactivity of the control components, thermal feedback, ! neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the critical boron curve, which provides a prediction of the
~
soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement'of the RCS , boron concentration for comparison with the predicted value i with other variables fixed (such as CEA height, temperature, and power) provides a convenient method of ensuring that ! core reactivity is within design expectations, and that the ! calculational models used to generate the safety analysis , are adequate.
., (continued) .
SAN ONOFRE--UNIT 3 B 3.1 AMENDMENT NO. .
- 13. -
Reactivity Balance B 3.1.3 BASES O BACKGROUND In order to achieve the required fuel cycle energy output, (continued) . the ' uranium enrichment in the new fuel loading and in the fuel remaining from the previous cycle (s), provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. Whe the reactor is ' L..r . - . m ,j.the excess critical at RTP' M r i n t. positive reactivity is compensated by burnable absorbers, > CEAs, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concen.tration. When the core is producing THERMAL POWER, the fuel- is being depleted and excess reactivity is decreasing. As the fu.el depletes, the RCS boron con:entration is reduced to decrease hegative reactivity and ma'ntain constant THERMAL POWER. The critical boron curve is based on steady state operation ' at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design " analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated. APPLICABLE Accurate prediction of core reactivity is either an explicit SAFETY ANALYSES or implicit assumption in the accident analysis evaluations. 3 Every ~ accident evaluation (Ref. 2) is, therefore, dependent ' upon accurate evaluation of core reactivity. In particular, SDM, and reactivity transients such as CEA withdrawal accidents or CEA ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, _ operating plant data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods provide an
.. accurate representation of the core reactivity. ;
Design calculations and-safety analyses are performed for , each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for , reactivity control during fuel depletion. : The comparison between measured'and predicted initial core reactivity provides a normalization for~ calculational models i used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then 0 (continued) SAN ONOFRE--UNIT 3 B 3.1- AMENDHENT NO. IS :
Reactitity Balance B 3.1.3 , l BASES l O l l APPLICABLE the assumptions used in the reload cycle design analysis or l SAFETY ANALYSES the calculational models used to predict soluble boron ! (continued) requirements may not be accurate. If reasonable agreement ; between measured and predicted core reactivity exists at B0C, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted critical boron curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred. - The normalization of predicted RCS boron concentration to the measured value is to be performed prior to reaching 60 EFPD following startup from a refueling outage, with the CEAs in their normal positions for power operation. The normalization is performed near BOC, so that core reactivity relative to predicted values can be continually monitored and evaluated as core coriditions change during the cycle. The reactivity balance satisfies Criterion 2 of the NRC Policy Statement.
.)
LCO Large' differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the nuclear design methodology are larger than expected. A limit on the reactivity balance of i 1% Ak/k has been established, based on engineering judgment. A 11% Ak/k deviation in reactivity from that
. predicted is larger than expected for normal operation, and should therefore be evaluated.
When measured core reactivity is within 11% Ak/k of the predicted value at steady state thermal conditions, thd core is considered to be operating within acceptable design limits. Since deviatiens from the limit are detected by comparing predicted and measured,normally steady state RCS critical boron concentrations, the difference between measured and predicted values would be'approximately 100 ppm (depending on the boron worth) before the limit is reached. G (continued) O SAN ON0FRE--UNIT 3 B 3.1- AMENDMENT NO. It -
Reactivity Balance 2 B 3.1.3 ] BASES q LC0 These values are well within the uncertainty limits for l (continued) . analysis of boron concentration samples, so that spurious l violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely. APPLICABILITY The limits on core reactivity must be maintained during MODES I and 2 because a reactivity balance must exist when , the reactor is critical or producing THERMAL POWER. As the ! fuel depletes, core conditions are changing, and - , confirmation of the reactivity balance ' ensures the core is operating as designed. This Specification does not apply in MODES 3, 4, and 5 because the reactor is shut down and the reactivity balance is not changing. In MODE 6, fuel loading results in a continually changing ' core reactivity. Boron concentration requirements (LC0 3.9.1, " Boron Concentration") ensure that fuel movements are performed within the bo'unds of the safety analysis. A SDM demonstration is required by the LCS during , the first startup following operations that could have altered core reactivity (e.g., fuel movement, or CEA , replacement,orshuffling). r ACTIONS A.1 and A.2 Should an anomaly develop between measured and predicted ! core reactivity, an evaluation of the core design and safety i analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of , the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required .
~
Completion Time of 72 hours is based on the low probability of a DBA occurring during this period, and allows sufficient - time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis. Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be (continued) SAN ON0FRE--UNIT 3 8 3.1- AMENDHENT NO. II ' "t
Reactiv.ity Balance B 3.1.3 l BASES ACTIONS 'A.1 and A.2 (continued) resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to - demonstrate that core reactivity 'is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in.the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated and it is concluded that the
' reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized, and power operation may continue. . If operational restrictions or additional SRs are necessary to ensure the reactor core is acceptable for "
continued operation, then they must,be defined. The required Completion Time of 72 hours is adequate for preparing whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.
,7 .,
- ' B.1 If the core reactivity cannot be restored to within ;
11% Ak/k, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brougnt to at least MODE 3 within 6 hours. If the SDM for MODE 3 is not met, then boration as required by TS 3.1.1.1 ACTION A.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching
- MODE 3 from full power conditions in an orderly manner and
- without challenging plant systems.
SURVEILLANCE SR 3.1.3.1 REQUIREMENTS C. ore reactivity is verified by periodic comparisons of - measured and predicted RCS boron concentrations. The ' comparison is made considering that other core conditions are fixed or stable including CEA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration.
- (continued) k)
SAN ON0FRE--UNIT 3 8 3.1- AMENDMENT NO.
+
l Reactiv.ity Balance ; B 3.1.3 i BASES SURVEILLANCE SR 3.1.3.1 (continued) REQUIREMENTS
'The SR is modified by three Notes. The first Note indicates !
that the normalization of predicted core reactivity to the measured value (if performed) may take place within the . first 60 effective full power days (EFPD) after each fuel , loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark l for the design calculations. .The required subsequent ' Frequency of every 31 EFPD following the initial 60 EFPD after entering MODE 1, is acceptable, based on the slow rate of core changes due to fuel depletion and the presence of other indicators for prompt indication of an anomaly. A Note, "Only required after 60 EFPD," is added to the Frequency column to allow this. 'The Second Note indicates that the performance of SR 3.1.3.1 is not rec uired prior to-entering MODES 1 or 2. This Note is requirec to allow entry into MODES 1 or 2 to verify core reactivity because Applicability is for MODES 1 and 2. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
- 2. ' SONGS Units 2 and 3 UFSAR; Section 15.
l 1 SAN ON0FRE--UNIT 3 8 3.I- AMENDME T NO. 17 -
CEA Alignment B 3.1.5 8 3.1 REACTIVITY CONTROL SYSTEMS Control Element Assembly (CEA) Alignment !
' B 3.1.5 i BASES The OPERABILITY (e.g., trippability) of the shutdown and l BACKGROUND regulating CEAs is an initial assumption in all safety '
analyses that assume CEA insertion upon reactor trip. Maximum CEA misalignment is an initial assumption in the safety analyses that directly affects core power ' distributions and assumptions of available SDM. . i ity and power
.The apalicable criteria for these react v Appendix A,
.distrisution design requirements are 10 CFR 5 Criteria for Emergency Core Cooling Cooled Nuclear Power Plants" (Ref. 2 Mechanical or electrical failures My cause aCEA CEA to become' inoperable or to become misaligned from its group. l inoperability or misalignment may cause inc reduction in theCEA Therefore, total alignmentavailable CEA worth and operability are for reactor shutdown.
related to core operation in design power peaking limits and the core design requirement of a minimum SDM. . Limits on CEA alignment and operability have been established, and all CEA positions are monitored and controlled during power operation to ensure-that the power ; distribution and reactivity limits defined by the design power peaking and SOM limits are preserved. M**[g' ' CEAs are moved by their control element drive m pr ' rte 4dtLw9m
. (CEDMs). ~
t
% inch) at a time, but at varying rates St:;:Q20 C4.As de Drive Mechanism Control System (CE0MCS). '
I
& Partt g
( C4As p " The CEAs are arranged into groups that i are radia1 } 'F symetric.
. introduce radial asymetries in the core power distribut on.-
The shutdown and regulating CEAs provide the required reactivity worth for immediate reactor shutdown upon reactor trip). control during nonnal operation and (power level - l . (continued)
- AMENDMENT NO.
8 3.1-22 SAN ON0FRE--UNIT 3 . 9 84 r vs -g g *
- yye-eggr g sy g-y f S gt= g e op e terrispt aev-M #
y m r- w g _ ry p ** ,-+
- -r,m- w m-tee rvp *r- - *M*-+-***e -
_ yp,pr j
M m. .........+e... 4 _....w. - .. ...~w. =e .+. == * ** CEA Alignment B 3.1.5 l BASES l BACKGROUND transients. 9:f 70' : : .t .J. , k ~zM ::'r '^a+- " : _T
.(continued) ;t "- o-- '- "^ 7&'# ; S;;t;;. Part length CEAs are not credited in the safety analyses for shutting down the reactor, as are the regulating and shutdown grou s. The part length CEAs are used g;kigfor ASI control awwA Q ,g,.4y (w \sesQ <Wret d**rms noemd opsres'm aa,.4 mg.m ~.
The axial position of shutdown and regulating CEAs is indicated by two separate and independent systems, which are the Plant Computer CEA Position Indication System and the ) Reed Switch Position Indication. System. l l The Plant Computer CEA Position Indication System counts the comands sent to the CEA gripper coils from the CEDMCS that moves the CEAs. There is one step counter for each group of CEAs. Individual CEAs in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Plant Computer CEA Position .Ind.ication System is considered highly precise (t one step or i 14 inch). If a ' CEA does not move one step for each comand signal, tne step counter will still count the command and incorrectly reflect the position of the CEA. The Reed Switch Position Indication System provides a highly l t] accurate indication of actual CEA position, but at a lower precision than the step counters. This system is h::f :: # y a .;m ...i,- :--.'"
#-- a series of reed switches spaced along a tube with a center to center distance of 1.5 inches, which is two steos.- To increase the reliability of the system, there are redUndc.t reed switches at each position.
APPLICABLE CEA misal'gnment accidents are analyzed in the safety SAFETY ANALYSES analyds (Ref. 3). 'The accident analysis defines CEA misoperation as any event, with the exception of sequential y group withdrawals, which could result from a single
- malfunction in the reactivity control systems. For example, CEA misalignment may be caused by a malfunction of the CEDM, CEDMCS, or by operator error. A stuck CEA may be caused by mechanical jaming of the CEA fingers or of the gripper.
Inadvertent withdrawal of a single CEA may be caused by
- '-- ' " ' t-t * - ' 6:f. t :' th ~^" t:'. d ' ;; ;; M i
gM:;:7 : ' ' ' '
. ... , $. : ; :.:. ' ...,0. ~ .".. A dropped CEA
- Sm9l e m*I6ne.ts'ow of +A4. CE.DitCS er by c1scader e.rrer ,
(continued) d) SAN ONOFRE--UNIT 3 8 3.1-23 AMENDMENT NO.
=. ..
_ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ . _ __ )
w- mm;- wg a.i.-- s .aa. a- . w ..wa s : . .-n.s. sc-. .;;.,- . ;- CEA Alignment B 3.1.5 BASES O APPLICABLE subgroup could be caused by an electrical failure in the CEA SAFETY ANALYSES coil power programmers. (continued) The acceptance criteria for addressing CEA inoperability or r*salignment are that:
- a. There shall be no violations of:
- 1. specified acceptable fuel design limits, or
- 2. Reactor Coolant System (RCS) pressure boundary I integrity; and j I
- b. The core must remain subcritical after accident transients.
Three types of misalignment are distinguished. During movement of a group, one CEA may stop moving while the other CEAs in the group continue. This condition may cause excessive power peaking. The seccad type of misalignment occurs if one CEA fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to detennine that sufficient reactivity worth is held in the remaining CEAs to meet the SDM reauiraman+ mith g,5)* the maximum worth CEA stuck fully withdrawnFIf a CEA is stuck in the fully withdrawn position, its worth is added to the SDM requirement, since the safety analysis does not take two stuck CEAs into account. The third type of misalignment occurs when one CEA drops partially or fully into the reactor core. This event causes an initial power reduction followed by a return towards the original power due to positive reactivity feedback from the negative moderator temperature coefficient. Increased peaking during the power increase may result in excessive local linear heat rates l , (LHRs). Another type of misalignment occurs if one CEA fails to insert upon a reactor trip and remains stuck fully l, withdrawn. This condition is assumed in the evaluati.on to determine that the required SDM is met with the maximum worth CEA also fully withdrawn (Ref. 5). l l ' l (continued) l SAN ONOFRE--UNIT 3 B 3.1-24 AMENDMENT NO. 9
CEA Alignment B 3.1.5 BASES APPLICABLE The effect of any misoperated CEA on the core power 5AFETY ANALYSES distribution will be assessed by the CEA calculators, and an (continued) appropriately augmented power distribution penalty factor will be supplied as input to the core protection calculators (CPCs). As the reactor core responds to the reactivity changes caused by the misoperated CEA and the ensuing - reactor coolant and Doppler feedback effects, the CPCs will initiate a~ low DNBR or high local power density trip signal if specified acceptable fuel design limits (SAFDLs) are approached.
.Since the CEA drop incidents result in the most rapid approach to SAFDLs caused by a CEA misoperation, the accident analysis analyzed a single full length CEA drop, a single part length CEA drop, and a part length CEA subgroup drop. The most rapid approach to the DNBR SAFDL may be caused by either a single full length drop or a part length CEA subgroup drop depending upon initial conditions. The most rapid approach to the fuel centerline melt SAFDL.is caused by a single part length CEA drop.
In the case of the full length CEA drop, a prompt decrease ,.. in core average power and a distortion in radial power are
~) initially produced, which when conservatively coupled result in local power and heat flux increases, and a decrease in DNBR. For plant operation within the DNBR and local power density (LPD) LCOs, DNBR and LPD trips can normally be avoided on a dropped CEA.
For a part length CEA subgroup drop, a distortion in power distribution, and a decrease in core power are produced. As the dropped part length CEA, subgroup is detected, an gplg appropriate power distribution penalty bythe CPCs, and a reactor trip signallow on,DNBRMs. factor ismoy 4uppL bt- w generated. For the part length CEA drop, both core average power and three dimensional peak to average power density increase promptly. As the dropped part length CEA is detected, core power and an appropriately augmented power distribution penalty factor are supplied to the CPCs. I (continued) U SAN ON0FRE--UNIT 3 B 3.1-25 AMENDHENT NO.
y - . CEA Alignment B 3.1.5
. BASES (continued) j
. l ACTIONS A.1. A.2.1. A.2.2. A.3.1. a A.3.2. B.h D.l.L D.12E, mad D3 A CEA may become misaligned, yet remain trippable. In this condition, the CEA can still perform its required function of adding negative reactivity should a reactor trip be necessary. ,
If'one or more regulating CEAs are misaligned by 7 inches but trippable, continued operation in MODES 1 and 2 may continue, provided, within I hour, the power is reduced in' accordance with Figure 3.1.5-1, and SDM is a 5.15% Ak/k, and
'within 2 hours the misaligned CEA(s) is aligned within .
7 inches of its group or the misaligned CEA's aligned within 7 inches of the misaligneds). CEA(group is - w sM Xenon redistribution in the core starts to occur as soon as a CEA becomes misaligned. Reducing THERMAL POWER in accordance with 47: ? . . 5 ' (4 " +" :: x; x.7:.3 =' g 4he.CotJ ensures acceptable power distributions are maintained (Ref. 6). For small misalignments (< 7 inches) of M CEAd there is: *
- a. A small effect on the time dependent long term power distributions relative to those used in generating n)
-. LCOs and limiting safety system settings (LSSS) setpoints;
- b. A small effect on the available SDM; and
- c. A small effect on the ejected CEA worth used in the accident analysis.
WithalargeCEAmisalignment(a7 inches),however,this
. misalignment would cause distortion of the core power distribution. This distortion may, in turn, have a significant effect on:
- a. The available SDM; -
- b. The time dependent, long term power distributions relative to those used in generating LCOs and LSSS setpoints; and
- c. The ejected CEA worth used in the accident analysis.
(continued) t) SAN ON0FRE--UNIT 3 B 3.1-27 AMENDMENT NO.
CEA Alignment B 3.1.5 BASES 9.ljS.Lt. 2.1.1, wJ 3 3 O -l ACTIONS A .1. A . 2 .1. A . 2 . 2 . A . 3 .1. 2rf6 A . 3 . 2. (continued) Therefore, this condition is limited to the single CEA misalignment, while still allowing 2 hours for recovery. l In both cases, a 2 hour time period is sufficient to:
- a. Identify cause of a misaligned CEA;
- b. Take appropriate corrective action to realign the .
CEAs; and
,c . Minimize the effects of xenon redistribution.
In this condition, an additional allowance must be made for . the worth of the affected CEA when calculating the available .! SDM. With one or more misaligned CEAs, SDM must be verified l for CEAs at the existing nonaligned, positions. SDM is } calculated by performing a react ~ivity balanc'e calculation ; according to procedure, considering the listed effects in ! SR 3.1.1.1. This is necessary since the OPERABLE CEAs must i still meet the single failure criterion. If additional i negative . reactivity is required to provide the necessary : SDM, it must be provided by increasing the RCS boron ; concentration. One hour allows sufficient time to perform ' the SDM calculation and make any required boron adjustment' t to the RCS. l B.1. B.2.1. B.2.2. and B.3 1 If one or more shutdown CEAs are misaligned by > 7 inches but trippable, continued operation in MODES 1 and 2 may i continue, provided, within 1 hour, the power is reduced in . ;
'- accordance with Figure 3.1.5-1,- and SDM is a: 5.15% Ak/k..and within2hoursthemisalignedCEA(s)'isalignedwithin '
- 7. inches of its group. ,
. l C.I. C.2.1. and C.2.2 , ,
.If one or'more part length CEAs are misaligned by > 7 inches continued operation in MODES 1 and 2 may continue, provided power is reduced in accordance with the appropriate figure I within 1 hour, and within 2 hours the misaligned CEA(s).is
. (continued)
SAN ONOFRE--UNIT 3 B 3.1-28 AMENDMENT NO.
i; CEA Alignment B 3.1.5-BASES O ACTIONS C.I. C.2.1. and C.2.2 (continued
. restored to within 7 inches of its group, or the misaligned CEA's group is aligned within 7 inches of the misaligned CEA.
A ough a part length CEA has less of an effect on core ~ flux than a' full length CEA, a misaligned part length CEA l will still result in xenon redistribution and affect core power distribution. . Requiring realignment within 2 hours minimizes these effects and ensures acceptable power distribution is maintained.
" D1 The ACTION statements applicable to inoperable CEA position indicators permit continued operatipns when the positions of j CEAs with inoperable position indicators can be verified by-the " Full In" or " Full Out" limits: Setting the "RSPT/CEAC Inoperable" addressable constant in the CPCs to indicate to the CPCs that one or both of the CEACs is inoperable does l not necessarily constitute the inoperability of the RSPT rod indications from the respective CEAC. Operability of the ;
q CEAC rod indications is determined from the nonnal V surveillance. y of P M T \t*'1% If a Required Action <or associated Completion Time of Condition A, Condition B, Condition C or Condition D is not ' met, one regulating or shutdown CEA is untrippable, or more than one full length4CEA misaligned, the unit is required to be brought to MODE 3. By being brought to MODE.3, the unit ,
~
is brought outside its MODE of applicability. When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be comenced. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems. If a CEA.is .intrippable, it is not available for reactivity insercion dur.ng a reactor trip. With an untrippable CEA,
. . (continued)
+
SAN ONOFRE--UNIT 3 8 3.1-29 AMENDMENT NO. O
CEA Alignment B 3.1.5 i BASES
,o I t'
ACTIONS _E_d (continued) meeting the insertion limits of LCO 3.1.6, " Shutdown Control Element Assembly (CEA) Insertion Limits," and LCO 3.1.7,
" Regulating Control Element Assembly (CEA) Insertion Limits," does not ensure that adequate SDM exists.
Therefore, the plant must be' shut down in order to evaluate the SDM required boron concentration and power level for critical operation.
- Continued operation is not allowed in.the case of more than one CEA(s) misaligned from any other CEA in its group by
> 7 inches, or with one full length CE untrippable. This
'is because these cases are indicative of a h;; ;' "" ..Mcm
'-'" ' - ^ '
power distribution. = d ~ perF"-bf ours.de, % .n.+ig candtMens ysumaJ in
%e. sdMy ansiysis.
SURVEILLANCE SR 3.1.5.1 REQUIREMENTS Verification that individual CEA positions are within 7 inches (indicated reed switch positions) of all other CEAs in the group at a 12 hour Frequency allows the operator to detect a CEA that is beginning to deviate from its expected ; position. The specified Frequency takes into account other ! CEA position information that is continuously available to the operator in the control room, so that during actual CEA motion, deviations can immediately be detected. ; SR 3.1.5.2 ,
. OPERABILITY of at least two CEA position indicator channels is required to determine CEA positions, and thereby ensure compliance with the CEA alignment and insertion limits. The CEA full in and full out limits provide an additional :
independent means for determining the CEA positions when the CEAs are at either their fully inserted or fully withdrawn , positions. SR 3.1.5.3 Verifying each full length CEA is trippable would require that each CEA be tripped. In M.0 DES 1 and 2 tripping each- i (continued) SAN ON0FRE--UNIT 3 8 3.1-30 AMENDMENT NO. i i
.vw -, ,
1 Shutdown CEA Insertion Limits B 3.1.6 ' B 3.1 REACTIVITY CONTROL SYSTEMS l B 3.1.6 Shutdown Control Element Assembly (CEA) Insertion Limits BASES BACKGROUND The insertion limits of the shutdown CEAs are initial ' assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect' v core power distributions and assumptions of available SDM, ejected CEA worth, and initial reactivity insertion rate. The. ap)licable criteria for these reactivity and power distriaution design requirements are 10 CFR 50, Appendix A, ,
'GDC 10, " Reactor Design," and GDC 26, " Reactivity Limits" (Ref.1), and 10 CFR 50.46, " Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on shutdown CEA insertion have been established, and all CEA positions are monitored and controlled during power operation tb ensure that the ,
reactivity limits, ejected CEA worth, and SDM limits are preserved. The shutdown CEAs are arranged into grou)s that are radially symmetric. Therefore, movement of the slutdown CEAs does not introduce radial asymmetries'in the core power distribution. The shutdown and regulating CEAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip. I The design calculations are performed with the assumption that the shutdown CEAs are withdrawn prior to the regulating CEAS. The shutdown CEAs can be fully withdrawn without the core going critical. This.provides available negative reactivity for SDM in the event of boration errors. The shutdown CEAs are controlled manually r tr" :M::11fby ! the control room operator. During normal unit operation, the shutdown CEAs are fully withdrawn. The shutdown CEAs must be completely withdrawn from the core prior to - withdrawing regulating CEAs during an approach to
~
criticality. The shutdown CEAs are then left in this position until receipt of a reactor trip signal and they are ; inserted into the reactor core to add negative reactivity i and shutdown the reactor. ! i i (continued) Jt SAN ON0FRE--UNIT 3 8 3.1-34 AMENDMENT NO. ,
. , _ , . , --~-%m,., s.,m-,.ry-. ._,e-
Regulating CEA Insertion Limits. B 3.1.7 l B 3.1 REACTIVITY CONTROL SYSTEMS O' B 3.1.7 Regulating Control Element Assembly (CEA) Insertion Limits- l l BASES I BACKGROUND The insertion limits of the regulating CEAs are initial " assumptions in all safety analyses that assume CEA insertion upon reactor trip. The insertion limits directly affect core power distributions, assumptions of available SDM, and initial reactivity insertion rate. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10. " Reactor Design,"andGDC26,"ReactivityLimits"(Ref.1),and 10 CFR 50.46, " Acceptance Criteria for Emergency Core Cooling) (Ref. 2 . Systems for Light Water Nuclear Power Reactors" Limits on regulating CEA insertion have been established, . and all CEA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking, ejected CEA worth, reactivity insertion rate, and SDM limits are preserved.
) The regulating CEA groups operate with a predetennined amount of position overlap, in order to approximate a linear relation between CEA worth and position ' .. y ... -
L v. G . The regulating CEA groups are withdrawn and operate in a predetennined sequence. Specification 3.1.7 and the "g core Drotection calculato willnot'permitTGroup5)tobe " 9YC" W5 Mlimits
. inserted more than6 are specified in t Group The group sequence and overlap )
e COLR. E' Lee,g. ' agrowP (4,9,; The regulating CEAs are used for precise reactivity control of the reactor. The positions of the regulating CEAs are manually controlled. They are capable of addin very quickly (compared to borating or diluting)g reactivity The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10 CFR 50.46 (Ref. 2). Together, LCO 3.1.7; LCO 3.2.4,
" Departure from Nucleate Boilin LCO 3.2.5, " AXIAL SHAPE INDEX (g Ratio (DNBR)"; and ASI),"providelimitson control component operation and on monitored process variables to ensure the core operates within LC0 3.2.1, (continued)
SAN ONOFRE--UNIT 3 B 3.1-39 AMENDMENT N0. I
. . . . . ~ _ _ _ __ _ --
.- - - - - - - - _ _ , _ m . m., __
m Regulating CEA Insertion Limits B 3.1.7 BASES h, i APPLICABLE increased power peaking and corresponding increased local SAFETY ANALYSES .LHRs. (continued) The SDM requirement is ensured by limiting the regulating and shutdown CEA insertion limits, so that the allowable inserted worth of the CEAs is such that sufficient , reactivity is available in the CEAs to shut down the reactor ' to hot zero power with a reactivity margin that assumes the maximum worth CEA remains fully withdrawn upon trip (Ref.4). _
.1 Operation at the insertion limits or ASI may approach th, maximum allowable linear heat generation rate or peaking
' factor, with the allowed T, present. Operation at the insertion limit may also indicate the maximum ejected CEA worth could be equal to the limiting value in fuel cycles high ejected CEA worths.
that have sufficienti1 - - - -y The regulating and shutdown CEA insertion limits ensure that safety analyses assumptions for reactivity insertion rate, SDM, ejected CEA worth, and power distribution peaking factorsarepreserved(Ref.5). The regulating CEA insertion limits satisfy Criterion 2 of the NRC Policy Statement. The limits on regulating CEA sequence, r and physical LCO' insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected CEA worth is maintained, and ensuring adequate
- negative reactivity insertion on trip. The overlap between regulating banks arovides more uniform rates of reactivity insertion and wit 1drawal.hl : :;.Rud :.. ....id:!: 0
~~p+- m p~r ;nkit '9 ;;. 3A ni3 ::A ..m i m s The power dependent insertion limit (PDIL) alam circ 6it is required to be OPERABLE for notification that the CEAs are '
outside the required insertion limits. When the PDIL alam circuit is inoperable, the verification of CEA positions is increased to ensure improper CEA alignment is identified before unacceptable flux distribution occurs. N on.rkt of ths. Pewis**m3 growPs pa rg.f.e43 l
. {;greur martesak, m.o sm, e.a.
pr ud ee.PrwMcJec msseth itWM(continued) the. 5.q I' ol B 3.1-42 AMENDMENT NO. l SAN ONOFRE--UNIT 3 l l 4
Regulating CEA Insertion Limits B 3.1.7 BASES (continued) I APPLICABILITY The regulating CEA sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2. These limits must be maintained, since the preserve the assumed power distribution, ejected CEA wort , DM M p r ti i , . A ... m :e. assumptions. Applicability in MODES 3, 4, and 5 is not required, since neither the power distribution nor ejected CEA worth assumptions would be exceeded in these MODES. SDM is preserved in MODES 3, 4, and 5 by adjustments to the soluble boron concentration. This LCO is modified by a Note indicating the LCO requirement is suspended during SR 3.1.5.3. This SR
. verifies the freedom of the CEAs to move, and requires the regulating CEAs to move below the LCO limits, which would nomally violate the LCO.
ACTIONS A.1.1. A.1.2. A.2.1, and A.2.2 Operation beyond the transient insertion limit may result in a loss of SDM and excessive peaking factors. If the regulating CEA insertion limits are not met, then SDM must (^) be verified by perfoming a reactivity balance calculation, " considering the listed reactivity effects in Bases Section SR 3.1.1.1. One hour is sufficient time for conducting the calculation and comencing boration if the SDM is not within limits. The transient insertion Jimit should not 3e
. violated during normal operatiorf,thi: i;iet-;4 $ wever, veokf&s
,may occur during transients when the operator is manually controlling the CEAs in response to changing plant conditions. When the . regulating groups are inserted beyond either withdraw the regulating groups _
g the limits or thetransientinsertionlimits,actiong:p...betakento to reduce THERMAL POWER to less than or equal to that allowed for the actual CEA insertion limit. Two hours provides a reasonable time to accomplish this, allowing the operator to deal with current plant-conditions while limiting peaking factors to acceptable levels. B.1 and B.2 If the CEAs are inserted between the long term steady state insertion limits /the transient insertio n limits for an.fL (continued) O . SAN ONOFRE--UNIT 3 8 3.1'-43 AMENDMENT NO.
.i
Regulating CEA Insertion Limits B 3.107 BASES ACTIONS B.1 and B.2 (continued) intervals > 4 hours per 24 hour period, ' d +' :Sct t:q br+"dy:+:t: ';ns tM " 2 t: :;; _. A peakin can develop that are of immediate concern (Ref. 6)g factors Additionally, since the CEAs can be in this condition without misalignment, penalty factors are not 4,m . o i#S w.,1 by the core protection calculators to compensate for the developing peaking factors. Verifying the short term steady state insertion limits are not exceeded ensures that the peaking factors that do develop are within those allowed for
. continued operation. Fifteen minutes provides adequate time for the operator to verify if the short term steady state insertion limits are exceeded.
Experience has shown that rapid )ower increases in areas of the core, in which thet flux has ieen depressed, can result in fuel damage as the LHR in those areas rapidly increases. Restricting the rate of THERMAL POWER increases to s 5!s RTP per hour, following CEA insertion beyond the long tenn. steady state insertion limits, ensures the power transients experienced by the fuel will not result in fuel failure (Ref.7). -
/
C.1 With the regulating CEAs inserted between the long term
,f.c fe M steady' state insertion limit and the transient insertion limit =d i t' +': = r: :;;rn:M:;; t% 5 effective full p( power days (EFPD) per 30 EFPD, op14 EFPD per 365 EFPD ,
i iiii, u , Uic wie e L-- " ~~PM! ^ "a't -;1:nd -;;/ g b g yf=" " "'t% flux patterns outside those assumed in the long term burnup assumptions. In this case, the CEAs must be returned to within the long term steady state insertion limits, or the core must be placed in a condition in which the abnormal fuel burnu) cannot continue. A Completion Time of 2 hours is a reasona)le time to return the CEAs to within the long term steady state insertion limits. The required Completion Time of 2 hours from initial j discovery of a regulating CEA group outs.ide the limits until its restoration to within the long term steady state limits, i shown on the figures in the COLR, allows sufficient time for I (continued) Ui SAN ON0FRE--UNIT 3 8 3.1-44 AMENDMENT NO. 1 t
== -. - - . . - - . - . . - . . . .. ._:.. _. . Regulating CEA Insertion Limits B 3.1.7 l BASES ACTIONS C.1 (continued) gppp
' borated water to enter e Reactor Coolant System from the chemical addition and keup systems, and to cause the regulating CEAs to wit draw to the acceptable region. It is reasonable to continu operation for 2 hours after it is discovered that the S or 14-dedf EFPD limit has been exceeded. This Completion Time is based on limiting the potential xenon redistribution, the low probability of an accident, and the steps required to complete the action.
D.1.1. D.1.2. D.2.1. and D.2.2 If the regulating CEA insertion limits are not met, then SDM must be verified by performing a reactivity balance calculation, considering the effects in SR 3.1.1.1 bases. One hour is sufficient time for conducting the calculation and comencing boration if the SDM'is not within limits. With the Core Operating Limit Supervisory System out of service, operation beyond the short term steady state insertion limits can _ result in peaking factors that could
.) approach the DNB or local power density trip setpoints.
Eliminating this condition within 2 hours limits the magnitude of the peaking factors to acceptable levels (Ref.8). Restoring the CEAs to within the limit or reducing THERMAL. POWER to that- fraction of RTP that is allowed by CEA group position, using the lirr.its specified in the COLR, ensures acceptable peaking factors are maintained. E.1
~
With the PDIL circuit inoperable, performing SR 3.1.7.1 within 1 hour and every 4 hours.thereafter ensures improper CEA alignments are identified before unacceptable . flux distributions occur. F.1 When a Required Action cannot be completed within the required Completion Time, a controlled shutdown should be comenced. The allowed Completion Time of 6 hours is (continued)
)
SAN ONOFRE--UNIT 3 8 3.1-45 AMENDHENT NO.
)
Part length CEA Insertion Limits i B 3.1.8 i j B 3.1 REACTIVITY CONTROL SYSTEMS l B 3.1.8 Part Length Control Element Assembly (CEA) Insertion Limits l BASES BACKGROUND The insertion limits of the part length CEAs are initial assumptions in all safety analyses. The insertion limits directly affect core power distributions. The applicable criteria for these power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, " Reactor Design" (Ref.1), and 10 CFR 50.46, " Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Plants" (Ref. 2). Limits on part length CEA insertion have been establ-ished, and all CEA positions are monitored and controlled during power operation to ensure that the power distribution defined by the design power peaking limits is preserved. g yp The e ' g!'CEAs are used for, precis eactivity control of the reactor. The positions of the re;chtirgCEAs are manually controlled. They are capable of addin very quickly (compared to borating or diluting)g reactivity . The power density at any point in the core must be limited to maintain specified acceptable fuel design limits, including limits that preserve the criteria specified in 10 CFR 50.46 (Ref. 2). Together, LC0 3.13, ""q;L.../ Part l9N Control Element Assembly (CEA) Insertion Limits"; 4GO-3H=r8w . LC0 3.2.4, " Departure From Nucleate Boiling Ratio (DNBR)"; and LC0 3.2.5, " AXIAL SHAPE INDEX (ASI)," provide limits on control component operation and on monitored process variables to ensure the core operates within the linear heat rate (LHR) (LCO 3.2.1, " Linear Heat Rate (LHR)"); planar
' peaking factor an Factors (Fxy)"); (F,y)d LC0 3.2.4 limits in the COLR.(LCO 3.2.2, " Plan l
Operation within the limits given in Fi;tn ?. M of the COLR prevents power peaks that would exceed the loss of
? coolant accident (LOCA) limits derived by the Emergency Core f CoolingSystemsanaljsis. Operation within the F,y and 9 departure from nucleate boiling (DNB) limits given in the COLR prevents DNB during a loss of forced reactor coolant flow accident. _
The establishment of limiting safety system settings and LCOs requires that the expected long and short term behavior (continued) SAN ONOFRE--UNIT 3 B 3.1-48 AMENDHENT NO. 4 e
~ +w . ,%.. mr .--a--- ogqm. * **se= ==essee
Part length CEA Insertion Limits B 3.1.8 4 BASES APPLICABLE d. The CEAs must be capable of shutting down the reactor SAFETY ANALYSES . with a minimum required SDM, with the highest worth CEA stuck fully withdrawn, GDC 26 (Ref. 1). (continued) , Regulating CEA position, part length CEA position, ASI, and T, are process variables that together characterize and control the three dimensional power distribution of the reactor core. Fuel cladding damage does not occur when the core is operated outside these LCOs during nonnal operation. However, fuel cladding damage could result, should an accident occur with simultaneous violation of one or more of
'these LCOs. Changes in the power distribution can cause ,
N y %tkc,gA eased power peaking and corresponding increased local , ocstrtien lehe*rs we w., e i EA insertiot limiti s tisfy driterioi 2_of _ St Onakscs asswenybgThe1he_NRC )olic.y 1:atament./Ttre ~patt' length 'C Ws TrrrFqtnred" ser Gje4.ted @ dtre to ne poteniial~peiking factor violations that could mg g pw r. ccur if part length.CEAs exceed insertion limits. - ~ ~ c[.StrMe'en p, P",4 -Q , :- l LC0 The limits on part length CEA insertion, as defined in the f COLR, must be maintained because they serve the function of preserving power distributionja $.mi e.asorey de e,gwed C.,s4 leegdg. wh. ss assen+een.) s6 l APPLICABILITY- The part length insertion limits shall be' maintained with the reactor in MODE 1 > 20% RTP. These limits must be maintained, since they preserve the assumed power W :g, % e.J distrib1tioit Applicability dn lower MODES is not required,
~
g , g ' since t.ie power distribution (ssumgions would Is not be**.a 16% RTP sal
, ,g ,g exceeded in'these MODES.
I'"'D'46:c TM[LCO has been modified by a Note suspending the LCO requirement while exercising part' length CEAs. Exercising l FT ., ' M./ part length CEAs may require moving them outside their'
""W 1 i.nsertion limits.
3*
~
(continued)
~
v 8 3.1-50 AMENDMENT NO. SAN ON0FRE--UNIT 3
Boration Systems - Operating B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEM l 7' B 3.1.9 Boration Systems - Operating BASES l The boron injection system ensures that negative The reactivity controlrequired components is to : available during each mode of facility operation. perform this function include 1) borated water sources, 2) charging pumps, 3 separate flow paths, 4) boric acid makeup pumps, and 5) an emergency power supply from OPERABLE diesel generators. With the RCS average temperature above 200 F, a minimuiii of two separate anc redundant b'oron injection systems are provided to ensure single functional capability the event an assumed failure renders one of the systems inoperable Allowable out-of-service periods ensure that minor component repair or corrective action may be completed without undue risk to overall facility safety from in.iection system failures during the repair period. The boration capability of'either system is sufficient to provide a. SHUTDOWN MARGIN from expected operating conditions of 3.0% delta k/k after xenon decay The maximum expected boration capability requirements and cooldown to 200*F. occurs at E0L from full power equilibrium xenon conditions and requires boric acid solution from the boric acid makeup tanks in the allowable concentration and volumes of Specification 3.1.9 plus approximately 13,000 gallons of 2350 ppm borated water from the refueling water tank or approximately 26,000 s. gallons of 2350 ppm borated water from the refueling water tank alone. With the RCS temperature below 200*F one injection system is acceptable without single failure consideration on the basis of the stable reactiv ty condition of the reactor and the additional restrictions prohibiting CORE ALTERATIONS and positive reactivity changes in the event the single injectio system becomes inoperable. _ The boron capability required below 200 F is based upon providingThis a 3% delt K/k SHUTDOWN MARGIN after xenon decay and cooldown from 200'F to 140*F. condition requires 4150 gallons of 2350 ppm borated water from either the efueling water tank or boric acid solution from a boric acid makeup tank. The water volume limits are specified relative to the top of the highest suction connection to the tank. (Water volume below this datum is not considered recoverable for purposes of this specification.) Vortexing, internal structures and instrument error are considered in determining the tank level corresponding to the speci' led water volume limits.
~ ~
(continued) 8 3.1-53 AMENDMENT NO. SAN ONOFRE--UNIT 3 A - _ _ _ _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ - - _ __.. --___o- eea.. w.-, away te amm erge wat+e.r at t T *T**Ps a Ne---- C
Boration Systems - Operating B 3.1.9 s BASES (continued) rW
- W r: m ,
The OPERABILITY of one boron injection system during REFUELING ensures th this system is available for reactivity control while in MODE 6. The limits on water volune cd boron concentration of the RWST also ensure a , pH value greater than 7.0 fcr the solution recirculated within containment l after a LOCA. This pH minimizes the effect of chloride and caustic stress ' The maximum RWST volume is
~
corrosion on mechanical systems and components. not specified since analysis of pH limits and containment flooding post-LOCA considered RWST overflow conditions. , AMENDHENT NO. .. SAN ONOFRE--UNIT 3 8 3.1-54
Boration Systems - Shutdown < B 3.1.10 B 3.1 REACTIVITY CONTROL SYSTEM n) B 3.1.10 Boration Systems - Shutdown l BASES _ The boron injection r.ystem ensures that negative reactivity control t is ired to available during each mode of facility operation. The com charging pumps, 3) perform this function include 1) borated water sources, 2)ponen s l l separate flow paths, 4) boric acid makeup pumps, and 5) an emergency power supply from OPERABLE diesel generators. With the RCS average temperature above 200 F, a minimum of two separate and redundant boron injection systems are provided to ensure single functional capability the event an assumed failure renders one of the systems inoperable. Allowable out-of-service periods ensure that minor component repair or corrective action may be completed without undue risk to overall facility safet The toration capability of either system is sufficient to provide a SHUlDOWN MARGIN.from expected operating conditions of 3.0% delta k/k after xenon decay-The maximum expected boration capability requirements and cooldown to 200 F. occurs at EOL from full power equilibrium xenon conditions and requires boric acid solution from the boric acid makeup tanks in the allowable concentration and volumes of Specification 3.1.9 plus approximately 13,000 gallons of 2350 ppm borated water from the refueling water tank or approximately 26,000 gallons of 2350 ppm borated water from the refueling & m_ i . water m m tank alone. With the RCS temperature below 200*F one injection system is acceptable without single failure consideration on the basis of the stable reactivity condition of the reactor and the additional restrictions prohibiting CORE ALTERATIONS and positive reactivity changes in the event the single injection system becomes inoperable., .Whu .tspudig posess rs%tivit % ps NPmWft' 4.suainens de no? Mat 4 % hs, conspdwtet . y s The boron capability required below 200*F is based upon providing a 3% delta This K/k SHUTOOWN MARGIN after xenon decay and cooldown from 200*F to 140*F. condition requires 4150 gallons of 2350 ppm borated water from either the refueling wa tank or oric ac d solution from a boric acid makeup tank. The water volume 1 mits are saecifie relative to the top of the highest ' suction connection to the tank. (Watervolumebelowthisdatumisnot considered recoverable for purposes of this specification.) Vortexing, internal structures and instrument error are considered in determining the tank level corresponding to the specified water volume limits. s (continued)
~
AMENDMENT NO. SAN ON0FRE--UNIT 3 B 3.1-55 ,
l Borated Water SourcQs - Shutdown B 3.1.11 ' B 3.1 REACTIVITY CONTROL SYSTEM , - B 3.1.11 Borated Water Sources - Shutdown i BASES
=
The boron injection system ensures that negative The reactivity com control t is ired to available during each mode of facility operation. charging pumps, 3) perform this function include 1) borated water sources, 2)pon separate flow paths, 4) boric acid makeup pumps, and 40 an emergency power supply from OPERABLE diesel generators. a minimum of two separate and With the RCS average temperature above 20 *F redundant boron injection systems are provided to ensure single functional capability the event an assumed failure renders one of the systems inoperable. Allowable out-of-service periods ensure that minor component repair or corrective action may be~ completed without undue risk to overall facility safety from injection system failures during the repair p f The boration capability of either system is sufficien't to provide a SHUT 00WN MARGIN from expected operating conditions of'3.0% delta k/k after xenon decay The maximum expected boration capability requirement and cooldown to 200*F. occurs at E0L from full power equilibrium xenon conditions and requires boric , acid solution from the boric acid makeup tanks in the allowable concentration y i" and volumes of Specification 3.1.11 plus approximately 13,000 gallons of 2350 ppm borated water from the refueling water tank or approximately 26,000 gallons of 2350 ppm borated water from the refueling water tank alone.y With the RCS temperature below 200 F one inject on system is acceptable without single failure consideration on the basis of the stable reactivity condition of the reactor and the additional restrictions prohibiting CORE ALTERATIONS and positive reactivity changes in the event the single injection system becomes inoperable. i f The boron capability required below 200*F is based upon providing a 3% delta This i K/k SHUTDOWN MARGIN after xenon decay and cooldown from 200*F to 140*F. ) condition requires 4150 gallons'of 2350 ppm borated water from either the l refueling water tank or boric acid solution from a boric acid makeup tank. The water volume limits are specified relative to the top of the highest suction connection to the tanc. (Water volume below this datum is not considered recoverable for purposes of this specification.) Vortexing, internal structures and instrument error are considered in determining the tank level corresponding to the specified water volume limits. T b etguire) Muk.4, of berated w*te Pesai k re u t.' ) as* ? sose aa ,.u,r m.s,su ,r..n os %%
.~ .-
(continued) Marv4 hee. i 8 3.1-57 AMENDMENT NO. SAN ONOFRE--UNIT 3
Borated Water Sources - Shutdown B 3.1.11
~
BASES (continued) The OPERABILITY of one boron injection system during REFUELING ensures that this system is available for reactivity control while in MODE 6. v.v v - The limits on water volume and boron concentration of the RWST also ensure a pH value greater than 7.0 for the solution recirculated within containment after a LOCA. This pH minimizes the effect of chloride and caustic stress corrosion on mechanical systems and components. The maximum RWST volume is not specified since analysis of pH limits and containment flooding post-LOCA 9
~
B 3.1-58 AMENDHENT NO. SAN ON0FRE--UNIT 3
STE-MGOES 2 ana 3 B 3.1.12 .,
?
BASES core are consistent with the design predictions and that the core can be operated as designed (Ref. 4). I PHYSICS TESTS procedures are writtenThe and procedures approved ininclude accordance with established fomats.
- all information necessary to pemit a detailed execution of testing required to ensure that the design intent is met.
PHYSICS TESTS are perfomed in accordance with these procedures and test results are approved prior to continuedExamples of power escalation and long tem power operation. j j PHYSICS TESTS include detemination of critical boron concentration, CEA group worths, reactivity coefficients, - { flux symetry, and core power distribution. It is acceptable to suspend certain LCOs for PHYSICS
'-- =^+ = "aadad ':. TESTS
- on,~
l APPLICABLE #"^' d="^^': because ::: '/^: f
" "'55 'EE'? "i +' --- ^
SAFETY ANALYSES tr ; s . i,.ts.a~ , "..~.,
,,,,.7.
< w '9g;- l.4+. m pme ;;; emy 4,
A Q d:q::Miimits on powe 2:t:iL;im and shutdown capability are maintaine during PHYSICS Gn.e 4 TESTS.
' i
) Reference 5 defines the requirements for initial testing of l the facility, including PHYSICS TESTS. Requirements for ' ( reload fuel cycle PHYSICS TESTS are. defined in f l PHYSICS TESTS for reload ! ANSI /ANS-19.6.1-1985 (Ref. 4). fuel cycles are given in Table 1 of ANSI /ANS-19.6.1-1985. l' Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long As long as the as the fuel design criteria are not violated. linear heat rate (LHR) remains within its limit, fuel design criteria are preserved. In this test, the following LCOs are suspended:
> 200*F"; and
- a. LCO 3.1.1, " SHUTDOWN MARGIN (SDM) -T,,,
- b. LCO 3.1.4, " Moderator Temperature Coefficient (MTC)";
- c. LC0 3.1.5, " Control Element Assembly (CEA) Alignment";
- d. LCO 3.1.6, " Shutdown Control Element Assembly (CEA)
Insertion Limits"; 4 4 . AMENDHENT NO. B 3.1-60 SAN ON0FRE--UNIT 3
STE-MODES 2 and 3 l B 3.1.12 ; I Q BASES
- e. LCO 3.1.7, " Regulating Control Element Assemb.ly (CEA)
. Insertion Limits."
- f. LC0 3.1.8, "Part length CEA Insertion Limits";
- g. LCO 3.3.1, "RPS Instrumentation - Operating," '
Table 3.3.1-1, ALLOWABLE VALUE for FUNCTION 2 and footnote (d) for FUNCTIONS 14 and 15. i Therefore, this LCO places limits on the minimum amount of ' CEA worth required to be available for reactivity control when CEA worth measurements are performed. eight, The individual insertion, LCOs and alignment and cited above govern MTC. Additionally, thq. SDN, CEA governing Reactor Coolant System (RCS) flow, reactof inlet temperature Te, and pressurizer pressure contribute to maintaining departure from nucleate boiling (DNB) parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46,
" Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 6). The criteria for the loss of forced reactor coolant flow accidents are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria.
SRs are conducted as necessary to ensure that LHR and DNB parameters remain within limits during PHYSICS TESTS. Performance of these SRs allows PHYSICS TESTS to be conducted without decreasing the margin of safety. Requiring that shutdown reactivity equivalent to at least the highest estimated CEA worth (of those CEAs actually
; withdrawn) be available for trip insertion from the OPERABLE y CEAs, provides a high degree of assurance that shutdown capability is maintained for the most challenging postulated accident, a stuck CEA. Since LCO 3.1.1 is suspended,
'how'ever, there is not the same degree of assurance during this test that the reactor would always be shut down if the APPLICABLE highest worth CEA was stuck out and calculational SAFETY ANALYSIS uncertainties or the estimated highest CEA worth was not as (continued) expected (the single failure criterion is not met). , ,
i Thisf'tuati.on is judged acceptable, however, because d u.
#"=1 d==y "M : n: _ ::: ;;"' The.
- g g , !:d :::; 9 1-g h S
*. % %A59n = i,basis
,x arm. wan+ M w arIS 8 3.1-61 AMENDMENT NO.
SAN ONOFRE--UNIT 3 _. _ _ _ _ _ _ _ -. _m_.
STE-MODES 2 and 3 l l BASES risk of experiencing a stuck CEA and subsequent criticality is reduced during this PHYSICS TEST exception by the requirements to determine CEA positions every 2 hours; by the trip of each CEA to be withdrawn within 7 days prior to suspending the SDM; and by ensuring that shutdown reactivity equivalent to the reactivity worth of the estimated highest worth withdrawn CEA (Ref. 5) is available every 2 hours. PHYSICS TESTS include measurement of core parameters or exercise of control components that affer.t pracess variables. Among the process variables invvived are total planar radial peaking factor, total integrated radial peaking factor, T , and ASI, which represent initial condition input (power leaking) to the accident analysis. Also involved are the slutdown and regulating CEAs, which affect power peaking and are required for shutdown of the reactor. The limits for these variables are specified for each fuel cycle in the COLR. ,, PHYSICS TESTS meet the criteria for inclusion in the Technical Specifications since the components and process variable LCOs suspended during PHYSICS TESTS meet criteria 1, 2, and 3 of the NRC Policy Statenent. , LC0 This LCO provides that a minimum amount of CEA worth is imediately available for reactivity control when-ce racchdPHyWis ggy ---- - --* ^ ^* are perfonned. This STE is required to permit the periodic verification of the actual versus predicted core reactivity condition occurring as a result of fuel burnup or fuel cycling operations. The requirements of LCO 3.1.1, LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, LCO 3.1.7, LCO 3.1.8, and LCO 3.3.1 (Adjustment of 10'*% Bistable to 55% and Adjustment of Hi Log Power Trip to 55%) may be suspended. { APPLICABILITY This LCO is applicable in MODES 2 and 3. Although PHYSICS TESTS are conducted in MODE 2, sufficient negative reactivity is inserted during .the performance of surveillance 3.1.12.2 to result in temporary entry into HODE 3. Be'cause the intent is to immediately return to . , se, B 3.1-62 AMENDMENT NO. SAN ONOFRE -UNIT 3 I
STE-MODES 2 and 3 B 3.1.12 Q BASES rei tests ,
...e m , the STE allows
. MODE 2 to continue ~ ' __.......- .. ;
~
limited operation to 6 consecutive hours in MODE 3 as indicated by the Note, without having to borate to meet the SDM requirements of LCO 3.1.1. ACTIONS A1 With any CEA not fully inserted and less than the minimum
- required reactivity ecuivalent available for insertion, or ,
with all CEAs insertec and the reactor suberitical by less , than the reactivity equivalent of the. highest worth
' withdrawn CEA, restoration of the minimum SDM requirements must be accomplished by increasing the RCS boron concentration. The required Completion Time of 15 minutes for initiating boration allows the operator sufficient time to align the valves and start the boric acid pumps and is ,
consistent with the Completion Time of LCO 3.1.1. SURVEILLANCE SR 3.1.12.1 REQUIREMENTS Verification of the position of each partially or fully withdrawn full length or part length CEA provides assurance that the CEAs are in the expected positions through the . PHYSICS TESTS. A 2 hour Frequency is sufficient to verify that each CEA position is acceptable. SR 3.1.12.2
~
Prior demonstration that each CEA to be withdrawn from the i core during PHYSICS TESTS is capable of full insertion, when ; tripped from at least a 50% withdrawn position, ensures that ~ the CEA will insert on a trip signal. The 7 day Frequency A ensures that the CEAs are OPERABLE prior to reducing SDM to
.F less than the limits of LCO 3.1.1.
SURV "LLANCE SR 3.1.12.3 REQUI! EMENTS (con' inued) Verifying that the required shutdown reactivity equivalent . J of at least the highest estimated CEA worth (of those CEAs actually withdrawn) is available ensures that the shutdown capability is preserved. A 2 hour Frequency is sufficient to verify the appropriate acceptance criteria. SAN ON0FRE--UNIT 3 B 3.1-63 AMENDMENT NO. __ _a ,_
ST Eo,- MOD, nE 1 BASES , core are consistent with the design predictions and that the core can be operated as designed (Ref. 4). BACKGROUND PHYSICS TESTS procedures are written and approved in accordance with established formats. The procedures include (continued) all infonnation necessary to permit a detailed execution of testing required to ensure that design intent is met. .' PHYSICS TESTS are perfo'nned in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS TESTS include determination of critical boron concentration, CEA group worths, reactivity I coefficients, flux symetry, and core power distribution. l APPLICABLE It is acceptable to suspend certain.LCOs for PHYSICS TESTS ' SAFETY ANALYSES because ful de..wi-criteri; -. = m wwstdsd.- Len : . oi g yeridan+ nernve Anrinn PWVRf rR TFCTR wf 9 -ca? ?- - ;7; 'A g ' I"*"?" dad , #"Ol demagc uia6cisa are picserveu uccouss Oy
*JJa*=J limitson !!=r h=; d*M,mmaintained during PHYSICS M **(***
TESTS
- l Peadsc .L.Or.6m , %
Reference 5 defines requirements for initial testing of the , facility, including PHYSICS TESTS. Requirements for reload l l fuel cycle PHYSICS TESTS are defined in ANSI /ANS-19.6.1-1985 l (Ref. 4). Although these PHYSICS TESTS are generally ' accomplished within the limits of all LCOs, conditions may ; occur when one or more LCOs must be suspended to make l completion of PHYSICS TESTS possible or practical. This is i I acceptable as long as the fuel design criteria are not ' violated. As long as the linear heat rate (LHR) remains l within its limit, fuel design criteria are preserved. During PHYSICS TESTS, the following LCOs may be suspended: g LCO 3.1.7, " Regulating Control Element Assembly (CEA) Insertion Limits (Fly)";
% LCO 3.1.8, "Part length Control Element Assembly (CEA)
Insertion Limits"; Factors"; i
' LC0 LCO 3.2.2, 3.2.3, " Planar POWER
" AZIMUTHAL Radial TILT Peaking (T,)"; and l LCO 3.2.5, " Axial Shape Index".
(continued) , i < ! I Ni B 3.1-66 AMENDMENT NO. SAN ONOFRE--UNIT 3
N B 3.1.13 BASES I The safety analysis (Ref. 6) places limits on allowable I APPLICABLE ! SAFETY ANALYSES THERMAL POWER during PHYSICS TESTS and requires that the LHR parameter be maintained within limits. The power plateau of l (continued) 5 85% RTP ensures that LHR is maintained within acceptable i limits. The individual LCOs governing CEA grouPT+I insertion h-f % ~.,, ASI, total planar radial peaking factor,
- f!:1 ;: " ; '::t , and T , preserve the WLHR + limits.' A tAdditionally,
; t:f the LCOs governing Reactor Coolant System (RCS) flow, reactor inlet temperature (Te),
and pressurizer pressure contribute to maintaining DNB
. parameter limits. The initial condition criteria for accidents sensitive to core power distribution are preserved by the LHR and DNB parameter limits. The criteria for the loss of coolant accident (LOCA) are specified in 10 CFR 50.46, " Acceptance Criteri.a for Emergency Core Cooling)
(Ref. 7 . The Systems criteria for fo.rLight Water the loss Nuc.reactor of forced lear Power Reactors coolant flow accident are specified in Reference 7. Operation within the LHR limit preserves the LOCA criteria; operation within the DNB parameter limits preserves the loss of flow criteria. During PHYSICS TESTS, one or more of the LCOs that nonnally preserve the LHR and DNB parameter limits may be suspended. The results of the accident analysis are not adversely impacted, however, if LHR is verified to be within its limit while the LCOs are suspended. Therefore, SRs are placed as necessary to ensure that LHR remains within its limit during PHYSICS TESTS. Performance of these Surveillances allows PHYSICS TESTS to be conducted without decreasing the margin of safety. PHYSICS TESTS include measurement of core parameters or exercise of control components that affect process . variables. Among the process variables involved are total
* 's planar radial peaking factor,10td Stegrated.nadiakr
.- ;)peakug-f::t:r, T , and ASI, which represent initial
. condition input (power peaking) to the accident analysis.
Also involved are th Mf:#,and regulating CEAs, which affect power peaking nd are required for shutdown of the reactor. The limit for these variables are specified for each fuel cycle in 1 he COLR. N !**jn-(continued) B 3.1-67 AMENDMENT NO. SAN ON0FRE--UNIT 3 A
. . . . . . . . . ~ . . ..,.. . . . - . . _ . , , ,
STE -H00E 1 B 3.1.13 l BASES - I APDLICABLE PHYSICS TESTS meet the criteria for inclusion in the SAFETY ANALYSES . Technical Specifications, since the component and process li variable LCOs suspended during PHYSICS TESTS meet ' (continued) Criteria 1, 2, and 3 of the NRC Policy Statement. rev o LCO This LCO pemits individual CEA# to be positioned outside of their nomal group heights and insertion limits during the perfomance of PHYSICS TESTS, such as those required to:
- a. Measure CEA worth;
- b. Detemine the reactor stability index and damping :
factor under xenon oscillation conditions;
- c. Determine power distributions for rodded CEA configurations;
- d. Measure rod shadowing factors; and
- e. Measure temperature and power coefficients.
~ r yce%%h-Additionally, it permits the center CEA to be misaligned s
during PHYSICS TESTS to detemine the isothermal temperature coefficient (ITC), MTC, and power
-r coefficient.
e y - The requirements of LCO 3.1.7, LCO 3.1.8, LCO 3.2.2, LCO 3.2.3, and LCO 3.2.5 may be suspended during the perfomance of PHYSICS TESTS provided:
- a. THERMAL POWER is restricted to test power plateau, which shall not exceed 8% RTP; and
- b. LHR does not exceed the limit specified in the COLR.
APPLICABIL f This LCO is applicable in MODE 1 because the reactor must be
,!, critical at various THERMAL POWER levels to perfom the PHYSICS TESTS described in the LCO section. Limiting the test power plateau to 5 8% RTP ensures that LHR is maintained within. acceptable limits. ,
l I (continued) ,, j U
~ _ -
B 3.1-68 AMENDMENT NO. SAN ONOFRE--UNIT 3 e 9
we%a B 3.1.13 p BASES (continued) ACTIONS A.1 If THERMAL POWER exceeds the test power plateau in MODE 1, THERMAL POWER must be reduced to restore the additional thermal margin provided by the reduction. The 15 minute Completion Time ensures that prompt action shall be taken to reduce THERMAL POWER to within acceptable limits. B.1 If the LHR requirement is not met, THERMAL POWER must be reduced promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. Power reduction will continue until the LHR is within the limit. C.1 and C.2 If Required Action A.1 or B.1 cannot be completed within the required Completion Time, PHYSICS TESTS must be suspended within 1 hour, and the reactor must be brought to MODE 3. Allowing i hour for suspending PHYSICS TESTS allows the operator sufficient time to change any abnormal CEA configuration back to within the limits of LCO 3.1.7 and LC0 I 3.1.8. Bringing the reactor to MODE 3 within 6 hours increases thent,al margin and is consistent with the Required Actions of the power distribution LCOs. The required Completion Time of 6 hours is adequate for perfonning a controlled shutdown from full power conditions in an orderly manner and without challenging plant systems, and is consistent with the power distribution LCO Completion Times.
~
SURVEILLANCE SR 3.1.13.1 REQUIREMENTS Verifying that THERMAL POWER is equal to or less than that allowed by the test power plateau, as specified in the PHYSICS TEST procedure .and-eegtrived47the= Safety-analysW ((. r-ensures that adequate LHR margin is maintained while LCOs are suspended. The 1 hour Frequency is sufficient, based upon the slow rate of power change and increased operational controls in place during PHYSICS TESTS. Monitoring LHR ensures that the limits are not exceeded. e
+
SAN ON0FRE--UNIT 3 8 3.1-69 AMENDMENT NO. l
'*9 *' e '" mi3e-SM meM4* Wr - eee _ ee
STE - Center CEA Misalignment and Regulating CEA Insertion Limits B 3.1.14
^
(' B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.14 Special Test Exceptions (STE) - Center CEA Misalignment and ,
. Regulating CEA insertion Limits l
BASES BACKGROUND The primary purpose of the Cent r CEA Hisalignment and h Regulating CEA insertion Limits s to pemit relaxation of existing LCOs to allow the perfonnance of PHYSICS TESTS. These tests are conducted to determine the isothermal i temperature coefficient, moderator temperature coefficient : and power coefficient. i Section XI of 10 CFR 50, Appendix B, " Quality Assurance ! Criteria for Nuclear Power Plants and Fuel Processing i Plants" (Ref.1), requires that a test program be ;
. established to ensure that structures, systems, and components will perfom satisfactorily in service. All functions necessary to ensure that specified design .
conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. Testing ; is required as an integral part of the design, fabrication, ' construction, and operation of the power plant. Requirements for notification of the NRC, for the purpose of ! conducting tests and experiments, are specified in 10 CFR 50.59, " Changes, Tests, and Experiments" (Ref. 2). The key objectives of a test program are to (Ref. 3):
- a. Ensure that the facility has been adequately designed; '
b., Validate the analytical models used in design and analysis;
- c. Verify assumptions used for predicting plant response; s
\
Y if. Ensure that installation of equipment in the facility O has been accomplished in accordance with the design; and
- e. Verify that operating and emergency procedures are i adequate. l l
9 (continued)~ a l SAN ONOFRE--UNIT 3 B 3.1-71 AMENDMENT NO. ! i
. .n .. .
l
STE-Center CEA Misalignment and 1 Regulating CEA Insertion Limits B 3.1.14
- BASES BACKGROUND To accomplish these objectives, testing is required prior to initial criticality and after each refueling shutdown during (continued) startup, low power operation, power ascension, and at power operation. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core un be operated as designed (Ref. 4).
rHYSICS TESTS 3rocedures are written and approved in i accordance wit) established formats. The procedures include j all infonnation necessary to permit a detailed execution of
. testing required to ensure that the design intent is met.
PHYSICS TESTS are performed in accordance with these { procedures and test results are approved prior to continued power escalation and long term power operation. Examples of PHYSICS. TESTS include determination of critical boron concentration, CEA group worths,' reactivity coefficients, flux symetry, and core power . distribution. APPLICABLE It is acceptable to suspend certain LCOs for PHYSICS TESTS SAFETY ANALYSES because fuel damage criteria are not exceeded. Even if an accident occurs during PHYSICS TESTS with one or more LCOs suspended, fuel damage criteria are preserved because adequate limits on power distribution and shutdown capability are maintained during PHYSICS TESTS. Reference 5 defines the requirements for initial testing of the facility, including PHYSICS TESTS. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI /ANS-19.6.1-1985 (Ref. 4). PHYSICS TESTS for reload fuel cycles are given in Table 1 of ANSI /ANS-19.6.1-1985. Although these PHYSICS TESTS are generally accomplished within the limits of all LCOs, conditions may occur when one or more.LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as I the fuel design criteria are not violated. As long as the linear heat rate (LHR) and departure from W Mboiling ratio (DNBR) remains within their limitf fuel design criteria are preserved. nyg,,[g44 g, (continued) 8 3.1-72 AMENDMENT NO. SAN ON0FRE--UNIT 3
RPS .?strumentation-Operating B 3.3.1
') BASES BACKGROUND Measurement Channels (continued) bistables, and most provide indication in the control room.
Measurement channels used as an input to the RPS are not used for control functions h afe, s e m m d et a &A povrh. ou p s 4 e--- APS/r5FA5 When a channel monitoring a parameter exceeds a fetSM WW~ predetermined setpoint, indicating an unsafe condition, the
- bistable monitoring the parameter in that channel will trip.S" ##
Tripping bistables monitoring the same parameter in two or Ch
- more channels will de-energize Matrix Logic, which in turn de-energizes the Initiation Logic. This causes all eight RTCBs to open, interrupting power to the CEAs, allowing them to fall into the core.
Three of the four measurement and bistable channels are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 1). The fourth channel provides additional flexibility by allowing one channel to be removed from service (trip channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic. Thus, even with a channel inoperable, no single additional failure in the RPS can either cause an inadvertent trip or prevent a required trip from occurring. Adequate channel to channel independence includes physical and electrical independence of each channel from the others. This allows operation in two-out-of-three logic with one channel removed from service until following the next MODE 5 , entry. Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control, this arrangement meets the requirements of IEEE Standard 279-1971 (Ref. 4). The CPCs perfonn the calculations required to derive the DNBR and LPD parameters and their associated RPS trips. Four separate CPCs perfonn the calculations independently, one for each of the four RPS channels. The CPCs provide outputs to drive display indications (DNBR margin, LPD margin, and calibrated neutron flux power levels) and provide DNBR-Low and LPD-High 'pretrip and trip signals. The CPC channel outputs for the DNBR-Low and LPD-High trips operate contacts in the Matrix Logic in a manner identical to the other RPS trips. (continued) J i I SAN ON0FRE--UNIT 3 B 3.3-3 AMENDMENT NO.
RPS Instrumentation -0perating B 3.3.1 l A ?3 BASES RPS Loaic (continued) f BACKGROUND When a coincidence occurs in two RPS channels, all four matrix relays in the affected matrix de-energize. This in turn de-energizes all four breaker control relays, which simultaneously de-energize the undervoltage and energize the shunt trip attachments in all eight RTCBs, tripping them open. Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. The Initiation Logic consists of the tri ppt r scurce, matrix relays and their associated to rcts, all interconnecting wiring, and solid st te h"# Ery) elays through the K-relay contacts in the TCB control c cuitty. It is possible to change the two-out-of-four RPS Logic to a two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions of the Matrix Logic. Trip channel bypassing a bistable effectively shorts the bistable relay contacts in the three matrices associated with that channel. Thus, the bistables will function normally, producing normal trip indication and annunciation, but a reactor trip will not occur unless two additional channels indicate a trip condition. Trip channel bypassing can be simultaneously performed on any number of ; parameters in any number of channels, providing each parameter is bypassed in only one channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing. Two-out-of-three logic also prevents inadvertent trips caused by any single channel failure in a trip condition. In addition to the trip channel bypasses, there are also operating bypasses on select RPS trips. These bypasses are enabled manually in all four RPS channels when plant conditions do not warrant the specific trip protection. All operating bypasses are automatically removed when enabling (continued)
) -
SAN ON0FRE--UNIT 3 B 3.3-8 AMENOMENT N0.
RPS Instrumentation-Operating B 3.3.1 n) BASES BACKGROUND RPS Loaic (continued) bypass conditions are no longer satisfied. Operating bypasses are normally implemented in the bistable, so that normal tri) indication is also disabled. Trips with ' operating )ypasses include Pressurizer Pressure-Low, Logarithmic Power Level-High, Reactor Coolant Flow-Low, and CPC (DNBR-Low and LPD-High). i ! Reactor Trio Circuit Breakers (RTCBs) The reactor trip switchgear, addressed in LCO 3.3.4, consists of eight RTCBs, which are operated in four sets of two breakers (four channels). Power input to the reactor trip switchgear comes from two full capacity MG sets / operated in parallel, such that the loss of either MG set does not de-energize the CEDMs. There are two separate CEDM i I power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two I redundant paths (trip legs). Trip legs 1A and IB supply power to CEDM bus 1. Trip legs 2A and 28 supply power to i CEDM bus 2. This ensures that a fault or the openin breaker in one trip leg (i.e., for testing purposes)g will of a not interrupt power to the CEDM buses. Each of the four trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits. The eight RTCBs are operated as four sets of two breakers (fourchannels). For example, if a breaker receives an open signal in trip leg in Btrip for(leg CEDM A (forbus CEDM bus
- 2) will also 1), ananidentical receive open breaker signal. This arrangement ensures that power is interrupted to both CCDM buses, thus preventing trip of only half of the CEAs (a half trip). Any one ino aker in a channel will make the entire channel operable.
,s dlakd.
EachsetofRTCBsisopertef-tetd-K-rby either ay.a There anual reactor are four trip push button or an P h Manual Trip push button: , arranged in o sets of two. Depressing both push bu" tons in e r set will result in a reactor trip. ; (continued'
)
- y. ,
SAN ONOFRE--UNIT 3 B 3.3-9 AMENDMENT NO.
' i I
RPS instrun.entation-Operating B 3.3.1 m I BASES ~ BACKGROUND Reactor Trio Circuit Breakers (R.TCBs1 (continued) Ml,69 f When a Manual Trip is bm ste using the control room push buttons, the RPS trip paths and K-relays are bypassed, and the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS. Manual Trip circuitry includes the push button and-interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip attachments but excludes the K-relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic. Functional testing of the entire RPS, from bistable input through the opening of individual sets of RTCBs, can be' perfomed either at power or shutdcwn and is nomally UFSAR, Section 7.2 p(erformed on a quarterly basis.Ref. 8), explains RPS testing in m APPLICABLE Desian Basis Definition SAFETY ANALYSES The RPS is designed to ensure that the following operational criteria are met: )
. The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied;
- Separation and redundancy are maintained to permit a channel to be out of service for-testing or maintenance while still maintaining redundancy within the RPS instrumentation network.
Each of the analyzed accidents and transients can Se detected by one or more RPS Functions. The accident analysis takes credit for most of the RPS trip Functions. Those functions for which no credit is taken, termed equipment protective functions, are not needed from a safety perspective. (continued) j 1 w 8 3.3-10 AMENDMENT NO. SAN ONOFRE--UNIT 3
RPS Instrumentation-Operating B 3.3.1 bI BASES 1 APPLICABLE 2. Locarithmic Power Level-High i SAFETY ANALYSES ! (continued) The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the i RCPB in the event of an unplanned criticality from a shutdown condition. In MODES 2, 3, 4, and 5, with the RTCBs closed and the , CEA Drive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when l ' THERMAL POWER is < 1E-4% RTP. For events originating J above this power level, other trips provide adequate protection. MODES 3, 4, and 5, with the RTCBs closed, are addressed in LCO 3.3.2, " Reactor Protective System : (RPS) Instrumentation-Shutdown." ' In MODES 3, 4, or 5, with the RTCBs open or the CEAs not capable of withdrawal, the Logarithmic Power Level-High trip does not have to be OPERABLE. However, the indication and alann portion of two logarithmic channeis must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. The indication and alann functions are addressed in LCO 3.3.13. " Logarithmic Power Monitoring Channels." ,
- 3. Pressurizer Pressure-Hiah The Pressurizer Pressure-High trip provides protection ,
for the high RCS pressure SL. In conjunction with the i i pressurizer safety valves and the main steam safety _ valves (MSSVs), it provides protection against l overpressurization of the RCPB during the following events- l
~
. Loss of Electrical Load Without a Reactor Trip l
Being Generated by the Turbine Trip-(A00);
)
- Loss of Condenser Vacuum (A00);
- CEA Withdrawal From Low Power Conditions (A00);
- Chemical and Volume Control System Malfunction (A
(continued)
'l l B 3.3-12 AMENDMENT NO.
SAN ONOFRE--UNIT 3 l
l' . RPS Instrumentation-Operating B 3.3.1 BASES .C) APPLICABLE 4. Pressurizer Pressure-low SAFETY ANALYSES (continued) The Pressurizer Pressure-Low trip is provided to trip the reactor to assist the ESF System in the event of loss of coolant accidents (LOCAs). During a LOCA, the SLs may be exceeded; however, the consequences of the accident will be acceptable. A Safety Injection Actuation Signal (SIAS) and CCAS are initiated simultaneously.
- 5. Containment Pressure-Hiah The Containment Pressure-High trip prevents exceeding the containment design pressure psig durin basis LOCA or main steam line break (MSLB)g accident. a design During a LOCA or MSLB the SLs may be exceeded; however, the consequences of the accident will be acceptable. An SIAS, CCAS, CIAS are initiated l simultaneously.
6, 7. Steam Generator Pressure-Low The Steam Generator #1 Pressure-Low and Steam (p wsed a w.m r o wi. #2 rre _ .-..ssure
. .- Low
. . -tripsip7s.
e t = t id;
= ti;r;tccti:1
- e. , _ _
rs e k p # M M e }d!de: r ;::: Of :ter: th: rd . ;J;i.g cei;id, =:;ntr:11:d
" . This trip is needed to shut down i e
M4 Igte,w, reactor and assist the ESF System in t he even t of rm414 h6vb, b 4 the an MSLB or main feedwater line break accident. A main st am isolation signal (MSIS) is initiated J g 4 Aw si nultaneously. care M , Q D tLoss" '
}8 AstA**'.
8, 9. team Generator level-Low The Steam Generator #1 Level-Low and Steam Generator #2 Level-Low trips ensure that a reactor trip signal is generated for the following events to help prevent exceeding the design pressure of the RCS due to the loss of the heat sink:
. Inadvertent Opening of a Steam Generator Atmospheric Dump Valve (A00);
(continued) mf SAN ONOFRE--UNIT 3 8 3.3-13 AMENDMENT NO.
A a ._ . RPS Instrumentation-Operating B 3.3.1
- i. BASES LCO 2. Locarithmic Power level-Hioh (continued)
MODE 3, 4, or 5 when the RTCBs are shut and the CEA Drive System is capable of CEA withdrawal. The MODES 3, 4, and 5 Condition is addressed in LC0 3.3.2. The Allowable Value is high enough to provide an operating envelope that prevents unnecessary Logarithmic Power Level-High reactor trips during normal plant operations. The Allowable Value is low enough for the system to maintain a margin to unacceptable fuel cladding damage should a CEA withdrawal event occur. The Logarithmic Power Level-High trip may be bypassed when THERMAL POWER is above 1E-4% RTP to allow the reactor to be brought to power during a reactor
& startup. This bypass is automatically removed when THERMAL POWER decreases below 1E-4% RTP. Above IE-4% RTP, the Linear Power Level-High and Pressurizer i Pressure-High trips provide protection for reactivity transients. 33.13 The t
trip may be manually ypassed during "70: L:;;;; physics 5f*M g
- Tut E y t0m5 M 8 %ygting During this pursuant cpu uni." to testing, LC the Linear Power Level-High trip and administrative controls provide the required protection.
- 3. Pressurizer Pressure-Hich This LC0 requires four channels of Pressurizer Pressure-High to be OPERABLE in MODES 1 and 2.
- The Allowable Value is set below the nominal lift setting of the pressurizer code safety valves, and its f
operation avoids the undesirable operation of these valves during normal plant operation. In the event of a complete loss of electrical load from 100% power, this setpoint ensures the reactor trip will take place, thereby limiting further heat input to the RCS and consequent pressure rise. The pressurizer safety. valves may lift to prevent overpressurization of the RCS. (continued) 8 3.3-18 AMENDMENT NO. SAN ONOFRE--UNIT 3
)
i l RPS Instrumentation-Operating B 3.3.1 m .I I BASES LC0 8, 9. Steam Generator Level-Low (continued) cause a reactor trip during nonnal plant operations. The same bistable providing the reactor trip also initiates emergency feedwater to the affected generator via the Emergency Feedwater Actuation Signals (EFAS). The minimum setpoint is governed by EFAS requirements. The reactor trip will remove the heat source (except decay heat), thereby conserving i the reactor heat sink. This and the Steam Generator (1 and 2) Level- ! p may be manually bypassed simultaneously whe old J 1eg temperature is below the specified limit t llow for CEA withdrawal during testing. The b s is automatically removed when cold leg rature ches 200*F. go . h% A !d ~ - Le*J T 11s LCO requires tour chonnc h of Rcoctor Coolant Flow-Low to be OPERABLE in MODES 1 and 2. The Allowable Value is set low enough to allow for slight variations in reactor coolant flow during
' normal plant operations while providing the required protection. Tripping the reactor ensures that the resultant power to flow ratio provides adecuate core ,
cooling to maintain DNBR under the expectec, pressure l conditions for this event. The Reactor Coolant Flow-Low trip may be manually bypassed when reactor power is less than 1E-4% RTP. This allows for de-energization of one or more RCPs (e.g., for plant cooldown), while maintaining the l ability to keep the shutdown CEA banks withdrawn from the core if desired. LCO 3.4.5, "RCS Loops-MODE 3," LC0 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops -MODE 5, , Loops Filled," ensure adequate RCS flow rate is ! maintained. The bypass is automatically removed when THERMAL POWER increases above 1E-4% RTP, as sensed by the wide range (logarithmic) nuclear instrumentation. When below the power range, the Reactor Coolant Flow-Low is not required for plant protection. t (continued) g i 8 3.3-21 AMENDMENT NO. SAN ONOFRE--UNIT 3
- 2. .
RPS Instrumentation -Operating B 3.3.1 BASES LC0 11. Local Power Density-Hiah (continued) This LC0 requires four channels of LPD-High to be OPERABLE. The LCO on the CPCs ensures that the SLs are maintained during all A00s and the consequences of accidents are acceptable. A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function. The CPC channels may be manually bypassed below 1E-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warran;. the trip protection. The bypass effectively removes the ONBR-Low and'LPD-High trips from the RPS Logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied. This operating bypass is required to perfonn a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also l allows system tests at low power with Pressurizer Pressure-Low or RCPs off. 3112 During special testing pursuant to LC0 0.1.1^, the CPC channels may be manually bypassed when THERMAL POWER is below 5% RTP to allow special testing without generating a reactor trip.
- 12. Departure from Nucleate Boilina Ratio-(DNBR)-Low This LCO requires four channels of DNBR-Low to be OPERABLE.
The LCO on the CPCs ensures th'at the SLs are maintained during all A00s and the consequences of accidents are acceptable. i (continued)
?
d B 3.3-22 AMENDMENT NO. SAN ON0FRE--UNIT 3
, 1 RPS Instrumentation-Operating B 3.3.1 l I
. s, I BASES LC0
- 12. Departure from Nucleate Boilina Ratio (DNBR)-Low (continued)
A CPC is not considered inoperable if CEAC inputs to the CPC are inoperable. The Required Actions required in the event of CEAC channel failures ensure the CPCs are capable of performing their safety Function. The CPC channels may be manually bypassed below IE-4% RTP, as sensed by the logarithmic nuclear instrumentation. This bypass is enabled manually in all four CPC channels when plant conditions do not warrant the trip protection. The bypass effectively removes the DNBR-Low and LPD-High trips from the RPS logic circuitry. The operating bypass is automatically removed when enabling bypass conditions are no longer satisfied. This operating bypass is required to perform a plant startup, since both CPC generated trips will be in effect whenever shutdown CEAs are inserted. It also allows system tests at low power with Pressurizer Pressure-Low or RCPs off.
$. (. I 8-During special testing pursuant to LCO M.it, the CPC channels may be manually bypassed when THERMAL POWER is below 5% RTP to allow special testing without generating a reactor trip.
Bvoasses The LCO on bypass pennissive removal channels requires that the automatic bypass removal feature of all four operating bypass channels,be OPERABLE for each RPS Function with an operating bypass in the MODES addressed in the specific LC0 for each Function. All four bypass removal channels must be-OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed. This LCO applies to the bypass removal feature only. If the bypass enable Function is failed so as to prevent entering a bypass condition, operation may continue. In the case of the Logarithmic Power Level-High trip (Function 2), the absence of a bypass will limit maximum power to below the trip setpoint. L (continued) y B 3.3-23 AMENDHENT NO. , SAN ON0FRE--UNIT 3
u RPS Instrumentation -0perating B 3.3.1 BASES APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The reactor trips are designed to take the reactor subcritical, which maintains the SLs during A00s and assists the ESFAS in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:
- The Logarithmic Power Level-High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed, to provide protection for boron dilution and CEA withdrawal events.
The Logarithmic Power Level-High trip in these lower MODES is addressed in LCO 3.3.2. The Logarithmic Power Level-High trip is bypassed prior to MODE 1 entry and is not required in MODE 1. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LCO 3.3.4. g,eteen afa daA w h A ACTIONS The most common causes of annel inoperability are outright failure or drift of the b stable or process module sufficient to exceed the t h = :: d h u i by the plant specific setpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the perfonnance of a CHANNEL FUNCTIONAL TEST when the process instrument is set up for adjustment to
$6 Dring it to withirQgecifiat'^n. If the trip setpoint is less conservative than the Allowable ~ Value in Table 3.3.1-1,
- g. the channel is declared inoperable immediately, and the appropriate Condition (s) must be entered immediately.
In the event a channel's trip set)oint is found nonconservative with respect to t1e Allowable Value, or the transmitter, instrument loop, signal processing electronics, or RPS bistable trip unit is found inoperable, then all affected functions provided by that channel must be declared inoperable, and the unit must enter the Condition.for the particular protection Function affected. (continued) y SAN ONOFRE--UNIT 3 8 3.3-24 AMENDMENT NO.
RPS lastrumentation-0perating B 3.3.1 BASES
)
SURVEILLANCE SR 3.3.1.4 (continued) REQUIREMENTS n located in the control room to detect deviations in outputs. The Frequency is modified by a Note indic ting is Surveillance need only be performed within 12 hour after reaching 20% RTP. The 12 hours after reaching 20% required for plant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A second Note in the SR indicates the , SR may be suspended during PHYSICS TESTS. The conditional suspension of the daily calibrations under strict-administrative control is necessary to allow special testing j to occur. . g ear.e. YS p g,, SR 3.3.1.5 g The RCS flow rate indicated by each CPC is veri f ed to less than or equal to the RCS total flow rate ev ery days. The Note indicates the Surveillance is perfomedgwithin 12 hours after THERMAL POWER is t 8S% RTP. This check (and, if necessary, the adjustment of the CPC addressable flow constant coefficients) ensures that the DNBR setpoint is conservatively adjusted with respect to actual flow indications as detennined by a calorimetric calculation. Operating experience has shown the specified Frequency is adequate, as instrument drift is minimal and changes in actual flow rate are minimal over core life. I SR 3.3.1.6 The three vertically mounted excore nuclear instrumentation detectors in each channel are used to determine APD for use in the DNBR and LPD calculations. Because the detectors are mo6nted outside the reactor vessel, a portion of,the signal from each detector is from core sections not adjacent to the detector. SR 3.3.1.6 ensures that the preassigned gains are still proper. The 92 day Frequency is adequate because the demonstrated long term drift of the instrument channels is minimal. (continued) l 8 3.3-31 AMENDMENT NO. SAN ONOFRE--UNIT 3 l
. . . . . . . . . - - - - _ _ - - _ _ _ - _ _ _ _ _ _---_--_------_----_--------------_----------___----_---------_-__--_a
~
~ '
RPS Instrumentation-Operating B 3.3.1 # l .- BASES , SURVEILLANCE SR 3.3.1.7 i REQUIREMENTS A CHANNEL FUNCTIONAL TEST on each channel is performed every (continued) 92 days to ensure the entire channel will perfom its intended function when needed. The SR is modified by two , Notes. Note 1 is a requirement to verify the correct CPC addressable constant values are installed in the CPCs when the CPC CHANNEL FUNCTIONAL TEST is performed. Note 2 allows the - FUNCTIONAL TEST for the Logarithmic Power , L e ig channels to be perfomed 2 hours after ' owe rops below 1E-4% RTP and is required to be performed on1 if e RTCBs are closed. Not required if perfomed g he surveillance interval. In add 4+"- te g a suppiy m , the RPS CHANNEL + FUNCTIONAL TEST consists of three o7erlapping tests as described in Reference 8. These tests verify that the RPS is capable of perfoming its intended function, from bistable input through the RTCBs. They include: Bistable Tests A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the : specified tolerance around the setpoint. This is done with the affected RPS channel trip channel bypassed. . The requirements for this= =M are hJe - in outlined . Reference 9. Matrix Loaic Tests 1 Matrix Logic tests are addressed in LC0 3.3.4. This test is perfomed one matrix at a time. It verifies that a coincidence in the two input channels for each Function removes power from the matrix relays. During testing, holding power is applied to the matrix relay test coils and > prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence
~
logic, such as may be caused by faulty bistable relay or trip channel bypass contacts. (continued) 8 3.3-32 AMENDMENT NO. SAN ON0FRE--UNIT 3 t e
RPS Instrumentation-Operating B 3.3.1 9 BASES SURVEILLANCE SR 3.3.1.8 (continued) REQUIREMENTS between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis, j ( g u M. Operating experience has shown this Frequency to be 7 m satisfactory. The detectors are excluded from CHANNEL w Y CALIBRATION because they are passive devices with minima) drift and because of the difficulty of simulating : d^+~+^- a f meaningful signal. Slow changes in compensated for by performing the daily calorimetric ] calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6). In addition, the associated control room indications are monitored by the operators. SR 3.3.1.9 SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 24 months. CHANN'EL CALIBRATION is a complete check of the instrument channel including the sensor. The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. Measurement error determination, setpoint error determination, and calibration adjustment must be performed consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. The Frequency is based upon the assumption of a 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis as well as operating experience and consistency with the typical 24 month fuel cycle. The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION (continued) 8 3.3-34 AMENDMENT N0. SAN ONOFRE--UNIT 3
~ m RPS Instrumentation-Operating B 3.3.1 r, I BASES
; a-SURVEILLANCE SR 3.3.1.9 (continued) c., 6g REQUIREMENTS ive devices with minimal drift and because they are p because of the d d:t::t:r aof iculty simulating a meaningful signal.
;,;,:tj are compensated for by Slow changes i performing the daily calorimetric calibration (SR 3.3.1.4) and the quarterly linear subchannel gain check (SR 3.3.1.6).
SR 3.3.1.10 Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CPCs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY including alann and trip Functions. The basis for the 24 month Frequency is that the CPCs perform a continuous self monitoring function that eliminates the need for frequent CHANNEL FUNCTIONAL TESTS. This CHANNEL FUNCTIONAL TEST essentially validates the self monitoring function and checks for a small set of . failure modes that are undetectable by the self monitoring function. Operating experience has shown that undetected CPC or CEAC ' failures do not occur in any given 24 month interval. SR 3.3.1.11 The three excore detectors used by each CPC channel for ' axial flux distribution infonnation are far enough from the core to be exposed to flux from all heights in the core, although it is desired that they only read their particular level. The CPCs adjust for this flux overlap by using shape annealing matrix elements in the CPC software. After refueling, it is necessary to re-establish the shape annealing matrix elements for the'excore detectors based on more accurate incore detector readings. This is necessary because refueling could possibly produce a significant 4 change in the shape annealing matrix coefficients. Incore detectors are inaccurate at low power levels < 15%. THERMAL POWER should be significant but < 85$s to perform an accurate axial shape calculation used to derive the shape annealing matrix elements. l (continued) B 3.3-35 AMENOMENT NO. , SAN ONOFRE--UNIT 3 l l 1
RPS Instrumentation-Operating B 3.3.1 I BASES SURVEILLANCE SR 3.3.1.11 (continued) REQUIREMENTS By restricting power to 5 85% until shape annealing matrix elements are verified, excessive local power peaks within the fuel are avoided. Operating experience has shown this Frequency to be acceptable. SR 3.3.1.12 SR 3.3.1.12 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.1.7, except SR 3.3.1.12 is applicable only to bypass functions and is performed once within 92 days prior to each startup. Proper operation of bypass pennissives is critical during plant startup t,ecause the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to
- startup. The allowance to conduct this Surveillance wi 92 days of startup is based on the reliability analy s es presented in topical report CEN-327, "RPS/ESFAS Ext nde Interval Evaluation" (Ref. 9). Once the operating typas e are removed, the bypasses must not fail in such a way-t the associated trip Function gets inadvertently bypassed.
This feature is verified by the trip Function CHANNEL FUNCTIONAL TEST, SR 3.3.1.7. Therefore, further testing of the bypass function after startup is unnecessary. SR 3.3.1.13 l This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on an 24 month STAGGERED TEST BASIS. This results in the interval between successive surveillances of a given channel of n x 24 months, where n is the number of channels in the function. The Frequency of 24 months is based upon operating experience, which has shown that random failures (continued) 8 3.3-36 AMENOMENT N0. SAN ON0FRE--UNIT 3
z.,_ 1 RPS Instrumentation-Operating B 3.3.1
% .<1 BASES SURVEILLANCE SR 3.3.1.13 (continued)
REQUIREMENTS of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. Also, response times cannot be determined at
)ower, since equipment operation is required. Testing may ae ')erfomed in one measurement or in overlapping segments, witi verification that all components are tested.
A Note is added to indicate that the neutron detectors are excluded from RPS RESPONSE TIME testing because they are passive devices with minimal drift and because of the I g< - ,f difficulty of simulating a meaningful signal. Slow changes inua+ nt;c . ... t-;.. f are compensated for by ,. th'e daily calorimetric calibration (SR 3.3.1.4)perfoming nW5 6*I4 . W N"'T l REFERENCES 1. 10 CFR 20. 2 10 CFR 100. 9 3. RC Safety Evaluation Report. j t 1 s
! 4 IEEE Standard 279-1971, April 5, 1972.
- 5. SONGS Units 2 and 3 UFSAR, Chapter 15.
- 6. 10 CFR 50.49.
- 7. PPS Setpoint Calculation CE-NPSD-570, Revision 3.
- 8. UFSAR, Section 7.2.
- 9. CEN-327, June 2,1986, including Supplement 1, March 3, 1989.
(continued)
- i. _ )
B 3.3-37 AMENDHENT NO. SAN ONOFRE--UNIT 3 f
RPS Instrumentation-Shutdown B 3.3.2
) BASES BACKGROUND The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of (continued) 10 CFR 100 (Ref. 2) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
The RPS is segmented into four interconnected nodules.
~
These modules are:
- Measurement channels;
- Bistable trip units;
- RPS Logic; and
. Reactor trip circuit breake'rs (RTCBs). M' I This LC0 applies only to the Logarithmic Power evel-High trip in MODES 3, 4, and 5 with the RTCBs clos d. In MODES 1 and 2, this trip Function is addressed in LC 3.3.1,
" Reactor Protective System (RPS) Instrumenta ion-0)erating." LCO 3.3.13, % g iLim m . ..q Monitoring.
^
C1annels," applies when the RTCBs are open. hi uic vosu of Len ,3 13, m 1n y % : :h;;ac;,o,, , m,;, cu , v7-mnni+r* ; n;;tm =, :'.thed. Uie trip tunction is not r @ir:d. Measurement Channels and Bistable Trio Units The measurement chant,els providing input to the Logarithmic Power Level-High trip consist of the four logarithmic nuclear instrumentation channels detecting neutron flux leakage from the reactor vessel. Other aspects of the Logarithmic Power Level-High trip are similar to the other measurement channels and bistables. These are addressed in the Background section of LCO 3.3.1. Functional testing of the entire RPS, from bistable input through the o>ening of individual sets of RTCBs, can be perfomed eitler at power or shutdown and is normally perfomed on a quarterly basis. Nuclear instrumentation can (continued) , SAN ONOFRE--UNIT'2'l B 3.3-39 AMENDMENT NO.
RPS Instrumentation -Shutdown B 3.3.2 ) BASES (continued) APPLICABLE be similarly tested. , ection 7.2 (Ref. 3), provides SAFETY ANALYSES mcre detail c.n RP estj g. he RPS functions to maintain the SLs during A s an ti es the consequence of DBAs in all MODES in whi h the s are closed. Each of the analyzed transients and accidents can be detected by one or more RPS Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. Noncredited l Functions include the Steam Generator Water Level-High ant the L: t e# ' 0:d . The Steam Generator Water Level-High end M.7 l
@a ' nee nf i n'd t-ipr-2r((purelyequipmentprotective,and thek use minimizes the potential for equipment damage.
*{3 The Logarithmic Power Level-High trip protects the integrity of the fuel cladding and helps protect the RCPB in the event of an unplanned criticality from a shutdown condition.
In MODES 2, 3, 4, and 5, with the RTCBs closed, and the Control Element Assembly (CEA) Orive System capable of CEA withdrawal, protection is required for CEA withdrawal events originating when THERMAL POWER is < 1E-4% RTP. J/For events , originating above this power level, other trips provice adequate protection. MODES 3, 4, and 5, with the D.iCBs closed, are addressed in this LCO. MODE 2 is addressed in LC0 3.3.1. In H0 DES 3, 4, or 5, with '.he RTCBs open or the CEAs not evel -High i capable of withdrawal, the Logarithmic trip does not have to be OPERABLE. .unmm PowergJ.he o o t indication and alann portion :t t e "prithi; A.,nM must be OPERABLE to ensure proper indication of neutran pep"1=+1on ana +n inA4-et 3 hernn atin+<nn .vont X n; ind; & n og _*1 g r== functinne men s Adrac e d j a L ^ 3,3, D, The RPS satisfies Criterion 3 of the NRC Policy Statement. LC0 The LC0 requires the Logarithmic Power Level-High RPS Function to be OPERABLE. Failure of any required portion of the instrument channel renders the affected channel (s) inoperable and reduces the reliability of the affected Function. (continued) SANON0FRE--UNITK3 8 3.3-40 AMENDMENT NO.
+. RPS Instrt. mentation - Shutdown B 3.3.2 f%
, ! BASES LC0 and Pressurizer Pressure-High trips provide protection for (continued) reactivity transients.
The trip may be manually bypassed during physics testing pursuant to LC0 3.4.17, "RCS Loops-Test Exceptions." ; During this testing, the Linear Power Level-High trip and administrative controls provide the required protection. l 1 APPLICABILITY Most RPS trips are required to be OPERABLE in MODES 1 and 2 because the reactor is critical in these MODES. The trips
.are designed to take the reactor subcritical, which l maintains the SLs during A00s and assists the Engineered Safety Features Actuation System (ESFAS) in providing acceptable consequences during accidents. Most trips are not required to be OPERABLE in MODES 3, 4, and 5. In MODES 3, 4, and 5, the emphasis is placed on return to power events. The reactor is protected in these MODES by ensuring adequate SDM. Exceptions to this are:
- The Logarithmic Power Level-High trip, RPS Logic RTCBs, and Manual Trip are required in MODES 3, 4, and 5, with the RTCBs closed and any CEA capable of being withdrawn, to provide protection for boron dilution and CEA withdrawal events. The Logarithmic Power Level-High trip in these lower MODES is addressed in this LCO. The RPS Logic in MODES 1, 2, 3, 4, and 5 is addressed in LC0 3.3.4, " Reactor Protective System (RPS) Logic and Trip Initiation."
The ApdicairMTty is modified by a Note Inac a" he trip to )ypassed when THERMAL POWER is > 1E-4% , an the pass is automatically removed when THER R is 1E-4% RTP. ACTIONS The most common causes of channel inoperability are outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by the plant specific satpoint analysis. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This detennination is generally made during the performance of a CHANNEL FUNCTIONAL TEST (continued) u SAN ONOFRE--UNIT Q B 3.3-42 AMENDMENT N0.
RPS Instrumentation-Shutdoen B 3.3.2 BASES f] SURVEILLANCE Matrix Loaic Tests. REQUIREMENTS (continued) Matrix Logic Tests are addressed in LC0 3.3.4. This test is perfonned one matrix at a time. It verifies that a l coincidence in the two input channels for each Functi)njg) l removes power from the matrix relays. Duringtestinggpower is applied to the matrix relay test coils and prevents the matrix relay contacts from assuming their de-energized state. This test will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts. Trio Path Test Trip path (Initiation Logic) tests are addressed in LC0 3.3.4. These tests are similar to the Matrix Logic tests except that test power is withheld from one matrix relay at a time, allowing the :. itiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result. The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 6) . The excore channels use preassigned test signals to verify proper channel alignment. The excore logarithmic channel test signal is inserted into the preamplifier input, so as to i test the first active element downstream of the detector. l l (continued) S B 3.3-48 AMENDMENT NO. SAN ONOFRE--UNIT M
i RPS Instrumentation-Shutdown B 3.3.2
] BASES SURVEILLANCE SR 3.3.2.4 (continued)
REQUIREMENTS The Frequency is based upon the assumption of an 24 month calibration interval for the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle. The Surveillance is modified by a Note to indicate that the neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices with minimal drift and because of the difficulty of simulating a meaningful signal. Slow changes in St::tr ==iti My are compensated for by performing the daily calorimetric calibration (SR 3.3.1.4). In*%s of nsa.W$ SR 3.3.2.5 wi '** T This SR ensures that the RPS RESPONSE TIMES are verified to be less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall-or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the RTCBs open. Response times are conducted on a 24 month STAGGERED TEST BASIS. This results in the interval between successive tests of a given channel of n x 24 months, where n is the number of channels in the Function. The 24 month Frequency is based upon operating experience, which has shown that random failures of instrumentation components causing serious response time degradation, but not channel failure, are. infrequent occurrences. Also, response times cannot be determined at power, since equipment operation is required.. Testing may be perfonned in one measurement or in overlapping segments, with verification that all components are tested. d I (continued)
+/.
SAN ON0FRE--UNIT K2 B 3.3-50 ' AMENDMENT NO. I
c, i CEACs l B 3.3.3
-) BASES BACKGROUND different fraction of these limits based on probability of (continued) occurrence. Meeting the acceptable dose limit for an l accident category is considered having acceptable consequences for that event. l The RPS is segmented into four interconnected modules.
These modules are:
. Measurement channels;
. Bistable trip units; ;
i e RPS Logic; and
. Reactor trip circuit breakers (RTCBs).
This LC0 addresses the CEACs. LC0 3.3.1, " Reactor Protective System (RPS) Instrumentation-Operating," provides a description of this equipment in the RPS. - The excore nuclear instrumentation, the core protection ; calculators (CPCs), and the CEACs are considered components ; in the measurement channels of the Linear Power Level-High,
} Logarithmic Power Level-High, DNBR-Low, and Local Power Density (LPD)-High trips. The CEACs are addressed by this Specification.
All four CPCs receive control element assembly (CEA) deviation penalty factors from each CEAC and use the larger , N the W actors from the two CEACs in the calculation of DNBR and LPD. CPCs are further described in the Background section of LC0 3.3.1. The CEACs perfonn the calculations required to determine the position of CEAs within their subgroups for the CPCs. Two independent CEACs compare the position of each CEA to its subgroup position. If a deviation is detected by either CEAC, an annunciator sounds and appropriate " penalty factors" are transmitted to all CPCs. .These penalty' factors conservatively adjust the effective operating margins to the DNBR-Low and LPD-High trips. Each CEAC also drives a single cathode ray tube (CRT), which is switchable between CEACs. The CRT displays individual CEA positions and current values of the penalty factors from the selected CEAC. (continued) v 8 3.3-53 AMENDMENT NO. SAN ON0FRE--UNIT 3
CEACs B 3.3.3 BASES [} ACTIONS A.1 and A.2 (continued) position of all CEAs and provides verification of the proper operation of the remaining CEAC. An OPERABLE CEAC will not generate penalty factors until deviations of a 9.7 inches within a subgroup are encountered. The Completion Time of once per 4 hours is adequate based on operating experience, considering the low probability of an undetected CEA deviation coincident with an undetected failure in the remaining CEAC within this limited time frame. As long as Required Action A.1 is accomplished as specified, the inoperable CEAC can be restored to OPERABLE status within 7 days. The Completion Time of 7 days is adequate for most repairs, while minimizing risk, considering that dropped CEAs are detectable by the redundant CEAC, and other LCOs specify Required Actions nec.essary to maintain DNBR and LPD margin. r B.1. B.2. B.3. B.4. and 8.5 Condition B applies if the Required Action and associated Completion Time of Required Action A are not met, or if both CEACs are inoperable. Actions associated with this Condition involve disabling the Control E'ement Drive Mechanism Control System (CEDMCS), while providing increased assurance that CEA deviations are not occurring and informing all OPERABLE CPC channels, via a software flag. 4 4 that/. bee CEAC6)pe failed. This will ensure that the large e f.d ur associated with two CEAC failures will be applied to CPC calculations. The penalty factor for two-Og) failed CEACs is sufficiently large that power must be-maintained significantly < 100% RTP if CPC generated reactor trips are to be avoided. The Completion Time of 4 hours is adequate to accomplish these actions while minimizing risks. The Required Actions are as follows: fLd Meeting the DNBR margin requirements of LCO 3.2.4, "DNBR," ensures that power level and ASI are within a conservative region of operation based on actual core conditions. (continued) 8 3.3-56 AMENDMENT NO. SAN ON0FRE--UNIT 3 l
- g. ,-
CEACs l B 3.3.3 l e) BASES ACTIONS L2 (continued) The " full out" CEA reed switches provide acceptable indication of CEA position. Therefore, the CEAs will remain fully withdrawn, except as required for.specified testing or flux control via group #6. This verification ensures that undesired perturbations in local fuel burnup are prevented. B.3 N *feU M ', p 5 The"RSPT/CEhcInoperable"addre able constant ' each of inoperable. the CPCs is set to indicate tha .JM4h CEA24) This provides a conservative penalty factor to ensure that a conservative effective margin is maintained by the CPCs in the computation of DNBR and LPD trips. B.4 The CEDMCS is placed and maintained in "0FF," except during CEA motion pemitted by Required Action B.2, to prevent inadvertent motion and possible misalianment of the CEAs. . B.5 A comprehensive set of comparison checks on individual CEAs within groups must be made within 4 hours. Verification that each CEA is within 7 inches of other CEAs in its group provides a check that no CEA has deviated from its proper position within the group. ' C_d 1 Condition C applies if the CPC channel B or C cabinet . receives a high temperature alann. There is one temperature- , sensor in each of the four CPC bays. Since CPC bays B and C also house CEAC calculators-1 and 2, respectively, a high tem)erature in either of these bays may also indicate a pro)lem with the associated CEAC. If a CPC channel B or C cabinet high temperature alarm is received, it is possible for the CEAC to be affected and not be completely reliable. Therefore, a CHANNEL FUNCTIONAL . TEST must be performed.within 12 hours. The Completion Time of 12 hours is adequate, considering the low probability of (continued) B 3.3-57 AMENDMENT NO. SAN ONOFRE--UNIT 3
CEACs B 3.3.3
. BASES SURVEILLANCE SR 3.3.3.4 (continued)
REQUIREMENTS The Frequency is based upon the assumption of an 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis and includes operating experience and consistency with the typical 24 month fuel cycle. SR 3.3.3.5 Every 24 months, a CHANNEL FUNCTIONAL TEST is performed on the CEACs. The CHANNEL FUNCTIONAL TEST shall include the injection of a signal as close to the sensors as practicable to verify OPERABILITY, including alarm and trip Functions. ] The basis for the 24 month Frequency is that the CEACs e a ctfntihuous self monitoring function that elimina es the reed for frequent CHANNEL FUNCTIONAL TESTS. This CHANNEL FU CTIONAL TEST essentially validates the self 477Cs,onitorin function and checks for a small set of failure mod that are undetectable by the self monitoring function. perating experience has shown that undetected CPC C failures do not occur in any given 24 month SR 3.3.3.6 The isolation characteristics of each CEAC CEA position isolation amplifier and each optical isolator for CEAC to CPC data transfer are verified once per refueling to ensure l I' that a fault in a CEAC or a CPC channel will not render another CEAC or CPC channel inoperable. The CEAC CEA position isolation amplifiers, mounted in CPC cabinets A and D, prevent a CEAC fault from propagating back to CPC A or D. The optical isolators for CPC to CEAC data transfer prevent a fault originating in any CPC channel from propagating back to any CEAC throug' .his data link. The Frequency is based on plant operating experience with regard to channel OPERABILITY,.which demonstrates the failure of a channel in any 24 month interval is rare. (continued) 8 3.3-61 AMEN 0HENT NO. SAN ON0FRE--UNIT 3 l l _ _ _ _ _ __ _ J
RPS Logic and Trip Initiation B 3.3.4 gr, I BASES BACKGROUND RPS Loaic (continued) each have six contacts in series, one from each matrix, and perform a logical OR function, opening the RTCBs if any one or more of the six logic matrices indicate a coincidence condition. Each trip path is responsible for opening one set of two of the eight RTCBs. The RTCB control relays (K-relays), when de-energized, interrupt power to the breaker undervoltage trip attachments and simultaneously apply powerActuation to the shuntof trip attachments on each of the two breakers. either the undervoltage or shunt trip attachment is sufficient to open the RTCB and interrupt power from the motor generator (MG) sets to the control element drive , mechanisms (CEDMs). When a coincidence occurs in two RPS channels, all four. matrix relays in the affected matrix de-energize. This in turn de-energizes all four breaker control relays, which simultaneously de-energize the undervoltage and energize the , shunt trip attachments in all eight RTCBs, tripping them open. Matrix Logic refers to the matrix power supplies, trip ' channel bypass contacts, and interconnecting matrix wiring ' between bistable relay cards, up to but not including the matrix relays. source,
- athall The Initiation Logic consists of the ttacts, po ,
matrix relays and their associated elays interconnecting wiring, and solid tate b Hiosy) cui try. , through the K-relay contacts in t e RTCB control Logic to a It is possible to change the two-out-o two-out-of-three logic for a given input parameter in one channel at a time by trip channel bypassing select portions l of the Matrix Logic. Trip channel bypassing a bistable ' effectively shorts the bistable relay contacts in the three ' matrices associated with that channel. Thus, the bistables , will function nomally, producing nomal trip indication and ' annunciation, but a reactor trip will not occur unless two ' additional channels indicate a trip condition. Trip channel
~
bypassing can be simultaneously perfomed on any number of i (continued) AMENDMENT N0. SAN ONOFRE--UNIT 3 B 3.3-65
E i ,, RPS Logic and Trip Initiation B 3.3.4 I BASES BACKGROUND RPS Loaic (continued) parameters in any number of channels, providing each An parameter is bypassed in only one channel at a time. interlock prevents simultaneous trip channel bypassing of the same parameter in more than one channel. Trip channel bypassing is normally employed during maintenance or testing. Reactor Trio Circuit Breakers (RTCBs) The reactor trip switchgear consists of eight RTCBs, which are operated in four sets of two breakers (four channels). Power input to the reactor trip switchgear comes from two full capacity MG sets operated in parallel such that theThere loss of either MG set does not de-energize the CEDHs. are two separate CEDM power supply buses, each bus powering half of the CEDMs. Power is supplied from the MG sets to each bus via two redundant paths (trip legs). This ensures that a fault or the opening of a breaker in one trip leg (i.e., for testing purposes) will not interrupt power to the CEDM buses. Each of the four trip legs consists of two RTCBs in series. The two RTCBs within a trip leg are actuated by separate initiation circuits. The eight RTCBs are operated as four sets of two breakers (fourchannels). For example, if a breaker receives an open signal in trip leg B for CEDM bus 2) will also receive an open in trip (leg A (for CEDM bus 1), an identical breaker signal. This arrangement ensures that power is interrupted to both CEDM buses, thus preventing trip of only half of the control element assemblies (CEAs) (a half trip). Any one inoperable breaker in a channel will make the entire channel inoperable. Each set of RTCBsj'rs operated by either a Manual Trip push
'M M button or an RP y a A der-K-relay. There are four Manual
~
Trip push buttons, arranged in two sets of two. Depressing both push buttons in either set will result in a reactor r trip. l 1 l \ (continued) t B 3.3-66 AMENDMENT N0. SAN ONGTPE--UNIT 3 j __
~ ^ - - - - - -- - - _ _ _ _ _ _ . . _ _ _ _ _ .
l l RPS Logic and Trip Initiation i B 3.3.4 l BASES l, l Reactor Trio Circuit Breakers (RICBsl (continued) BACKGROUND ggA 14A When a Manual Trip is f"thtM using the control room push buttons, the RPS trip paths and K-relays are bypassed, and , the RTCB undervoltage and shunt trip attachments are actuated independent of the RPS. Manual Trip circuitry includes the push button and i interconnecting wiring to both RTCBs necessary to actuate both the undervoltage and shunt trip attachments, but excludes the K-relay contacts and their interconnecting wiring to the RTCBs, which are considered part of the Initiation Logic. I Functional testing of the entire RPS, from bistable input through the openi,3 of the individual sets of RTCBs, can be performed either at power or shutdown and is nonnallyFSAR performed on a quarterly basis. explains RPS testing in more detail.
. j 1
Reactor Protective System (RPS) Loaic i APPLICABLE - SAFETY ANALYSES The RPS Logic provides for automatic trip initiation to l maintain the SLs during A00s and assist the ESF systemsAll in ensuring acceptable consequences during accidents. transients and accidents that call for a reactor trip assume , the RPS Logic is functioning as designed. r 1 Reactor Trio Circuit Breakers (RTCBsl All of the transient and accident analyses that call for a , reactor trip assume that the RTCBs operate and interrupt power to the CEDMs. i i Manual Trio r There are no accident analyses that take credit for'the
- Manual Trip; however, the Manual Trip is part of the RPS ,
circuitry. -it is used by the operator to shut down the , reactor whenever any parameter is rapidly trending toward ! its trip setpoint. A Manual Trip accomplishes the same T results as any one of the automatic trip Functions. (continued)-
~AMENDMENT NO.
B 3.3-67 ; SAN ONOFRE--UNIT 3 [ t i
RPS Logic and Trip Initiation B 3.3.4
')
- BASES LC0 4. Manual Trin (continued)
Hanual Trip push buttons are also provided at the reactor trip switchgear (locally) in case the control room push buttons become inoperable or the control room becomes uninhabitable. These are not part of the RPS and cannot be credited in fulfilling the LC0 OPERABILITY requirements. Furthennore, LC0 ACTIONS need not be entered due to failure of a local Manual Trip. The RPS Logic, RTCBs, and Manual Trip are required to be APPLICABILITY OPERABLE in any MODE when the CEAs are capable of being withdrawn off the bottom of the core (i.e., RTCBs closed and power available to the CEDMs) . This ensures that the reactor can be tripped when necessary, but allows for maintenance and testing when the reactor trip is not needed. In MODES 3. 4. and 5 with the RTCBs open, the CEAs are not these Functions do not have to be LWf withdrawal anf.zri" ;:n;- 1;;;L channels OPERABLE. However, two, gpa) must be OPERABLE to ensure proper indication of neutron population and to indicate a boron dilution event. This is addressed in LCO 3.3.13, "p;prit'-!c P:: r Monitoring Channel s ." h l When the number of inoperable channels in a trip Function ACTIONS l exceeds that specified in any related Condition associated with the same trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 is immediately ( entered if applicable in the current MODE of operation. Ad Condition A applies if one Matrix Logic channel is l inoperable in any applicable MODE. Loss of a single vital l instrument bus will de-energize one of the two matrix power supplies in up to three matrices. This is considered a single matrix failure, providing the matrix relays associated with the failed power supplies de-energize as required. The above statement is supported by a Note. (continued) l AMENDMENT NO. SAN ONOFRE--UNIT 3 8 3.3-71 l
- ~ . - RPS Logic and Trip Initiation B 3.3.4 BASES ACTIONS D.1 (centinued) If the affected RTCB cannot be opened Required Action E is entered. This would only occur if there is a failure in the Manual Trip circuitry or the RTCB(s). E.1 and E.2 Condition E is entered if Required Actions associated with Condition A, B, or D are not met within the required Completion Time or, if for one or more Functions, more than one Manual Trip, Hatrix Logic, Initiation Logic, or RTCB channel is inoperable for reasons other than Condition A or D. If the RTCBs associated with the inoperable channel cannot be opened, the reactor must be shut down within 6 hours and all the RTCBs opened. A Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required plant conditions from full power conditions in an orderly manner and without challenging plant systems and for opening RTCBs. All RTCBs should then be opened, placing the plant in a MODE where the LC0 does not apply and ensuring no CEA withdrawal occurs. 3.3.4.1 E A I3*4' shk SURVEILLANCE SR l REQUIREMENTS A CHANNEL FUNCTIONAL TEST on each RP Logic channel and RTCB channel is performed every 92 day o ensure the entire 4 channel will perfo its intended function when needed. wsq 31 %$ tee RPS CHAENEL FUNCTIONAL TEST consists of These three tests overlapping tests as described in Reference 3. verify that the RPS is capable of performing its intended function, from bistable input through the RTCBs. The first test, the bistable test,. is addressed by SR 3.3.1.7 in LCO 3.3.1. This SR addresses the two tests associated with the RPS Logic: Matrix Logic and Trip Path. l l l (continued) B 3.S-74 AMENDHENT NO. SAN ONOFRE--UNIT 3
i RPS Logic and Trip Initiation l B 3.3.4 )
^
BASES SURVEILLANCE Matrix Loaic Tests REQUIREMENTS These tests are performed one matrix at a time. They verify (continued) that a coincidence in the two input channels for each Function removes power from the matrix relays. During h
.% prevents the matrix relay contacts from assuming the de-energized state. The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic such as may be caused by faulty bistable relay or trip channel bypass contacts.
Trio Path Tests These tests are similar to the Matrix Logic tests, except that test power is withheld from one matrix relay at a time, allowing the initiation circuit to de-energize, opening the affected set of RTCBs. The RTCBs must then be closed prior to testing the other three initiation circuits, or a reactor trip may result. The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 5). 3 l l SR 3.3.4.[ Each RTCB is actuated by an undervoltage coil and a shunt i trip coil. The system is designed so that either de-energizing the undervoltage coil or energizing the shunt When an trip coil will cause the circuit breaker to open. RTCB is opened, either during an automatic reactor trip or by using the manual push buttons in the control room, the undervoltage coil is de-energized and the shunt trip coil is ' energized. This makes it impossible to determine if one of the coils or associated circuitry is fective. ! l Therefore, once every 18 mont , a THANNEL FUNCTIONAL TEST 84 I is perfonned that individu y tests all n . - vi undervoltage coils and alt?:n :: : cf shunt trip coil M l suk P-rc 5. During undervoltage coil testing, the shunt trip coils must remain de-energized, preventing their operation. Conversely, during shunt trip coil testing, the undervoltage coils must remain energized, preventing their operation. This Surveillance ensures that every undervoltage coil and (continued) AMENDMENT NO. SAN ONOFRE--UNIT 3 B 3.3-75
r RPS Logic and Trip Initiation B 3.3.4 c. BASES 3 SURVEILLANCE SR 3.3.4 I (continued) REQUIREMENTS every shunt trip coil is capable of performing its intended function and that no single active failure of any RTCB component will prevent a reactor trip. h uns io montn sur-vel i i asic6 Fy"r ) -;, Lo,yj y,, C,u usuu iv periusm
# cr the ::ndithn; ti.m oppiy auring a plant outage and -
Pr petrth' fer :: : p h..omd sion>icus ;f it.; L.vui;;onse ev.m .- . Operating m: p;-c h .....J ,,; m we i couv. m experience has shown these components usually pass the Surveillance when perfonned at the Frequency of once every 18 months. SR 3.3.4./4 A CHANNEL FUNCTIONAL TEST on the Manual Trip channels is performed prior to a reactor startup to ensure the entire The channel will perform its intended function if required. Manual Trip Function can only be tested at shutdown. However, the simplicity of this circuitry and the absence of drift concern make this Frequency adequate. Additionally, operating experience has shown that these components usually pass the Surveillance when perfonned at a Frequency of once every 7 days prior to each reactor startup. REFERENCES 1. 10 CFR 50, Appendix A.
- 2. 10 CFR 100.
- 3. SONGS Units 2 and 3 UFSAR, Section 7.2.
- 4. NRC Safety Evaluation Report.
- 5. CEN-327, June 2, 1986, including Supplement 1, March 3, 1989.
8 3.3-76 AMENDMENT NO. SAN ON0FRE--UNIT 3
o i SOC and Coolant C:rcnlation-High Water Level B 3.9.4 BASES APPLICABLE If the reactor coolant temperature is not maintained below , SAFETY ANALYSES 200'F, boiling of the reactor coolant could result. This i l could lead to inadequate cooling of the reactor fuel due to a resulting loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a . reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity, and because of the possible addition of water to the reactor vessel with a lower boron concentration , than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant would eventually. challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the SDC System is required to be operational in MODE 6, with the water level a 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing of the SDC pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the SDC pump does not result in a challenge to the fission product barrier. 3 SDC and Co ant Circulation-High Water Level satisfies Criterio of the NRC Policy Statement. 3 . I LC0 Only one SDC loop is required for decay heat removal in MODE 6, with water level n 23 ft above the top of the reactor vessel flange. Only one SDC loop is required because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one SDC loop must be in operation to provide:
- a. Removal of decay heat;
- b. Mixing of borated coolant to minimize the possibility of a criticality; and
- c. Indication of reactor coolant temperature. 6 An OPERABLE SDC loop includes an SLC pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the low end temperature.
(conti.nued) , b B 3.9-17 AMENDMENT NO. SAN ON0FRE--UNIT 3 . L -n.
----n---- 4
ESFAS Instrumentation l B 3.3.5 ' l 1 l BASES BACKGROUND Measurement Channels (continued) 5Q Adequate channel to channel independ ce includes physical and electrical independence of eac channel from the others. Furthermore, each channel must be energized from separate inverters and station batteries. P' rt: tht h;; demonstrated adequate channel to channel independence emay operate in two-out-of-three logic configuration, with one channel removed from service, until following the nex' MODE 5 entry. M MS Since no single failure will either cause or prevent a protective system actuation, and no protective channel feeds a control channel, this arrangement meets the requirements ; of IEEE Standard 279-1971 (Ref. 4). Bistable Trio Units : Bistable trip units, mounted in the Plant Protection System (PPS) cabinet, receive an analog input from the measurement channels, compare the analog input to trip setpoints, and provide contact output to the Matrix Logic for each ESFAS
) Function. They also provide local trip indication and remote annunciation.
There are four channels of bistables, designated A through D, for each ESFAS Function, one for each measurement ' channel. In cases where two ESF Functions share the same input and trip setpoint (e.g., containment pressure input to - CIAS and SIAS), the same bistable may be used to satisfy both functions. Similarly, bistables may be shared between the RPS and ESFAS (e.g., Pressurizer Pressure-Low input to the RPS and SIAS). Bistable output relays de-energize when a trip occurs, in turn de-energizing bistable relays mounted in the PPS relay card racks. The contacts from these bistable relays are arranged into [ six coincidence matrices, comprising the Matrix Logic. If , bistables monitoring the same parameter in at least two ' channels trip, the Matrix Logic will generate an ESF actuation (two-out-of-four logic). ; (continued) SAN ONOFRE--UNIT 3 8 3.3-79 AMENDMENT NO. R
i
\
1 ESFAS Instrumentation B 3.3.5 BASES BACKGROUND ESFAS Loaic (continued) four channels sense the same input parameter trip. This is , called a two-out-of-four trip logic. i Bistable relay contact outputs from the four channels are configured into six logic matrices. Each logic matrix -l checks for a coincident trip in the same parameter in two j bistable channels. The matrices are designated the AB, AC, , AD, BC, BD, and CD matrices to reflect the. bistable channels
~
being monitored. Each logic matrix contains four normally energized matrix relays. When a coincidence is detected in j the two channels being monitored by the logic matrix, all , four matrix relays de-energize. j The matrix relay contacts are arranged into trip paths, with one relay contact from each matrix relay in each of the four trip paths. Each trip path controls two initiation ~ relays. Each of the two initiation relays in each trip path controls ; AcontactfintheActuationLogicforonetrainofESF. Each of the two channels of Actuation Logic, mounted in the Auxiliary Relay Cabinet (ARCS), is responsible for actuating _}
.. one train of ESF equipment. Each ESF Function has separate l Actuation Logic in each ARC. i The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the i RTCBs. This logic controls ARC mounted subgroup. relays, which are nomally energized. Contacts from these relays, when de-energized, actuate specific ESF equipment.
When a coincidence occurs in two ESFAS channels, all four matrix relays in the affected matrix will de-energize. This in turn will de-energize all eight initiation relays, four used in each Actuation Logic. , Matrix Logic refers to the matrix power supplies, trip channel bypass contacts, and interconnecting matrix wiring between bistable relay cards, up to but not including the matrix relays. Matrix contacts on the bistable relay cards are excluded from the Matrix Logic definition, since they are addressed as part of the measurement channel. (continued) SAN ONOFRE--UNIT 3 8 3.3-81 AMENDMENT NO. I
;t
1 ESFAS Instrumentation B 3.3.5 BASES BACKGROUND ESFAS Loaic (continued) shares an operating bypass with the Pressurizer Pressure-Low reactor trip. . g' ManualESFASinitiationcapabilityisprovideQtopermitthe operator to manually actuate an ESF System when necessary. l
~
~
Two sets of two push buttons (located in_the control room) , for each ESF Function are provided, and each set actuates both trains. Each Manual Trip push button opens one trip path, de-energizing one set of two initiation relays, c.'1e affecting each train of ESF. Initiation relay contacts are arranged in a selective two-out-of-four configuration in the Actuation Logic. By arranging the push buttons in two sets of two, such that both push buttons in a set must be depressed, it is possible to ensure that Manual Trip will not be prevented in the event of a' single random failure. Each set of two push buttons is designated a single channel in LC0 3.3.6. APPLICABLE Each of the analyzed accidents can be detected by one or
]u .- SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be the secondary, or backup, actuation signal for one or more other accidents.
ESFAS protective Functions are as follows:
- 1. Safety In.iection Actuation Sional SIAS ensures acceptable consequences during large break loss of coolant accidents (LOCAs), small break LOCAs, control element assembly ejection accidents, l and main steam line breaks (MSLBs) inside containment.
To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. SIAS initiates the : Emergency Core Cooling Systems (ECCS) and performs several other functions such as initiating a
~
i
._ . (continued)
-h SAN ONOFRE--UNIT 3 8 3.3-83 AMENDMENT NO.
i ESFAS Instrumentation B 3.3.5 BASES APPLICABLE 1.. Safety Iniection Actuation Signal _ (continued) SAFETY ANALYSES Containment Cooling Actuation Signal (CCAS), initiating control room isolation, and starting the diesel generators. , CCAS mitigates containment overpressurization when required by either a manual CCAS actuation or an automatic SIAS Function.
- 2. Containment Soray Actuation Sianal CSAS actuates containment spray, preventing ,
containment overpressurization during-large break i LOCAs, small break LOCAs, and MSLBs or feedwater line 3 breaks (FWLBs) inside containment. CSAS is initiated ; by high high containment pressure and an SIAS. This configuration reduces the likelihood of inadvertent containment spray.
- 3. Containment Isolation Actuation Sianal
/g
) CIAS ensures acceptable mitigating actions during large and small break LOCAs, and MSLBs or FWLBs inside -
containment. CIAS is initiated by high containment pressure.
- 4. Main Steam Isolation Sianal M go,.uwwfw' ]
MSIS ensures acceptable conseque es during an MSLB or l FWLB (between the steam generato and the main i feedwatercheckvalve),either1 1 side or outside i containment. MSIS isolates both steam generators if eithergeneratorindicatesaloQpressurecondition. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events.. S. Recirculation Actuation Sianal At the end of the injection phase of a LOCA, the refueling water storage tank (RWST) will be nearly empty. Continued cooling must be provided by the ECCS- l to remove' decay heat. The source of water for the j ECCS pumps is automatically switched to the i
\
I
/ (continued)
SAN ONOFRE--UNIT 3 B 3.3-84 AMENDMENT NO. 1
ESFAS instrumentation B 3.3.5 l BASES LC0 b. Pressurizer Pressure-Low (continued) The Allowable Value for this trip is set low enough to prevent actuating the ESF Functions (SIAS) during normal plant operation and pressurizer pressure transients. The setting is high enough that, with the specified accidents, the ESF systems will actuate to perform as expected, mitigating the consequences of the accident. The Pressurizer Pressure-Low trip setpoint, - which provides SIAS, and RPS trip, may be manually decreased to a floor value of 300 psia to allow for a controlled cooldown and depressurization of the RCS without causing a reactor trip, or SIAS. The margin between actual pressurizer pressure and the trip setpoint must be maintained less than or equal to the specified value (400 psia) to ensure a reactor trip, and SIAS will occur if required during RCS cooldown ; and depressurization. _.) From this reduced setting, the trip setpoint will increase automatically as pressurizer pressure increases, tracking actual RCS pressure until the trip setpoint is reached. p When the trip setpoint has been lo red below the bypass permissive setpoint of psia, the Pressurizer Pressure-Low reactor trip, and SIAS actuation may be manually bypassed in preparation for shutdown cooling. When RCS pressure rises above the bypass removal setpoint, the bypass is a dsma$ removed. Bvoass Removal This LCO requires four channels of bypass removal for Pressurizer Pressure-Low to be OPERABLE in MODES 1, 2, and 3.
. (continued)
SAN ON0FRE--UNIT 3 8 3.3-87 AMENDMENT NO. t'
ESFAS Instrumentation B 3.3.5 BASES LC0 Bypass Removal (continued) l Each of the four channels enables and disables ; the bypass capability for a single channel. Therefore, this LCO applies to the bypass removal l feature only. If the bypass enable function is ! failed so as to prevent entering a bypass condition, operation may continue. Because the i trip setpoint has a floor value of 300 psia, a - channel trip will result if pressure is decreased below this setpoint without bypassing. l The bypass removal Allowable Value was chosen because MSLB events originating from below this setpoint add less positive reactivity'than that which can be compensated for by required SDM.
- 2. Containment Soray Actuation Sianal cS@
C"fS i; initi;t;d Ith r. ;il, _ v. t s.;ti;;11y. For en automatidtuation, it is necessary to have a Containment Pressure-High High signal, coincident with
^- an SIAS. The SIAS requirement should always be ) satisfied on a legitimate CSAS, since the Containment Pressure-High signal used in the SIAS will initiate before the Containment Pressure-High High. This ensures that a CSAS will not initiate unless required.
- a. Containment Pressure-Hiah Hiah 1 This LC0 requires four channels 'of Containment i Pressure-High High to be OPERABLE in MODES 1, 2, and 3.
The Allowable Value for this trip is set high enough to allow for first response ESF systems (containment cooling systems) to attempt to mitigate the consequences of an accident before resorting to spraying borated water onto containment equipment. The setting is low enough to initiate CSAS in time to prevent containment pressure from exceeding design. (continued) SAN ONOFRE--UNIT 3 B 3.3-88 AMENDMENT NO.
ESFAS Instrumentation B 3.3.5 1 BASES LC0 a. Steam Generator Pressure-Low (continued) The Allowable Value for this trip is set below the full load operating value for steam pressure so as not to interfere with normal plant operation. However, the settin to provide an MSIS (Function during 4)g is an high enough excessive steam demand event. An excessive steam demand event causes the RCS to cool down, resulting in a positive reactivity addition to . the core. ! HSIS limits this cooldown by isolating both steam generators if the pressure in either drops below the trip setpoint. An RPS trip on Steam Generator Pressure-Low is initiated simultaneously, using the same bistable. The Steam Generator Pressure-Low bistable output is also used in the EFAS logic.(Function 7) to aid in determining if a steam generator is intact. The Steam Generator Pressure-Low trip setpoint q may be manually' decreased as steam generator - ~
/ pressure is reduced. This prevents an RPS trip or MSIS actuation during controlled plant cooldown. The margin between actual p;;;3m :;= &
g pressure and the trip setpoint must be maintained less than or equal to the specified value of 200 psi to ensure a reactor tri and MSIS will occur when required. Tiu wi*L i = st to & % Is 6 t.eopsi, as % 61 j W wn.W p W
- 5. Recirculation ctuation Sianal
- a. Refuelino Water Storace Tank level-Low This LC0 requires four channels of RWST Level-Low to be OPERABLE in MODES 1, 2, 3, and 4.
The upper limit on the Allowable Value for this . trip is set low enough to ensure RAS does not initiate before sufficient water is transferred to the containment sump.. Premature recirculation-could impair the reactivity control function of safety injection by limiting the amount of boron injection.
. (continued)
SAN ONOFRE--UNIT 3 B 3.3-90 AMENDMENT NO.
ESFAS Instrumentation B 3.3.5 l BASES c LC0 c. Steam Generator Pressure-Low (continued) The Steam Generator Pressure-Low input is derived from the Steam Generator Pressure-Low RPS bistable output. This output is also used as an MSIS input. The Allowable Value for this trip is set below the full load operating value for steam pressure . so as not to interfere with nonnal plant operation. However, the settin to provide an MSIS (Function 4)ganis high enough during excessive steam demand event. An excessive steam demand is one indicator of a potentially ruptured steam generator; thus, this EFAS input, in conjunction with the SGPD Function, prevents the feeding of a potentially ruptured steam generator. Em c. Stcc;. Occc cctuc Irc=: Le:: (centMucd) O The Steam Generator Pressure-Low trip setpoint .
'I may be manually decreased as steam generator pressure is reduced. This prevents an RPS trip u] or MSIS actuation during controlled plant cooldown. The margin between actual 7;casuri:cr A ~
ph pressure and the trip setpoint must be maintained less than or equal to the specified value of 200 psi to ensure that a reactor trip and MSIS Mg 4 gccurgn required. Th. l~f wiil /wh% 1
~ 4 2., ( as aNw
%_ W - - h w "-' swr MebA A M uk 1 is &1 ,
y r' i r APPLICABILITY In MODES 1, 2 and 3 there is sufficient energy in the primary and secondary systems to warrant automatic ESF > System responses to:
. Close the main steam isolation valves to preclude a positive reactivity addition;
. Actuate emergency feedwater to preclude the loss of the steam generators as a heat sink (in the event the normal feedwater system is not available); ,
1
~. (continued)
SAN ON0FRE--UNIT 3 B 3.3-93 AMENDMENT N0. t
l ESFAS Instrumentation < B 3.3.5 BASES ACTIONS D.1 and D.2 (continued) per LC0 3.0.3, as explained in Condition B. Completion Times are consistent with Condition B. Ar- 4. hea s e~) u s, s
, g . g E.1 and ,.2 ,
gh A.,ub Se M f the Required Actions and associate i Completion Times of D Condition A, B, C, or D cannot be met, the plant must be M SA IMV brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least g3g g ~' art . _ _ -
) MODE 3 within 6 hours and to MODE 4 within 12 hours. The
%ht - M ' .~V allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full g;Ud power conditions in an orderly manner and without nging plant systems,
/oMitA2T-1 i SUR R 3.3.5.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 12 hours ensures
~}
that a gross failure of instrumentation has not occurret A CHANNEL CHECK is a comparison of the parameter indicc%i cn one channel to a similar )arameter on other channeh. 11. i s based on the assumption t1at instrument channels n nitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK : will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based ; on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the j sensor or the signal processing equipment has drifted i outside its limit. If the channels are within the match criteria, it is an indication that the channels are OPERABLE. The Frequency, about once every shift, is based on operating experience that demonstrates channel failure is rare. Thus, (continued) SAN ONOFRE--UNIT 3 B 3.3-99 /JiENDMENT N0.
- -...x .e a a.
4h..m.+-- m
- t I
l J lNSERT I _ F.t_a d J.L LC & ApLM khhs_aCenectm44. Qb _Tlas
.* wh_4Ac.,_ ,, _. o c. ~+ Lef__4 &
Recircuktw_ Ach4_Sp,_ 44.___pCa.) Mk , W9 6& ta a. p.oss __mhtec _ A Leo das u+ a:. u w ,- s_ n a u 4 ._3._m he,3t+__(, af- ha.sf Aeof_3 soin s 4 4,ar.s w_/n _ m w _ s_ _ wt A in 16 G a.. rh aesa_c psee~- Ti% % - M _ ut a so a h is , base A_ cm _ op+}.< . snpwieuee., b (A Ks aless pla d cauf Nior S .ln an
- _ _, 9 _ - a , _ a _ n ; u _ e w e. 7 ; 9 _ p . c p ,..
ee w _ra u 9 ^84-*
"*"W**'*W
- _ .m.mw. ,.,_w.-.. .eam.wa.4 N
em. .---e-%M ee e t
ESFAS Instrumentation B 3.3.5 BASES (continued) SURVEILLANCE SR 3.3.5.1 (continued) REQUIREMENTS perfo nc f the CHANNEL CHECK guarantees that undet te e- channel failure is limited to 12 hours. Since the robability of two random failures in redundant channe in any 12 hour period is low, the CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during nomal operational use of displays associated with the LCO required channels. SR 3.3.5.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure the entire channel will perfonn its intended function when needed. The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and 3 SR 3.3.6.2, tests the entire ESFAS from the bistable input s / through the actuation of the individual subgroup relays. These overlapping tests are described in Reference 1. SR 3.3.5.2 and SR 3.3.6.1 are nomally perfonned together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized. These tests verify that the ESFAS is capable of performing its intended function,.from bistable input through the actuated components. SRs 3.3.6.1 and 3.3.6.2 are addressed in LCO 3.3.6. SR 3.3.5.2 includes bistable tests. A test signal is superimposed on the input in one channel at a time to verify that the bistable trips within the s)ecified tolerance around the setpoint. 'This is done with t1e affected PPS trip channel bypassed. SR 3.3.5.3 and SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the instrument channel including the detector and the bypass removal functions. The Surveillance verifies that the channel (continued)
- ]
SAN ONOFRE--UNIT 3 B 3.3-100 AMENDMENT N0.
ESFAS Instrumentation B 3.3.5 BASES (h) SURVEILLANCE SR 3.3.5.3 and SR 3.3.5.4 (continued) REQUIREMENTS responds to a measured parameter within the necessary range and' accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive surveillances. Measurement error determiration, setpoint error detennination, and calibration adjmtt.ent must be perfonned consistent with the plant specific setpoint analysis. The channel shall be left calibrated consistent with the assumptions of the current plant specific setpoint analysis. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.
/
SR 3.3.5.5 This Surveillance ensures that the train actuation response
~
times are within the maximum values assumed in the safety l analyses. l _. -) . Response time testing acceptance criteria are included in i Reference 10. l l ESF RESPONSE TIME tests are conducted on a STAGGERED TEST BASIS of once every 24 months. The 24 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. se 3.s.s. A SR 3.3.5.6 is a CHANNEL FUNCTIONAL TEST similar to SR 3.3.5.2, except SR 3.3.5.6 is perfonned within 92 days prior to startup and is only applicable to bypass functions. Since the Pressurizer Pressure-Low bypass is identical for both the RPS and ESFAS, this is the same Surveillance performed for the RPS in SR 3.3.1.13. (continued) SAN ONOFRE--UNIT 3 B 3.3-101 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 BASES BACKGROUND - Matrix Logic, (continued) - Initiation Logic (trip paths), and
- Actuation Logic.
This LC0 addresses ESFAS Logic. Bistables and measurement channels are addressed in LC0 3.3.5, " Engineered Safety Features Actuation System (ESFAS) Instrumentation." The role of the measurement channels and bistables is described in LCO 3.3.5. The role of the ESFAS Logic is described below. ESFAS Loaic I The ESFAS Logic, consisting of Matrix, Initiation and Actuation Logic, employs a scheme that provides an ESF actuation of both trains when bistables in any two of the four channels sense the same input parameter trip. This is called a two-out-of-four trip logic. Bistable relay contact outputs from the four channels are configured into six Matrix Logics. Each Matrix Logic checks
^
for a coincident trip in the same parameter in two bistable l channels. The matrices are designated the AB, AC, AD, BC, BD, and CD matrices, to reflect the bistable channels being monitored. Each Matrix Logic contains four normally energized matrix relays. When a coincidence is detected in the two channels being monitored by the Matrix Logic, all four matrix relays de-energize. The matrix relay contacts are arranged into tri) paths, with one lay contact from each matrix relay in eac1 of the four rip pa Each trip path controls two initiation relays. Each of tne two initiation relays in each trip path controls j A contact /intheActuationLogicforonetrainofESF. I Eacha e two channels of Actuation Logic, mounted in the ufiliary Relay Cabinets (ARCS), is responsible for actuating one train of ESF' equipment. Each ESF Function has separate Actuation Logic in each ARC. The contacts from the Initiation Logic are configured in a selective two-out-of-four logic in the Actuation Logic, similar to the configuration employed by the RPS in the RTCBs. This logic controls ARC mounted subgroup relays, (continued) SAN ONOFRE--UNIT 3 B 3.3-104 AMENDMENT N0.
i ESFAS Logic and Manual Trip B 3.3.6 BASES i BACKGROUND ESFAS loqic (continued) ] channel at a time. An interlock prevents simultaneous trip channel bypassing of the same parameter in more than one i channel. Trip channel bypassing is nonnally employed during maintenance or testing. Trip channel bypassing is addressed in LC0 3.3.5. Manual ESFAS initiation capability is provided to permit the , Syst Aoperator s.rupw to#manually actuate das an w ES:kaw.,em when necessary4 M S s.k(cL M Wh b.c. Two sets of two push butt _ons (1 tedinthecontrolroom)pde%% , foreachESFFunctiordTeprovid_ and each set actuates bothtrainsgceptivi ruu) Each Manual Trip push button opens one t 4 p a n, ae-energizing one set of two initiation relays, one affecting each train of ESF. Initiation relay contacts are arranged in a selective two-out-of-four configuration in the Actuation Logic. By arranging the push buttons in two sets of two, such that both pu.sh buttons in a set must be depressed, it is possible to ensure that Manual Trip will not be prevented in the event of a single random failure. Each set of two push buttons is' designated a single channel in this LCO. >
] ~'
W,M 46m . RAS does not have manual pushbuttons on the Control Room panels.J RAS manual actuation 4e-available from the
@ Q3 g, Manual pushbuttons on the ESFAS panels. These pushbuttons wcLJA N operate contacts in the Actuation Logic, so Initiation Logic '
p is not required for a manual actuation. h gbM n sk swss M in L W.J y J s APPLICABLE Each of the analyzed accidents can be detected by one or SAFETY ANALYSES more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. ESFAS Functions are as follows:
- 1. Safety In.iection Actuation Signal SIAS ensures acceptable consequences during large l break loss of coolant accidents (LOCAs), small break ;
(continued) SAN ONOFRE--UNIT 3 8 3.3-106 AMENDMENT NO. l l
ESFAS Logic and Manual Trip B 3.3.6 BASES APPLICABLE 1. Safety In_iection Actuation Signal (continued) SAFETY ANALYSES LOCAs, control element assembly ejection accidents, SJ Ob .gndgn steam nd line breaks (MSLBs) inside or outside
% Wh containmen g To provide the required protection, either a high containment pressure or a low pressurizer pressure signal will initiate SIAS. SIAS initiates the Emergency Core _ Cooling Systems (ECCS) and performs several other Functions, such as initiating a containment coolin'g actuation, initiating control room isolation, and starting the diesel generators.
- 2. Containment Isolation Actuation Signal CIAS ensures acceptable mitigating actions during large and small break LOCAs and during MSLBs or feedwater line break: (FWLBs) inside containment.
CIAS is initiated by high containment pressure.
- 3. Containment Coolina Actuation Sianal CCAS mitigates containment overpressurization when
) required by either a manual CCAS actuation or an automatic SIAS Function.
- 4. Recirculation Actuation Signal At the end of the injection phase of a LOCA, the refueling water storage tank (RWST) will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. Switchover from RWST to containment sump must occur before the RWST empties to prevent damage to the ECCS pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support pump suction.
Furthennore, early switchover must not occur to ensure sufficient borated water is injected from the RWST to ensure the reactor remains shut down in the recirculation mode. An RWST Level-Low signal initiates the. RAS. f i l 7 (continued) SAN ON0FRE--UNIT 3 B 3.3-107 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 ! BASES APPLICABLE 5. Containment Spray Actuation Sianal g ;;, s u s SAFETY ANALYSES (continued) CSAS actuates containment spray, preventin containment overpressurization during lar e break LOCAs, small break LOCAs, and MSLBs or LBs inside containment. CSAS is initiated by hi high containment pressure and a coinciden . This configuration reduces the likelihood of inadvertent containment spray.
- 6. Main Steam Isolation Signal ;
MSIS ensures acceptable consequences during an MSLB either inside or outside containment or FWLB (between the steam generator and the main feedwater check valve). MSIS isolates both steam generators if either generator indicates a low pressure condition. This prevents an excessive rate of heat extraction and subsequent cooldown of the RCS during these events. 7, 8. Emeroency Feedwater Actuation Sional (SG) specific
,) ^ EFASA sists of two str = ; .; . .
signals (EFAS-1 and EFAS-2);. EFAS-1 initiates-emergency feed to SG #1, and EFAS-2 initiates emergency feed to SG #2. p M .A:m M
- Q w :: "')
M EFASamaTntains a ster ;--- -tMheat sink during e g st k. T M : n ;;,.c.. = t i m-t"-= a"a"+ '-d an MSLB or FWLB M I W)
* ,(f; O %ay N
vent ei her insideor w%(e-L or outside+conJainment# Low s eam generator water level initiates emergeYc=y lo% h w.p Wal. feed to the affected steam generator, providin generator is not identified (by the circuitry)g as the GM- faulted (an MSLB or FWLB). EFAS logic includes steam generator specific inputs y from the Steam Generator Pressure-Low bistable comparator (also used in MSIS) and the SG Pressure Difference-Migh (SG #1 > SG #2 or SG #2 > SG #1, bistable comparators) to determine if a rupture in either generator has occurred. Rupture is assumed if the affected generator has a low pressure condition, unless that generator is (continued) (~ ) e SAN ONOFRE--UNIT 3 B 3.3-108 AMENDMENT N0.
ESFAS Logic and Manual Trip i B 3.3.6 BASES APPLICABLE 7, 8. Emeroency Feedwater Actuation Signal (continued) SAFETY ANALYSES significantly higher in pressure than the other generator. This latter feature allows feeding the intact steam generator even if both are below the MSIS setpoint, while preventing the ruptured generator from being fed. Not feeding a ruptured generator prevents containment overpressurization during the analyzed events. The ESFAS satisfies Criterion 3 of the NRC Policy Statement. LC0 The LCO requires all channel components necessary to provide an ESFAS actuation to be OPERABLE. The requirements for each Function are listed below. The reasons for the applicable MODES for each Function are addressed under APPLICABILITY. ']
- 1. Safety Iniection Actuation Sion A,g g ;,, , f g
Automatic SIAS is required M in444ete CCAS and CSAS. Automatic SIAS occurs in Pressurizer Pressure-Low or Containment Pressure-High and is explained in Bases ; 3.3.S.
- a. Manual Trio ,
This LC0 requires two channels of SIAS Manual Trip to be OPERABLE in MODES 1, 2, 3, and 4.
- b. Matrix Looic This LC0 requires six channels of SIAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
- c. Initiation Loaic i
This LC0 requires four channels of SIAS i Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4. l (continued) & I SAN ONOFRE--UNIT 3 B 3.3-109 AMENDMENT NO. I
I ESFAS Logic and Manual Trip B 3.3.6 BASES r] LC0 d. Actuation Loaic I (continued) This LC0 requires two channels of SIAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4.
- 2. Containment Isolation Actuation Sional w=A j For Containment Pre re-High, the SIAS and CIAS '
share the same channels, bistables, and matrices and matrix relays. The remainder of the-initiation i channels, the manual channels, and the Actuation Logic ! are separate. Since their applicability is also the ! same, they have identical actions. j
- a. Manual Trio l This LCO requires two channels of CIAS Manual ,
Trip a 6 unannei:, oi 51A3 nanua; T. rto be j OPERABLE in MODES 1, 2, 3, and 4.
- b. Hatrix Loaic
. This LC0 requires six channels of CIAS Matrix Logic to be OPERABLE in MODES 1, 2, and 3.
- c. Initiation Loaic This LC0 requires four channels of CIAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, and 4. j
- d. Actuation loaic This LCO requires two channels of CIAS Actuation 1 Logic to be OPERABLE in MODES 1, 2, 3, and'4. l
- 3. Containment Coolina Actuation Sianal ..
nut- aba*Cf p Y ~ The CCAS Function saa be m..= M y actuated on an/SIAS. It can also be manually actuated using two channels of CCAS push buttons, configured similarly to all other ESFAS Manual Trips except for RAS. CCAS therefore l shares the SIAS l l (continued) '
.\
v SAN ONOFRE--UNIT 3 B 3.3-110 AMENDMENT NO.
n ESFAS Logic and Manual Trip 8 3.3.6 O 8^S'S LC0 3. Containment Coolina Actuation Sianal (continued) W r = r4 channels, bistables, coincidence matrices, and matrix relays. It has separate manual channels and Actuation Logic,
- a. Manual Trio e
This LC0 requires two channels of CCAS Manual g M g STAS Trip ;r !!",S tr.ual T.-Q to be OPERABLE in NS # wiess fe. 1 MODES 1, 2, 3, and 4. g g 3ggr , ek d5 *f # d /. Initiation Loaic g,, Pt k ceA5 bk i l ;, woes 132 , .%4 5
# tv *W3 This LC0 requires four channels of CCAS Initiation Logic to be OPERABLE in MODES 1, 2, 3, W Y, a leiWah Y "5
t and 4. ~ 4-Seetien.$. e, /. Actuation Loaic g, - Mosix. LWc~ This LC0 requires two hhannels of CCAS Actuation Logic to be OPERABLE in MODES 1, 2, 3, and 4. t Q s t.c o $ *!<*o 8 h c b a*(5
' of, SWs gaW Lejc b b
-; ogg pg,g 1e, p.eonsb isd l 3<
- 4. Re, irculation Actuation Sic nal
- a. Matrix Loaic w t This LC0 requires six channels of RAS Matrix 4,. cW%(s of SW5 j L gic to be OPERABLE in MODES 1, 2, -a*4 3dpaad 4. l
- p. g, t, c, ae , .(s o
;, s. )~ M I ' b. Initiation Loaic ekesul *f 4ese 5*h e* 'g s j This LCO requires tmrachannels of RAS uAs l e iet h ' L*$1G 9 Initiation,t.ogic to be OPERABLE in MODES 1, 2, 3, ,
- and 4. 4 '
yc,kannek g g , of %Wg ,b b'$ $' Actuation loaic , s This LC0 requires two channels of RAS Actuation ! Logic to be OPERABLE in MODES 1, 2, 3,-and 4.
- 5. Containment Sorav Actuation Sional l
CSAS is initiated either manually or automatically. For an automatic actuation it is necessary to have a
~ (continued)
U' B 3.3-111 AME!1DME!1T NO. SAN ON0FRE--UNIT 3
ESFAS Logic and Manual Trip B 3.3.6 O BASES LC0 5. Containment Soray Actuation Sianal (continued) Containment Pressure-High High signal, coincident with
, g . ]QTn2SIAS. The SIAS requirement should always be satisfied on a legitimate CSAS, since the Containment Pressure-High signal used in the SIAS will initiate before the Containment Pressure-High High input signal to CSAS. This ensures that a CSAS will not initiate unless required.
- a. Manual Trio This LCO requires two channels of CSAS Hanual Trip to be OPERABLE in MODES 1, 2, and 3.
- b. Automatic SIAS (Function 1)
This LC0 requires four channels of Automatic'SIAS input to CSAS to be OPERABLE in MODES 1, 2 and
.4 io. 3cPas. .h,&J.1+
- .~s.* Ob'3 Aa* kic The Automatic SIAS occurs on Pressurizer Pressure-Low or Containment Pressure-High and is a> explained above.
- c. Hatrix Loaic M
eksds of M Aam This LC0 requires six channels of CSAS Logic to be OPERABLE in H0 DES 1, 2, and 3. EL Matrix L@d m4. e,uwt. N w htiws m.9lu4 w14 M k *** W fa disable t4IVcer +/* y*
'd. 7 nitiation loaic CkA**46 Cnu.Crks eusMus .
This LCO requires four channels of CSAS I d e b . % 38 a far- ekamufs efSH$ Initiation Logic to be OPERABLE in H0 DES 1, 2, and 3. mil.n,of i4 c4a w C es S MS I 4 nt h Q tc q daaW. A cessgl5 ekam( of cs4s k%h. i e. Actuation Loaic , %4 . This LCO requires two channels of CSAS Actuation Logic to be OPERABLE in MODES 1, 2, and 3. Q (continued) SAN ON0FRE--UNIT 'R 2 B 3.3-112 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 BASES APPLICABILITY . Actuate emergency feedwater to preclude the loss of (continued) the steam generators as a heat sink (in the event the nonnal feedwater system is not available);
. Actuate ESF systems to prevent or limit the release of fission product radioactivity to the environment by isolating containment and limiting the containment pressure from exceeding the containment design pressure during a design basis LOCA or MSLB; and
. Actuate ESF systems to ensure sufficient borated inventory to pennit adequate core cooling and reactivity control during a design basis LOCA or MSLB accident.
In MODES 4, 5, and 6, automatic actuation of these Functions is not required because adequate time is available to evaluate plant conditions and respond by manually operating the ESF components if required. < at.k a k V ESFAS hJ T,-?p capability is required in MODE 4 for SIAS, f CIAS, CCAS, and RAS even though automatic actuation is not bO Because of the large number of components ., p g ,eccAS 11Muire4{by actuated these Functions, ESFAS actuation is simplified v r aaM4" J gas.e use of the Manual Trip push bpttopsp 4 sas,crAS,W$
- Mi gp
,MI , anCEFASYve reilii8v
% m l'eW.omponents, 44%,h which c p.
can be actuated individually if required in MODE 4, and the systems may be disabled or reconfigured, making system level Manual Trip impossible and unnecessary. g, ctg M, _ automatic The ESFAS logic must be OPERABLE in the same MODES as the and Manual Trip. In MODE 4, only the portion of thegSFAS logic responsible for the required Manual Trip W must be OPERABLE. In MODES 5 and 6, the systems initiated by ESFAS are either reconfigured or disabled for shutdown cooling operation. Accidents in these MODES are slow to develop and would be mitigated by manual operation of individual components. l l ACTIONS When the number o' ,1 operable channels in a trip Function exceeds those specii ed in dny related Condition associated with the same tr u f_nction, then the plant is outside the e i (continued) O SAN ON0FRE--UNIT 3 B 3.3-116 AMENDMENT NO.
ESFAS Logic and Manual Trip B 3.3.6 s %., f BASES ACTIONS safety analysis. Therefore, LCO 3.0.3 should be entered (continued) immediately, if applicable in the current MODE of operation. A Note has been added to the ACTIONS to clarify the application of the Ccmpletion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Time for the inoperable channel of a Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function. A.1 Condition A applies if one Matrix Logic channel is inoperable. Since matrix power supplies in a given matrix g (e.g., AB, BC, etc.) are common to all ESFAS Functions, a
" single ksk sd @ ower w sup &mply failureJ IV may V affect 'n-mor than one ma Failures of individual bistables and their relays are considered measurement channel failures. This section describes f.ailures of the Matrix Logic not addressed in the above, such as the failure of matrix relay power supplies, or the failure of the trip channel bypass contact in the bypass condition. Loss of a single vital bus will de-energize one of the two power supplies in each of three matrices. This will result in two initiation circuits de-energizing, reducing the ESFAS Actuation Logic to a l one-out-of-two logic in both trains.
This Condition has been modified by a Note stating that for the purposes of this LCO, de-energizing up to three matrix power supplies due to a single failure, such as loss of a vital instrument bus, is to be treated as a single matrix channel failure, providing the affected matrix relays de-energize as designed. Although each of the six matrices within an ESFAS Function uses separate power suppli'es, the matrices for the different ESFAS Functions share power ; supplies. Thus, failure of a matrix power supply may force entry into the Condition specified for each of the affected ESFAS Functions. The channel must be restored to OPERABLE status within 48 hours. This provides the operator with time to take appropriate actions and still ensures that any risk involved in operating with a failed channel is acceptable. Operating () s_ (continued) SAN ON0FRE--UNIT 3 B 3.3-117 AMENDMENT NO. i
ESFAS Logic and Manual Trip B 3.3.6 gn 11 BASES ACTIONS A.1 (continued) I l experience has demonstrated that the probability of a random failure of a second Matrix Logic channel is low during any given 48 hour period. If the channel cannot be restored to OPERABLE status with 48 hours, Condition E or Condition F, as appropriate, is entered. B.1 l Condition B applies to one Manual Trip or Initiation Logic channel inoperable.c The channel must be restored to OPERABLE status within 48 hours. Operating experience has demonstrated that the probability of a random failure in a second channel is low during any given 48 hour period. Failure of a single Initiation Logic channel may open one contact affecting both Actuation Logic channels. For the purposes of this Specification, the Actuation Logic is not inoperable. This prevents the need to enter LC0 3.0.3 in the event of an Initiation Logic channel failure. The Actions differ from those involving one RPS manual channel inoperable, because in the case of the RPS, opening RTCBs can be easily performed and verified. Opening an initiation relay contact is more difficult to verify, and subsequent st u t Eg~of th % tact is always possible. (A)$cfX 4S 1a Ccndition C applies to the failure of both Initiation Logic channels affecting the same trip leg. In this case, the Actuation Logic channels are not inoperable, since they are in one-out-of-two logic and capable of performing as required. This obviates the need to enter LC0 3.0.3 in the event of a matrix or vital bus power failure. Both Initiation Logic channels in the same trip leg will-de-energize if a matrix power supply or vital instrument bus is lost. This will open the Actuation Logic contacts, (' - (continued)
%,))
SAN ONOFRE--UNIT 3 B 3.3-118 AMENDMENT NO.
u__
, ,., e
)
3ASEWT 2/_3 i ' For the EFAS function only, the contact This will opened cause must the be invalve cycling series with the Interposing relay. L a actuated by that relay to go to the open position and remain there, and will cause a contact to open in series with the subgroup relays. opening only the contact in series with the subgroup relays would preserve the ability to deenergize the subgroup relays, but would leave the cycling valve unable to go ' to the EFAS actuated position. With one EFAS cycling valve held open by a deenergized EFAS Interposing relay, an MSIS actuation will not be able to takeOther that cycling valve to its MSIS actuated position (closed) . MSIS actuated valves will prevent feeding the affected steamThis generator, but there will only be single valve isolation. single ~ valve isolation is acceptable for_the short ceriod of time allowed to restore _the channe.L l 5 I I I i 1 t i
'.i.
1 1 l I 4. h T.
- L:
e,
~5
~.
+
e;
'" i
ESFAS Logic and Manual Trip B 3.3.6 . t i BASES l' 4 i ACTIONS D.1 (continued) Failure of a single Initiation Logic channel, matrix channel ! power supply, or vital instrument bus may open one or both l contacts in the same trip leg in both Actuation Logic channels. For the purposes of this Specification, the ! Actuation Logic is not inoperable. This obviates the need ; to enter LCO 3.0.3 in the event of. a vital bus, matrix, or , initiation channel failure. l Required Action D 1 is modified by a Note to indicate that one channel of Actuation Logic may be bypassed for up to I hour for Surveillance, provided the other channel is . OPERABLE. This allows perfonnance of a PPS CHANNEL FUNCTIONAL TEST on \' an OPERABLE ESFAS train without generating an ESFAS actuation in the inoperable train. ; E.1 and E.2 e343 . If the Required Actio and associated Completion Times of ! Conditions for MSIS, or EFAS cannot be met, the plant must i be brought to a MODE in which the LCO does not apply. To l achieve this status,.the plant must be brought to at least : I MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating i experience, to reach the required plant conditions from full : power conditions in an orderly manner and without , challenging plant systems. j i F.1 and F.2 ) If the Required Actions and associated Completion Times for SIAS, CIAS, RAS, 49*S or CCAS are not met, the plant must , l be brought to a MODE in which the LCO does not apply. To { achieve this status, the plant must be brought to at least !
. MODE 3 within 6 hours and to MODE 5 within 36 hours. The !
allowed Completion Times are reasonable, based on operating experience ~, to reach the required plant conditions from full. i power conditions in an orderly manner and without ! challenging plant systems. i (continued)- l l 3 V} ; SAN ONOFRE--UNIT 3- B 3.3-120 AMENDMENT NO. ; i i
ESFAS Logic and Manual Trip B 3.3.6 BASES (continued) SURVEILLANCE SR 3.3.6.1 ) i REQUIREMENTS A CHANNEL FUNCTIONAL TEST is perfomed every 92 days to ensure the entire channel will perfom its intended function ; when needed. ! The CHANNEL FUNCTIONAL TEST is part of an overlapping test sequence similar to that employed in the RPS. This i sequence, consisting of SR 3.3.5.2, SR 3.3.6.1, and l SR 3.3.6.2, tests the entire ESFAS from the bistable input : through the actuation of the individual subgroup relays. i These overlapping tests are described in Reference 1. ) SR 3.3.5.2 and SR 3.3.6.1 are normally perfomed together and in conjunction with ESFAS testing. SR 3.3.6.2 verifies that the subgroup relays are capable of actuating their respective ESF components when de-energized. These tests verify that the ESFAS is capable of perfoming its intended function, from bistable input through the actuated components. SR 3.3.5.2 is addressed in LCO 3.3.5. SR 3.3.6.1 includes Matrix Logic tests and trip path (Initiation Logic) tests. Matrix locic Tests l These tests are perfomed one matrix at a time. They verify ! that a coincidence in the two input channels for each function removes power to the matrix relays. During
@D 'tustTiig","2 power is applied to the matrix relay test coils, preventing the matrix relay contacts from assuming their da energized state. The Matrix Logic tests will detect any short circuits around the bistable contacts in the coincidence logic, such as may be caused by faulty bistable relay or trip channel bypass contacts.
Trio Path (Initiation loaic) Tests l 1 These tests are similar to the Matrix Logic tests, except that test )ower is withheld from one matrix relay at a time, allowing t1e initiation circuit to de-energize, opening one contact in each Actuation Logic channel.
- The initiation circuit lockout relay must be reset (except for EFAS, which lacks initiation circuit lockout relays) prior to testing the other three initiation circuits, or an ESFAS actuation may result.
(continued) SAN ON0FRE--UNIT 3 B 3.3-121 AMENDMENT NO. l
ESFAS Logic and Manual Trip B 3.3.6 ym ' BASES SURVEILLANCE Trio Path (Initiation Loaic) Tests (continued) REQUIREMENTS Automatic Actuation Logic operation is verified during Initiation Logic testing by verifying that current is interrupted in each trip leg in the selective two-out-of-four actuation circuit logic whenever the initiation relay is de-energized. A Note is added to indicate that testing of Actuation Logic shall include verification of the proper operation of each initiation relay. The Frequency of 92 days is based on the reliability analysis presented in topical report CEN-327, "RPS/ESFAS Extended Test Interval Evaluation" (Ref. 2). SR 3.3.6.2 get___
'D~)
*5Y #
[IndividualESFASsubgrouprelaysmusta4sebetested,oneat i a time, to verify the individual ESFAS components will gg._ c, ( actuate when required. Proper operation of the individual g i subgroup r.!1ays is verified by de-energizing each relay in cM r
@esponse outo .c a mtestonesignal,de
.m m m m a =t c )nnectedmcomponent gi m i.. or pair of 4 1 & M3 j
% f._
_,,mu contacts is observed to acjuate when the relay deenergizes. qN The 184 day Frequency is based on operating experience and ensures individual relay problems can be detected within this time frame. The actual justification is based on CEN-403, " Relaxation of Surveillance Test Interval for ESFAS Subgroup Relay Testing" (Ref. 3). 4 def$ c~fm Some components cannot be tested at power since their k 4csf S,h )
~
actuation might lead to plant trip or equipment damage. Reference 1 lists those relays exempt from testing at power,
.L. with an explanation of the reason for each exception.
M#GD Relays not tested at power must be tested in accordance with 4 (ud the Note to this SR. SR 3.3.6.3 A CHANNEL FUNCTIONAL TEST ir performed on the manual ESFAS actuation circuitry, de-enerjizing relays and providing manual actuation of the function. SURVEILLANCE SR 3.3.6.3 (continued) i ) (continued) U _ SAN ONOFRE--UNIT 3 B 3.3-122 AMENDMENT N0.
ESFAS Logic -and Manual Trip i B 3.3.6 l [~ t - i BASES , This test verifies that theatrip push buttons are capable of 1' opening contacts in the Actuation Logic as designed. The 24 month Frequency is based on the need to perform this
- Surveillance under the conditions that' apply during a plant' i outage and the potential for an unplanned transient if-the !
Surveillance were performed with the reactor at power. ! Operating experience has shown these components usually pass the Surveillance when performed at a Frequency of once every 24 months. i REFERENCES 1. SONGS Units 2 and 3 UFSAR, Section 7.3. .
-i
- 2. CEN-327, May 1986, including Supplement 1, March 1989. ,
i
- 3. CEN-403, j i
h i i h e i
?
l t
-j
?
i
' ^ '
1 < Ai _l SAN ONOFRE--UNIT 3 B 3.3-123 AMENDMENT NO. E r , -
. - - -- - - ~ - y
DG - LOVS j B 3.3.7 l ( B 3.3 ( INSTRUMENTATION B 3.3.7 Diesel Generator (DG)-Loss of Voltage Start (LOVS) BASES BACKGROUND The DGs provide a source of emergency power when offsite power is either unavailable or insufficiently stable to allow safe unit operation. Undervoltage protection will generate a LOVS in the event a Loss of Voltage or Degraded Voltage condition occurs. There are two LOVS Functions for each 4.16 kV vital bus. Four undervoltage relays with inverse time characteristics are provided on each 4.16 kV Class 1E instrument bus ice the purpose of detecting a loss of bus voltage. Four - undervoltage relays with definite time characteristics are provided for the purpose of detecting a sustained degraded voltage condition. The relays are combined in a two-out-of-four logic to generate a LOVS if the voltage is below 75% for a short time or below 90% for a long time. . The LOVS initiated actions are described in "0nsite Power Systems" (Ref. 1). Trio Setooints and Allowable Values The trip setpoints and Allowable Values are based on the ., analytical limits presented in " Accident Analysis," Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and. processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, and instrument drift, Allowable Values %;iied m F ; p. o 2.? ? 1 =re conservatively adjusted with respect to _ the analytical limits. The actual nominal trip setpoint is normally still more conservative than that required by the plant specific setpoint calculations. If the measured trip-setpoint does not exceed the documented Surveillance acceptance criteria, the undervoltage relay is considered OPERABLE. ; Setpoints in accordance with the Allowable Values will ' ensure that the consequences of accidents will be acceptable, providing the plant is operated from within the LCOs at the onset of the accident and the equipment functions as designed. (continued) - SAN ON0FRE--UNIT 3 8 3.3-124 ' AMENDMENT N0. t
DG - LOVS B 3.3.7 BASES ACTIONS Note 1 was added to ensure review by the Onsite Review (continued) Committee is performed to discuss the desirability of maintaining the channel in the bypassed condition. A.1 and A.2 Condition A applies if one channel is inoperable for one Function per DG bus. ; If the channel cannot be restored to OPERABLE status, the affected channel should either be bypassed or tripped within 1 hour (Required Action A.1). Placing this channel in either Condition ensures that logic is in a known configuration. In trip, the LOVS Logic is one-out-of-three. In bypass, the LOVS Logic is two-out-of-three, r d ir.tc.lv a:, pievcm M n; ;f :. a and-ch - :1 fer t': ff::t:d F=:tica. The 1 hour Completion Time is sufficient to perfonn these Required Actions. Once Required Action A.1 has been complied with, Required
- Action A.2 allows prior to entering MODE 2 following the 1 next MODE 5 entry to repair the inoperable channel. If the channel cannot be restored to OPERABLE status, the plant cannot enter MODE 2 following the next MODE 5 entry. The time allowed to repair or trip the channel is reasonable to repair the affected channel while ensuring that the risk involved in operating with the inoperable channel is l acceptable. The prior to entering MODE 2 following the next l MODE 5 entry Completion Time is based on adequate channel independence, which allows a two-out-of-three channel operation since no single failure will cause or prevent a reactor trip.
B.1 and B.2 Condition B applies if two channels are inoperable for one Function. The Required Action is modified by a Note stating that LCO 3.0.4 is not applicchis. The Note was added to allow the changing of MODES even though two channels are inoperable, with one channel bypassed and one tripped. In this configuration, the protection system is in a r' (continuedi SAN ON0FRE--UNIT 3 B 3.3-128 AMENDMENT NO.
I l DG - LOVS i 8 3.3.7 i r s. BASES ACTIONS B.1 and B.2 (continued) l one-out-of-two logic, which is adequate to ensure that no random failure will prevent protection system operation. If the channel cannot be placed in bypass or trip within I hour, the Conditions and Required Actions for the associated DG made inoperable by DG-LOVS instrumentation are required to be entered. Alternatively, one affected channel is required to be bypassed and the other is tripped, in accordance with Required Action B.2. This places the Function in one-out-of-two logic. The 1 hour Completion Time is sufficient to perform the Required Actions. af d i One of the two inoperable channels will need to be re tored to OPERABLE status prior to the next required CHAN FUNCTIONAL TEST because channel surveillance tes g on an OPERABLE channel requires that the OPERABLE ch nel be placed in bypass. However, it is not P"BL to bypass more than one DG-LOVS channel, and placing a second channel in trip will result in a loss of voltage diesel start signal. Therefore, if one DG-LOVS channel is in trip and a second channel is in bypass, a third inoperable channel . would place the unit in LC0 3.0.3. After one channel is restored to OPERABLE status, the provisions of Condition A still apply to the remaining inoperable channel. ' C.1 Condition C applies when more than two undervoltage or Degraded Voltage channels on a single bus are inoperable. Required Action C.1 requires all but two channels to be restored to OPERABLE status within 1 hour. With more than two channels inoperable, the logic is not capable of providing the DG-LOVS signal for valid Loss of. Voltage or Degraded Voltage conditions. The 1 hour Completion Time is reasonable to evaluate and take action to correct the degraded condition in an orderly manner = and takes into account the low probability of an event requiring LOVS occurring during this interval. 7 (continued) SAN ONOFRE--UNIT 3 B 3.3-129 AMENDMENT N0. ,
l' CPIS B 3.3.8 BASES LC0 b. Airborne Radiation and Containment Area Radiation (continued) The LC0 on the radiation channels requires that each channel be OPERABLE for each Actuation Logic channel, since they are'not totally redundant to each other. Th'e trip setpoint of twice background is selected to allow detection of small deviations from nonna r.dThe absolute value of the trip setpoint'in M00 @6 differs from the setpoint in MODES 1,.2, 3, and 4 so that a fuel handling accident can be detected in the lower O,+y %background Ceauw men e radiation expected in-there M
- c. ()prsza m n 00e.ns inoce e Do :
Actuation loaic (gaw pe,n-)p4,aw A ir tur n c. g+.apaen mo ne t rn;mA One channel of Actuation Logic is required, since the Wh6; M $5 valves can be shut independently of the CPIS signal either manually.from the control room or using either the SIAS or CIAS push button. l t APPLICABILITY In MODES 1, 2, 3, and 4, the minipurge valves may be open. In these MODES, it is necessary to ensure the valves will shut in the event of a primary leak in containment whenever - i
~
any of the containment purge valves are open. With the purge valves open during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, a fuel handling accident would require CPIS on high radiation in containment. The APPLICABILITY is modified by a Note, which states that l the CPIS Specification is only required when the penetration is not isolated by at least one closed and de-activated ! automatic valve, closed manual valve, or blind flange. je 1 i (continued) SANONOFRE--UNIT 1,2 B3.3-13% AMENDMENT N0.
CPIS B 3.3.8 BASES
- b. Airborne Radiation and Containment Area Radiation LC0 oue (continued) The LCO on the radiation channels requires that-each ,
channel be OPERABLE for each Actuation Logic channel since-they are~not-tota 11y redundant to-eac-h-ot The trip setpoint of twice background is selected to The allow detection of small deviations from normal. absolute value of the trip setpoint in MODES 5 and 6 differs from the setpoint in MODES 1, 2, 3, and 4 so that a fuel handling accident can be detected in the lower background radiation expected in these MODES.
- c. Actuation Loaic One channel of Actuation Logic is required, since the valves can be shut independently of the CPIS signal either manually from the control room or using either the SJAS or CIAS push button.
APPLICABILITY In MODES 1, 2, 3, and 4, the minipurge valves may be open. In these MODES, it is necessary to ensure the valves will shut in the event of a primary leak in containment whenever any of the containment purge valves are open. , With the purge valves open during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, a fuel handling accident would require CPIS on high radiation in containment. The APPLICABILITY is modified by a Note, which states that the CPIS Specification is only required when the penetration is not isolated by at least one closed and de-activated automatic valve, closed manual valve, or blind flange. l l l i (con'tinued) ( B 3.3-135 AMENDMENT NO. SAN ON0FRE--UNIT 3 i
w' . . ,: . CRIS B 3.3.9 BASES (continued)* _ This test ve'rifies that the trip push buttons are capable of openi.ng contacts in the Actuation Logic as designed, L' i (continued) l
+)
AMENDMENT NO. B 3.3-148 SAN ONOFRE--UNIT D ( 1
CRIS. B 3.3.9 BASES (continued) h.- SURVEILLANCE SR 3.3.9.5 (continued) REQUIREMENTS de-energizing the inittation relays and providing Manual The 18 month Frequency is based on Trip of the function.the need to perform this Surveillancel under that apply during a plant outage and the potential for an ! unplanned transient ifOperating. the Surveillance were perfonned with experience has shown these j - the reactor at power. 1 components usually pass the Surveillance when performed at a Frequency of once every 18 months.
- 1. SONGS Units 2 and 3 UFSAR, Chapter 15.
REFERENCES
- 2. PPS Selection of Trip Valves Document.
- 3. 10 CFR 50, Appendix A, GDC 19.
=
,,...m m*==*=* " " '
N8' Pp 'fM oweb g%g 0AA . 4 s AMENDMENT NO. B 3.'3-149
-SAN ONOFRE--UNIT N .
FHIS B 3.3.10 .; 8 3.3 INSTRUMENTATION B 3.3.10 Fuel Handling Isolation Signal (FHIS) i BASES BACKGROUND This LCO encompasses FHIS, which actuation / is a plant I specific instrumentation channelAhat performs an actuation . Function required for plant protection but is not otherwise : included in LC0 3.3.6, " Engineered Safety Features Actuation i System (ESFAS) Logic and Maqu'al Trip," or LCO 3.3.7, " Diesel Generator (DG)-Loss of Vo}tage Start (LOVS)." This is a- ; non-NuclearSteamSupplyfystemESFASFunctionthat,because of differences in purpose, design, and operating requirements, is not in'cluded in LCO 3.3.6 and LC0 3.3.7. ' The FHIS provides p,r/ from radioactive contamination otection in the spent fuel; pool area in the event that a spent fuel ; element ruptures /during handling. i The FHIS wil tect radioactivity from fission products in < the fuel an will initiate appropriate actions so the release the environment is limited. More detail is provided .n Reference 1. - s The FHIS ijncludes two independent, redundant subsystems, includingfactuationtrains. Each train employs a separate sensor t detect gaseous activity. Since the two sensors detect d fferent types of activity, they are not considered redunda t to each other. However, since there is a separate sensor n each train, the trains are redundant. If the bista e monitoring the sensor indicates an unsafe condi ion, that train will be actuated (one-out-of-two logi . The two trains actuate separate equipment. Tr D Setooints and Allowable Values :
/ .
Trip setpoints used in the bistables are based on the i analytical limits (Ref. 2). The selection of these trip , setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, , instrumentation uncertainties, and instrument drift, ' Allowable Values specified in LC0 3.3.10 are conservatively ; adjusted with respect to the analytical limits. A detailed ' description of-the methodology used to calculate the trip
) (continued) .I a
l SAN ON0FRE--UNIT 3 8 3.3-150 AMENDMENT NO.
FHIS B 3.3.10 /) BASES BACKGROUND Trip Setooints and Allowable Values) (continued)
/
setpoints,includingtheirexplicituncertainties,is provided in " Plant Protection Sfstem Selection of Trip Setpoint Values" (Ref. 3). The actual nominal trip setpoint entered into the bistable is'normally still more , conservative than that specified by the Allowable Value to account for changes in r.andom measurement errors detectable by a CHANNEL FUNCTIONAL TEST. One example of such a change in measurement error is drift during the surveillance
~
interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE. Setpoints in accordance with the Allowable Value will ensure
~
the consequences of Design Basis Accidents will be acceptable, providing the plant is operated from within the LCOs at thejonset of the accident and the equipment
~
functions as designed.
/ _
/
APPLICABLE The FHIS is required to isolate the normal Fuel Handling SAFETY ANALYSES Building ost Accident Cleanup (PACU) System and
! automatica lly initiate the recirculation and filtration systems ir the event of the fuel handling accident in the fuel hand ing building, as described in Reference 2. The FHIS hel ensure acceptable consequences for the dropping of a spe~ fuel bundle breaching up to 60 fuel pins.
The FHI satisfies the requirements of Criterion 3 of the NRCPo)'icyStatement.
/
LC0 3.3.10 requires one channel of FHIS to be OPERABLE. The LC0 r,e' quired channel consists of Actuation Logic, Manual Trip,
.and gaseous radiation monitor. The specific Allowable Values for the setpoints of the FHIS are listed in the SRs.
Only the Allowable Values are specified for each trip Function in the SRs. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable, provided that the difference between the nominal trip setpoint and the Allowable Value is r s (continued) SAN ONOFRE--UNIT 3 8 3.3-151 AMENDMENT N0.
FHIS B 3.3.10
~
/{ BASES
/ t LC0
/
equal to or greater than the drift allowance assumed for (continued) each trip in the transient an ccident analyses. l The Allowable Value specified is more conservative than the analytical limit assumed p the transient and accident ! analysis in order to account for instrument uncertainties , appropriate to the trip' Function. These uncertainties are defined in the " Plant / Protection System Selection of-Trip Setpoint Values" (Ref. 3). The Bases for the'LC0 on the FHIS are discussed below for each Function
-a. Manual Trio The 0 on Manual Trip ensures that the FHIS Function ca easily be initiated if any parameter is trending idly toward its setpoint. Components can be :
ac ated independently of'the FHIS. Both available ~ ~~ chan.els are required to ensure a single failure will i not disable automatic initiation capability. ;
) +
- b. Airbforne Radiation Th LC0 on the two Airborne Radiation channels re uires that each channel be OPERABLE for the rp' quired Actuation Logic channel, since they are.not :
redundant to each other. l
- c. Actuation Logic j Two channels of Actuation Logic are required to be OPERABLE to ensure no single random failure can !
prevent automatic actuation. t APPLICABILITY One FHIS channel is required to be OPERABLE during movement of irradiated fuel in the fuel building. . The FHIS isolates - ' the fuel building area in the event of a fuel handling accident. i ACTIONS An FHIS channel is inoperable when it does not satisfy the OPERABILITY criteria for the channel's function. The most h (continued) j i SAN ON0FRE--UNIT 3 B 3.3-152- AMENDMENT NO. s
FHIS B 3.3.10 ~/ .! BASES ACTIONS comon cause of channel inoperability is outright failure or (continued) drift of the bistable or process module sufficient to exceed , the tolerance allowed by the plant specific setpoint analysis. Typically, the drift is not large and would result in a delay of actuation rather than a total loss of function. This determination isgenerally made during the performance of a CHANNEL FUNCUONAL TEST when the process instrument is set up for adjustment to bring it within specification. If the trip'setpoint is not consistent with , the Allowable value in LCO 3.3.10, the channel must be declared inoperable ime'diately and the appropriate Conditions must be entered. In the event a chankel's trip setpoint is found nonconservative wi'th respect to the Allowable Value, or the sensor, instrutpe'nt loop, signal processing electronics, or bistable is fptnd inoperable, then all affected Functions that channel are required to be declared.. providedby/andtheLC0Conditionenteredfortheparticular inoperabl protecti e function affected. A.h and A.2 Condition A applies to FHIS Manual Trip, Actuation Logic, andf required gaseous radiation monitor inoperable during mo/ement of irradiated fuel in the fuel handling building. The Required Actions are to restore required channels to 1 OPERABLE status, or place one OPERABLE PACU train in operation, or suspend movement of irradiated fuel in the
/ fuel building. These Required Actions are. required to be
[com)leted imediately. The Completion Time accounts for the hig1er likelihood of releases in the fuel building during fuel handling. ,
/ ,
SURVEILLANCE SR 3.3.10.1 Perfonnance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A , CHANNEL CHECK is a comparison of-the parameter indicated on ! one channel to a similar aarameter on other channels. It is based on the assumption tlat instrument channels monitoring the same parameter should read approximately the same value. * (continued) , i SAN ON0FRE--UNIT 3 B 3.3-153 AMENDMENT N0. ,
FHIS B 3.3.10 ym - i BASES SURVEILLANCE SR 3.3.10.1 (continued) f REQUIRMENTS / Significant deviations between the two' instrument channels could be an indication of excessive ' instrument drift in one , of the channels or of something even more serious. CHANNEL ' CHECK will detect gross channel failure; thus, it is key to ; verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the. channel instrument uncertainties, including indication and readability. If a channel is outside the match cr.iteria, it may be an indication that the transmitter or the outside its limit./ signal processing equipment has drifted
/
The Frequency /about once every shift, is based on operating experience fiat demonstrates the rarity of channel failure. Thus, rmance of the CHANNEL CHECK guarantees that ; undete d overt channel failure is limited to 12 hours. Since the probability of two random failures in redundant channels in any 12 hour period is low, the CHANNEL CHECK minimiz'es the chance of loss of protective function due to failure of redundant channels. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel OPERABILITY during nonnal operational use of the displ,ays associated with the LC0 required channels. SR 3.3.10.2 1 >
/
A CHANNEL FUNCTIONAL TEST is performed on the required fuel ! building radiation monitoring channel to ensure the entire !
/ channel will perform its intended function. ,
The setpoint shall be left set consistent with the - assumptions of the current plant specific setpoint analysis. . The Frequency of 92 days is based on plant operating :' experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of
- a given Function in any 92 day. Frequency is a rare event.
i
/ (continued)
- Q) i SAN ON0FRE--UNIT 3 B 3.3-154 AMENDMENT NO. 3 , --
FHIS . B 3.3.10 '
-l BASES !
t SURVEILLANCE SR 3.3.10.3 REQUIREMENTS
/
(continued) Properoperationoftheindividualinitiationrelaysis verified by actuating these relaysfduring the CHANNEL FUNCTIONAL TEST of the Actuation Logic every 18 months. This will actuate the Function,~ operating all associated equipment. Proper operation of the equipment actuated by each train is thus verified. The Frequency of 18 months is based on plant operating experience with regard to channel OPERABILIiY and drift, which demonstrates that failure of ' more than one channel of a given Function during any 18 month Frequency is j a rare event. , A Note to the SR indicates that this Surveillance includes verification of opbration for each initiation relay. '
/
SR 3.3.10.4 1 Every 18 mopths, a CHANNEL FUNCTIONAL TEST is performed on the FHIS Manual Trip channel. This Surveillance verifies that the trip push buttons are' . capable of opening contacts in the Actuation Logic as - designed, de-energizing the initiation relays and providing , Manual Trip of the Function. Operating experience has shown these components usually pass the Surveillance when performed at a Frequency of once every 18 months. i SR' 3.3.10.5 COANNELCALIBRATIONisacompletecheckoftheinstrument fchannel including the sensor. The Surveillance verifies l
/ that the channel responds to a measured parameter within the
,/ necessary range and accuracy. CHANNEL CALIBRATION leaves .
/ the channel adjusted to account for instrument drift between
/ successive calibrations to ensure that the channel remains -
/ operational between successive tests. Measurement error T determination, setpoint error determination, and calibration adjustment must be perfonned consistent with the plant ,
specific setpoint analysis. The channel shall be left ' calibrated consistent with the assumptions of the current l plant specific setpoint analysis. ; P (continued) < -) SAN ONOFRE--UNIT 3 B 3.3-155 AMENDMENT NO.
FHIS f' B 3.3.10 ; BASES j I
't SURVEILLANCE SR 3.3.10.5 (continued) l REQUIREMENTS /
As found and as left channel calibration values are , recorded. If the as found calibration is outside its- ' Allowable Value, the plant..sriecific setpoint analysis may be revised as appropriate, if'the history of this setpoint. and all other pertinent information indicate a need for setpoint : revision. The setpoint analysis shall be revised before the . next time this channel is calibrated. -t The Frequency isfbased upon the assumption of an 24 month calibration interval for the determination of the magnitude of equipment , drift in the setpoint analysis. '
/ .
f
/
REFERENCES 1. SONGS Units 2 and 3 UFSAR, Chapter 9. l!
- 2. ONGS~ Units 2 and 3 UFSAR, Chapter 15. l
- 3. glantProtectionSystemSelectionofTripSetpoint l Vaiues." :
l
/ ;
/ '
/
/
*=/
/ 1
/
/ -)
-l l l
l ~
/
s I
-d SAN ONOFRE--UNIT 3 8 3.3-156 AMENDMENT NO.
t PAM Instrumentation B 3.3.11 BASES r{ g LCO 2, 3. Reactor Coolant System (RCS) Hot and Cold tea (continued) Temperature RCS Hot and Cold Leg Temperatures are Category I variables provided for verification of core cooling and long term surveillance. Reactor outlet temperature inputs to the PAMI are provided by two fast response resistance elements and associated transmitters in each loop. !Lm channcia-gccrid; indicati;r T!^" a rance of 32aF to 7nnor, t
- 4. Reactor Coolant System Pressure (wide rance)
RCS Pressure (wide range) is a Category I variable, provided for verification of core cooling and RCS integrity long term surveillance. Nids manyc RC3 lvvy pi cssui c is~medduttuU 'y pIchduit
.teerrdmitters witn a span of u psig to avuu psag. The pressure transmitters are located inside the , containment. Redundant monitoring cap ~ ability is r provided by two trains of instrumentation.
Operator actions to maintain a controlled cooldown, such as adjusting steam generator pressure or level, ; would use this indication. Furthermore, RCS pressure is one factor that may be used in decisions to terminate reactor coolant pump operation. -
- 5. Reactor Vessel Water Level Reactor Vessel Water Level is provided for :'
verification and long term surveillance of core cooling. The Reactor Vessel Water level Monitoring System provides a direct measurement of the collapsed liquid level above the fuel alignment plate. The collapsed level represents the amount of liquid mass that is in ! the reactor vessel above the core. ; r (continued) 4,h t SANON0FRE--UNIT 1L72 B 3.3-160 AMENDMENT N0. F f
PAM Instrumentation B 3.3.11
, m.,
I BASES LC0 5. Reactor Vessel Water Level (continued) Heasurement of the collapsed water level is selected because it is a direct indication of the water inventory. The collapsed level is obtained over the same temperature and pressure range as the saturation measurements, thereby encompassing all operating and accident conditions where it must function. Also, it functions during the recovery interval. Therefore, it is designed'to survive the high steam temperature that may occur during the preceding core recovery interval. The level range extends from the top of the vessel down to the top of the fuel alignment plate. The response time is short enough to track the level during small break LOCA events. The resolution is sufficient to show the initial level drop, the key locations near the hot-leg elevation, and the lowest levels just above the alignment plate. This provides the operator with adequate indication to track the progression of the accident and to detect the consequences of its mitigating actions or the t functionality of automatic equipment. A channel is eight sensors in a probe. A channel is OPERABLE if four or more sensors, one sensor in the upper head and three sensors in the lower % re OPERABLE. p-
- 6. Containment Sump Water Level (wide rance)
Containment Sump Water Level is provided for verification and long term surveillance of RCS integri ty.
- 7. Containment Pressure (wide rance)
Containment Pressure is provided for verification of RCS and containment OPERABILITY.
/ 1 (continued) %/
SAN ON0FRE--UNIT 13 B 3.3-161 AMENDMENT N0.
f PAM Instrumentation B 3.3.11 i BASES LC0 11. Pressurizer Level (continued) i Pressurizer Level is used to determine whether to l terminate safety injection (SI), if still in progress, or to reinitiate SI if it has been stopped. Knowledge' of pressurizer water level is also used to verify the plant conditions necessary to establish natural circulation in the RCS and'to verify that the plant is maintained in a safe shutdown condition.
- 12. Steam Generator Water level Steam Generator Water Level is provided to monitor operation of decay heat removal via the steam generators. The Category I. indication of steam generator level is the wide range level instrumentation. Temperature compensation of this ,
indication is performed manually by the operator. Redundant monitoring capability is provided by two trains of instrumentation. Operator action is based on the control room indication of Steam Generator Water Level. The RCS response during a design basis small break LOCA is dependent on the break size. For a certain range of i break sizes, the boiler condenser mode of heat transfer is necessary to remove decay heat. Wide - range level is a Type A variable because the operator must manually raise and control the steam generator level to establish boiler condenser heat transfer. Operator action is initiated on a loss of subcooled margin. Feedwater flow is increased until the indicated extended startup range level reaches the boiler condenser setpoint.
- 13. Condensate Storace Tank (CST) Level CST Level is provided to ensure water supply.for AFW.
The CST provides the ensured, safety grade water supply for the'AFW System. The CST cons 4sts of ts _ v; (continued) SAN ON0FRE--UNIT 1 3 B 3.3-163 AMENDMENT N0. ) l l i j
PAM Instrumentation B 3.3.11 gr .,
) BASES LC0 13. Condensate Storaae Tank (CST) Level (continued) '
unk: cenaccted by c c; = ; cutict hccd;, . CST Level is displayed on a control room indicator, strip chart , recorder, and plant computer. In addition, a control . room annunciator alarms on low level. CST Level is considered a Type A variable because the control room meter and annunciator are considered the primary indication used by the operator. The DBAs that require AFW are the loss of electric power, steam line break (SLB), and small break LOCA. The CST is the initial source of water for the AFW System. 14, 15, 16, 17. Core Exit Temperature
. Core Exit Temperature is provided for verification and .i' long term surveillance of core cooling.
An evaluation was made of the minimum number of valid core exit thermocouples necessary for inadequate. core ! cooling. detection. The evaluation determined the complement of core exit thermocouples necessary to detect initial core recovery and trend the ensuing core heatup. The evaluations account for core nonuniformities including incore effects of the radial decay power distribution and excore effects of condensate runback in the hot legs and nonunifonn , inlet temperatures. Based on these evaluations, adequate or inadequate core cooling detection is. : ensured with two valid core exit thennocouples per ; quadrant. , The design of the Incore Instrumentation System I includes a Type K (chromel alumel) thermocouple within ; each of the 56 incore instrument detector assemblies. The junction of each thermocouple is located a few inches above the fuel assembly, inside a structure that supports and shields the incore instrument l l (^ (continued) v)- _ SANON0FRE--UNIT 1.? 8 3.3-164 AMENDMENT NO.
i PAM Instrumentation B 3.3.11
- p s, i
")
BASES LC0 14, 15, 16, 17. Core Exit Temperature (continued) detector assembly string from flow forces in the outlet plenum region. These core exit thermocouples monitor the temperature of the reactor coolant as it exits the fuel assemblies. The cor xit UiermUcouples nave, a usabl- , ra from 32af to 2300*F, although acc is r uced at temperatu g above-1800* .
- 18. Auxiliary Feedwater (AFW) Flow AFW Flow-is provided to monitor operation of decay heat removal via the steam generators.
aru c1%t ;d, ,Lcom gync,,iv, is uciciminea irum a 4+ficiential pressure measurement caliL,oicd to a spur. _af 0-gg.;. iv 6uu gpm. Each differential pressure transmitter provides an input to a control room indicator and the plant computer. Since the primary indication used by the operator during an accident is the control room indicator, the PAMI Specification deals specifically with this portion of the instrument channel. AFW Flow is also used by the operator to verify. that , the AFW System is delivering the correct flow to each ' steam generator. However, the primary indication used by the operator to ensure an adequate inventory is steam generator level. l l
- 19. Containment Pressure (Narrow Ranae) l 1
Containment Pressure is provided for verification of containment OPERABILITY. ,
'1 i
-l
() (continued) SAN ON0FRE--UNIT is3 8 3.3-165 AMENDMENT N0.
PAM Instrumentation B 3.3.11 BASES SURVEILLANCE SR 3.3.11.2 (continued) REQUIREMENTS Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted. outside its limit. If the channels are within the match criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale. The Frequency of 31 days is based upon plant operating experience with regard to channel 0PERABILITY and drif t, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is a rare event. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel during normal operational use of the displays associated with this LCO's required channels. SR 3.3.11.3 A 31 day CHANNEL FUNCTIONAL TEST is required for the Containment Area Radie. tion Monitor only. SR 3.3.11.4 g A CHANNEL CALIBRATION is performed every months or approximately every refueling. CHANNEL ALIBRATION is a-complete check'of the instrument channel including the sensor. The Surveillance verifies the channel responds to
.the measured parameter within the necessary range and accuracy.
The Frequency is based upon operating experience and ; consistency with the typical industry refueling cycle and is : justified by the_ assumption of an y month calibration interval for the determination of the magnitude of equipment . drift. g j i , , (continued) Q) B 3.3-172 AMENDMENT NO. SANONOFRE--UNITk3 ,
PAM instrumentation B 3.3.11 f ; BASES SURVEILLANCE SR 3.3.11.5 REQUIREMENTS (continued) A CHANNEL CALIBRATION is performed every 24 months for the Containment Area Radiation Monitor. I REFERENCES 1. SONGS Units 2 and 3 Regulatory Guide 1.97 Instrumentation Report #90065, Rev. O, dated October 1, 1992. 1
- 2. Regulatory Guide 1.97, Revision 2.
REFERENC 3. NUREG-0737, Supplement 1. (contin d)
- 4. NRC Safety Evaluation Report (SER).
l I i
%._)
SAN ONOFRE--UNIT D B 3.3-173 AMENDMENT NO.
Remote Shutdown-System , B 3.3.12 l l p C BASES APPLICABLE 10 CFR 20, Appendix A, GDC 19 (Ref. 1) , SAFETY ANALYSES (continued) The Remote Shutdown System has been identified as. an , important contributor to the reduction of plant accident . risk and, therefore, has been retained in the Technical l' Specifications, as indicated in the NRC Policy Statement. i LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation necessary to place , and maintain the plant in MODE 3 from a location other than - the control room. The instrumentation required are listed in Table 3.3.12-1 in the accompanying LCO. Instrumentation is required for:
. Reactivity Control (initial and long term);
i
. Vital Auxiliaries ;
. RCS Inventory Control; j
. RCS Pressure Control; ;
. Decay Heat Removal; and !
. Safety support systems for the above Functions, as well as service water, component c'ooling water, and i onsite power including the diesel generators.
A Function of a Remote Shutdown System is OPERABLE if all instrument channels needed to support the remote shutdown - Functions are OPERABLE. In some cases, Table 3.3.12-1 may l indicate that the required information :r :rNi ceroL;;;G - is available from several alternative sources. In these , cases, the Remote Shutdown System is OPERABLE as long as one ; channel of any of the alternative infomation s cv..L ui !
. souses. for each Function is OPERABLE.
The Remote Shutdown System instrumentation W rentre! circuits covered by this LC0 do not need to be energized to be considered OPERABLE. This LC0 is intended to ensure that I i (continued) . SAN ON0FRE - UNIT 3 B 3.3-175 AMENDMENT N0. ! l
)
Remote Shutdown System B 3.3.12 BASES LC0 the instrument yd sou vi-circuits will be OPERA.BLE if , (continued) plant conditions require that the Remote Shutdown System be placed in operation. APPLICABILITY The Remote Shutdown System LC0 is applicable in MODES 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room. This LC0 is not applicable in MODE 4, 5, or 6. In these MODES, the unit is already subcritical and in the condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument e t i j Functions if control room instruments or control become unavailable. l l ACTIONS A Note has been included that excludes the MODE change restrictions of LCO 3.0.4. This exception allows entry into l an applicable MODE while relying on the ACTIONS, even though ! _) the ACTIONS may eventually require a plant shutdown. This , is acceptable due to the low probability of an event l requiring this system. j Note 2 has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.12-1. The Completion Time (s) of the inoperable channel (s)/ train (s) of a function will be tracked separately for each Function starting from the time the Condition was entertd for that function. A.1 Condition A addresses the situation where one or more functions of the Remote Shutdown System are inoperable. This includes any Function listed in Table 3.3.12-1 es .mli
" - --o a1 and transfer switches.
The Required Action is to restore the Functions to OPERABLE status within 30 days. The Completion Time is based on
- (continued).
%)
SAN ON0FRE - UNIT 3 B 3.3-176 AMENDMENT NO.
b Source Range Monitoring Channels . B 3.3.13 r . B 3.3 INSTRUMENTATION , B 3.3.13 Source Range Monitoring Channels BASES The set'ere venga-monbrittg7hWnels provide neutron flui BACKGROUND Iso rower indication from < 1E-7% RTP to > 100% RTP. They r rovide reactor protection when the reactor trip circui I t reakers (RTCBs) are shut, in the form of a Logarithmic F ower Level-High trip. I T11s LC0 addresses MODES 3, 4, and 5 with the RTCBs op n. W hen the RTCBs are shut, the source range monitoring g hannels jcSystem (RPS) are addressed by LC0 3.3.2, " Reactor Protecti7 e l Instrumentation-Shutdown." 5 ower W 1en the RTCBs are open, two of the four wide range plwer. ? I c hannels must be available to monitor neutron flux pc RABLE , Ijn this application, the RPS channels need not be OPE By < s;ince the reactor trip Function is not required. (TCBs moni oring neutron flux (wide range) power when the e afeopen,lossofSDMcausedbyborondilutioncanb ected as an increase in flux. Alarms are also provided i en power increases above the fixed bistable setpoi nts. or plants employing separate post accident, wide ra nge
, these ;
qaclear instrumentation channels _with adequate rang c an be substituted for the source range range chan 1s. Two e c lannels must be OPERABLE to provide sing 1 p rotection anJA.facnitate d tietscrion of channel failure by pQovid" g4MANNEL CHECK capability. . CSW) The source ranggmonitoring channels are necessary to i APPLICABLE SAFETY ANALYSES monitor core reactivity changes. They are the primary means for detecting and triggering operator actions to respond to reactivity transients initiated from conditions in which the RPS is not required to be OPERABLE. They also trigger operator actions to anticipate RPS actuation in the event of reactivity transients starting from shutdown or low power conditions. The source range monitoring channel's LCO requirements support compliance with 10 CFR 50, Appendix A, GDC 13 (Ref. 1). Reference 2 describes the specific source range monitoring channel features that are critical to c.emply with the GDC. (continued) s B 3.3-179 AMENDMENT NO. SAN ONOFRE--UNIT 3
..v -- - Mb h ::
i l j'"-' -
, . . ,; - 7.7
^ ' ' - ,
'l " "
, p . ya <
1
\pSM L
~
=Ad[57 r;::D ~ The source range (startup) monitoring channels '
provide neutron flux countrate level indication from 0.1 to 500,000 cps. They also provide a [
- Boron Dilution. Monitor and alarm in the Control Room to alert the operator of a boron dilution -
l event. This LCO addresses MODES 3, 4, and 5 with the ; RTCBs open. LCO 3.9.2 addresses the source range ; monitors during Mode 6 refueling operations. , Both source range monitoring channels must be l available to monitor neutron flux level when the l RTCBs are open. By monitoring source range countrate level, loss of SDM caused by a boron , l dilution event can Thebe detected Boron as Monitor Dilution an increase provides in , neutron flux. an alarm when the countrate level exceeds the
! setpoint which is adjusted to 0.5 volt above background. 1
)
l 1 i I i f (I i ! l ! i I
Source Range Monitoring Channels B 3.3.13 BASES The OPERABILITY of source range monitoring channels APPLICABLE SAFETY ANALYSES is necessary to meet the assumptions of the safety analyses and provide for the mitigation of accident and transient (continued) conditions. i The source range monitoring channels satisfy Criterion 3 of ] the NRC Policy Statement. The LCO on the source range monitoring channels ensures that LC0 adequate information is available to verify core reactivity conditions while shut down. A minimum of two source range monitoring channels are required to be OPERABLE. a; Ther;ferc, SONGS ivui:;ltipic dianuch f:fer; ::pe h h es
# perfe rir; thi; fa ctier..
my ha tchr:ted Ple the plen+e = c+411 re plyia; with LOO : p o c..mnis. In MODES 3, 4, and 5, with RTCBs open or the Control Element APPLICABILITY
' Assembly (CEA) Drive System not capable of CEA withdrawal, source range monitoring channels must be OPERABLE to monitor In MODES 1 and 2, and in core power for reactivity changes.
MODES 3. 4. and 5. with the RTCBs shut and the CEAs capable gW' .d .
-- of withdrawal, the,J r:: rn;: - it:. ;.; channels are addressed as part of the RPS in LCO 3.3.1, " Reactor
@M Protective System (RPS) Instrumentation-Operating," and LCO 3.3.2, " Reactor Protective System (RPS) b AM Instrumentation -Shutdown."
The requirements for source range neutron flux monitoring in MODE 6 are addressed in LCO 3.9.2, " Nuclear Instrumentation." The source range nuclear instrumentation channels provide neutron flux coverage extending an additional one to two decades below the logarithmic channels for use during refueling, when neutron flux may be extremely I low. I (continued) AMENDMENT NO. SAN ON0FRE--UNIT 3 8 3.3-180
~ l Source Range Monitoring Channels l 8 3.3.13 , BASES ~ SURVEILLANCE SR 3.3.13.1 (continued) REQUIREMENTS verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. [ Agreement criteria are determined by the plant staff and should be based on a combination of the channel instrument uncertainties including control isolation, indication, and readability. If a channel is outside of the match criteria, it may be an indication that the transmitter or the signalIf processing equipment has drif ted outside of its limits. the channels are within the match criteria, it is an indication that the channels are OPERABLE. , The Frequency, about once every shift, is. based on operating - experience that demonstrates the rarity of channel failure. Thus, the performance of CHANNEL CHECK ensures that - undetected overt channel failure is limited to 12 hours. Since the probability of two random failures in redundant channels in any 12 hour period is extremely low, CHANNEL CHECK minimizes the chance of loss of protective function due to failure of redundant channels. CHANNEL CHECK supplements i.ess formal, but more frequent, checks of channel OPERABILITY during normal operational use of displays associated with the LC0 required channels. 51 **O p sor- 7 SR 3.3.13.2 A CHANNEL FUNCTIONAL TEST is performed every 92 days to ensure that the entire channel is capable of properly used to indicating neutron flux. Internal test circuitry i feed ;- :fj;;t;i test signalsIt intois notthe-pc...el;iser necessary to testto the verify channel alignment. detector, because generating a meaningful test signal is difficult; the detectors are of simple construction, and any . failures in the detectors will be ap)arent as change in l channel output. This Frequency is t1e same as that employed for the same channels in the other applicable MODES. , i 4 (continued) :
\,
AMENDMENT NO. SAN ONOFRE--UNIT 3 B 3.3-182 L
+
a
s.a e::s.. .. 3.3 4.1 l
't B 3.4 REACTOR COOLANT SYSTEM (RCS) f B 3.4.1. RCS Pressure, Temperature, and Flow Limits !
BASES 4
+
These Bases address requirements for maintaining RCS BACKGROUND pressure, temperature, and flow rate within limits assumed' ,i in the safety analyses. The safety analyses (Ref.1) of normal operating conditions and anticipated operational- j occurrences assume initial conditions within the normal i steady state envelope. The limits placed on DNB related q parameters ensure that these parameters will no ~ j provide assurance that the minimum departure from nucleate boiling ratio (DNBR) will meet the required criteria for ; each of the transients analyzed. . The LCO limits for minimum and max.imum RCS pressures as i measured at the pressurizer are consistent with operation ! within the nominal operating envelope and are bounded by i those used as the initial pressures.in the analyses. The LCO limits for minimum and maximum RCS cold leg . l temperatures are consistent with operation at the-indicated power level and are bounded by those used as the initial temperatures in the analyses. i
.u.a.: d ., s,p..h c.p f a u. s.:ely a-.!n n 4.L u o Since RChlow is subjec-t-t-o-vagiat4cns-during-plant life . l. ',i 2, de ./ed ,q-7
' and due to poten44a4 instrument enors-of--the-f-lemeters-- i '
which-are-used-to-measure-RGS-flow-rate, monitoring of this ( * " * '*r h parameter during plant op(eration will for beminimum specified b
,}}