Text

Bases for Section 2.0 Safety Limits and Limiting Safety System Settings
	ML23040A046
Person / Time
Site:	Millstone
Issue date:	08/01/1975
From:	; Dominion Energy Nuclear Connecticut
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML23040A044	List: ML23040A045; ML23040A046; ML23040A047;
References
	23-001
	Download: ML23040A046 (1)
	v • d • e

August 1, 1975 BASES FOR SECTION 2.0 SAFETY LIMITS AND LIMITING SAFETY SYSTEM SETTINGS

THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2

May 1, 2002 2.1 SAFETY LIMITS BASES 2.1.1 REACTOR CORE The restrictions of this safety limit prevent overheating of the fuel cladding and possible cladding perforation which would result in the release of fission products to the reactor coolant.

Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate at or less than the fuel centerline melt linear heat rate limit. Centerline fuel melting will not occur for this peak linear heat rate. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Operation above the upper boundary of the nucleate boiling regime could result in excessive cladding temperatures because of the onset of departure from nucleate boiling (DNB) and the resultant sharp reduction in heat transfer coefficient. DNB is not a directly measurable parameter during operation and therefore THERMAL POWER and Reactor Coolant Temperature and Pressure have been related to DNB through the HTP correlation. The HTP DNB correlation has been developed to predict the DNB flux and the location of DNB for axially uniform and non-uniform heat flux distributions. The local DNB heat flux ratio, DNBR, defined as the ratio of the heat flux that would cause DNB at a particular core location to the local heat flux, is indicative of the margin to DNB.

The value of the DNBR during steady state operation, normal operational transients, and anticipated transients is limited to be no less than the DNB correlation limit. The correlation limit corresponds to a 95 percent probability at a 95 percent confidence level (i.e., 95/95 limit) that DNB will not occur and is chosen as an appropriate margin to DNB for all operating conditions.

The curves of Figure 2.1-1 show the loci of points of THERMAL POWER, Reactor Coolant System pressure and maximum cold leg temperature with four Reactor Coolant Pumps operating for which the minimum DNBR is no less than the 95/95 limit for DNB correlation. The limits in Figure 2.1-1 were calculated for reactor coolant inlet temperatures less than or equal to 580F. The dashed line at 580F coolant inlet temperatures is not a safety limit; however, operation above 580F is not possible because of the actuation of the main steam line safety valves which limit the maximum value of reactor inlet temperature. Reactor operation at THERMAL POWER levels higher than 111.6% of RATED THERMAL POWER is prohibited by the high power level trip setpoint specified in Table 2.2-1. The area of safe operation is below and to the left of these lines.

MILLSTONE - UNIT 2 B 2-1 Revised by NRC Letter A15689 Amendment No. 7, 52, 61, 139, 226, 255,

October 6, 1980 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 2-2 Amendment No. 52, 61

LBDCR 04-MP2-016 February 24, 2005 SAFETY LIMITS BASES:

The conditions for the Thermal Margin Safety Limit curves in figure 2.1-1 to be valid are shown on the figure.

The reactor protective system in combination with the Limiting Conditions for Operation, is designed to prevent any anticipated combination of transient conditions for reactor coolant system temperature, pressure, and THERMAL POWER level that would result in a DNBR below the 95/95 limit for DNB correlation. and preclude the existence of flow instabilities.

2.1.2 REACTOR COOLANT SYSTEM PRESSURE The restriction of this Safety Limit protects the integrity of the Reactor Coolant System from overpressurization and thereby prevents the release of radionuclides contained in the reactor coolant from reaching the containment atmosphere.

The reactor pressure vessel and pressurizer are designed to Section III of the ASME Code for Nuclear Power Plant Components which permits a maximum transient pressure of 110%

(2750 psia) of design pressure. The Reactor Coolant System piping, valves and fittings, are designed to ANSI B31.7, Class I which permits a maximum transient pressure of 110% (2750 psia) of component design pressure. The Safety Limit of 2750 psia is therefore consistent with the design criteria and associated code requirements.

The entire Reactor Coolant System is hydrotested at 3125 psia to demonstrate integrity prior to initial operation.

MILLSTONE - UNIT 2 B 2-3 Amendment No. 7, 52, 61, 139, 226, Acknowledged by NRC letter dated 6/28/05

October 4, 2001 2.2 LIMITING SAFETY SYSTEM SETTINGS BASES:

2.2.1 REACTOR TRIP SET POINTS The Reactor Trip Setpoints specified in Table 2.2-1 are the values at which the Reactor Trips are set for each parameter. The Trip Values have been selected to ensure that the reactor core and reactor coolant system are prevented from exceeding their safety limits. Operation with a Trip Setpoint less conservative than its setpoint but within its specified Allowable Value is acceptable on the basis that each Allowable Value is equal to or less than the drift allowance assumed to occur for each trip used in the accident analyses.

Manual Reactor Trip The Manual Reactor Trip is a redundant channel to the automatic protective instrumentation channels and provides manual reactor trip capability.

Power Level-High The Power Level-High trip provides reactor core protection against reactivity excursions which are too rapid to be protected by a Pressurizer Pressure-High or Thermal Margin/Low Pressure trip.

The Power Level-High trip setpoint is operator adjustable and can be set no higher than 9.6% above the indicated THERMAL POWER level. Operator action is required to increase the trip setpoint as THERMAL POWER is increased. The trip setpoint is automatically decreased as THERMAL POWER decreases. The trip setpoint has a maximum value of 106.6% of RATED THERMAL POWER and a minimum setpoint of 14.6% of RATED THERMAL POWER.

Adding to this maximum value the possible variation in trip point due to calibration and instrument errors, the maximum actual steady-state THERMAL POWER level at which a trip would be actuated is 111.6% of RATED THERMAL POWER, which is the value used in the accident analyses.

Reactor Coolant Flow-Low The Reactor Coolant Flow-Low trip provides core protection to prevent DNB in the event of a sudden significant decrease in reactor coolant flow.

MILLSTONE - UNIT 2 B 2-4 Amendment No. 61, 226, Revised by NRC Letter dated October 4, 2001

May 1, 2002 LIMITING SAFETY SYSTEM SETTINGS BASES Reactor Coolant Flow-Low (Continued)

The low-flow trip setpoint and Allowable Value have been derived in consideration of instrument errors and response times of equipment involved to maintain the DNBR above the 95/95 limit for the DNB correlation under normal operation and expected transients.

Pressurizer Pressure-High The pressurizer Pressure-High trip, backed up by the pressurizer code safety valves and main steam line safety valves, provides reactor coolant system protection against overpressurization in the event of loss of load without reactor trip. This trips setpoint is approximately 100 psi below the nominal lift setting (2500 psia) of the pressurizer code safety valves and its concurrent operation with the power-operated relief valves avoids the undesirable operation of the pressurizer code safety valves.

Containment Pressure-High The Containment Pressure-High trip provides assurance that a reactor trip is initiated concurrently with a safety injection. The setpont for this trip is identical to the safety injection setpoint.

Steam Generator Pressure-Low The Steam Generator Pressure-Low trip provides protection against an excessive rate of heat extraction from the steam generators and subsequent cooldown of the reactor coolant. The trip setting is sufficiently below the full-load operating point so as not to interfere with normal operation, but still high enough to provide the required protection in the event of excessively high steam flow.

MILLSTONE - UNIT 2 B 2-5 Revised by NRC letter A15689 Amendment No. 52, 61, 139, 226,

February 20, 2003 LBDCR 2-21-02 LIMITING SAFETY SYSTEM SETTINGS BASES:

Steam Generator Water Level - Low The Steam Generator Water Level-Low Trip provides core protection by preventing operation with the steam generator water level below the minimum volume required for adequate heat removal capacity and assures that the design pressure of the reactor coolant system will not be exceeded.

Local Power Density-High The Local Power Density-High trip, functioning from AXIAL SHAPE INDEX monitoring, is provided to ensure that the peak local power density in the fuel which corresponds to fuel centerline melting will not occur as a consequence of axial power maldistributions. A reactor trip is initiated whenever the AXIAL SHAPE INDEX exceeds the allowable limits of Figure 2.2-2. The AXIAL SHAPE INDEX is calculated from the upper and lower ex-core neutron detector channels. The calculated setpoints are generated as a function of THERMAL POWER level. The trip is automatically bypassed below 15 percent power as sensed by the power range nuclear instrument Level 1 bistable.

The maximum AZIMUTHAL POWER TILT and maximum CEA misalignment permitted for continuous operation are assumed in generation of the setpoints. In addition, CEA group sequencing in accordance with the Specifications 3.1.3.5 and 3.1.3.6 is assumed. Finally, the maximum insertion of CEA banks which can occur during any anticipated operational occurrence prior to a Power Level-High trip is assumed.

Thermal Margin/Low Pressure The Thermal Margin/Low Pressure trip is provided to prevent operation when the DNBR is below the 95/95 limit for the DNB correlation.

MILLSTONE - UNIT 2 B 2-6 Amendment No. 38, 41, 52, 61, 139, 232 Corrected by letter dated 11/26/2003.

LBDCR 14-MP2-009 May 8, 2014 LIMITING SAFETY SYSTEM SETTINGS BASES:

Thermal Margin/Low Pressure (Continued)

The trip is initiated whenever the reactor coolant system pressure signal drops below either 1865 psia or a computed value as described below, whichever is higher. The computed value is a function of the higher of T power or neutron power, reactor inlet temperature, the number of reactor coolant pumps operating and the AXIAL SHAPE INDEX. The minimum value of reactor coolant flow rate, the maximum AZIMUTHAL POWER TILT and the maximum CEA deviation permitted for continuous operation are assumed in the generation of this trip function. In addition, CEA group sequencing in accordance with Specifications 3.1.3.5 and 3.1.3.6 is assumed. Finally, the maximum insertion of CEA banks which can occur during any anticipated operational occurrence prior to a Power Level-High trip is assumed.

Thermal Margin/Low Pressure trip setpoints are derived from the core safety limits. A safety margin is provided which includes allowances for equipment response times, core power, RCS temperature, and pressurizer pressure measurement uncertainties, processing errors, and a further allowance to compensate for the time delay associated with providing effective termination of the occurrence that exhibits the most rapid decrease in margin to the safety limit.

Loss of Turbine A Loss of Turbine trip causes a direct reactor trip when operating above 15% of RATED THERMAL POWER as sensed by the power range nuclear instrument Level 1 bistable. This trip provides turbine protection, reduces the severity of the ensuing transient and helps avoid the lifting of the main steam line safety valves during the ensuing transient, thus extending the service life of these valves. No credit was taken in the accident analyses for operation of this trip. Its functional capability at the specified trip setting is required to enhance the overall reliability of the Reactor Protection System.

The Wide Range Logarithmic Neutron Flux Monitor - Shutdown, Reactor Protection System Logic Matrices, Reactor Protection System Logic Matrix Relays, and Reactor Trip Breakers functional units are components of the Reactor Protective System for which OPERABILITY requirements are provided within the Technical Specifications (see Technical Specification 3.3.1.1, Reactor Protective Instrumentation). These functional units do not have specific trip setpoints or allowable values, similar to the manual reactor trip functional unit.

However, these functional units are provided here for completeness and consistency with the RPS Instrumentation identified in Technical Specification 3.3.1.1.

MILLSTONE - UNIT 2 B 2-7 Amendment No. 38, 52, 139, 153, 226, 232, 282

September 25, 2003 LIMITING SAFETY SYSTEM SETTINGS BASES:

DELETED MILLSTONE - UNIT 2 B 2-8 Amendment No. 32, 61, 139, 282

August 1, 1975 BASES FOR SECTIONS 3.0 AND 4.0 LIMITING CONDITIONS FOR OPERATION AND SURVEILLANCE REQUIREMENTS

THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2

February 26, 1991 3/4 LIMITING CONDITIONS FOR OPERATION AND SURVEILLANCE REQUIREMENTS 3/4.0 APPLICABILITY BASES Specification 3.0.1 through 3.0.4 establish the general requirements applicable to Limiting Conditions for Operation. These requirements are based on the requirements for Limiting Conditions for Operation stated in the Code of Federal Regulations, 10CFR50.36(c)(2):

Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specification until the condition can be met.

Specification 3.0.1 establishes the Applicability statement within each individual specification as the requirement for when (i.e., in which OPERATIONAL MODES or other specified conditions) conformance to the Limiting Conditions for Operation is required for safe operation of the facility. The ACTION requirements establish those remedial measure that must be taken within specified time limits when the requirements of a Limiting Condition for Operation are not met.

There are two basic types of ACTION requirements. The first specifies the remedial measures that permit continued operation of the facility which is not further restricted by the time limits of the ACTION requirements. In this case, conformance to the ACTION requirements provides an acceptable level of safety for unlimited continued operation as long as the ACTION requirements continue to be met. The second type of ACTION requirement specifies a time limit in which conformance to the conditions of the Limiting Condition for Operation must be met. This time limit is the allowable outage time to restore an inoperable system or component to OPERABLE status or for restoring parameters within specified limits. If these actions are not completed within the allowable outage time limits, a shutdown is required to place the facility in a MODE or condition in which the specification no longer applies. It is not intended that the shutdown ACTION requirements be used as an operational convenience which permits (routine) voluntary removal of a system(s) or component(s) from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

The specific time limits of the ACTION requirements are applicable from the point in time it is identified that a Limiting Condition for Operation is not met. The time limits of the ACTION requirements are also applicable when a system or component is removed from service for surveillance testing or investigation of operational problems. Individual specifications may include a specified time limit for the completion of a Surveillance Requirement when equipment is removed from service. In this case, the allowable outage time MILLSTONE - UNIT 2 B 3/4 0-1 Amendment Nos. 61, 151

LBDCR 04-MP2-016 February 24, 2005 3/4.0 APPLICABILITY BASES (Cont) limits of ACTION requirements are applicable when this limit expires if the surveillance has not been completed. When a shutdown is required to comply with ACTION requirements, the plant may have entered a MODE in which a new specification becomes applicable. In this case, the time limits of the ACTION requirements would apply from the point in time that the new specification becomes applicable if the requirements of the Limiting Condition for Operation are not met.

Specification 3.0.2 establishes that noncompliance with a specification exists when the requirements of the Limiting Condition for Operation are not met and the associated ACTION requirements have not been implemented within the specified time interval. The purpose of this specification is to clarify that (1) implementation of the ACTION requirements within the specified time interval constitutes compliance with a specification and (2) completion of the remedial measures of the ACTION requirements is not required when compliance with a Limiting Condition of Operation is restored within the time interval specified in the associated ACTION requirements.

Specification 3.0.3 establishes the shutdown ACTION requirements that must be implemented when a Limiting Condition for Operation is not met and the condition is not specifically addressed by the associated ACTION requirements. The purpose of this specification is to delineate the time limits for placing the unit in a safe operation defined by the Limiting Conditions for Operation and its ACTION requirements. It is not intended to be used as an operational convenience which permits (routing) voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable. This time permits the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the cooldown capabilities of the facility assuming only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the primary coolant system and the potential for a plant upset that could challenge safety systems under conditions for which this specification applies.

If remedial measure permitting limited continued operation of the facility under the provisions of the ACTION requirements are completed, the shutdown may be terminated. The time limits of the ACTION requirements are applicable from the point in time it is identified that a Limiting Condition for Operation is not met. Therefore, the shutdown may be terminated if the ACTION requirements have been met or the time limits of the ACTION requirements have not expired, thus providing an allowance for the completion of the required ACTIONS.

MILLSTONE - UNIT 2 B 3/4 0-2 Amendment Nos. 62, 151, Acknowledged by NRC letter dated 6/28/05

February 26, 1991 APPLICABILITY BASES (Cont)

The time limits of Specification 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the plant to be in the COLD SHUTDOWN MODE when a shutdown is required during the POWER MODE of operation. If the plant is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE of operation applies. However, if a lower MODE of operation is reached in less time than allowed, the total allowance time to reach COLD SHUTDOWN, or other applicable MODE, is not reduced. For example, if HOT STANDBY is reached in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , the time allowed to reach HOT SHUTDOWN is the next 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months because the total time to reach HOT SHUTDOWN is not reduced from the allowable limit of 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . Therefore, if remedial measures are completed that would permit a return to POWER operation, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

The same principle applies with regard to the allowable outage time limits of the ACTION requirements, if compliance with the ACTION requirements for one specification results in entry into a MODE or condition of operation for another specification in which the requirements of the Limiting Condition for Operation are not met. If the new specification becomes applicable in less time than specified, the difference may be added to the allowable outage time limits of the second specification. However, the allowable outage time limits of ACTION requirements for a higher MODE of operation may not be used to extend the allowable outage time that is applicable when a Limiting Condition for Operation is not met in a lower MODE of operation.

The shutdown requirements of Specification 3.0.3 do not apply in MODES 5 and 6, because the ACTION requirements of individual specifications define the remedial measures to be taken.

Specification 3.0.4 establishes limitations on MODE changes when a Limiting Condition for Operation is not met. It precludes placing the facility in a higher MODE of operation when the requirements for a Limiting Condition for Operation are not met and continued noncompliance to these conditions would result in a shutdown to comply with the ACTION requirements if a change in MODES were permitted. The purpose of this specification is to ensure that facility operation is not initiated or that higher MODES of operation are not entered when corrective action is being taken to obtain compliance with a specification by restoring equipment to OPERABLE status or parameters to specified limits. Compliance with ACTION requirements that permit continued operation of the facility for an unlimited period of time provides an acceptable level of safety for continued operation without regard to the status of the plant before or after a MODE change. Therefore, in this case, entry into an OPERATIONAL MODE or other specified condition may be made in accordance with the provision of the ACTION requirements.

The provisions of this specification should not, however, be interpreted as endorsing the failure to exercise good practice in restoring systems or components to OPERABLE status before plant startup.

MILLSTONE - UNIT 2 B 3/4 0-3 Amendment Nos. 62, 151

LBDCR 04-MP2-016 February 24, 2005 APPLICABILITY BASES (Con't)

When a shutdown is required to comply with ACTION requirements, the provisions of Specification 3.0.4 do not apply because they would delay placing the facility in a lower MODE of operation.

Specification 3.0.5 delineates what additional conditions must be satisfied to permit operation to continue, consistent with the ACTION statements for power sources, when a normal or emergency power source in not OPERABLE. It specifically prohibits operation when one division is inoperable because its normal or emergency power source is inoperable and a system, subsystem, train, component or device in another division is inoperable for another reason.

The provisions of this specification permit the ACTION statements associated with individual systems, subsystems, trains, components, or devices to be consistent with the ACTION statements of the associated electrical power source. It allows operation to be governed by the time limits of the ACTION statement associated with the Limiting Condition for Operation for the normal or emergency power source, not the individual ACTION statements for each system, subsystem, train, component or device that is determined to be inoperable solely because of the inoperability of its normal emergency power source.

For example, Specification 3.8.1.1 requires in part that two emergency diesel generators be OPERABLE. The ACTION statement provides for a 72-hour out-of-service time when one emergency diesel generator is not OPERABLE. If the definition of OPERABLE were applied without consideration of Specification 3.0.5, all systems, subsystems, trains, components and devices supplied by the inoperable emergency power source would also be inoperable. This would dictate invoking the applicable ACTION statement for each of the applicable Limiting Conditions for Operation. However, the provisions of Specification 3.0.5 permit the time limits for continued operation to be consistent with the ACTION statement for the inoperable emergency diesel generator instead, provided the other specified conditions are satisfied. In this case, this would mean that the corresponding normal power source must be OPERABLE, and all redundant systems, subsystems, trains, components, and devices must be OPERABLE, or otherwise satisfy Specification 3.0.5 (i.e., be capable of performing their design function and have at least one normal or one emergency power source OPERABLE). If they are not satisfied, ACTION is required in accordance with this specification.

As a further example, Specification 3.8.1.1 requires in part that two physically independent circuits between the offsite transmission network and the onsite Class 1E distribution system be OPERABLE. The ACTION statement provides a 24-hour out-of-service time when both required offsite circuits are not OPERABLE. If the definition of OPERABLE were applied without consideration of Specification 3.0.5, all systems, subsystems, trains, components and devices supplied by the inoperable normal power sources, both of the offsite circuits, would also be inoperable. This would dictate invoking the applicable ACTION statements for each of the applicable LCOs. However, the provisions of Specification 3.0.5 permit the time limits for continued operation to MILLSTONE - UNIT 2 B 3/4 0-4 Amendment Nos. 70, 151, Acknowledged by NRC letter dated 6/28/05

LBDCR 04-MP2-016 February 24, 2005 BASES (Cont) be consistent with the ACTION statement for the inoperable normal power sources instead, provided the other specified conditions are satisfied. In this case, this would mean that for one division the emergency power source must be OPERABLE (as must be the components supplied by the emergency power source) and all redundant systems, subsystems, trains, components and devices in the other divisions must be OPERABLE, or likewise satisfy Specification 3.0.5 (i.e., be capable of performing their design functions and have an emergency power source OPERABLE).

In other words, both emergency power sources must be OPERABLE and all redundant systems, subsystems, trains, components and devices in both divisions must also be OPERABLE. If these conditions are not satisfied, ACTION is required in accordance with this specification.

In MODES 5 and 6 Specification 3.0.5 is not applicable, and thus the individual ACTION statements for each applicable Limiting Condition for Operation in these MODES must be adhered to.

Specification 3.0.6 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required ACTION(s)) to allow the performance of surveillance requirements to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the allowed surveillance requirements. The Specification does not provide time to perform any other preventive or corrective maintenance.

An example of demonstrating the OPERABILITY of equipment being returned to service is reopening a containment isolation valve that has been closed to comply with the Required ACTIONS and must be reopened to perform the surveillance requirements.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of a surveillance requirement on another channel in the other trip system.

A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of a surveillance requirement on another channel in the same trip system.

MILLSTONE - UNIT 2 B 3/4 0-5 Amendment No. 151, 152, 230, Acknowledged by NRC letter dated 6/28/05

October 15, 2002 BASES ( Cont)

Specification 4.0.1 through 4.0.5 establish the general requirements applicable to Surveillance Requirements. These requirements are based on the Surveillance Requirements stated in the Code of Federal Regulations, 10CFR50.36(c)(3):

Surveillance requirements are requirements relating to test, calibration, or inspection to ensure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions of operation will be met.

Specification 4.0.1 establishes the requirement that surveillances must be met during the OPERATIONAL MODES or other conditions for which the requirements of the Limiting Conditions for Operation apply unless otherwise stated in an individual Surveillance Requirements. The purpose of this specification is to ensure that surveillances are performed to verify the OPERABILITY of systems and components and that parameters are within specified limits to ensure safe operation of the facility when the plant is in a MODE or other specified condition for which the associated Limiting Conditions for Operation are applicable. Failure to meet a Surveillance within the specified surveillance interval, in accordance with Specification 4.0.2 constitutes a failure to meet a Limiting Condition for Operation.

Systems and components are assumed to be OPERABLE when the associated Surveillance Requirements have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when either:

a. The system or components are known to be inoperable, although still meeting the Surveillance Requirements or

b. The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.

Surveillance Requirements do not have to be performed when the facility is in an Operational Mode or other specified conditions for which the requirements of the associated Limiting Condition for Operation do not apply unless otherwise specified. The Surveillance Requirements associated with a Special Test Exception are only applicable when the Special Test Exception is used as an allowable exception to the requirements of a specification.

Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given Surveillance Requirement. In this case, the unplanned event may be credited as fulfilling the performance of the Surveillance Requirement. This allowance includes those Surveillance Requirements whose performance is normally precluded in a given Mode or other specified condition.

Surveillance Requirements, including Surveillances invoked by ACTION requirements, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with Specification 4.0.2, prior to returning equipment to Operable status.

Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with Specification 4.0.2. Post maintenance testing may not be MILLSTONE - UNIT 2 B 3/4 0-5a Amendment No. 230, 271

LBDCR No. 04-MP2-016 February 24, 2005 BASES ( Cont) possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

Some examples of this process are:

a. Auxiliary feedwater (AFW) pump turbine maintenance during refueling that requires testing at steam pressure > 800 psi. However, if other appropriate testing is satisfactorily completed, the AFW System can be considered OPERABLE. This allows startup and other necessary testing to proceed until the plant reaches the steam pressure required to perform the testing.

b. High pressure safety injection (HPSI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPSI considered OPERABLE.

This allows operation to reach the specified pressure to complete the necessary post maintenance testing.

Specification 4.0.2 This specification establishes the limit for which the specified time interval for Surveillance Requirements may be extended. It permits an allowable extension of the normal surveillance interval to facilitate surveillance scheduling and consideration of plant operating conditions that may not be suitable for conducting the surveillance; e.g., transient conditions or other ongoing surveillance or maintenance activities. It also provides flexibility to accommodate the length of a fuel cycle for surveillances that are performed at each refueling outage and are specified with an 18-month surveillance interval. It is not intended that this provision be used repeatedly as a convenience to extend surveillance intervals beyond that specified for surveillances that are not performed during refueling outages. The limitation of Specification 4.0.2 is based on engineering judgment and the recognition that the most probable result of any particular surveillance being performed is the verification of conformance with the Surveillance Requirements. This provision is sufficient to ensure that the reliability ensured through surveillance activities is not significantly degraded beyond that obtained from the specified surveillance interval.

Specification 4.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified surveillance interval. A delay period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified surveillance interval, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with Specification 4.0.2, and not at the time that the specified surveillance interval was not met.

This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with ACTION requirements or other remedial measures that might preclude completion of the Surveillance.

MILLSTONE - UNIT 2 B 3/4 0-5b Amendment No. 230, 271, Acknowledged by NRC letter dated 6/28/05

LBDCR 04-MP2-016 February 24, 2005 BASES (Con't)

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance. with a surveillance interval based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations, (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, Specification 4.0.3 allows for the full delay period of up to the specified surveillance interval to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

Specification 4.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by ACTION requirements.

Failure to comply with specified surveillance intervals for the Surveillance Requirements is expected to be an infrequent occurrence. Use of the delay period established by Specification 4.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified surveillance interval is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants. This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensees Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the entry into the ACTION requirements for the applicable Limiting Condition for Operation begins immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and entry into the ACTION requirements for the applicable Limiting Condition for Operation begins immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Allowed Outage Time of the applicable ACTIONS, restores compliance with Specification 4.0.1.

MILLSTONE - UNIT 2 B 3/4 0 -6 Amendment No. 271, Acknowledged by NRC letter dated 6/28/05

June 19, 2007 LBDCR 07-MP2-014 3/4.0 APPLICABILITY BASES (Cont)

Specification 4.0.4 establishes the requirement that all applicable surveillances must be met before entry into and OPERATIONAL MODE or other condition of operation specified in the Applicability statement. The purpose of this specification is to ensure that system and component OPERABILITY requirements or parameter limits are met before entry into a MODE or condition for which these systems and components ensure safe operation of the facility. This provision applies to changes in OPERATIONAL MODES or other specified conditions associated with plant shutdown as well as startup.

Under the provisions of this specification, the applicable Surveillance Requirements must be performed within the specified surveillance interval to ensure that the Limiting Conditions for Operation are met during initial plant startup or following a plant outage.

When a shutdown is required to comply with ACTION requirements, the provisions of Specification 4.0.4 do not apply because this would delay placing the facility in a lower MODE of operation.

Specification 4.0.5 establishes the requirement that inservice testing of ASME Code Class 1, 2, and 3 pumps and valves shall be performed in accordance with a periodically updated version of the ASME Code for Operation and Maintenance of Nuclear Power Plants (ASME OM Code) and applicable Addenda as required by 10 CFR 50.55a(f). These requirements apply except when relief has been provided in writing by the Commission.

This specification includes a clarification of the frequencies for performing the inservice testing activities required by the ASME OM Code and applicable Addenda. This clarification is provided to ensure consistency in surveillance intervals throughout the Technical Specifications and to remove any ambiguities relative to the frequencies for performing the required inservice testing activities.

Under the terms of this specification, the more restrictive requirements of the Technical Specifications take precedence over the ASME OM Code and applicable Addenda. The requirements of Specification 4.0.4 to perform surveillance activities before entry into an OPERATIONAL MODE or other specified condition takes precedence over the ASME OM Code provision which allows pumps and valves to be tested up to one week after return to normal operation.

MILLSTONE - UNIT 2 B 3/4 0-7 Amendment No. 151

REVERSE OF PAGE B 3/4 0-7 INTENTIONALLY LEFT BLANK

September 25, 2003 3/4.1 REACTIVITY CONTROL SYSTEMS BASES 3/4.1.1 REACTIVITY CONTROL SYSTEMS 3/4.1.1.1 SHUTDOWN MARGIN A sufficient SHUTDOWN MARGIN ensures that 1) the reactor can be made subcritical from all operating conditions, 2) the reactivity transients associated with postulated accident conditions are controllable within acceptable limits, and 3) the reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

SHUTDOWN MARGIN requirements vary throughout core life as a function of fuel depletion, RCS boron concentration, and RCS Tavg. The most restrictive condition occurs at EOL, with Tavg at no load operating temperature, and is associated with a postulated steam line break accident and resulting uncontrolled RCS cooldown. In the analysis of this accident, the minimum SHUTDOWN MARGIN specified in the CORE OPERATING LIMITS REPORT is initially required to control the reactivity transient. Accordingly, the SHUTDOWN MARGIN required by Specification 3.1.1.1 is based upon this limiting condition and is consistent with FSAR accident analysis assumptions. For earlier periods during the fuel cycle, this value is conservative. The SHUTDOWN MARGIN is verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration;

b. CEA positions;

c. RCS average temperature;

d. Fuel burnup based on gross thermal energy generation;

e. Xenon concentration;

f. Samarium concentration; and

g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical and the fuel temperature will be changing at the same rate as the RCS temperature.

3/4.1.1.2 REACTIVITY BALANCE Reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control element assembly (CEA) worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SHUTDOWN MARGIN (SDM) or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1.1, SHUTDOWN MARGIN (SDM)) in ensuring the reactor can be brought safely to cold, subcritical conditions.

The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RATED THERMAL POWER following startup from a refueling outage, with the CEAs in their normal positions for power operation. The normalization is performed at BOC conditions, so that core MILLSTONE - UNIT 2 B 3/4 1-1 Amendment No. 139, 148, 185, 280

September 9, 2004 3/4.1 REACTIVITY CONTROL SYSTEMS BASES 3/4.1.1 REACTIVITY CONTROL SYSTEMS (Continued) 3/4.1.1.2 REACTIVITY BALANCE (Continued) reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.

When measured core reactivity is within 1% k/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits.

The limits on core reactivity must be maintained during MODES 1 and 2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. This Specification does not apply in MODES 3, 4 and 5 because the reactor is shut down and the reactivity balance is not changing.

In MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, Boron Concentration) ensure that fuel movements are performed within the bounds of the safety analysis.

3/4.1.1.3 BORON DILUTION A minimum flow rate of at least 1000 GPM provides adequate mixing, prevents stratification and ensures that reactivity changes will be gradual during reductions in Reactor Coolant System boron concentration. The 1000 GPM limit is the minimum required shutdown cooling flow to satisfy the boron dilution accident analysis. This 1000 GPM flow is an analytical limit. Plant operating procedures maintain the minimum shutdown cooling flow at a higher value to accommodate flow measurement uncertainties. While the plant is operating in reduced inventory operations, plant operating procedures also specify an upper flow limit to prevent vortexing in the shutdown cooling system. A flow rate of at least 1000 GPM will circulate the full Reactor Coolant System volume in approximately 90 minutes. With the RCS in mid-loop operation, the Reactor Coolant System volume will circulate in approximately 25 minutes. The reactivity change rate associated with reductions in Reactor Coolant System boron concentration will be within the capability for operator recognition and control.

A maximum of two charging pumps capable of injecting into the RCS when RCS cold leg temperature is < 300F ensures that the maximum inadvertent dilution flow rate assumed in the boron dilution analysis is not exceeded.

MILLSTONE - UNIT 2 B 3/4 1-1a Amendment No. 139, 148, 185, 280, 283

LBDCR 09-MP2-017 September 15, 2009 REACTIVITY CONTROL SYSTEMS BASES 3/4.1.1.3 BORON DILUTION (Continued)

A charging pump can be considered to be not capable of injecting into the RCS by use of any of the following methods and the appropriate administrative controls.

1. Placing the motor circuit breaker in the open position.

2. Removing the charging pump motor overload heaters from the charging pump circuit.

3. Removing the charging pump motor controller from the motor control center.

4. Placing a charging pump control switch in the Pull-To-Lock (PTL) position.

3/4.1.1.4 MODERATOR TEMPERATURE COEFFICIENT (MTC)

The limitations on MTC are provided to ensure that the assumptions used in the accident and transient analyses remain valid through each fuel cycle. The surveillance requirements for measurement of the MTC during each fuel cycle are adequate to confirm the MTC value since this coefficient changes slowly due principally to the reduction in RCS boron concentration associated with fuel burnup. The confirmation that the measured MTC value is within its limit provides assurance that the coefficient will be maintained within acceptable values throughout each fuel cycle.

3/4.1.1.5 MINIMUM TEMPERATURE FOR CRITICALITY The MTC is expected to be slightly negative at operating conditions. However, at the beginning of the fuel cycle, the MTC may be slightly positive at operating conditions and since it will become more positive at lower temperatures, this specification is provided to restrict reactor operation when Tavg is significantly below the normal operating temperature.

3/4.1.2 DELETED 3/4.1.3 MOVEABLE CONTROL ASSEMBLIES The specifications of this section ensure that (1) acceptable power distribution limits are maintained, (2) the minimum SHUTDOWN MARGIN is maintained, and (3) the potential effects of a CEA ejection accident are limited to acceptable levels.

The ACTION statements which permit limited variations from the basic requirements are accompanied by additional restrictions which ensure that the original criteria are met.

MILLSTONE - UNIT 2 B 3/4 1-2 Amendment No. 33, 38, 139, 148, 218, 283,

Page B 3/4 1-3 has been removed from Technical Specifications September 25, 2003 BASES 3/4.1.3 MOVEABLE CONTROL ASSEMBLIES (Continued)

A CEA may become misaligned, yet remain trippable. In this condition, the CEA can still perform its required function of adding negative reactivity should a reactor trip be necessary. If one or more CEAs (regulating or shutdown) are misaligned by > 10 steps and < 20 steps but trippable, or one CEA is misaligned by 20 steps but trippable, continued operation in MODES 1 and 2 may continue, provided, within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the power is reduced to < 70% RATED THERMAL POWER, and within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months CEA alignment is restored. If negative reactivity insertion is required to reduce THERMAL POWER, boration shall be used. Regulating CEA alignment can be restored by either aligning the misaligned CEA(s) to within 10 steps of all other CEAs in its group or aligning the misaligned CEAs group to within 10 steps of the misaligned CEA. A Regulating CEA is considered fully inserted when either the Dropped Rod indication or lower Electrical Limit indication lights on the core mimic display are illuminated. A Regulating CEA is considered to be fully withdrawn when withdrawn 176 steps. Shutdown CEA alignment can only be restored by aligning the misaligned CEA(s) to within 10 steps of its group.

Xenon redistribution in the core starts to occur as soon as a CEA becomes misaligned. Reducing THERMAL POWER ensures acceptable power distributions are maintained. For small misalignments (< 20 steps) of the CEAs, there is:

a. A small effect on the time dependent long term power distributions relative to those used in generating LCOs and limiting safety system settings (LSSS) setpoints;

b. A negligible effect on the available SHUTDOWN MARGIN; and

c. A small effect on the ejected CEA worth used in the accident analysis.

With a large CEA misalignment ( 20 steps), however, this misalignment would cause distortion of the core power distribution. This distortion may, in turn, have a significant effect on the time dependent, long term power distributions relative to those used in generating LCOs and LSSS setpoints. The effect on the available SHUTDOWN MARGIN and the ejected CEA worth used in the accident analysis remain small. Therefore, this condition is limited to a single CEA misalignment, while still allowing 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for recovery.

In both cases, a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months time period is sufficient to:

a. Identify cause of a misaligned CEA;

b. Take appropriate corrective action to realign the CEAs; and

c. Minimize the effects of xenon redistribution.

If a CEA is untrippable, it is not available for reactivity insertion during a reactor trip. With an untrippable CEA, meeting the insertion limits of LCO 3.1.3.5 and LCO 3.1.3.6 does not ensure that adequate SHUTDOWN MARGIN exists. With one or more CEAs untrippable the plant is transitioned to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

MILLSTONE - UNIT 2 B 3/4 1-4 Amendment No. 38, 133, 139, 280

LBDCR 14-MP2-016 September 4, 2014 BASES 3/4.1.3 MOVEABLE CONTROL ASSEMBLIES (Continued)

The CEA motion inhibit permits CEA motion within the requirements of LCO 3.1.3.6, Regulating Control Element Assembly (CEA) Insertion Limits, and the CEA deviation circuit prevents regulating CEAs from being misaligned from other CEAs in the group. With the CEA motion inhibit inoperable, a time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed for restoring the CEA motion inhibit to OPERABLE status, or placing and maintaining the CEA drive switch in either the off or manual position, fully withdrawing all CEAs in group 7 to < 5% insertion. Placing the CEA drive switch in the off or manual position ensures the CEAs will not move in response to Reactor Regulating System automatic motion commands. Withdrawal of the CEAs to the positions required in the Required ACTION B.2 ensures that core perturbations in local burnup, peaking factors, and SHUTDOWN MARGIN will not be more adverse than the Conditions assumed in the safety analyses and LCO setpoint determination. Required ACTION B.2 is modified by a Note indicating that performing this Required ACTION is not required when in conflict with Required ACTIONS A.l or C.1.

Continued operation is not allowed in the case of more than one CEA misaligned from any other CEA in its group by 20 steps, or one or more CEAs untrippable. This is because these cases are indicative of a loss of SHUTDOWN MARGIN and power distribution changes, and a loss of safety function, respectively.

OPERABILITY of the CEA position indicators (Specification 3.1.3.3) is required to determine CEA positions and thereby ensure compliance with the CEA alignment and insertion limits and ensures proper operation of the CEA Motion Inhibit and CEA deviation block circuit.

The CEA Full In and Full Out limit Position Indicator channels provide an additional independent means for determining the CEA positions when the CEAs are at either their fully inserted or fully withdrawn positions. Therefore, the ACTION statements applicable to inoperable CEA position indicators permit continued operations when the positions of CEAs with inoperable position indicators can be verified by the Full In or Full Out limit Position Indicator channels.

CEA positions and OPERABILITY of the CEA position indicators are required to be verified at the frequency specified in the Surveillance Frequency Control Program with more frequent verifications required if an automatic monitoring channel is inoperable. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

The maximum CEA drop time permitted by Specification 3.1.3.4 is the assumed CEA drop time used in the accident analyses. Measurement with Tavg 515°F and with all reactor coolant pumps operating ensures that the measured drop times will be representative of insertion times experienced during a reactor trip at operating conditions.

MILLSTONE - UNIT 2 B 3/4 1-4a Amendment No. 133, 216, 280, Acknowledged by NRC letter dated 6/28/05

September 25, 2003 REACTIVITY CONTROL SYSTEMS BASES 3/4.1.3 MOVEABLE CONTROL ASSEMBLIES (Continued)

The LSSS setpoints and the power distribution LCOs were generated based upon a core burnup which would be achieved with the core operating in an essentially unrodded configuration. Therefore, the CEA insertion limit specifications require that during MODES 1 and 2, the CEAs be nearly fully withdrawn. The amount of CEA insertion permitted by the Long Term Steady State Insertion Limits of Specification 3.1.3.6 will not have a significant effect upon the unrodded burnup assumption but will still provide sufficient reactivity control. The Transient Insertion Limits of Specification 3.1.3.6 are provided to ensure that (1) acceptable power distribution limits are maintained, (2) the minimum SHUTDOWN MARGIN is maintained, and (3) the potential effects of a CEA ejection accident are limited to acceptable levels; however, long term operation at these insertion limits could have adverse effects on core power distribution during subsequent operation in an unrodded configuration. The PDIL alarm, CEA Motion Inhibit and CEA deviation circuit are provided by the CEAPDS computer.

The control rod drive mechanism requirement of specification 3.1.3.7 is provided to assure that the consequences of an uncontrolled CEA withdrawal from subcritical transient will stay within acceptable levels. This specification assures that reactor coolant system conditions exist which are consistent with the plant safety analysis prior to energizing the control rod drive mechanisms. The accident is precluded when conditions exist which are inconsistent with the safety analysis since deenergized drive mechanisms cannot withdraw a CEA. The drive mechanisms may be energized with the boron concentration greater than or equal to the refueling concentration since, under these conditions, adequate SHUTDOWN MARGIN is maintained, even if all CEAs are fully withdrawn from the core.

MILLSTONE - UNIT 2 B 3/4 1-5 Amendment No. 38, 116, 216, 280

REVERSE OF PAGE B 3/4 1-5 INTENTIONALLY LEFT BLANK

LBDCR 04-MP2-016 February 24, 2005 3/4.2 POWER DISTRIBUTION LIMITS BASES 3/4.2.1 LINEAR HEAT RATE The limitation on linear heat rate ensures that in the event of a LOCA, the peak temperature of the fuel cladding will not exceed 2200F.

Either of the two core power distribution monitoring systems, the Excore Detector Monitoring System and the Incore Detector Monitoring System, provide adequate monitoring of the core power distribution and are capable of verifying that the linear heat rate does not exceed its limits. The Excore Detector Monitoring System performs this function by continuously monitoring the AXIAL SHAPE INDEX with two OPERABLE excore neutron flux detectors and verifying that the AXIAL SHAPE INDEX is maintained within the allowable limits specified in the CORE OPERATING LIMITS REPORT using the Power Ratio Recorder. The power dependent limits of the Power Ratio Recorder are less than or equal to the limits specified in the CORE OPERATING LIMITS REPORT. In conjunction with the use of the excore monitoring system and in establishing the AXIAL SHAPE INDEX limits, the following assumptions are made: 1) the CEA insertion limits of Specifications 3.1.3.5 and 3.1.3.6 are satisfied, 2) the AZIMUTHAL POWER TILT restrictions of Specification 3.2.4 are satisfied, and 3) the TOTAL UNRODDED INTEGRATED RADIAL PEAKING FACTOR does not exceed the limits of Specification 3.2.3.

The Incore Detector Monitoring System continuously provides a direct measure of the peaking factors and the alarms which have been established for the individual incore detector segments ensure that the peak linear heat rates will be maintained within the allowable limits specified in the CORE OPERATING LIMITS REPORT. The setpoints for these alarms include allowances, set in the conservative direction. The Incore Detector Monitoring System is not used to monitor linear heat rate below 20% of RATED THERMAL POWER. The accuracy of the neutron flux information from the incore detectors is not reliable at THERMAL POWER < 20%

RATED THERMAL POWER.

3/4.2.3 AND 3/4.2.4 TOTAL UNRODDED INTEGRATED RADIAL PEAKING FACTORS FTr AND AZIMUTHAL POWER TILT - Tq The limitations on FTr and Tq are provided to 1) ensure that the assumptions used in the analysis for establishing the Linear Heat Rate and Local power Density - High LCOs and LSSS setpoints remain valid during operation at the various allowable CEA group insertion limits, and,

2) ensure that the assumptions used in the analysis establishing the DNB Margin LCO, and Thermal Margin/Low Pressure LSSS setpoints remain valid during operation at the various allowable CEA group insertion limits. If FTr or Tq exceed their basic limitations, operation may continue under the additional restrictions imposed MILLSTONE - UNIT 2 B 3/4 2-1 Amendment No. 38, 52, 122, 139, 148, 155, 194, 230, 280, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-016 September 4, 2014 POWER DISTRIBUTION LIMITS BASES by the ACTION statements since these additional restrictions provide adequate provisions to assure that the assumptions used in establishing the Linear Heat Rate, Thermal Margin/Low Pressure and Local Power Density - High LCOs and LSSS setpoints remain valid. An AZIMUTHAL POWER TILT > 0.10 is not expected and if it should occur, subsequent operation would be restricted to only those operations required to identify the cause of this unexpected tilt.

Core power distribution is a concern any time the reactor is critical. The Total Integrated Radial Peaking Factor - FTr LCO, however, is only applicable in MODE 1 above 20% of RATED THERMAL POWER. The reasons that this LCO is not applicable below 20% of RATED THERMAL POWER are:

a. Data from the incore detectors are used for determining the measured radial peaking factors. Technical Specification 3.2.3 is not applicable below 20% of RATED THERMAL POWER because the accuracy of the neutron flux information from the incore detectors is not reliable at THERMAL POWER

< 20% RATED THERMAL POWER.

b. When core power is below 20% of RATED THERMAL POWER, the core is operating well below its thermal limits, and the Local Power Density (fuel pellet melting) and Thermal Margin/Low Pressure (DNB) trips are highly conservative.

The surveillance requirements for verifying that FTr and Tq are within their limits provide assurance that the actual values of FTr and Tq do not exceed the assumed values. These surveillance frequencies are controlled under the Surveillance Frequency Control Program.

Verifying FTr after each fuel loading prior to exceeding 70% of RATED THERMAL POWER provides additional assurance that the core was properly loaded.

3/4.2.6 DNB MARGIN The limitations provided in this specification ensure that the assumed margins to DNB are maintained. The limiting values of the parameters in this specification are those assumed as the initial conditions in the accident and transient analyses; therefore, operation must be maintained within the specified limits for the accident and transient analyses to remain valid.

MILLSTONE - UNIT 2 B 3/4 2-2 Amendment No. 38, 52, 122, 139, 155, 230, 280

LBDCR 14-MP2-016 September 4, 2014 3/4.3 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION The OPERABILITY of the protective and ESF instrumentation systems and bypasses ensure that 1) the associated ESF action and/or reactor trip will be initiated when the parameter monitored by each channel or combination thereof exceeds its setpoint, 2) the specified coincidence logic is maintained, 3) sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance, and 4) sufficient system functional capability is available for protective and ESF purposes from diverse parameters.

The OPERABILITY of these systems is required to provide the overall reliability, redundance and diversity assumed available in the facility design for the protection and mitigation of accident and transient conditions. The integrated operation of each of these systems is consistent with the assumptions used in the accident analyses.

ACTION Statement 2 of Tables 3.3-1 and 3.3-3 requires an inoperable Reactor Protection System (RPS) or Engineered Safety Feature Actuation System (ESFAS) channel to be placed in the bypassed or tripped condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The inoperable channel may remain in the bypassed condition for a maximum of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . While in the bypassed condition, the affected functional unit trip coincidence will be 2 out of 3. After 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , the channel must either be declared OPERABLE, or placed in the tripped condition. If the channel is placed in the tripped condition, the affected functional unit trip coincidence will become 1 out of 3. One additional channel may be removed from service for up to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , provided one of the inoperable channels is placed in the tripped condition.

Plant operation with an inoperable pressurizer high pressure reactor protection channel in the tripped condition is restricted because of the potential inadvertent opening of both pressurizer power operated relief valves (PORVs) if a second pressurizer high pressure reactor protection channel failed while the first channel was in the tripped condition. This plant operating restriction is contained in the Technical Requirements Manual.

The reactor trip switchgear consists of eight reactor trip circuit breakers, which are operated in four sets of two breakers (four channels). Each of the four trip legs consists of two reactor trip circuit breakers in series. The two reactor trip circuit breakers within a trip leg are actuated by separate initiation circuits. For example, if a breaker receives an open signal in trip leg A, an identical breaker in trip leg B will also receive an open signal. This arrangement ensures that power is interrupted to both Control Element Drive Mechanism buses, thus preventing a trip of only half of the control element assemblies (a half trip). Any one inoperable breaker in a channel will make the entire channel inoperable.

The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards. These surveillance frequencies are controlled under the Surveillance Frequency Control Program.

The surveillance testing verifies OPERABILITY of the RPS by overlap testing of the four interconnected modules: measurement channels, bistable trip units, RPS logic, and reactor trip circuit breakers. When testing the measurement channels or bistable trip units that provide an automatic reactor trip function, the associated RPS channel will be removed from service, MILLSTONE - UNIT 2 B 3/4 3-1 Amendment No. 167, 188, 198, 225, 282, Acknowledged by NRC letter dated 6/28/05

LBDCR 06-MP2-036 October 12, 2006 3/4.3 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION (continued) declared inoperable, and ACTION Statement 2 of Technical Specification 3.3.1.1 entered. When testing the RPS logic (matrix testing), the individual RPS channels will not be affected. Each of the parameters within each RPS channel supplies three contacts to make up the 6 different logic ladders/matrices (AB, AC, AD, BC, BD, and CD). During matrix testing, only one logic matrix is tested at a time. Since each RPS channel supplies 3 different logic ladders, testing one ladder matrix at a time will not remove an RPS channel from the overall logic matrix. Therefore, matrix testing will not remove an RPS channel from service or make the RPS channel inoperable. It is not necessary to enter an ACTION Statement for any of the parameters associated with each RPS channel while performing matrix testing. This also applies when testing the reactor trip circuit breakers since this test will not remove an RPS channel from service or make the RPS channel inoperable.

ACTION Statements for the RPS logic matrices and RPS logic matrix relays are required to be entered during matrix testing as these functional units become inoperable when the HOLD button is depressed during testing.

The RPS bypasses and their allowable values are addressed in footnotes to Table 3.3-1. They are not otherwise addressed as specific table entries.

The RPS automatic bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip functions are not operationally bypassed when the safety analysis assumes the functions are available.

The RPS automatic bypass removal feature of all four operating bypass channels must be OPERABLE for each RPS function with an operating bypass in the MODES addressed in the specific LCO for each function. All four bypass removal channels must be OPERABLE to ensure that none of the four RPS channels are inadvertently bypassed.

ACTION Statements 7 and 8 apply to the RPS bypass removal feature only. If the bypass enable function is failed so as to prevent entering a bypass condition, operation may continue.

ACTION Statement 7 applies to one automatic bypass removal channel inoperable. If the bypass removal channel for any operating bypass cannot be restored to OPERABLE status, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect.

Otherwise, the affected RPS channel must be declared inoperable, as in ACTION Statement 2, and the bypass either removed or the bypass removal channel repaired. The allowed outage times are the same as for ACTION Statement 2.

MILLSTONE - UNIT 2 B 3/4 3-1a Amendment No. 225, 230, 245, 282,

LBDCR 14-MP2-016 September 4, 2014 3/4.3 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION (continued)

ACTION Statement 8 applies to two inoperable automatic bypass removal channels. If the bypass removal channels cannot be restored to OPERABLE status, the associated RPS channel may be considered OPERABLE only if the bypass is not in effect. Otherwise, the affected RPS channels must be declared inoperable, and the bypass either removed or the bypass removal channel repaired. Also, ACTION Statement 8 provides for the restoration of the one affected automatic trip channel to OPERABLE status within the allowed outage time specified under ACTION Statement 2.

ACTION Statements 7 and 8 contain the term disable the bypass channel. Compliance with ACTION Statements 7 or 8 is met by placing or verifying the Zero Mode Bypass Switch(es) in Off. No further action (i.e., key removal, periodic verification, etc.) is required. These switches are administratively controlled via station procedures; therefore the requirements of ACTION Statements 7 and 8 are continuously met.

SR 4.3.1.1.2 and SR 4.3.2.1.2 specify a CHANNEL FUNCTIONAL TEST of the bypass function and automatic bypass removal once within 92 days prior to each reactor startup. The total bypass function shall be demonstrated OPERABLE periodically during CHANNEL CALIBRATION testing of each channel affected by bypass operation. The surveillance frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL FUNCTIONAL TEST is similar to the CHANNEL FUNCTIONAL TESTS already required by SR 4.3.1.1.1 and SR 4.3.2.1.1, except the CHANNEL FUNCTIONAL TEST is applicable only to bypass functions and is performed once within 92 days prior to each startup. The MPS2 RPS is an analog system while the design of the MPS2 ESFAS includes both an analog portion and a digital portion. With respect to the analog portion of the systems, a successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other TS tests at least once per refueling interval with applicable extensions. Proper operation of bypass permissives is critical during plant startup because the bypasses must be in place to allow startup operation and must be removed at the appropriate points during power ascent to enable certain reactor trips. Consequently, the appropriate time to verify bypass removal function OPERABILITY is just prior to startup. The allowance to conduct this test within 92 days of startup is based on the reliability analysis presented in topical report CEN-327, RPS/ESFAS Extended Test Interval Evaluation, which is referenced in NUREG-1432 and is applicable to MPS2. Once the operating bypasses are removed, the bypasses must not fail in such a way that the associated trip function gets inadvertently bypassed. This feature is verified by the trip function CHANNEL FUNCTIONAL TESTS SR 4.3.1.1.1 and SR 4.3.2.1.1. Therefore, further testing of the bypass function after startup is unnecessary.

MILLSTONE - UNIT 2 B 3/4 3-1b Amendment No.

LBDCR 14-MP2-016 September 4, 2014 3/4.3 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION (continued)

The ESFAS includes four sensor subsystems and two actuation subsystems for each of the functional units identified in Table 3.3-3. Each sensor subsystem includes measurement channels and bistable trip units. Each of the four sensor subsystem channels monitors redundant and independent process measurement channels. Each sensor is monitored by at least one bistable.

The bistable associated with each ESFAS Function will trip when the monitored variable exceeds the trip setpoint. When tripped, the sensor subsystems provide outputs to the two actuation subsystems.

The two independent actuation subsystems each compare the four associated sensor subsystem outputs. If a trip occurs in two or more sensor subsystem channels, the two-out-of-four automatic actuation logic will initiate one train of ESFAS. An Automatic Test Inserter (ATI), for which the automatic actuation logic OPERABILITY requirements of this specification do not apply, provides automatic test capability for both the sensor subsystems and the actuation subsystems.

The provisions of Specification 4.0.4 are not applicable for the CHANNEL FUNCTIONAL TEST of the Engineered Safety Feature Actuation System automatic actuation logic associated with Pressurizer Pressure Safety Injection, Pressurizer Pressure Containment Isolation, Steam Generator Pressure Main Steam Line Isolation, and Pressurizer Pressure Enclosure Building Filtration for entry into MODE 3 or other specified conditions. After entering MODE 3, pressurizer pressure and steam generator pressure will be increased and the blocks of the ESF actuations on low pressurizer pressure and low steam generator pressure will be automatically removed. After the blocks have been removed, the CHANNEL FUNCTIONAL TEST of the ESF automatic actuation logic can be performed. The CHANNEL FUNCTIONAL TEST of the ESF automatic actuation logic must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing the appropriate plant conditions, and prior to entry into MODE 2.

The periodic measurement of response time provides assurance that the protective and ESF action function associated with each channel is completed within the time limit assumed in the accident analyses. These surveillance frequencies are controlled under the Surveillance Frequency Control Program. No credit was taken in the analyses for those channels with response times indicated as not applicable. The Reactor Protective and Engineered Safety Feature response times are contained in the Millstone Unit No. 2 Technical Requirements Manual. Changes to the Technical Requirements Manual require a 10CFR50.59 review as well as a review by the Site Operations Review Committee.

MILLSTONE - UNIT 2 B 3/4 3-1c Amendment No.

LBDCR 04-MP2-016 February 24, 2005 INSTRUMENTATION BASES 3/4.3.1 AND 3/4.3.2 PROTECTIVE AND ENGINEERED SAFETY FEATURES (ESF)

INSTRUMENTATION (Continued)

SRAS LOGIC MODIFICATION ACTION Statement 4 of Table 3.3-3, which applies only to the SRAS logic, specifies that during surveillance testing the second inoperable channel must also be placed in the bypassed condition. For the SRAS logic, placing the second inoperable channel in the tripped condition (as in ACTION Statement 2) could result in the false generation of a SRAS signal due to an additional failure which causes a trip signal in either of the remaining channels at the onset of a LOCA. The false generation of the SRAS signal leads to unacceptable consequences for LOCA mitigation.

With ACTION Statement 4, during the two-hour period when two channels are bypassed, no additional failure can result in the false generation of the SRAS signal. However, an additional failure that prevents a trip of either of the two remaining channels may prevent the generation of a true SRAS signal while in this ACTION Statement. If no SRAS is generated at the appropriate time, operating procedures instruct the operator to ensure that the SRAS actuation occurs when the refueling water storage tank level decreases. Due to the limited period of vulnerability, and the existence of operator requirements to manually initiate an SRAS if an automatic initiation does not occur, this risk is considered acceptable.

STEAM GENERATOR BLOWDOWN ISOLATION Automatic isolation of steam generator blowdown will occur on low steam generator water level. An auxiliary feedwater actuation signal will also be generated at this steam generator water level. Isolation of steam generator blowdown will conserve steam generator water inventory following a loss of main feedwater.

SENSOR CABINET POWER SUPPLY AUCTIONEERING The auctioneering circuit of the ESFAS sensor cabinets ensures that two sensor cabinets do not de-energize upon loss of a D.C. bus, thereby resulting in the false generation of an SRAS.

Power source VA-10 provides normal power to sensor cabinet A and backup power to sensor cabinet D. VA-40 provides normal power to sensor cabinet D and backup power to cabinet A.

Power sources VA-20 and VA-30 and sensor cabinets B and C are similarly arranged.

If the normal or backup power source for an ESFAS Sensor Cabinet is lost, two sensor cabinets would be supplied from the same power source, but would still be operating with no subsequent trip signals present. However, any additional failure associated with this power source would result in the loss of the two sensor cabinets, consequently generating a false SRAS.

The 48-hour ACTION Statement ensures that the probability of a ACTION Statement and an additional failure of the remaining power source, while in this ACTION Statement is sufficiently small.

MILLSTONE - UNIT 2 B 3/4 3-2 Amendment No. 157, 179, 226, 245, Acknowledged by NRC letter dated 6/28/05

LBDCR 16-MP2-015 February 2, 2017 BASES(Continued) 3/4.3.3 MONITORING INSTRUMENTATION 3/4.3.3.1 RADIATION MONITORING INSTRUMENTATION The OPERABILITY of the radiation monitoring channels ensures that 1) the radiation levels are continually measured in the areas served by the individual channels and 2) the alarm or automatic action is initiated when the radiation level trip setpoint is exceeded.

The analyses for a Steam Generator Tube Rupture, Waste Gas System Failure, Cask Tip and Fuel Handling Accident credit the control room ventilation inlet duct radiation monitors with closure of the Unit 2 control room isolation dampers. In the event of a single failure in either channel (1 per train), the control room isolation dampers automatically close. The response time test for the control room isolation dampers includes signal generation time and damper closure.

The response time for the control room isolation dampers is maintained within the applicable facility surveillance procedure.

The containment airborne radiation monitors (particulate) provide early indication of leakage from the Reactor Coolant System as specified in Technical Specification 3.4.6.1.

MILLSTONE - UNIT 2 B 3/4 3-2a Amendment No. 157, 179, 225, 230, 245, 282, 284,

July 13, 1999 INSTRUMENTATION BASES 3/4.3.3.2 - DELETED 3/4.3.3.3 - DELETED 3/4.3.3.4 - DELETED 3/4.3.3.5 REMOTE SHUTDOWN INSTRUMENTATION The OPERABILITY of the remote shutdown instrumentation ensures that sufficient capability is available to permit shutdown and maintenance of HOT SHUTDOWN of the facility from locations outside of the control room. This capability is required in the event control room habitability is lost and is consistent with General Design Criteria 19 of 10 CFR 50.

MILLSTONE - UNIT 2 B 3/4 3-3 Amendment No. 25, 49, 237

February 20, 2020 LBDCR 20-MP2-001 INSTRUMENTATION BASES 3/4.3.3.6 DELETED 3/4.3.3.7 DELETED 3/4.3.3.8 ACCIDENT MONITORING INSTRUMENTATION The OPERABILITY of the accident monitoring instrumentation ensures that sufficient information is available on selected plant parameters to monitor and assess these variables during and following an accident. This capability is consistent with the recommendations of NUREG-0578, TMI-2 Lessons Learned Task Force Status Report and Short-Term Recommendations.

If a PORV Position Indicator, PORV Block Valve Position Indicator or Safety Valve Position Indicator becomes inoperable, an alternate method can be used for determining if there is loss of reactor coolant through an inadvertently open valve. Direct parameters (such as quench tank temperature, level and pressure or discharge pipe temperature) can be used to determine if a gross leakage of the reactor coolant is present through an inadvertently opened valve. Primary system and containment instrumentation parameters may also be used to identify a loss of inventory and diagnose whether the source of a leak is through a PORV or Safety Valve flow path. Once an alternate method is established, the applicable information is obtained once per shift. Use of an alternate method requires a special report (pursuant to TS 6.9.2 ) to be submitted within the next 10 days, if position indication is not restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The purpose of the special report is to notify the Commission of the inoperability and describe alternate methods in effect. The special report would also outline the cause of the malfunction and plans for restoring the affected position indicators to operable status. If an alternate method is initiated, OPERABILITY of the accident monitoring instrumentation channel must be restored by the end of the next scheduled refueling outage.

MILLSTONE - UNIT 2 B 3/4 3-4 Amendment No. 35, 49, 66, 100, 127, 191

November 28, 2000 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 3/4 3-5 Amendment No. 104, 245, 250

LBDCR 04-MP2-011 December 8, 2005 INSTRUMENTATION BASES 3/4.3.3.9 - DELETED 3/4.3.3.10 - DELETED 3/4.3.4 - DELETED MILLSTONE - UNIT 2 B 3/4 3-6 Amendment No. 104, 245, 250, 284,

May 1, 2002 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION The plant is designed to operate with both Reactor Coolant System (RCS) loops and associated reactor coolant pumps (RCPs) in operation, and maintain the DNBR above the 95/95 limit for the DNB correlation during all normal operations and anticipated transients. In MODES 1 and 2, both RCS loops and associated RCPs are required to be OPERABLE and in operation.

In MODE 3, a single RCS loop with one RCP and adequate steam generator secondary water inventory provides sufficient heat removal capability. However, both RCS loops with at least one RCP per loop are required to be OPERABLE to provide redundant paths for decay heat removal. In addition, as a minimum, one RCS loop must be in operation. Any exceptions to these requirements are contained in the LCO Notes.

In MODE 4, one RCS loop with one RCP and adequate steam generator secondary water inventory, or one shutdown cooling. (SDC) train provides sufficient heat removal capability.

However, two loops or trains, consisting of any combination of RCS loops or SDC trains, are required to be OPERABLE to provide redundant paths for decay heat removal. In addition, as a minimum, one RCS loop or SDC train must be in operation. Any exceptions to these requirements are contained in the LCO Notes.

In MODES 3 and 4, an OPERABLE RCS loop consists of the RCS loop, associated steam generator, and at least one RCP. The steam generator must have sufficient secondary water inventory for heat removal.

In MODE 5, with the RCS loops filled, the SDC trains are the primary means of heat removal. One SDC train provides sufficient heat removal capability. However, to provide redundant paths for decay heat removal either two SDC trains are required to be OPERABLE, or one SDC train is required to be OPERABLE and both steam generators are required to have adequate steam generator secondary water inventory. In addition, as a minimum, one SDC train must be in operation. Any exceptions to these requirements are contained in the LCO Notes.

By maintaining adequate secondary water inventory and makeup capability, the steam generators will be able to support natural circulation in the RCS loops. In addition, the ability to pressurize and control RCS pressure is necessary to support RCS natural circulation. If the pressurizer steam bubble has been collapsed and the RCS has been depressurized or drained sufficiently that voiding of the steam generator U-tubes may have occurred, the RCS loops should be considered not filled unless an evaluation is performed to verify the ability of the RCS to support natural circulation. If the RCS loops are considered not filled, the RCS must be refilled, pressurized, and the RCPs bumped (unless a vacuum fill of the RCS was performed) before the RCS loops can be considered filled.

In MODE 5, with the RCS loops not filled, the SDC trains are the only means of heat removal. One SDC train provides sufficient heat removal capability. However, to provide redundant paths for decay heat removal, two SDC trains are required to be OPERABLE. In addition, as a minimum, one SDC MILLSTONE - UNIT 2 B 3/4 4-1 Revised by NRC Letter A15689 Amendment No. 50, 66, 69, 139, 218, 249,

LBDCR 14-MP2-017 January 8, 2015 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued) train must be in operation. Any exceptions to these requirements are contained in the LCO Notes.

An OPERABLE SDC train, for plant operation in MODES 4 and 5, includes a pump, heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine RCS temperature. The flow path starts at the RCS hot leg and is returned to the RCS cold legs. Management of gas voids is important to SDC System OPERABILITY.

In MODE 4, an OPERABLE SDC train consists of the following equipment:

1. An OPERABLE SDC pump (low pressure safety injection pump);

2. The associated SDC heat exchanger from the same facility as the SDC pump;

3. The associated reactor building closed cooling water loop from the same facility as the SDC pump;

4. The associated service water loop from the same facility as the SDC pump; and

5. All valves required to support SDC System operation are in the required position or are capable of being placed in the required position.

In MODE 4, two OPERABLE SDC trains require 2 SDC pumps, 2 SDC heat exchangers, 2 RBCCW pumps, 2 RBCCW heat exchangers, and 2 SW pumps. In addition, 2 RBCCW headers and 2 SW headers are required to support the SDC heat exchangers, consistent with the requirements of Technical Specifications 3.7.3.1 and 3.7.4.1.

In MODE 5, an OPERABLE SDC train consists of the following equipment:

1. An OPERABLE SDC pump (low pressure safety injection pump);

2. The associated SDC heat exchanger from the same facility as the SDC pump;

3. An RBCCW pump, powered from the same facility as the SDC pump, and RBCCW heat exchanger capable of cooling the associated SDC heat exchanger;

4. A SW pump, powered from the same facility as the SDC pump, capable of supplying cooling water to the associated RBCCW heat exchanger; and

5. All valves required to support SDC System operation are in the required position or are capable of being placed in the required position MILLSTONE - UNIT 2 B 3/4 4-1a Revised by NRC Letter A15689 Amendment No. 50, 66, 69, 139, 218, 249

LBDCR 14-MP2-017 January 8, 2015 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

In MODE 5, two OPERABLE SDC trains require 2 SDC pumps, 2 SDC heat exchangers, 2 RBCCW pumps, 2 RBCCW heat exchangers, and 2 SW pumps. In addition, 2 RBCCW headers are required to provide cooling to the SDC heat exchangers, but only 1 SW header is required to support the SDC trains. The equipment specified is sufficient to address a single active failure of the SDC System and associated support systems.

In addition, two SDC trains can be considered OPERABLE, with only one 125-volt D.C.

bus train OPERABLE, in accordance with Limiting Condition for Operation (LCO) 3.8.2.4. 2-SI-306 and 2-SI-657 are both powered from the same 125-volt D.C. bus, on Facility 1. Should these valves reposition due to a loss of power, SDC would no longer be aligned to cool the RCS.

However, a designated operator is assigned to reposition these valves as necessary in the event 125-volt D.C. power is lost. Consistent with the bases for LCO 3.8.2.4, the 125-volt D.C. support system operability requirements for both trains of SDC are satisfied in MODE 5 with at least one 125-volt D.C. bus train OPERABLE and the 125-volt D.C. buses cross-tied.

The operation of one Reactor Coolant Pump or one shutdown cooling pump provides adequate flow to ensure mixing, prevent stratification and produce gradual reactivity changes during boron concentration reductions in the Reactor Coolant System. The reactivity change rate associated with boron reductions will, therefore, be within the capability of operator recognition and control.

SDC System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the required SDC train(s) and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.

Selection of SDC System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points, and to confirm the location and orientation of important components that can become sources of gas, or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration. Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.

The SDC System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criterion for gas MILLSTONE - UNIT 2 B 3/4 4-1b Amendment No. 50, 66, 69, 139, 218, 248, 249, Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued) volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the SDC System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.

Accumulated gas should be eliminated or brought within the acceptance criteria limits.

Surveillance Requirements 4.4.1.3.4, 4.4.1.4.4, and 4.4.1.5.3 are performed for SDC System locations susceptible to gas accumulation and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval. The operating SDC pump and associated piping are exempted from this surveillance requirement, in that the operating train is self venting/flushing.

The monitoring frequency takes into consideration the gradual nature of gas accumulation in the SDC piping and the procedural controls governing system operation. The frequency is controlled by the Surveillance Frequency Control Program. The surveillance frequency may vary by each locations susceptibility to gas accumulation.

Surveillance Requirement 4.4.1.3.4 is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering MODE 4. In a rapid shutdown, there may be insufficient time to verify all susceptible locations prior to entering MODE 4.

The restrictions on starting a Reactor Coolant Pump in MODE 4 with one or more RCS cold legs 275F and in MODE 5 are provided to prevent RCS pressure transients, caused by energy additions from the secondary system, which could exceed the limits of Appendix G to 10 CFR Part 50. The RCS will be protected against overpressure transients and will not exceed the limits of Appendix G by:

1. Restricting pressurizer water volume to ensure sufficient steam volume is available to accommodate the insurge;

2. Restricting pressurizer pressure to establish an initial pressure that will ensure system pressure does not exceed the limit; and MILLSTONE - UNIT 2 B 3/4 4-1c Amendment No. 50, 66, 69, 139, 218, 248, 249, Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

3. Restricting primary to secondary system delta-T to reduce the energy addition from the secondary system.

If these restrictions are met, the steam bubble in the pressurizer is sufficient to ensure the Appendix G limits will not be exceeded. No credit has been taken for PORV actuation to limit RCS pressure in the analysis of the energy addition transient.

The limitations on pressurizer water level, pressurizer pressure, and primary to secondary delta-T are necessary to ensure the validity of the analysis of the energy addition due to starting an RCP. The values for pressurizer water level and pressure can be obtained from control room indications. The primary to secondary system delta-T can be obtained from Shutdown Cooling (SDC) System outlet temperature and the saturation temperature for indicated steam generator pressure. If there is no indicated steam generator pressure, the steam generator shell temperature indicators can be used. If these indications are not available, other appropriate instrumentation can be used.

The RCP starting criteria values for pressurizer water level, pressurizer pressure, and primary to secondary delta-T contained in Technical Specifications 3.4.1.3, 3.4.1.4 and 3.4.1.5 have not been adjusted for instrument uncertainty. The values for these parameters contained in the procedures that will be used to start an RCP have been adjusted to compensate for instrument uncertainty.

The value of RCS cold leg temperature ( 275F ) used to determine if the RCP start criteria applies, will be obtained from SDC return temperature if SDC is in service. If SDC is not in service, or natural circulation is occurring, RCS cold leg temperature will be used.

Average Coolant Temperature (Tavg) values are derived under the following 3 plant conditions, using the designated formula as appropriate for use in Unit 2 operating procedures.

RCP Operation: (Tcold1 + Tco1d2 + Thotl + Thot2) / 4 = Tavg

Natural circulation only flow: (Tcold1 + Tco1d2 + Thotl + Thot2) / 4 = Tavg

SDC flow greater than 1000 gpm: (SDCoutlet + SDCinlet) / 2 = Tavg (exception: Tavg is not expected to be calculated by this definition during the initial portion of the initiation phase of SDC. The transition point from loop temperature average to SDC system average during cooldowns is when T351Y decreases below Loop Tcold)

MILLSTONE - UNIT 2 B 3/4 4-1d Amendment No. 50, 66, 69, 139, 218, 248, 249, 293 Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

During operation with one or more Reactor Coolant Pumps (RCPs) providing forced flow and during natural circulation conditions, the loop Resistance Temperature Detectors (RTDs) represent the inlet and outlet temperatures of the reactor and hence the average temperature of the water that the reactor is exposed to. This holds during concurrent RCP/SDC operation also.

During Shutdown Cooling (SDC) only operation, there is no significant flow past the loop RTDs. Core inlet and outlet temperatures are accurately measured during those conditions by using T351Y, SDC return to RCS temperature indication, and T351X, RCS to SDC temperature indication. The average of these two indicators provides a temperature that is equivalent to the average RCS temperature in the core.

During the transition from Steam Generator (SG) and SDC heat removal to SDC only heat removal, actual core average temperature results from a mixture of both SDC flow and loop flow from natural circulation. This condition occurs from the time SDC cooling is initiated until SG steaming process stops removing heat. The temperature of this mixture cannot be measured or calculated. However, the average of the SDC temperatures is still appropriate for use. This provides a straightforward process for determining Tavg.

During some transient conditions, such as heatups on SDC, the value calculated by this average definition will be slightly higher than the actual core average. During other transients, such as cooldowns where SG heat removal is still taking place causing some natural circulation flow, the value calculated by the average definition will be slightly lower than actual core average conditions. For the purpose of determining MODE changes and technical specification applicability, these transient condition results are conservative.

The Notes in LCOs 3.4.1.2, 3.4.1.3, 3.4.1.4, and 3.4.1.5 permit a limited period of operation without RCPs and shutdown cooling pumps. All RCPs and shutdown cooling pumps may be removed from operation for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. This means that natural circulation has been established. When in natural circulation, a reduction in boron concentration with coolant at boron concentrations less than required to assure the SDM of LCO 3.1.1.1 is maintained is prohibited because an even concentration distribution throughout the RCS cannot be ensured. Core outlet temperature is to be maintained at least 10F below the saturation temperature so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

MILLSTONE - UNIT 2 B 3/4 4-1e Amendment No. 293, Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION (continued)

Concerning TS 3.4.1.2, ACTION b.; 3.4.1.3, ACTION c.; 3.4.1.4, ACTION b.; and 3.4.1.5, ACTION b., if two required loops or trains are inoperable or a required loop or train is not in operation except during conditions permitted by the note in the LCO section, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1.1 must be suspended and action to restore one RCS loop or SDC train to OPERABLE status and operation must be initiated. The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO 3.1.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations.

The immediate completion times reflect the importance of decay heat removal. The ACTION to restore must continue until one loop or train is restored to operation.

Technical Specification 3.4.1.6 limits the number of reactor coolant pumps that may be operational during MODE 5. This will limit the pressure drop across the core when the pumps are operated during low-temperature conditions. Controlling the pressure drop across the core will maintain maximum RCS pressure within the maximum allowable pressure as calculated in Code Case No. N-514. Limiting two reactor coolant pumps to operate when the RCS cold leg temperature is less than 120F, will ensure that the requirements of 10 CFR 50 Appendix G are not exceeded. Surveillance 4.4.1.6 supports this requirement.

3/4.4.2 SAFETY VALVES The pressurizer code safety valves operate to prevent the RCS from being pressurized above its Safety Limit of 2750 psia. Each safety valve is designed to relieve 296,000 lbs per hour of saturated steam at the valve setpoint. The relief capacity of a single safety valve is adequate to relieve any overpressure condition which could occur during shutdown. If any pressurizer code safety valve is inoperable, and cannot be restored to OPERABLE status, the ACTION statement requires the plant to be shut down and cooled down such that Technical Specification 3.4.9.3 will become applicable and require the Low Temperature Overpressure Protection System to be placed in service to provide overpressure protection MILLSTONE - UNIT 2 B 3/4 4-1f Amendment No.

REVERSE OF PAGE B 3/4 4-1f INTENTIONALLY LEFT BLANK

LBDCR 04-MP2-016 February 24, 2005 3/4.4 REACTOR COOLANT SYSTEM BASES During operation, all pressurizer code safety valves must be OPERABLE to prevent the RCS from being pressurized above its safety limit of 2750 psia. The combined relief capacity of these valves is sufficient to limit the Reactor Coolant System pressure to within its Safety Limit of 2750 psia following a complete loss of turbine generator load while operating at RATED THERMAL POWER and assuming no reactor trip until the first Reactor Protective System trip setpoint (Pressurizer Pressure-High) is reached (i.e., no credit is taken for a direct reactor trip on the loss of turbine) and also assuming no operation of the pressurizer power operated relief valve or steam dump valves.

3/4.4.3 RELIEF VALVES The power operated relief valves (PORVs) operate to relieve RCS pressure below the setting of the pressurizer code safety valves. These relief valves have remotely operated block valves to provide a positive shutoff capability should a relief valve become inoperable. The electrical power for both the relief valves and the block valves is capable of being supplied from an emergency power source to ensure the ability to seal this possible RCS leakage path.

The PORVs are also used for low temperature overpressure protection when the RCS is cooled down to or below 275°F. This is covered by Technical Specification 3.4.9.3 and discussed in the respective Bases section. The discussion below only addresses the PORVs in MODES 1, 2 and 3.

With the PORV inoperable and capable of being manually cycled, either the PORV must be restored, or the flow path isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The block valve should be closed, but the power must be maintained to the associated block valve, since removal of power would render the block valve inoperable. Although the PORV may be designated inoperable, it may be able to be manually opened and closed and in this manner can be used to perform its function. PORV inoperability may be due to seat leakage, instrumentation problems, automatic control problems, or other causes that do not prevent manual use and do not create a possibility for a small break LOCA. Operation of the plant may continue with the PORV in this inoperable condition for a limited period of time not to exceed the next refueling outage, so that maintenance can be performed on the PORVs to eliminate the degraded condition. The PORVs should normally be available for automatic mitigation of overpressure events when the plant is at power.

Quick access to the PORV for pressure control can be made when power remains on the closed block valve.

If one block valve is inoperable, then it must be restored to OPERABLE status, or the associated PORV prevented from opening automatically. The prime importance for the capability to maintain closed the block valve is to isolate a stuck open PORV. Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the required ACTION is to prevent the associated PORV from automatically opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. This may be accomplished by MILLSTONE - UNIT 2 B 3/4 4-2 Amendment No. 50, 66, 69, 139, 218, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-001 May 20, 2014 3/4.4 REACTOR COOLANT SYSTEM BASES 3/4.4.3 RELIEF VALVES (Continued) various methods. These methods include, but are not limited to, placing the NORMAL/ISOLATE switch at the associated Bottle Up Panel in the ISOLATE position or pulling the control power fuses for the associated PORV control circuit.

Although the block valve may be designated inoperable, it may be able to be manually opened and closed and in this manner can be used to perform its function. Block valve inoperability may be due to seat leakage, instrumentation problems, or other causes that do not prevent manual use and do not create a possibility for a small break LOCA. This condition is only intended to permit operation of the plant for a limited period of time. The block valve should normally be available to allow PORV operation for automatic mitigation of overpressure events. The block valves must be returned to OPERABLE status prior to entering MODE 3 after a refueling outage.

If two PORVs are inoperable and not capable of being manually cycled, it is necessary to isolate the flow path by closing and removing the power to the associated block valves within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and to restore at least one PORV within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The Condition is modified by a Note stating it is not applicable if the second PORV train is intentionally declared inoperable. The Condition does not apply to voluntary removal of redundant systems or components from service. The Condition is applicable if one PORV is inoperable for any reason and the second PORV is discovered to be inoperable, or if both PORVs are discovered to be inoperable at the same time.

In the event of a loss of feedwater, the PORVs would be used to remove core heat. In order to minimize the consequences of a loss of feedwater while two PORVs are inoperable, Required Action c.3 requires that LCO 3.7.1.2, Auxiliary Feedwater Pumps, be met to ensure AFW is available. The inoperability of two PORVs during the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months allowed outage time has been shown to be acceptable based on the infrequent use of the Required Action and the small incremental effect on plant risk (Ref. 1). If one PORV is restored and one PORV remains inoperable, then the plant will be in Condition b. with the time clock started at the original declaration of having two PORVs inoperable.

If two block valves are inoperable, it is necessary to restore at least one block valve to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The Condition is modified by a Note stating it is not applicable if the second block valve is intentionally declared inoperable. The Condition does not apply to voluntary removal of redundant systems or components from service. The Condition is only applicable if one block valve is inoperable for any reason and the second block valve is MILLSTONE - UNIT 2 B 3/4 4-2a Amendment No. 22, 37, 52, 66, 97, 185, 218, 261

LBDCR 14-MP2-016 September 4, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.3 RELIEF VALVES (Continued) discovered to be inoperable, or if both block valves are discovered to be inoperable at the same time. In the event of a loss of feedwater, the PORVs would be used to remove core heat. In order to minimize the consequences of a loss of feedwater while two block valves are inoperable, Required Action e.1 requires that LCO 3.7.1.2, Auxiliary Feedwater Pumps, be verified to be met within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The inoperability of two block valves during the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months allowed outage time has been shown to be acceptable based on the infrequent use of the Required Actions and the small incremental effect on plant risk (Ref. 1).

SURVEILLANCE REQUIREMENT 4.4.3.1.c requires operating each PORV through one complete cycle of full travel at conditions representative of MODES 3 or 4. This is normally performed in MODE 3 or 4 as the unit is descending in power to commence a refueling outage.

This test will normally be a static test, whereby a PORV will be exposed to MODE 3 or 4 temperatures, the block valve closed, and the PORV tested to verify it strokes through one complete cycle of full travel. PORV cycling demonstrates its function. SURVEILLANCE REQUIREMENT 4.4.3.1.c is consistent with the NRC staff position outlined in Generic Letter 90-06, which requires that the PORV stroke test be performed at conditions representative of MODE 3 or 4. The surveillance frequency is controlled under the Surveillance Frequency Control Program. Testing in the manner described is also consistent with the guidance in NUREG 1482, Guidelines for Inservice Testing at Nuclear Power Plants, Section 4.2.10, that describes the PORVs function during reactor startup and shutdown to protect the reactor vessel and coolant system from low-temperature overpressurization conditions, and indicates they should be exercised before system conditions warrant vessel protection. If post maintenance retest is warranted, the affected valve(s) will be stroked under ambient conditions while in Mode 5, 6, or defueled. A Hot Functional Test is required to be performed in MODE 4 prior to entry into MODE 3. The actual stroke time in the open and close direction will be measured, recorded and compared to the test results obtained during pre-installation testing to assess acceptability of the affected valve(s).

SURVEILLANCE REQUIREMENT 4.4.3.2 verifies that a block valve(s) can be closed if necessary. This SURVEILLANCE REQUIREMENT is not required to be performed with the block valve(s) closed in accordance with the ACTIONS of TS 3.4.3. Opening the block valve(s) in this condition increases the risk of an unisolable leak from the RCS since the PORV(s) is already inoperable.

REFERENCE

1. WCAP-16125-NP-A, Justification for Risk-Informed Modifications to Selected Technical Specifications for Conditions Leading to Exigent Plant Shutdown, Revision 2, August 2010.

MILLSTONE - UNIT 2 B 3/4 4-2b Amendment No. 22, 37, 52, 66, 89, 111, 121, 138, 194

LBDCR 16-MP2-016 March 7, 2017 REACTOR COOLANT SYSTEM BASES 3/4.4.4 PRESSURIZER An OPERABLE pressurizer provides pressure control for the reactor coolant system during operations with both forced reactor coolant flow and with natural circulation flow. The maximum water level in the pressurizer ensures that this parameter is maintained within the envelope of operation assumed in the safety analysis. The maximum water level also ensures that the RCS is not a hydraulically solid system and that a steam bubble will be provided to accommodate pressure surges during operation. The steam bubble also protects the pressurizer code safety valves and power operated relief valve against water relief. With pressurizer water level not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to at least HOT STANDBY with the reactor trip breakers open within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . This takes the plant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses. The requirement that a minimum number of pressurizer heaters be OPERABLE enhances the capability of the plant to control Reactor Coolant System pressure and establish and maintain natural circulation.

If two required groups of pressurizer heaters are inoperable, restoring at least one group of pressurizer heaters to OPERABLE status is required within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The Condition is modified by a Note stating it is not applicable if the second group of required pressurized heaters is intentionally declared inoperable. The Condition is not intended for voluntary removal of redundant systems or components from service. The Condition is only applicable if one group of required pressurized heaters is inoperable for any reason and the second group of required pressurized heaters is discovered to be inoperable, or if both groups of required pressurized heaters are discovered to be inoperable at the same time. If both required groups of pressurizer heaters are inoperable, the pressurizer heaters may not be available to help maintain subcooling in the RCS loops during a natural circulation cooldown following a loss of offsite power. The inoperability of two groups of required pressurizer heaters during the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time has been shown to be acceptable based on the infrequent use of the Required Action and the small incremental effect on plant risk (Ref. 1).

The requirement for two groups of pressurizer heaters, each having a capacity of 130 kW, is met by verifying the capacity of the pressurizer proportional heater groups 1 and 2. Since the pressurizer proportional heater groups 1 and 2 are supplied from the emergency 480V electrical buses, there is reasonable assurance that these heaters can be energized during a loss of offsite power to maintain natural circulation at HOT STANDBY.

REFERENCE

1. WCAP-16125-NP-A, Justification for Risk-Informed Modifications to Selected Technical Specifications for Conditions Leading to Exigent Plant Shutdown, Revision 2, August 2010.

MILLSTONE - UNIT 2 B 3/4 4-2c Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY LCO The LCO requires that steam generator (SG) tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the plugging criteria be plugged in accordance with the Steam Generator Program.

During a SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging. If a tube was determined to satisfy the plugging criteria but was not plugged, the tube may still have tube integrity.

In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet. The tube-to-tubesheet weld is not considered part of the tube.

A SG tube has tube integrity when it satisfies the SG performance criteria. The SG performance criteria are defined in Specification 6.26, Steam Generator Program, and describe acceptable SG tube performance. The Steam Generator Program also provides the evaluation process for determining conformance with the SG performance criteria. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE.

Failure to meet any one of these criteria is considered failure to meet the LCO.

The structural integrity performance criterion provides a margin of safety against tube burst or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube burst is defined as, The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation. Tube collapse is defined as, For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero. The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term significant is defined as An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting burst/collapse condition to be established. For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis. The division between primary and secondary classifications will be based on detailed analysis and/or testing.

MILLSTONE - UNIT 2 B 3/4 4-2d Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY (Continued)

LCO (Continued)

Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for all ASME Code,Section III, Service Level A (normal operating conditions) and Service Level B (upset or abnormal conditions) transients included in the design specification. This includes safety factors and applicable design basis loads based on ASME Code,Section III, Subsection NB (Reference 4) and Draft Regulatory Guide 1.121 (Reference 5).

The accident induced leakage performance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions. The accident analysis assumes that accident induced leakage does not exceed 150 GPD per SG. The accident induced leakage rate includes any primary to secondary LEAKAGE existing prior to the accident in addition to primary to secondary LEAKAGE induced during the accident.

The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during plant operation. The limit on operational LEAKAGE is contained in LCO 3.4.6.2, Reactor Coolant System Operational LEAKAGE, and limits primary to secondary LEAKAGE through any one SG to 75 gallons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTR under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.

APPLICABILITY Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced during MODES 1, 2, 3, and 4.

RCS conditions are far less challenging during MODES 5 and 6 than during MODES 1, 2, 3, and 4. During MODES 5 and 6, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.

ACTIONS The ACTIONS are modified by a NOTE clarifying that the ACTIONS may be entered independently for each SG tube. This is acceptable because the ACTIONS provide appropriate compensatory actions for each affected SG tube. Complying with the ACTIONS may allow for continued operation, and subsequent affected SG tubes are governed by subsequent ACTION entry and application of associated ACTIONS.

MILLSTONE - UNIT 2 B 3/4 4-2e Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY (Continued)

ACTIONS (Continued) a.1 and a.2 ACTION a. applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator Program as required by TS 4.4.5.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG plugging criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, ACTION b. applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, ACTION a.2 allows plant operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tube(s). However, the affected tube(s) must be plugged prior to entering HOT SHUTDOWN following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

b.1 and b.2 If the ACTIONS and associated Completion Times of ACTION a. are not met or if SG tube integrity is not being maintained, the reactor must be brought to HOT STANDBY within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and COLD SHUTDOWN within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power conditions in an orderly manner and without challenging plant systems.

MILLSTONE - UNIT 2 B 3/4 4-2f Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY (Continued)

SURVEILLANCE REQUIREMENTS TS 4.4.5.1 During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition monitoring assessment of the SG tubes is performed.

The condition monitoring assessment determines the as found condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.

The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube plugging criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation. Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.

The Steam Generator Program defines the Frequency of TS 4.4.5.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Reference 6). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 6.26 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections. If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected SGs is restricted by Specification 6. 26 until subsequent inspections support extending the inspection interval.

MILLSTONE - UNIT 2 B 3/4 4-2g Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY (Continued)

SURVEILLANCE REQUIREMENTS (Continued)

TS 4.4.5.2 During a SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging. The tube plugging criteria delineated in Specification 6.26 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube plugging criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.

The Frequency of prior to entering MODE 4 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.

BACKGROUND SG tubes are small diameter, thin walled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions.

SG tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary systems pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO 3.4.1.1, RCS STARTUP AND POWER OPERATION, LCO 3.4.1.2, RCS HOT STANDBY, LCO 3.4.1.3, RCS HOT SHUTDOWN, and LCO 3.4.1.4, RCS COLD SHUTDOWN-LOOPS FILLED.

SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.

SG tubing is subject to a variety of degradation mechanisms. Steam generator tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.

MILLSTONE - UNIT 2 B 3/4 4-2h Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY (Continued)

BACKGROUND (Continued)

Specification 6.26, Steam Generator (SG) Program, requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 6.26, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification 6.26. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions.

The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Reference 1).

APPLICABLE SAFETY ANALYSES The steam generator tube rupture (SGTR) accident is the limiting design basis event for SG tubes and avoiding an SGTR is the basis for this Specification. The analysis of a SGTR event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGE rate limits in LCO 3.4.6.2, RCS Operational LEAKAGE, plus the leakage rate associated with a double-ended rupture of a single tube. The accident analysis for a SGTR assumes the contaminated secondary fluid is released to the atmosphere via safety valves or atmospheric dump valves.

The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their structural integrity (i.e., they are assumed not to rupture). In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from any one SG of 150 gpd or from all SGs of 300 gpd as a result of accident induced conditions. For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO 3.4.8, RCS Specific Activity limits.

For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Reference 2), 10 CFR 50.67 (Reference 3) or the NRC approved licensing basis (e.g., a small fraction of these limits).

Steam Generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

MILLSTONE - UNIT 2 B 3/4 4-2i Amendment No.

LBDCR 14-MP2-001 May 20, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.5 STEAM GENERATOR TUBE INTEGRITY (Continued)

REFERENCES

1. NEI 97-06, Steam Generator Program Guidelines.

2. 10 CFR 50 Appendix A, GDC 19.

3. 10 CFR 50.67.

4. ASME Boiler and Pressure Vessel Code,Section III, Subsection NB.

5. Draft Regulatory Guide 1.121, Basis for Plugging Degraded Steam Generator Tubes, August 1976.

6. EPRI, Pressurized Water Reactor Steam Generator Examination Guidelines.

MILLSTONE - UNIT 2 B 3/4 4-2j Amendment No.

August 08, 2007 07-MP2-012 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.1 LEAKAGE DETECTION SYSTEMS The RCS leakage detection systems required by this specification are provided to monitor and detect leakage from the Reactor Coolant Pressure Boundary. These detection systems are consistent with the recommendations of Regulatory Guide 1.45, Reactor Coolant Pressure Boundary Leakage Detection Systems.

Action c provides a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed outage time (AOT) when both the containment atmosphere particulate radioactivity monitoring channels are inoperable and containment sump level monitoring system is inoperable. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT is appropriate since additional actions will be taken during this limited time period to ensure RCS leakage, in excess of the unidentified leakage TS limit of 1 gpm (TS 3.4.6.2), will be readily detectable. This will provide reasonable assurance that any significant reactor coolant pressure boundary degradation is detected soon after occurrence to minimize the potential for propagation to a gross failure. This is consistent with the requirements of General Design Criteria (GDC) 30 and also Criterion 1 of 10 CFR 50.36(d)(2)(ii) which requires installed instrumentation to detect, and indicate in the control room, a significant abnormal degradation of the reactor coolant pressure boundary. The RCS water inventory balance calculation determines the magnitude of RCS unidentified leakage by use of instrumentation readily available to the control room operators. However, the proposed additional actions will not restore the continuous monitoring capability normally provided by the inoperable equipment.

The RCS water inventory balance is capable of identifying a one gpm RCS leak rate. The containment grab samples will also indicate an increase in RCS leak rate which would then be quantified by the RCS water inventory balance. Since these additional actions are sufficient to ensure RCS leakage is within TS limits, it is appropriate to provide a limited time period to restore at least one of the TS-required leakage monitoring systems.

MILLSTONE - UNIT 2 B 3/4 4-3 Amendment No. 121, 138, 228,

August 08, 2007 07-MP2-012 REACTOR COOLANT SYSTEM BASES 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE LCO RCS operational LEAKAGE shall be limited to:

a PRESSURE BOUNDARY LEAKAGE No PRESSURE BOUNDARY LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not PRESSURE BOUNDARY LEAKAGE.

b UNIDENTIFIED LEAKAGE One gallon per minute (gpm) of UNIDENTIFIED LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c Primary to Secondary LEAKAGE through Any One Steam Generator The limit of 75 gallons per day per Steam Generator (SG) is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Reference 4) and the accident analysis described in the FSAR (Reference 3). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day. The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures. The main steam line break (MSLB) accident analysis assumes a primary to secondary leakage of 150 gallons per day per SG.

MILLSTONE - UNIT 2 B 3/4 4-3a Amendment No.

LBDCR 09-MP2-004 May 28, 2009 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE LCO (Continued) d IDENTIFIED LEAKAGE Up to 10 gpm of IDENTIFIED LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of UNIDENTIFIED LEAKAGE and is well within the capability of the RCS makeup system. IDENTIFIED LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include PRESSURE BOUNDARY LEAKAGE or CONTROLLED LEAKAGE. Violation of this LCO could result in continued degradation of a component or system.

The IDENTIFIED LEAKAGE and UNIDENTIFIED LEAKAGE limits listed in LCO 3.4.6.2 only apply to the RCPB within the containment. Leakage outside of the second isolation valve for containment, which is included in the RCS Leak Rate Calculation, is not considered RCS LEAKAGE and can be subtracted from RCS UNIDENTIFIED LEAKAGE. The definitions for IDENTIFIED LEAKAGE and UNIDENTIFIED LEAKAGE are provided in the technical specifications definitions section, Definition 1.14.

APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

ACTIONS a UNIDENTIFIED LEAKAGE or IDENTIFIED LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . This Completion Time allows time to verify leakage rates and either identify UNIDENTIFIED LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

MILLSTONE - UNIT 2 B 3/4 4-3b Amendment No.

August 08, 2007 07-MP2-012 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE ACTIONS (Continued) b If any PRESSURE BOUNDARY LEAKAGE exists, or primary to secondary LEAKAGE is not within limits, or if UNIDENTIFIED or IDENTIFIED LEAKAGE cannot be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. It should be noted that LEAKAGE past seals and gaskets is not PRESSURE BOUNDARY LEAKAGE. The reactor must be brought to HOT STANDBY within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and COLD SHUTDOWN within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In COLD SHUTDOWN, the pressure stresses acting on the reactor coolant pressure boundary are much lower, and further deterioration is much less likely.

SURVEILLANCE REQUIREMENTS 4.4.6.2.1 Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. PRESSURE BOUNDARY LEAKAGE would at first appear as UNIDENTIFIED LEAKAGE and can only be positively identified by inspection. UNIDENTIFIED LEAKAGE and IDENTIFIED LEAKAGE are determined by performance of an RCS water inventory balance.

The RCS water inventory balance must be performed with the reactor at steady state operating conditions (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal leakoff flows). The Surveillance is modified by two Notes. Note 1 states that this SR is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established.

MILLSTONE - UNIT 2 B 3/4 4-3c Amendment No.

August 08, 2007 07-MP2-012 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE SURVEILLANCE REQUIREMENTS (Continued)

Steady state operation is required to perform a proper water inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal leakoff flows.

An early warning of PRESSURE BOUNDARY LEAKAGE or UNIDENTIFIED LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. These leakage detection systems are specified in LCO 3.4.6.1, "Leakage Detection Systems."

Note 2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 75 gallons per day cannot be measured accurately by an RCS water inventory balance.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Frequency is a reasonable interval to trend LEAKAGE and recognizes the importance of early leakage detection in the prevention of accidents.

4.4.6.2.2 This SR verifies that primary to secondary LEAKAGE is less than or equal to 75 gallons per day through any one SG. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. If this SR is not met, compliance with LCO 3.4.5, "Steam Generator Tube Integrity," should be evaluated.

The 75 gallons per day limit is measured at room temperature as described in Reference 5. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG. If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.

The Surveillance is modified by a Note which states that the Surveillance is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal leakoff flows.

MILLSTONE - UNIT 2 B 3/4 4-3d Amendment No.

LBDCR 14-MP2-016 September 4, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE SURVEILLANCE REQUIREMENTS (Continued)

The frequency specified in the Surveillance Frequency Control Program is a reasonable interval to trend primary to secondary LEAKAGE and recognizes the importance of early leakage detection in the prevention of accidents. The primary to secondary LEAKAGE is determined using continuous process radiation monitors or radiochemical grab sampling in accordance with the EPRI guidelines (Reference 5).

BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the reactor coolant system (RCS). Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

10 CFR 50, Appendix A, GDC 30 (Reference 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Reference

2) describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the IDENTIFIED LEAKAGE from the UNIDENTIFIED LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the facility and the public.

A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS LEAKAGE detection.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analysis radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

MILLSTONE - UNIT 2 B 3/4 4-3e Amendment No.

August 08, 2007 07-MP2-012 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE APPLICABLE SAFETY ANALYSES - OPERATIONAL LEAKAGE Except for primary to secondary LEAKAGE, the safety analyses do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes that primary to secondary LEAKAGE from any one steam generator (SG) of 150 gpd or from all SGs of 300 gpd as a result of accident induced conditions. The LCO requirement to limit primary to secondary LEAKAGE through any one SG to less than or equal to 75 gallons per day is significantly less than the conditions assumed in the safety analysis.

Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a main steam line break (MSLB) accident. To a lesser extent, other accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube rupture (SGTR). The leakage contaminates the secondary fluid.

The FSAR (Reference 3) analysis for SGTR assumes the contaminated secondary fluid is only briefly released via safety valves or atmospheric dump valves.

The MSLB is the more limiting accident for MPS2 control room dose. The safety analysis for the MSLB accident assumes 150 gpd primary to secondary LEAKAGE is through the affected generator and 150 gpd from the intact SG as an initial condition. The dose consequences resulting from the MSLB accident are well within the limits defined in 10 CFR 50.67 or the staff approved licensing basis (i.e., a small fraction of these limits).

The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

MILLSTONE - UNIT 2 B 3/4 4-3f Amendment No.

March 18, 2008 LBDCR 08-MP2-013 REACTOR COOLANT SYSTEM BASES 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE 3/4.4.6.2 REACTOR COOLANT SYSTEM OPERATIONAL LEAKAGE REFERENCES 1 10 CFR 50, Appendix A, GDC 30.

2 Regulatory Guide 1.45, May 1973.

3 FSAR, Section 14 4 NEI 97-06, Steam Generator Program Guidelines.

5 EPRI, Pressurized Water Reactor Primary-to-Secondary Leak Guidelines.

3/4.4.7 DELETED 3/4.4.8 SPECIFIC ACTIVITY BACKGROUND The maximum dose that an individual at the exclusion area boundary can receive for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months following an accident, or at the low population zone outer boundary for the radiological release duration, is specified in 10 CFR 50.67 (Ref. 1). Doses to control room occupants must be limited per GDC 19. The limits on specific activity ensure that the offsite and Control Room Envelope (CRE) doses are appropriately limited during analyzed transients and accidents.

The RCS specific activity LCO limits the allowable concentration of radionuclides in the reactor coolant. The LCO limits are established to minimize the dose consequences in the event of a steam line break (SLB) or steam generator tube rupture (SGTR) accident.

The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to ensure that offsite and CRE doses meet the appropriate acceptance criteria in the Standard Review Plan (Ref. 2).

MILLSTONE - UNIT 2 B 3/4 4-4 Amendment No. 115, 194, 266,

June 27, 2019 LBDCR 19-MP2-002 REACTOR COOLANT SYSTEM BASES 3/4.4.8 SPECIFIC ACTIVITY (continued)

APPLICABLE SAFETY ANALYSES The LCO limits on the specific activity of the reactor coolant ensure the resulting offsite and CRE doses meet the appropriate SRP acceptance criteria following a SLB or SGTR accident. The safety analyses (Refs. 3 and 4) assume the specific activity of the reactor coolant is at the LCO limits, and an existing reactor coolant steam generator (SG) tube leakage rate of 150 gpd exists.

The safety analyses assume the specific activity of the secondary coolant is at its limit of 0.05

µCi/gm DOSE EQUIVALENT I-131 from LCO 3.7.1.4, Activity.

The analyses for the SLB and SGTR accidents establish the acceptance limits for RCS specific activity. Reference to these analyses is used to assess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits.

The safety analyses consider two cases of reactor coolant iodine specific activity. One case assumes specific activity at 0.5 µCi/gm DOSE EQUIVALENT I-131 with a concurrent large iodine spike that increases the rate of release of iodine from the fuel rods containing cladding defects to the primary coolant immediately after a SLB (by a factor of 500), or SGTR (by a factor of 335), respectively. The second case assumes the initial reactor coolant iodine activity at 30.0

µCi/gm DOSE EQUIVALENT I-131 due to an iodine spike caused by a reactor or an RCS transient prior to the accident. In both cases, the noble gas specific activity is assumed to be 550

µCi/gm DOSE EQUIVALENT XE-133.

The SGTR analysis assumes a rise in pressure in the ruptured SG causes radioactively contaminated steam to discharge to the atmosphere through the atmospheric dump valves or the main steam safety valves. The atmospheric discharge stops when the turbine bypass to the condenser removes the excess energy to rapidly reduce the RCS pressure and close the valves.

The unaffected SG removes core decay heat by venting steam until the cooldown ends and the Shutdown Cooling (SDC) system is placed in service.

The SLB radiological analysis assumes that offsite power is lost at the same time as the pipe break occurs outside containment. The affected SG blows down completely and steam is vented directly to the atmosphere. The unaffected SG removes core decay heat by venting steam to the atmosphere until the cooldown ends and the SDC system is placed in service.

Operation with iodine specific activity levels greater than 0.5 µCi/gm but less than or equal to 30.0 µCi/gm is permissible for up to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months while efforts are made to restore DOSE EQUIVALENT I-131 to within the 0.5 µCi/gm LCO limit. Operation with iodine specific activity levels greater than 30.0 µCi/gm is not permissible.

MILLSTONE - UNIT 2 B 3/4 4-4a

June 27, 2019 LBDCR 19-MP2-002 REACTOR COOLANT SYSTEM BASES 3/4.4.8 SPECIFIC ACTIVITY (continued)

APPLICABLE SAFETY ANALYSES (CONTINUED)

The RCS specific activity limits are also used for establishing standardization in radiation shielding and plant personnel radiation protection practices.

RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The iodine specific activity in the reactor coolant is limited to 0.5 µCi/gm DOSE EQUIVALENT I-131, and the noble gas specific activity in the reactor coolant is limited to 550 µCi/gm DOSE EQUIVALENT XE-133. The limits on specific activity ensure that offsite and CRE doses will meet the appropriate SRP acceptance criteria (Ref. 2).

The SLB and SGTR accident analyses (Refs. 3 and 4) show that the calculated doses are within acceptable limits. Operation with activities in excess of the LCO may result in reactor coolant radioactivity levels that could, in the event of an SLB or SGTR, lead to doses that exceed the SRP acceptance criteria (Ref. 2).

APPLICABILITY In MODES 1, 2, 3, and 4, operation within the LCO limits for DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133 is necessary to limit the potential consequences of a SLB or SGTR to within the SRP acceptance criteria (Ref. 2).

In MODES 5 and 6, the steam generators are not being used for decay heat removal, the RCS and steam generators are depressurized, and primary to secondary leakage is minimal. Therefore, the monitoring of RCS specific activity is not required.

MILLSTONE - UNIT 2 B 3/4 4-4b

June 27, 2019 LBDCR 19-MP2-002 REACTOR COOLANT SYSTEM BASES 3/4.4.8 SPECIFIC ACTIVITY (continued)

ACTIONS

a. and b.

With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of four hours must be taken to demonstrate that the specific activity is 30 µCi/gm. Four hours is required to obtain and analyze a sample. Sampling is continued every four hours to provide a trend.

The DOSE EQUIVALENT I-131 must be restored to within limit within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The completion time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is acceptable since it is expected that, if there were an iodine spike, the normal coolant iodine concentration would be restored within this time period. Also, there is a low probability of a SLB or SGTR occurring during this time period.

A statement in ACTION b. indicates the provisions of LCO 3.0.4 are not applicable. This exception to LCO 3.0.4 permits entry into the applicable MODE(S), relying on ACTIONS a. and

b. while the DOSE EQUIVALENT I-131 LCO is not met. This exception is acceptable due to the significant conservatism incorporated into the RCS specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to, power operation.

c.

If the required action and completion time of ACTION b. is not met, or if the DOSE EQUIVALENT I-131 is > 30 µCi/gm, the reactor must be brought to HOT STANDBY (MODE 3) within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and COLD SHUTDOWN (MODE 5) within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed completion times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

MILLSTONE - UNIT 2 B 3/4 4-4c

LBDCR 14-MP2-016 September 4, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.8 SPECIFIC ACTIVITY (continued)

ACTIONS (continued) d.

With the RCS DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The allowed completion time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas concentration would be restored within this time period. Also, there is a low probability of a SLB or SGTR occurring during this time period.

A statement in ACTION d. indicates the provisions of LCO 3.0.4 are not applicable. This exception to LCO 3.0.4 permits entry into the applicable MODE(S), relying on ACTION d. while the DOSE EQUIVALENT XE-133 LCO is not met. This exception is acceptable due to the significant conservatism incorporated into the RCS specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient-specific activity excursions while the plant remains at, or proceeds to, POWER OPERATION.

e.

If the required action and completion time of ACTION d. is not met, the reactor must be brought to HOT STANDBY (MODE 3) within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and COLD SHUTDOWN (MODE 5) within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed completion times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS 4.4.8.1 Surveillance Requirement 4.4.8.1 requires performing a gamma isotopic analysis as a measure of the noble gas specific activity of the reactor coolant. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance Requirement provides an indication of any increase in the noble gas specific activity. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Trending the results of this Surveillance Requirement allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions.

MILLSTONE - UNIT 2 B 3/4 4-4d

LBDCR 14-MP2-016 September 4, 2014 REACTOR COOLANT SYSTEM BASES 3/4.4.8 SPECIFIC ACTIVITY (continued).

SURVEILLANCE REQUIREMENTS (continued) 4.4.8.1 (continued)

Due to the inherent difficulty in detecting Kr-85 in a reactor coolant sample due to masking from radioisotopes with similar decay energies, such as F-18 and I-134, it is acceptable to include the minimum detectable activity for Kr-85 in the Surveillance Requirement 4.4.8.1 calculation. If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.

A Note modifies the Surveillance Requirement to allow entry into and operation in MODE 4, MODE 3, and MODE 2 prior to performing the Surveillance Requirement. This allows the Surveillance Requirement to be performed in those MODES, prior to entering MODE 1.

4.4.8.2 This Surveillance Requirement is performed to ensure iodine specific activity remains within the LCO limit during normal operation and following fast power changes when iodine spiking is more apt to occur. The frequency specified in the Surveillance Frequency Control Program is adequate to trend changes in the iodine activity level. The frequency of between 2 and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a power change 15% RTP within a 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months period is established because the iodine levels peak during this time following iodine spike initiation; samples at other times would provide inaccurate results.

The Note modifies this Surveillance Requirement to allow entry into and operation in MODE 4, MODE 3, and MODE 2 prior to performing the Surveillance Requirement. This allows the Surveillance Requirement to be performed in those MODES, prior to entering MODE 1.

REFERENCES

1. 10 CFR 50.67.

2. Standard Review Plan (SRP) Section 15.0.1 Radiological Consequence Analyses Using Alternate Source Terms.

3. FSAR, Section 14.1.5.

4. FSAR, Section 14.6.3.

MILLSTONE - UNIT 2 B 3/4 4-4e

March 18, 2008 LBDCR 08-MP2-013 REACTOR COOLANT SYSTEM BASES 3/4.4.9 PRESSURE/TEMPERATURE LIMITS All components in the Reactor Coolant System are designed to with-stand the effects of cyclic loads due to system temperature and pressure changes. These cyclic loads are introduced by normal load transients, reactor trips, and startup and shutdown operations. The various categories of load cycles used for design purposes are provided in Section 4.0 of the FSAR.

During startup and shutdown, the rates of temperature and pressure changes are limited so that the maximum specified heatup and cooldown rates are consistent with the design assumptions and satisfy the stress limits for cyclic operation. In addition, during heatup and cooldown evolutions, the RCS ferritic materials transition between ductile and brittle (non-ductile) behavior. To provide adequate protection, the pressure/temperature limits were developed in accordance with the 10CFR50 Appendix G requirements to ensure the margins of safety against non-ductile failure are maintained during all normal and anticipated operational occurrences. These pressure/

temperature limits are provided in Figures 3.4-2a and 3.4-2b and the heatup and cooldown rates are contained in Table 3.4-2.

During heatup, the thermal gradients in the reactor vessel wall produce thermal stresses which vary from compressive at the inner wall to tensile at the outer wall. These thermally induced compressive stresses at the inside wall tend to alleviate the tensile stresses induced by the internal pressure. Therefore, a pressure-temperature curve based on steady state conditions (i.e.,

no thermal stresses) represents a lower bound of all similar curves for finite heatup rates when the inner wall of the vessel is treated as the governing location.

The heatup analysis also covers the determination of pressure-temperature limitations for the case in which the outer wall of the vessel becomes the controlling location. The thermal gradients established during heatup produce tensile stresses at the outer wall of the vessel. These stresses are additive to the pressure induced tensile stresses which are already present. The thermally induced stresses at the outer wall of the vessel are tensile and are dependent on both the rate of heatup and the time along the heatup ramp; therefore, a lower bound curve similar to that described for the heatup of the inner wall cannot be defined. Subsequently, for the cases in which the outer wall of the vessel becomes the stress controlling location, each heatup rate of interest must be analyzed on an individual basis.

MILLSTONE - UNIT 2 B 3/4 4-5 Amendment No. 218,

July 1, 1998 REACTOR COOLANT SYSTEM BASES The heatup and cooldown limit curves (Figures 3.4-2a and 3.4-2b) are composite curves which were prepared by determining the most conservative case, with either the inside or outside wall controlling, for any heatup or cooldown rates of up to the maximums described in Technical Specification 3.4.9.1, Table 3.4-2. The heatup and cooldown curves were prepared based upon the most limiting value of the predicted adjusted reference temperature at the end of the service period indicated on Figures 3.4-2a and 3.4-2b.

Verification that RCS pressure and temperature conditions are within the limits of Figures 3.4-2a and 3.4-2b and Table 3.4-2, at least once per 30 minutes, is required when undergoing planned changes of 10F or 100 psi. This frequency is considered reasonable since the location of interest during cooldown is over two inches (i.e. 1/4 t location) from the interface with the reactor coolant. During heatup the location of interest is over six inches from the interface with the reactor coolant. This combined with the relatively large heat retention capability of the reactor vessel ensures that small temperature fluctuations such as those expected during normal heatup and cooldown evolutions do not challenge the structural integrity of the reactor vessel when monitored on a 30 minute frequency. The 30 minute time interval permits assessment and correction for minor deviations within a reasonable time.

During RCS heatup and cooldown the magnitude of the stresses across the reactor vessel wall are controlled by restricting the rate of temperature change and the system pressure. The RCS pressure/temperature limits are provided in Figures 3.4-2a and 3.4-2b, and the heatup and cooldown rates are contained in Table 3.4-2. The following guidelines should be used to ensure compliance with the Technical Specification limits.

1. When changing RCS temperature, with any reactor coolant pumps in operation, the rate of temperature change is calculated by using RCS loop cold leg temperature indications.

This also applies during parallel reactor coolant pump and shutdown cooling (SDC) pump operation because the RCS loop cold leg temperature is the best indication of the temperature of the fluid in contact with the reactor vessel wall. Even though SDC return temperature may be below RCS cold leg temperature, the mixing of a large quantity of RCS cold leg water and a small quantity of SDC return water will result in the temperature of the water reaching the reactor vessel wall being very close to RCS cold leg temperature.

2. When changing RCS temperature via natural circulation, the rate of temperature change is calculated by using RCS loop cold leg temperature indications.

3. When changing RCS temperature with only SDC in service, the rate of temperature change is calculated by using SDC return temperature indication.

MILLSTONE - UNIT 2 B 3/4 4-6 Amendment No. 94, 113, 170, 218

July 1, 1998 REACTOR COOLANT SYSTEM BASES

4. During the transition from natural circulation flow, to forced flow with SDC pumps, the rate of temperature change is calculated by using RCS loop cold leg temperature indications. SDC return temperature should be used to calculate the rate of temperature change after SDC is in service, RBCCW flow has been established to the SDC heat exchanger(s), and SDC return temperature has decreased below RCS cold leg temperature.

5. During the transition from parallel reactor coolant pump and SDC pump operation, the rate of temperature change is calculated by using RCS loop cold leg temperature indications until all reactor coolant pumps are secured. SDC return temperature should be used to calculate the rate of temperature change after all reactor coolant pumps have been secured.

6. The temperature change limits are for a continuous one hour period. Verification of operation within the limit must compare the current RCS water temperature to the value that existed one hour before the current time. If the maximum temperature increase or decrease, during this one hour period, exceeds the Technical Specification limit, appropriate action should be taken.

7. When a new, more restrictive temperature change limit is approached, it will be necessary to adjust the current temperature change rate such that as soon as the new rate applies, the total temperature change for the previous one hour does not exceed the new more restrictive rate.

The same principle applies when moving from one temperature change limit curve to another. If the new curve is above the current curve (higher RCS pressure for a given RCS temperature), the new curve will reduce the temperature change limit. It will be necessary to first ensure the new more restrictive temperature change limit will not be exceeded by looking at the total RCS temperature change for the previous one hour time period. If the magnitude of the previous one hour temperature change will exceed the new limit, RCS temperature should be stabilized to allow the thermal stresses to dissipate.

This may require up to a one hour soak before RCS pressure may be raised within the limits of the new curve.

If the new curve is below the current curve (lower RCS pressure for a given RCS temperature), the new curve will allow a higher temperature change limit. All that is necessary is to lower RCS pressure, and then apply the new higher temperature change limit.

8. When performing evolutions that may result in rapid and significant temperature swings (e.g. placing SDC in service or shifting SDC heat exchangers), the total temperature change limit for the previous one hour period must not be exceeded. If a significant temperature change is anticipated, and an RCS heatup or cooldown is in progress, the plant should be stabilized for up to one hour, before performing this type of evolution.

Stabilizing the plant for up to one hour will allow the thermal stresses, from any previous RCS temperature change, to dissipate. This will allow rapid RCS temperature changes up to the applicable Technical Specification temperature change limit.

MILLSTONE - UNIT 2 B 3/4 4-6a Amendment No. 218

LBDCR 05-MP2-003 December 27, 2005 REACTOR COOLANT SYSTEM BASES The reactor vessel materials have been tested to determine their initial RTNDT; the results of these tests are shown in Table 4.6-1 of the Final Safety Analysis Report. Reactor operation and resultant fast neutron irradiation will cause an increase in the RTNDT. Therefore, an adjusted reference temperature, based upon the fluence, can be predicted using the methods described in Revision 2 to Regulatory Guide 1.99.

The heatup and cooldown limit curves shown on Figures 3.4-2a and 3.4-2b include predicted adjustments for this shift in RTNDT at the end of the applicable service period, as well as adjustments for possible uncertainties in the pressure and temperature sensing instruments. The adjustments include the pressure and temperature instrument and loop uncertainties associated with the main control board displays, the pressure drop across the core (RCP operation), and the elevation differences between the location of the pressure transmitters and the vessel beltline region. In addition to these curve adjustments, the LTOP evaluation includes adjustments due to valve stroke times, PORV circuitry reaction times, and valve discharge backpressure.

The actual shift in RTNDT of the vessel material is established periodically during operation by removing and evaluating, in accordance with 10CFR50 Appendix H, reactor vessel material irradiation surveillance specimens installed near the inside wall of the reactor vessel in the core area. Since the neutron spectra at the irradiation samples and vessel inside radius are similar, the measured transition shift for a sample can be correlated to the adjacent section of the reactor vessel. The heatup and cooldown curves must be recalculated when the RTNDT determined from the surveillance capsule exceeds the calculated RTNDT for the equivalent capsule radiation exposure.

The pressure-temperature limit lines shown on Figures 3.4-2a and 3.4-2b for reactor criticality have been provided to assure compliance with the minimum temperature requirements of Appendix G to 10 CFR 50 for reactor criticality. For inservice leak and hydrostatic testing, use of the heatup curve on Figure 3.4-2a and associated rates provide a conservative limit in lieu of a curve developed specifically for inservice leak and hydrostatic testing. Therefore, a separate leak and hydrostatic curve is not explicitly included on Figure 3.4-2a.

The maximum RTNDT for all reactor coolant system pressure-retaining materials, with the exception of the reactor pressure vessel, has been determined to be 50°F. The Lowest Service Temperature limit is based upon this RTNDT since Article NB-2332 (Summer Addenda of 1972) of Section III of the ASME Boiler and Pressure Vessel Code requires the Lowest Service Temperature to be RTNDT + 100°F for piping, pumps and valves. Below this temperature, the system pressure must be limited to a maximum of 20% of the systems hydrostatic test pressure of 3125 psia. Operation of the RCS within the limits of the heatup and cooldown curves will ensure compliance with this requirement.

MILLSTONE - UNIT 2 B 3/4 4-6b Amendment No. 218, Acknowledged by NRC letter dated 12/19/06

LBDCR 06-MP2-041 November 2, 2006 REACTOR COOLANT SYSTEM BASES Included in this evaluation is consideration of flange protection in accordance with 10 CFR 50, Appendix G. The requirement makes the minimum temperature RTNDT plus 90F for hydrostatic test and RTNDT plus 120F for normal operation when the pressure exceeds 20 percent of the preservice system hydrostatic test pressure. Since the flange region RTNDT has been calculated to be 30°F, the minimum flange pressurization temperature during normal operation is 150°F (163°F with instrument uncertainty) when the pressure exceeds 20% of the preservice hydrostatic pressure. Operation of the RCS within the limits of the heatup and cooldown curves will ensure compliance with this requirement.

To establish the minimum boltup temperature, ASME Code Section XI, Appendix G, requires the temperature of the flange and adjacent shell and head regions shall be above the limiting RTNDT temperature for the most limiting material of these regions. The RTNDT temperature for that material is 30°F. Adding 13°F, for temperature measurement uncertainty, results in a minimum boltup temperature of 43°F. For additional conservatism, a minimum boltup temperature of 70°F is specified on the heatup and cooldown curves. The head and vessel flange region temperature must be greater than 70°F, whenever any reactor vessel stud is tensioned.

The Low Temperature Overpressure Protection (LTOP) System provides a physical barrier against exceeding the 10CFR50 Appendix G pressure/temperature limits during low temperature RCS operation either with a steam bubble in the pressurizer or during water solid conditions. This system consists of either two PORVs with a pressure setpoint 415 psia, or an RCS vent of sufficient size. Analysis has confirmed that the design basis mass addition transient discussed below will be mitigated by operation of the PORVs or by establishing an RCS vent of sufficient size.

The LTOP System is required to be OPERABLE when RCS cold leg temperature is at or below 275F (Technical Specification 3.4.9.3). However, if the RCS is in MODE 6 and the reactor vessel head has been removed, a vent of sufficient size has been established such that RCS pressurization is not possible. Therefore, an LTOP System is not required (Technical Specification 3.4.9.3 is not applicable).

Adjusted Referenced Temperature (ART) is the RTNDT adjusted for radiation effects plus a margin term required by Revision 2 of Regulatory Guide 1.99. The LTOP System is armed at a temperature which exceeds the limiting 1/4t ART plus 50F as required by ASME Section XI, Appendix G. For the operating period up to 54 EFPY, the limiting 1/4t ART is 175F which results in a minimum LTOP System enable temperature of at least 271F when corrected for instrument uncertainty. The current value of 275F will be retained.

MILLSTONE - UNIT 2 B 3/4 4-7 Amendment No. 50, 70, 94, 218, 266, 272, Acknowledged By NRC July 5, 2007

LBDCR 06-MP2-041 November 2, 2006 REACTOR COOLANT SYSTEM BASES The mass input analysis performed to ensure the LTOP System is capable of protecting the reactor vessel assumes that all pumps capable of injecting into the RCS start, and then one PORV fails to actuate (single active failure). Since the PORVs have limited relief capability, certain administrative restrictions have been implemented to ensure that the mass input transient will not exceed the relief capacity of a PORV. The analysis has determined two PORVs (assuming one PORV fails) are sufficient if the mass addition transient is limited to the inadvertent start of one high pressure safety injection (HPSI) pump and two charging pumps when RCS temperature is at or below 275F and above 190F, and the inadvertent start of one charging pump when RCS temperature is at or below 190F.

The LTOP analysis assumes only one PORV open due to single active failure of the other to open. Analysis has shown that one PORV is sufficient to prevent exceeding the 10CFR Appendix G pressure/temperature limits during low temperature operation. If the RCS is depressurized and vented through at least a 2.2 square inch vent, the peak RCS pressure, resulting from the maximum mass input transient allowed by Technical Specification 3.4.9.3, will not exceed 300 psig (SDC System suction side design pressure).

When the RCS is at or below 190F, additional pumping capacity can be made capable of injecting into the RCS by establishing an RCS vent of at least 2.2 square inches. Removing the pressurizer manway cover, pressurizer vent port cover or a pressurizer safety relief valve will result in a passive vent of at least 2.2 square inches. Additional methods to establish the required RCS vent are acceptable, provided the proposed vent has been evaluated to ensure the flow characteristics are equivalent to one of these.

Establishing a pressurizer steam bubble of sufficient size will be sufficient to protect the reactor vessel from the energy addition transient associated with the start of an RCP, provided the restrictions contained in Technical Specification 3.4.1.3 are met. These restrictions limit the heat input from the secondary system. They also ensure sufficient steam volume exists in the pressurizer to accommodate the insurge. No credit for PORV actuation was assumed in the LTOP analysis of the energy addition transient.

The restrictions apply only to the start of the first RCP. Once at least one RCP is running, equilibrium is achieved between the primary and secondary temperatures, eliminating any significant energy addition associated with the start of the second RCP.

The LTOP restrictions are based on RCS cold leg temperature. This temperature will be determined by using RCS cold leg temperature indication when RCPs are running, or natural circulation if it is occurring. Otherwise, SDC return temperature indication will be used.

MILLSTONE - UNIT 2 B 3/4 4-7a Amendment No. 218, Acknowledged By NRC July 5, 2007

LBDCR 09-MP2-017 September 15, 2009 REACTOR COOLANT SYSTEM BASES Restrictions on RCS makeup pumping capacity are included in Technical Specification 3.4.9.3. These restrictions are based on balancing the requirements for LTOP and shutdown risk.

For shutdown risk reduction, it is desirable to have maximum makeup capacity and to maintain the RCS full (not vented). However, for LTOP it is desirable to minimize makeup capacity and vent the RCS. To satisfy these competing requirements, makeup pumps can be made not capable of injecting, but available at short notice.

A charging pump can be considered to be not capable of injecting into the RCS by use of any of the following methods and the appropriate administrative controls.

1. Placing the motor circuit breaker in the open position.

2. Removing the charging pump motor overload heaters from the charging pump circuit.

3. Removing the charging pump motor controller from the motor control center.

4. Placing a charging pump control switch in the Pull-To-Lock (PTL) position.

A HPSI pump can be considered to be not capable of injecting into the RCS by use of any of the following methods and the appropriate administrative controls.

1. Racking down the motor circuit breaker from the power supply circuit.

2. Shutting and tagging the discharge valve with the key lock on the control panel (2-SI-654 or 2-SI-656).

3. Placing the pump control switch in the pull-to-lock position and removing the breaker control power fuses.

4. Placing the pump control switch in the pull-to-lock position and shutting the discharge valve with the key lock on the control panel (2-SI-654 or 2-SI-656).

These methods to prevent charging pumps and HPSI pumps from injecting into the RCS, when combined with the appropriate administrative controls, meet the requirement for two independent means to prevent pump injection as a result of a single failure or inadvertent single action.

These methods prevent inadvertent pump injections while allowing manual actions to rapidly restore the makeup capability if conditions require the use of additional charging or HPSI pumps for makeup in the event of a loss of RCS inventory or reduction in SHUTDOWN MARGIN.

MILLSTONE - UNIT 2 B 3/4 4-7b Amendment No. 218, 227, 243,

LBDCR 05-MP2-003 December 27, 2005 REACTOR COOLANT SYSTEM BASES If a loss of RCS inventory or reduction in SHUTDOWN MARGIN event occurs, the appropriate response will be to correct the situation by starting RCS makeup pumps. If the loss of inventory or SHUTDOWN MARGIN is significant, this may necessitate the use of additional RCS makeup pumps that are being maintained not capable of injecting into the RCS in accordance with Technical Specification 3.4.9.3. The use of these additional pumps to restore RCS inventory or SHUTDOWN MARGIN will require entry into the associated ACTION statement. The ACTION statement requires immediate action to comply with the specification.

The restoration of RCS inventory or SHUTDOWN MARGIN can be considered to be part of the immediate action to restore the additional RCS makeup pumps to a not capable of injecting status.

While recovering RCS inventory or SHUTDOWN MARGIN, RCS pressure will be maintained below the Appendix G limits. After RCS inventory or SHUTDOWN MARGIN has been restored, the additional pumps should be immediately made not capable of injecting and the ACTION statement exited.

An exception to Technical Specification 3.0.4 is specified for Technical Specification 3.4.9.3 to allow a plant cooldown to MODE 5 if one or both PORVs are inoperable. MODE 5 conditions may be necessary to repair the PORV(s).

3/4.4.10 DELETED MILLSTONE - UNIT 2 B 3/4 4-7c Amendment No. 218, 230, 243, 264, Acknowledged by NRC letter dated 12/19/06

May 8, 2002 BASES 3/4.4.11 DELETED MILLSTONE - UNIT 2 B 3/4 4-8 Amendment No. 120, 230, 266

REVERSE OF PAGE B 3/4 4-8 INTENTIONALLY LEFT BLANK

LBDCR 16-MP2-007 May 24, 2016 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.1 SAFETY INJECTION TANKS The OPERABILITY of each of the RCS SITs ensures that a sufficient volume of borated water will be immediately forced into the reactor core through each of the cold legs in the event the RCS pressure falls below the pressure of the SITs. This initial surge of water into the core provides the initial cooling mechanism during large RCS pipe ruptures.

The limits on SIT volume, boron concentration and pressure ensure that the assumptions used for SIT injection in the accident analysis are met.

If the boron concentration of one SIT is not within limits, it must be returned to within the limits within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced, but the reduced concentration effects on core subcriticality during reflood are minor. Boiling of the ECCS water in the core during reflood concentrates the boron in the saturated liquid that remains in the core. In addition, the volume of the SIT is still available for injection. Since the boron requirements are based on the average boron concentration of the total volume of three SITs, the consequences are less severe than they would be if a SIT were not available for injection. Thus, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed to return the boron concentration to within limits.

If one SIT is inoperable, for a reason other than boron concentration or the inoperability of water level or pressure channel instrumentation, the SIT must be returned to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA.

Reference 1 provides a series of deterministic and probabilistic analysis findings that support 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months as being either risk beneficial or risk neutral in comparison to shorter periods for restoring the SIT to OPERABLE status. Reference 1 discusses recent best-estimate analysis that confirmed that for large-break LOCAs, core melt can be prevented by either operation of one LPSI pump or the operation of one HPSI pump and a single SIT. Reference 1 also discusses plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months recovery period in comparison to shorter recovery periods.

If the SIT cannot be restored to OPERABLE status within the associated completion time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 Reference 1 CE NPSD-994, CEOG Joint Applications Report on Safety Injection Tank AOT/SIT Extension, April 1995.

MILLSTONE - UNIT 2 B 3/4 5-1 Amendment No. 61, 72, 159, 217, 220

LBDCR 14-MP2-017 January 8, 2015 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.1 SAFETY INJECTION TANKS (continued) within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and pressurizer pressure reduced to < 1750 psia within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed completion times are reasonable, based on operating experience, to reach the required plant condition from full power conditions in an orderly manner and without challenging plant systems.

If more than one SIT is inoperable, the unit is in a condition outside the accident analyses.

Therefore, LCO 3.0.3 must be entered immediately.

LCO 3.5.1.a requires that each reactor coolant system safety injection tank shall be OPERABLE with the isolation valve open and the power to the valve operator removed.

This is to ensure that the valve is open and cannot be inadvertently closed. To meet LCO 3.5.1.a requirements, the valve operator is considered to be the valve motor and not the motor control circuit. Removing the closing coil while maintaining the breaker closed meets the intent of the Technical Specification by ensuring that the valve cannot be inadvertently closed.

Removing the closing coil and verifying that the closing coil is removed (Per SR 4.5.1.e) meets the Technical Specification because it prevents energizing the valve operator to position the valve in the close direction.

Opening the breaker, in lieu of removing the closing coil, to remove power to the valve operator is not a viable option since:

1. Millstone Unit 2 Safety Evaluation Report (SER) Docket No. 50-336, dated May 10, 1974, requires two independent means of position indication.

2. Surveillance Requirement 4.5.1.a requires the control/indication circuit to be energized, to verify that the valve is open.

3. Technical Specification 3/4.3.2, Engineered Safety Feature Actuation System Instrumentation, requires these valves to open on a SIAS signal.

Opening the breaker would eliminate the ability to satisfy the above three items.

3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS The OPERABILITY of two separate and independent ECCS subsystems ensures that sufficient emergency core cooling capability will be available in the event of a LOCA assuming the loss of one subsystem through any single failure consideration. Either subsystem operating in conjunction with the safety injection tanks is capable of supplying sufficient core cooling to limit the peak cladding temperatures within acceptable limits for all postulated break sizes ranging from the double ended break of the largest RCS cold leg pipe downward. Management of gas voids is important to ECCS OPERABILITY.

MILLSTONE - UNIT 2 B 3/4 5-2 Amendment No. 61, 72, 159, 217, 220, 236, 283

LBDCR 15-MP2-011 January 14, 2016 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued)

Each Emergency Core Cooling System (ECCS) subsystem required by Technical Specification 3.5.2 for design basis accident mitigation includes an OPERABLE high pressure safety injection (HPSI) pump and a low pressure safety injection (LPSI) pump. Each of these pumps requires an OPERABLE flow path capable of taking suction from the refueling water storage tank (RWST) on a safety injection actuation signal (SIAS). Upon depletion of the inventory in the RWST, as indicated by the generation of a Sump Recirculation Actuation Signal (SRAS), the suction for the HPSI pumps will automatically be transferred to the containment sump. The SRAS will also secure the LPSI pumps. The ECCS subsystems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) as design basis accident mitigation equipment.

Charging pumps were originally classified as an ECCS subsystem, but over time, the flow from the pumps was removed from the safety analysis. Therefore, flow from the charging pumps is no longer required for design basis accident mitigation. The loss of coolant accident analysis has been revised and no credit is taken for charging pump flow. As a result, the charging pumps no longer meet the first three criteria of 10CFR 50.36 (c)(2)(ii) as design basis accident mitigation equipment required to be controlled by Technical Specifications. In addition, risk evaluations have been performed to demonstrate that the charging system is not risk significant as defined in 10CFR 50.36(c)(2)(ii) Criterion 4. Therefore, the charging pumps are no longer included as an ECCS subsystem.

The requirements for automatic actuation of the charging pumps and the associated boration system components (boric acid pumps, gravity feed valves, boric acid flow path valves), which align the boric acid storage tanks to the charging pump suction on a SIAS, and the requirement to periodically verify pump flow, have been relocated to the Technical Requirements Manual.

MILLSTONE - UNIT 2 B 3/4 5-2a Amendment No. 61, 72, 159, 217, 220, 236, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 15-MP2-011 January 14, 2016 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued)

Surveillance Requirement 4.5.2.a verifies the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths to provide assurance that the proper flow paths will exist for ECCS operation. This surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time.

This surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.5.2.a is modified to exempt system vent flow paths opened under administrative control. The administrative controls are proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.

Surveillance Requirement 4.5.2.b verifies proper valve position to ensure that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removing power to the valve operator ensures that the valves cannot be inadvertently misaligned or change position as the result of an active failure. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirements 4.5.2.c and 4.5.2.d, which address periodic surveillance testing of the ECCS pumps (high pressure and low pressure safety injection pumps) to detect gross degradation caused by impeller structural damage or other hydraulic component problems, is required by the ASME Code for Operation and Maintenance of Nuclear Power Plants (ASME OM Code). This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. The surveillance requirements are specified in the Inservice Testing Program. The ASME OM Code provides the activities and frequencies necessary to satisfy the requirements.

MILLSTONE - UNIT 2 B 3/4 5-2b Amendment No. 45, 61, 72, 159, 185, 215, 216, 217, 220, 227, 236, 283

LBDCR 15-MP2-011 January 14, 2016 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued)

Surveillance Requirements 4.5.2.f, 4.5.2.g, and 4.5.2.h demonstrate that each automatic ECCS flow path valve actuates to the required position on an actual or simulated actuation signal (SIAS or SRAS), that each ECCS pump starts on receipt of an actual or simulated actuation signal (SIAS), and that the LPSI pumps stop on receipt of an actual or simulated actuation signal (SRAS). This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The surveillance frequency is controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

Surveillance Requirement 4.5.2.i verifies the high and low pressure safety injection valves listed in Table 4.5-1 will align to the required positions on an SIAS for proper ECCS performance. The safety injection valves have stops to position them properly so that flow is restricted to a ruptured cold leg, ensuring that the other cold legs receive at least the required minimum flow. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.5.2.j addresses periodic inspection of the containment sump to ensure that it is unrestricted and stays in proper operating condition. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.5.2.k verifies that the Shutdown Cooling (SDC) System open permissive interlock is OPERABLE to ensure the SDC suction isolation valves are prevented from being remotely opened when RCS pressure is at or above the SDC suction design pressure of 300 psia. The suction piping of the SDC pumps (low pressure safety injection pumps) is the SDC component with the limiting design pressure rating. The interlock provides assurance that double isolation of the SDC System from the RCS is preserved whenever RCS pressure is at or above the design pressure. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

ECCS piping and components have the potential to develop voids and pockets of entrained gases.

Preventing and managing gas intrusion and accumulation is necessary for proper operation of the ECCS and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel.

MILLSTONE - UNIT 2 B 3/4 5-2c Amendment No. 45, 159, 185, 215, 216, 220, 227, 236, 283

LBDCR 14-MP2-017 January 8, 2015 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued Surveillance Requirement 4.5.2.l verifies that the locations susceptible to gas accumulation in the ECCS are sufficiently full of water. Selection of ECCS locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.

Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.

The ECCS is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criterion for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the ECCS is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met. Accumulated gas should be eliminated or brought within the acceptance criteria limits.

ECCS locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.

The monitoring frequency takes into consideration the gradual nature of gas accumulation in the ECCS piping and the procedural controls governing system operation. The frequency is controlled by the Surveillance Frequency Control Program.The surveillance frequency may vay by each locations susceptibility to gas accumulation.

MILLSTONE - UNIT 2 B 3/4 5-2d Amendment No. 45, 159, 185, 215, 216, 218, 220, 227, 236, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-017 January 8, 2015 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES:

3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued)

Only one ECCS subsystem is required by Technical Specification 3.5.3 for design basis accident mitigation. This ECCS subsystem requires one OPERABLE HPSI pump and an OPERABLE flow path capable of taking suction from the RWST on a SIAS. Upon depletion of the inventory in the RWST, as indicated by the generation of a SRAS, the suction for the HPSI pump will automatically be transferred to the containment sump. This ECCS subsystem satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) as design basis accident mitigation equipment.

Surveillance Requirement 4.5.3.1 specifies the surveillance requirements of Technical Specification 3.5.3 that are required to demonstrate that the required ECCS subsystem of Technical Specification 3.5.3 is OPERABLE. The required ECCS subsystem of Technical Specification 3.5.3 does not include any LPSI components. LPSI components are not required when Technical Specification 3.5.3 is applicable to allow the LPSI components to be used for SDC System operation.

In MODE 4 the automatic safety injection signal generated by low pressurizer pressure and high containment pressure and the automatic sump recirculation actuation signal generation by low refueling water storage tank level are not required to be OPERABLE. Automatic actuation in MODE 4 is not required because adequate time is available for plant operators to evaluate plant conditions and respond by manually operating engineered safety features components. Since the manual actuation (trip pushbuttons) portion of the safety injection and sump recirculation actuation signal generation is required to be OPERABLE in MODE 4, the plant operators can use the manual trip pushbuttons to rapidly position all components to the required accident position.

Therefore, the safety injection and sump recirculation actuation trip pushbuttons satisfy the requirement for generation of safety injection and sump recirculation actuation signals in MODE 4.

In MODE 4, the OPERABLE HPSI pump is not required to start automatically on a SIAS.

Therefore, the pump control switch for this OPERABLE pump may be placed in the pull-to-lock position without affecting the OPERABILITY of the pump. This will prevent the pump from starting automatically, which could result in overpressurization of the Shutdown Cooling System.

Only one HPSI pump may be OPERABLE in MODE 4 with RCS temperatures less than or equal to 275F due to the restricted relief capacity with Low-Temperature Overpressure Protection System. To reduce shutdown risk by having additional pumping capacity readily available, a HPSI pump may be made inoperable but available at short notice by shutting its discharge valve with the key lock on the control panel.

MILLSTONE - UNIT 2 B 3/4 5-2e Amendment No. 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-017 January 8, 2015 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

BASES:

3/4.5.2 and 3/4.5.3 ECCS SUBSYSTEMS (continued)

The provision in Specification 3.5.3 that Specifications 3.0.4 and 4.0.4 are not applicable for entry into MODE 4 is provided to allow for connecting the HPSI pump breaker to the respective power supply or to remove the tag and open the discharge valve, and perform the subsequent testing necessary to declare the inoperable HPSI pump OPERABLE. Specification 3.4.9.3 requires all HPSI pumps to be not capable of injecting into the RCS when RCS temperature is at or below 190F. Once RCS temperature is above 190F one HPSI pump can be capable of injecting into the RCS. However, sufficient time may not be available to ensure one HPSI pump is OPERABLE prior to entering MODE 4 as required by Specification 3.5.3. Since Specifications 3.0.4 and 4.0.4 prohibit a MODE change in this situation, this exemption will allow Millstone Unit No. 2 to enter MODE 4, take the steps necessary to make the HPSI pump capable of injecting into the RCS, and then declare the pump OPERABLE. If it is necessary to use this exemption during plant heatup, the appropriate ACTION statement of Specification 3.5.3 should be entered as soon as MODE 4 is reached.

3/4.5.4 REFUELING WATER STORAGE TANK (RWST)

The OPERABILITY of the RWST as part of the ECCS ensures that a sufficient supply of borated water is available for injection by the ECCS in the event of a LOCA. A minimum usable volume of 370,000 gallons is required for ECCS injection above the earliest or highest level of SRAS initiation accounting for indicator accuracy. The limits on RWST minimum volume and boron concentration ensure that 1) sufficient water is available within containment to permit recirculation cooling flow to the core, and 2) after a LOCA the reactor will remain subcritical in the cold condition following mixing of the RWST and the RCS water volumes. Small break LOCAs assume that all control rods are inserted, except for the control element assembly (CEA) of highest worth, which remains withdrawn from the core. Large break LOCAs assume that all CEAs remain withdrawn from the core.

MILLSTONE - UNIT 2 B 3/4 5-2f Amendment No.

LBDCR 05-MP2-001 February 10, 2005 EMERGENCY CORE COOLING SYSTEMS BASES 3/4.5.5 TRISODIUM PHOSPHATE (TSP)

BACKGROUND Trisodium phosphate (TSP) is placed on the floor or in the sump of the containment building to ensure that iodine, which may be dissolved in the recirculated reactor cooling water following a loss of coolant accident (LOCA), remains in solution. TSP also helps inhibit stress corrosion cracking (SCC) of austenitic stainless steel components in containment during the recirculation phase following an accident.

Fuel that is damaged during a LOCA will release iodine in several chemical forms to the reactor coolant and to the containment atmosphere. A portion of the iodine in the containment atmosphere is washed to the sump by containment sprays. The emergency core cooling water is borated for reactivity control. This borated water causes the sump solution to be acidic. In a low pH (acidic) solution, dissolved iodine will be converted to a volatile form. The volatile iodine will evolve out of solution into the containment atmosphere, significantly increasing the levels of airborne iodine. The increased levels of airborne iodine in containment contribute to the radiological releases and increase the consequences from the accident due to containment atmosphere leakage.

After a LOCA, the components of the core cooling and containment spray systems will be exposed to high temperature borated water. Prolonged exposure to the core cooling water combined with stresses imposed on the components can cause SCC. The SCC is a function of stress, oxygen and chloride concentrations, pH, temperature, and alloy composition of the components. High temperatures and low pH, which would be present after a LOCA, tend to promote SCC. This can lead to the failure of necessary safety systems or components.

Adjusting the pH of the recirculation solution to levels above 7.0 prevents a significant fraction of the dissolved iodine from converting to a volatile form. The higher pH thus decreases the level of airborne iodine in containment and reduces the radiological consequences from containment atmosphere leakage following a LOCA. Maintaining the solution pH above 7.0 also reduces the occurrence of SCC of austenitic stainless steel components in containment. Reducing SCC reduces the probability of failure of components.

MILLSTONE - UNIT 2 B 3/4 5-3 Amendment No. 217, Acknowledged by NRC letter dated 12/19/06

LBDCR 05-MP2-001 February 10, 2005 EMERGENCY CORE COOLING SYSTEMS BASES 3/4.5.5 TRISODIUM PHOSPHATE (TSP)

BACKGROUND (continued)

TSP is employed as a passive form of pH control for post LOCA containment spray and core cooling water. Baskets of TSP are placed on the floor or in the sump of the containment building to dissolve from released reactor coolant water and containment sprays after a LOCA.

Recirculation of the water for core cooling and containment sprays then provides mixing to achieve a uniform solution pH. The hydrated form (45- 57% moisture) of TSP is used because of the high humidity in the containment building during normal operation. Since the TSP is hydrated, it is less likely to absorb large amounts of water from the humid atmosphere and will undergo less physical and chemical change than the anhydrous form of TSP.

APPLICABLE SAFETY ANALYSES The LOCA radiological consequences analysis takes credit for iodine retention in the sump solution based on the recirculation water pH being 7.0. The radionuclide releases from the containment atmosphere and the consequences of a LOCA would be increased if the pH of the recirculation water were not adjusted to 7.0 or above.

LIMITING CONDITION FOR OPERATION The TSP is required to adjust the pH of the recirculation water to 7.0 after a LOCA. A pH 7.0 is necessary to prevent significant amounts of iodine released from fuel failures and dissolved in the recirculation water from converting to a volatile form and evolving into the containment atmosphere. Higher levels of airborne iodine in containment may increase the release of radionuclides and the consequences of the accident. A pH 7.0 is also necessary to prevent SCC of austenitic stainless steel components in containment. SCC increases the probability of failure of components.

The required amount of TSP is based upon the extreme cases of water volume and pH possible in the containment sump after a large break LOCA. The minimum required volume is the volume of TSP that will achieve a sump solution pH of 7.0 when taking into consideration the maximum possible sump water volume and the minimum possible pH. The amount of TSP needed in the containment building is based on the mass of TSP required to achieve the desired pH. However, a required volume is specified, rather than mass, since it is not feasible to weigh the entire amount of TSP in containment. The minimum required volume is based on the manufactured density of TSP. Since TSP can have a tendency to agglomerate from high humidity in the containment building, the density may increase and the volume decrease during normal plant operation. Due to possible agglomeration and increase in density, estimating the minimum volume of TSP in containment is conservative with respect to achieving a minimum required pH.

MILLSTONE - UNIT 2 B 3/4 5-4 Amendment No.

Acknowledged by NRC letter dated 12/19/06

LBDCR 14-MP2-016 September 4, 2014 EMERGENCY CORE COOLING SYSTEMS BASES 3/4.5.5 TRISODIUM PHOSPHATE (TSP) (continued)

APPLICABILITY In MODES 1, 2, and 3, the RCS is at elevated temperature and pressure, providing an energy potential for a LOCA. The potential for a LOCA results in a need for the ability to control the pH of the recirculated coolant.

In MODES 4, 5, and 6, the potential for a LOCA is reduced or nonexistent, and TSP is not required.

ACTIONS If it is discovered that the TSP in the containment building sump is not within limits, action must be taken to restore the TSP to within limits. During plant operation the containment sump is not accessible and corrections may not be possible.

The completion time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed for restoring the TSP within limits because 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is the same time allowed for restoration of other ECCS components.

If the TSP cannot be restored within limits within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months completion time, the plant must be brought to a MODE in which the LCO does not apply. The specified completion times for reaching MODES 3 and 4 were chosen to allow reaching the specified conditions from full power in an orderly manner without challenging plant systems.

SURVEILLANCE REQUIREMENTS Surveillance Requirement 4.5.5.1 Periodic determination of the volume of TSP in containment must be performed due to the possibility of leaking valves and components in the containment building that could cause dissolution of the TSP during normal operation. This periodic surveillance is required to determine visually that a minimum of 282 cubic feet is contained in the TSP baskets. This requirement ensures that there is an adequate volume of TSP to adjust the pH of the post LOCA sump solution to a value 7.0. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

MILLSTONE - UNIT 2 B 3/4 5-5 Amendment No.

Acknowledged by NRC letter dated 12/19/06

LBDCR 14-MP2-016 September 4, 2014 EMERGENCY CORE COOLING SYSTEMS BASES 3/4.5.5 TRISODIUM PHOSPHATE (TSP) (continued)

Surveillance Requirement 4.5.5.2 Testing must be performed to ensure the solubility and buffering ability of the TSP after exposure to the containment environment. Passing this test verifies the TSP is active and provides assurance that the stored TSP will dissolve in borated water at postulated post-LOCA temperatures. This test is performed by submerging a sample of 0.6662 0.0266 grams of TSP from one of the baskets in containment in 250 10 milliliters of water at a boron concentration of 2482 20 ppm, and a temperature of 77 5F. Without agitation, the solution is allowed to stand for four hours. The liquid is then decanted, mixed, and the pH measured. The pH must be 7.0.

The TSP sample weight is based on the minimum required TSP mass of 12,042 pounds, which at the manufactured density corresponds to the minimum volume of 223 ft3 (The minimum Technical Specification requirement of 282 ft3 is based on 223 ft3 of TSP for boric acid neutralization and 59 ft3 of TSP for neutralization of hydrochloric and nitric acids.), and the maximum sump water volume (at 77F) following a LOCA of 2,046,441 liters, normalized to buffer a 250 10 milliliter sample. The boron concentration of the test water is representative of the maximum possible concentration in the sump following a LOCA. Agitation of the test solution is prohibited during TSP dissolution since an adequate standard for the agitation intensity cannot be specified. The dissolution time of four hours is necessary to allow time for the dissolved TSP to naturally diffuse through the sample solution. In the containment sump following a LOCA, rapid mixing will occur, significantly decreasing the actual amount of time before the required pH is achieved. The solution is decanted after the four hour period to remove any undissolved TSP prior to mixing and pH measurement. Mixing is necessary for proper operation of the pH instrument. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

MILLSTONE - UNIT 2 B 3/4 5-6 Amendment No.

Acknowledged by NRC letter dated 12/19/06

LBDCR 15-MP2-009 August 25, 2015 3/4.6 CONTAINMENT SYSTEMS BASES 3/4.6.1 PRIMARY CONTAINMENT 3/4.6.1.1 CONTAINMENT INTEGRITY Primary CONTAINMENT INTEGRITY ensures that the release of radioactive materials from the containment atmosphere will be restricted to those leakage paths and associated leak rates assumed in the accident analyses. This restriction, in conjunction with the leakage rate limitation, will limit the SITE BOUNDARY radiation doses to within the limits of 10 CFR 50.67 during accident conditions.

Primary CONTAINMENT INTEGRITY is required in MODES 1 through 4. This requires an OPERABLE containment automatic isolation valve system. In MODES 1, 2, and 3 this is satisfied by the automatic containment isolation signals generated by low pressurizer pressure and high containment pressure. In MODE 4 the automatic containment isolation signals generated by low pressurizer pressure and high containment pressure are not required to be OPERABLE.

Automatic actuation of the containment isolation system in MODE 4 is not required because adequate time is available for plant operators to evaluate plant conditions and respond by manually operating engineered safety features components. Since the manual actuation (trip pushbuttons) portion of the containment isolation system is required to be OPERABLE in MODE 4, the plant operators can use the manual pushbuttons to rapidly position all automatic containment isolation valves to the required accident position. Therefore, the containment isolation trip pushbuttons satisfy the requirement for an OPERABLE containment automatic isolation valve system in MODE 4.

3/4.6.1.2 CONTAINMENT LEAKAGE The limitations on containment leakage rates ensure that the total containment leakage volume will not exceed the value assumed in the accident analyses. Pa is the peak calculated primary containment internal pressure for the design basis loss of coolant accident. The peak calculated primary containment internal pressure for the design basis main steam line break accident is greater than Pa. Since the radiological dose consequence analysis of both these accidents assume containment leakage at the technical specification allowed leakage rate, containment leakage testing will be performed at a value greater than or equal to the containment design pressure. As an added conservatism, the measured overall integrated leakage rate is further limited to < 0.75 La during performance of the periodic tests to account for possible degradation of the containment leakage barriers between leakage tests.

The surveillance testing for measuring leakage rates is in accordance with the Containment Leakage Rate Testing Program.

The Millstone Unit No. 2 FSAR contains a list of the containment penetrations that have been identified as secondary containment bypass leakage paths.

MILLSTONE - UNIT 2 B 3/4 6-1 Amendment No. 124, 203, 215, 234

LBDCR 15-MP2-009 August 25, 2015 3/4.6 CONTAINMENT SYSTEMS BASES 3/4.6.1.3 CONTAINMENT AIR LOCKS The limitations on closure and leak rate for the containment air locks are required to meet the restrictions on CONTAINMENT INTEGRITY and leak rate given in Specifications 3.6.1.1 and 3.6.1.2. The limitations on the air locks allow entry and exit into and out of the containment during operation and ensure through the surveillance testing that air lock leakage will not become excessive through continuous usage.

The ACTION requirements are modified by a Note that allows entry and exit to perform repairs on the affected air lock components. This means there may be a short time during which the containment boundary is not intact (e.g., during access through the OPERABLE door). The ability to open the OPERABLE door, even if it means the containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be immediately closed.

ACTION a. is only applicable when one air lock door is inoperable. With only one air lock door inoperable, the remaining OPERABLE air lock door must be verified closed within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

This ensures a leak tight containment barrier is maintained by use of the remaining OPERABLE air lock door. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months requirement is consistent with the requirements of Technical Specification 3.6.1.1 to restore CONTAINMENT INTEGRITY. In addition, the remaining OPERABLE air lock door must be locked closed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and then verified periodically to ensure an acceptable containment leakage boundary is maintained. Otherwise, a plant shutdown is required.

ACTION b. is only applicable when the air lock door interlock mechanism is inoperable.

With only the air lock interlock mechanism inoperable, an OPERABLE air lock door must be verified closed within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This ensures a leak tight containment is maintained by use of an OPERABLE air lock door. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months requirement is consistent with the requirements of Technical Specification 3.6.1.1 to restore CONTAINMENT INTEGRITY. In addition, an OPERABLE air lock door must be locked closed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and then verified periodically to ensure an acceptable containment leakage boundary is maintained. Otherwise, a plant shutdown is required. In addition, entry into and exit from containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock) is permitted.

MILLSTONE - UNIT 2 B 3/4 6-1a Amendment No. 234, 267

LBDCR 15-MP2-009 August 25, 2015 CONTAINMENT SYSTEMS BASES Continued ACTION c. is applicable when both air lock doors are inoperable, or the air lock is inoperable for any other reason excluding the door interlock mechanism. With both air lock doors inoperable or the air lock otherwise inoperable, an evaluation of the overall containment leakage rate per Specification 3.6.1.2 shall be initiated immediately, and an air lock door must be verified closed within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . An evaluation is acceptable since it is overly conservative to immediately declare the containment inoperable if both doors in the air lock have failed a seal test or if overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed),

containment remains OPERABLE, yet only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (per Specification 3.6.1.1) would be provided to restore the air lock to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months requirement is consistent with the requirements of Technical Specification 3.6.1.1 to restore CONTAINMENT INTEGRITY. In addition, the air lock and/or at least one air lock door must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or a plant shutdown is required.

Surveillance Requirement 4.6.1.3.1 verifies leakage through the containment air lock is within the requirements specified in the Containment Leakage Rate Testing Program. The containment air lock leakage results are accounted for in the combined Type B and C containment leakage rate. Failure of an air lock door does not invalidate the previous satisfactory overall air lock leakage test because either air lock door is capable of providing a fission product barrier in the event of a design basis accident.

MILLSTONE - UNIT 2 B 3/4 6-1b Amendment No. 267

July 25, 2003 CONTAINMENT SYSTEMS BASES 3/4.6.1.4 INTERNAL PRESSURE The limitations on containment internal pressure ensure that the containment peak pressure does not exceed the design pressure of 54 psig during MSLB or LOCA conditions.

The maximum peak pressure is obtained from a MSLB event. The limit of 1.0 psig for initial positive containment pressure will limit the total pressure to less than the design pressure and is consistent with the accident analyses.

3/4.6.1.5 AIR TEMPERATURE The limitation on containment air temperature ensures that the containment air temperature does not exceed the worst case combined LOCA/MSLB air temperature profile and the liner temperature of 289F. The containment air and liner temperature limits are consistent with the accident analyses.

The temperature detectors used to monitor primary containment air temperature are located on the 38 ft. 6 in. floor elevation in containment. The detectors are located approximately 6 feet above the floor, on the southeast and southwest containment walls.

3/4.6.1.6 DELETED MILLSTONE - UNIT 2 B 3/4 6-2 Amendment No. 25, 72, 139, 204, 209, 219, 278

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.2 DEPRESSURIZATION AND COOLING SYSTEMS 3/4.6.2.1 CONTAINMENT SPRAY AND COOLING SYSTEMS The OPERABILITY of the containment spray system ensures that containment depressurization and cooling capability will be available in the event of a LOCA. The pressure reduction and resultant lower containment leakage rate are consistent with the assumptions used in the accident analyses.

The OPERABILITY of the containment cooling system ensures that 1) the containment air temperature will be maintained within limits during normal operation, and 2) adequate heat removal capacity is available when operated in conjunction with the containment spray system during post-LOCA conditions. Management of gas voids is important to Containment Spray System OPERABILITY.

To be OPERABLE, the two trains of the containment spray system shall be capable of taking a suction from the refueling water storage tank on a containment spray actuation signal and automatically transferring suction to the containment sump on a sump recirculation actuation signal. Each containment spray train flow path from the containment sump shall be via an OPERABLE shutdown cooling heat exchanger.

The containment cooling system consists of two containment cooling trains. Each containment cooling train has two containment air recirculation and cooling units. For the purpose of applying the appropriate ACTION statement, the loss of a single containment air recirculation and cooling unit will make the respective containment cooling train inoperable.

Either the containment spray system or the containment cooling system is sufficient to mitigate a loss of coolant accident. The containment spray system is more effective than the containment cooling system in reducing the temperature of superheated steam inside containment following a main steam line break. Because of this, the containment spray system is required to mitigate a main steam line break accident inside containment. In addition, the containment spray system provides a mechanism for removing iodine from the containment atmosphere. Therefore, at least one train of containment spray is required to be OPERABLE when pressurizer pressure is 1750 psia, and the allowed outage time for one train of containment spray reflects the dual function of containment spray for heat removal and iodine removal.

With one containment spray train inoperable, the inoperable containment spray train must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed outage time takes into account the redundant heat removal capability afforded by the Containment Spray System and reasonable time for repairs.

MILLSTONE - UNIT 2 B 3/4 6-3 Amendment No. 25, 61, 210, 215, 228, 236, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-001 May 20, 2014 CONTAINMENT SYSTEMS BASES 3/4.6.2.1 CONTAINMENT SPRAY AND COOLING SYSTEMS (Continued)

With one required containment cooling train inoperable, the inoperable containment cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition are capable of providing greater than 100% of the heat removal needs (for the condition of one containment cooling train inoperable) after an accident.

With one containment spray train and one containment cooling train inoperable, one required containment spray train or one required containment cooling train must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months allowed outage time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Containment Spray System and Containment Cooling System, the iodine removal function of the Containment Spray System, and the low probability of a DBA occurring during this period.

With two required containment spray trains inoperable, at least one of the required containment spray trains must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Both trains of containment cooling must be OPERABLE or be in HOT SHUTDOWN within the next 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The Condition is modified by a Note stating it is not applicable if the second containment spray train is intentionally declared inoperable. The Condition does not apply to voluntary removal of redundant systems or components from service. The Condition is only applicable if one train is inoperable for any reason and the second train is discovered to be inoperable, or if both trains are discovered to be inoperable at the same time. In addition, LCO 3.7.6.1, Control Room Emergency Ventilation System, must be verified to be met within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The components in this degraded condition are capable of providing greater than 100% of the heat removal needs after an accident. The allowed outage time is based on Reference 1 which demonstrated that the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time is acceptable based on the redundant heat removal capabilities afforded by the Containment Cooling System, the iodine removal capability of the Control Room Emergency Air Cleanup System, the infrequent use of the Required Action, and the small incremental effect on plant risk.

With two required containment cooling trains inoperable, one of the required containment cooling trains must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months allowed outage time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Containment Spray System and Containment Cooling System, the iodine removal function of the Containment Spray System, and the low probability of a DBA occurring during this period.

MILLSTONE - UNIT 2 B 3/4 6-3a Amendment No. 210, 215, 236, 278, 283

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.2.1 CONTAINMENT SPRAY AND COOLING SYSTEMS (Continued)

Surveillance Requirement 4.6.2.1.1.a verifies the correct alignment for manual, power operated, and automatic valves in the Containment Spray System flow paths to provide assurance that the proper flow paths will exist for containment spray operation. This surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position. Surveillance Requirement 4.6.2.1.1.a is modified to exempt system vent flow paths opened under administrative control. The administrative controls are proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.6.2.1.1.b, which addresses periodic surveillance testing of the containment spray pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems, is required by the ASME OM Code. This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. The surveillance requirements are specified in the Inservice Testing Program. The ASME OM Code provides the activities and frequencies necessary to satisfy the requirements.

Surveillance Requirements 4.6.2.1.1.c and 4.6.2.1.1.d demonstrate that each automatic containment spray valve actuates to the required position on an actual or simulated actuation signal (CSAS or SRAS), and that each containment spray pump starts on receipt of an actual or simulated actuation signal (CSAS). This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. These surveillance frequencies are controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

MILLSTONE - UNIT 2 B 3/4 6-3b Amendment No. 210, 215, 236, 278, 283,

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.2.1 CONTAINMENT SPRAY AND COOLING SYSTEMS (Continued)

Surveillance Requirement 4.6.2.1.1.e requires verification that each spray nozzle is unobstructed following maintenance that could cause nozzle blockage. Normal plant operation and maintenance activities are not expected to trigger performance of this surveillance requirement. However, activities, such as an inadvertent spray actuation that causes fluid flow through the nozzles, a major configuration change, or a loss of foreign material control when working within the respective system boundary may require surveillance performance. An evaluation, based on the specific situation, will determine the appropriate method (e.g., visual inspection, air or smoke flow test) to verify no nozzle obstruction.

Containment Spray System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the required containment spray trains and may also prevent water hammer and pump cavitation.

Surveillance Requirement 4.6.2.1.1.f verifies that the locations susceptible to gas accumulation in the Containment Spray System are sufficiently full of water. Selection of Containment Spray System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration. Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.

The Containment Spray System is OPERABLE when it is sufficiently filled with water.

Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criterion for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the Containment Spray System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met. Accumulated gas should be eliminated or brought within the acceptance criteria limits.

MILLSTONE - UNIT 2 B 3/4 6-3c Amendment No. 210, 215, 236, 278, 283,

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.2.1 CONTAINMENT SPRAY AND COOLING SYSTEMS (Continued)

Containment Spray System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g.,

operating parameters, remote monitoring) may be used to monitor the susceptible location.

Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.

The monitoring frequency takes into consideration the gradual nature of gas accumulation in the Containment Spray System piping and the procedural controls governing system operation.

The frequency is controlled by the Surveillance Frequency Control Program. The surveillance frequency may vary by each locations susceptibility to gas accumulation.

Surveillance Requirement 4.6.2.1.2.a demonstrates that each containment air recirculation and cooling unit can be operated in slow speed for > 15 minutes to ensure OPERABILITY and that all associated controls are functioning properly. It also ensures fan or motor failure can be detected and corrective action taken. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.6.2.1.2.b demonstrates a cooling water flow rate of > 500 gpm to each containment air recirculation and cooling unit to provide assurance a cooling water flow path through the cooling unit is available. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.6.2.1.2.c demonstrates that each containment air recirculation and cooling unit starts on receipt of an actual or simulated actuation signal (SIAS). The surveillance frequency is controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

REFERENCE

1. WCAP-16125-NP-A, Justification for Risk-Informed Modifications to Selected Technical Specifications for Conditions Leading to Exigent Plant Shutdown, Revision 2, August 2010.

MILLSTONE - UNIT 2 B 3/4 6-3d Amendment No. 210, 215, 236, 278, 283,

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES The Technical Requirements Manual contains the list of containment isolation valves (except the containment air lock and equipment hatch). Any changes to this list will be reviewed under 10CFR50.59 and approved by the committee(s) as described in the QAP Topical Report.

The OPERABILITY of the containment isolation valves ensures that the containment atmosphere will be isolated from the outside environment in the event of a release of radioactive material to the containment atmosphere or pressurization of the containment. Containment isolation within the time limits specified ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a LOCA.

The containment isolation valves are used to close all fluid (liquid and gas) penetrations not required for operation of the engineered safety feature systems, to prevent the leakage of radioactive materials to the environment. The fluid penetrations which may require isolation after an accident are categorized as Type P, O, or N. The penetration types for each containment isolation valve are listed in FSAR Table 5.2-11, Containment Structure Isolation Valve Information.

Type P penetrations are lines that connect to the reactor coolant pressure boundary (Criterion 55 of 10CFR50, Appendix A). These lines are provided with two containment isolation valves, one inside containment, and one outside containment.

Type O penetrations are lines that are open to the containment internal atmosphere (Criterion 56 of 10CFR50, Appendix A). These lines are provided with two containment isolation valves, one inside containment, and one outside containment.

Type N penetrations are lines that neither connect to the reactor coolant pressure boundary nor are open to the containment internal atmosphere, but do form a closed system within the containment structure (Criterion 57 of 10CFR50, Appendix A). These lines are provided with single containment isolation valves outside containment. These valves are either remotely operated or locked closed manual valves.

With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration.

MILLSTONE - UNIT 2 B 3/4 6-3e Amendment No. 210, 215, 236, 278, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES (Continued)

If the containment isolation valve on a closed system becomes inoperable, the remaining barrier is a closed system since a closed system is an acceptable alternative to an automatic valve.

However, ACTIONS must still be taken to meet Technical Specification ACTION 3.6.3.1.d and the valve, not normally considered as a containment isolation valve, and closest to the containment wall should be put into the closed position. No leak testing of the alternate valve is necessary to satisfy the ACTION statement. Placing the manual valve in the closed position sufficiently deactivates the penetration for Technical Specification compliance. Closed system isolation valves applicable to Technical Specification ACTION 3.6.3.1.d are included in FSAR Table 5.2-11, and are the isolation valves for those penetrations credited as General Design Criteria 57, (Type N penetrations). The specified time (i.e., 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) of Technical Specification ACTION 3.6.3.1.d is reasonable, considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4. In the event the affected penetration is isolated in accordance with 3.6.3.1.d, the affected penetration flow path must be verified to be isolated on a periodic basis, (Surveillance Requirement 4.6.1.1.a). This is necessary to assure leak tightness of containment and that containment penetrations requiring isolation following an accident are isolated. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

For the purposes of meeting this LCO, neither the containment isolation valve, nor any alternate valve on a closed system have a leakage limit associated with valve OPERABILITY.

Containment isolation valves may be opened on an intermittent basis provided appropriate administrative controls are established. The position of the NRC concerning acceptable administrative controls is contained in Generic Letter 91-08, Removal of Component Lists from Technical Specifications, and includes the following considerations:

(1) stationing an operator, who is in constant communication with the control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valve and that this action will prevent the release of radioactivity outside the containment.

The appropriate administrative controls, based on the above considerations, to allow containment isolation valves to be opened are contained in the procedures that will be used to operate the valves. Entries should be placed in the Shift Manager Log when these valves are opened and closed. However, it is not necessary to log into any Technical Specification ACTION Statement for these valves, provided the appropriate administrative controls have been established.

MILLSTONE - UNIT 2 B 3/4 6-3f Amendment No. 210, 215, 236, 278, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES (Continued)

If a containment isolation valve is opened while operating in accordance with Abnormal or Emergency Operating Procedures (AOPs and EOPs), it is not necessary to establish a dedicated operator. The AOPs and EOPs provide sufficient procedural control over the operation of the containment isolation valves.

Opening a closed containment isolation valve bypasses a plant design feature that prevents the release of radioactivity outside the containment. Therefore, this should not be done frequently, and the time the valve is opened should be minimized. As a general guideline, a closed containment isolation valve should not be opened longer than the time allowed to restore the valve to OPERABLE status, as stated in the ACTION statement for LCO 3.6.3.1 Containment Isolation Valves.

A discussion of the appropriate administrative controls for the containment isolation valves, that are expected to be opened during operation in MODES 1 through 4, is presented below.

Manual containment isolation valve 2-SI-463, safety injection tank (SIT) recirculation header stop valve, is opened to fill or drain the SITs and for Shutdown Cooling System (SDC) boron equalization. While 2-SI-463 is open, a dedicated operator, in continuous communication with the control room, is required.

When SDC is initiated, SDC suction isolation remotely operated valves 2-SI-652 and 2-SI-651 (inside containment isolation valve) and manual valve 2-SI-709 (outside containment isolation valve) are opened. 2-SI-651 is normally operated from the control room. While in MODES 1, 2 or 3, 2-SI-651 is closed with manual disconnect switch NSI651 locked open to satisfy Appendix R requirements. It does not receive an automatic containment isolation closure signal, but is interlocked to prevent opening if Reactor Coolant System (RCS) pressure is greater than approximately 275 psia. When 2-SI-651 is opened from the control room, either one of the two required licensed (Reactor Operator) control room operators can be credited as the dedicated operator required for administrative control. It is not necessary to use a separate dedicated operator.

When valve 2-SI-709 is opened locally, a separate dedicated operator is not required to remain at the valve. 2-SI-709 is opened before 2-SI-651. Therefore, opening 2-SI-709 will not establish a connection between the RCS and the SDC System. Opening 2-SI-651 will connect the RCS and SDC System. If a problem then develops, 2-SI-651 can be closed from the control room.

MILLSTONE - UNIT 2 B 3/4 6-3g Amendment No. 210, 215, 216, 273, 278, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES 3/4.6.3 CONTAINMENT ISOLATION VALVES (Continued)

The administrative controls for valves 2-SI-651 and 2-SI-709 apply only during preparations for initiation of SDC, and during SDC operations. They are acceptable because RCS pressure and temperature are significantly below normal operating pressure and temperature when 2-SI-651 and 2-SI-709 are opened, and these valves are not opened until shortly before SDC flow is initiated. The penetration flowpath can be isolated from the control room by closing either 2-SI-652 or 2-SI-651, and the manipulation of these valves, during this evolution, is controlled by plant procedures.

The pressurizer auxiliary spray valve, 2-CH-517, can be used as an alternate method to decrease pressurizer pressure, or for boron precipitation control following a loss of coolant accident. When this valve is opened from the control room, either one of the two required licensed (Reactor Operator) control room operators can be credited as the dedicated operator required for administrative control. It is not necessary to use a separate dedicated operator.

The exception for 2-CH-517 is acceptable because the fluid that passes through this valve will be collected in the Pressurizer (reverse flow from the Pressurizer to the charging system is prevented by check valve 2-CH-431), and the penetration associated with 2-CH-517 is open during accident conditions to allow flow from the charging pumps. Also, this valve is normally operated from the control room, under the supervision of the licensed control room operators, in accordance with plant procedures.

A dedicated operator is not required when opening remotely operated valves associated with Type N fluid penetrations (Criterion 57 of 10CFR50, Appendix A). Operating these valves from the control room is sufficient. The main steam isolation valves (2-MS-64A and 64B),

atmospheric steam dump valves (2-MS-190A and 190B), and the containment air recirculation cooler RBCCW discharge valves (2-RB-28.2A-D) are examples of remotely operated containment isolation valves associated with Type N fluid penetrations.

MSIV bypass valves 2-MS-65A and 65B are remotely operated MOVs, but while in MODE 1, they are closed with power to the valve motors removed via lockable disconnect switches located at their respective MCC to satisfy Appendix R requirements.

Local operation of the atmospheric steam dump valves (2-MS-190A and 190B), or other remotely operated valves associated with Type N fluid penetrations, will require a dedicated operator in constant communication with the control room, except when operating in accordance with AOPs or EOPs. Even though these valves can not be classified as locked or sealed closed, the use of a dedicated operator will satisfy administrative control requirements. Local operation of these valves with a dedicated operator is equivalent to the operation of other manual (locked or sealed closed) containment isolation valves with a dedicated operator.

MILLSTONE - UNIT 2 B 3/4 6-3h Amendment No. 210, 215, 216, 273, 278, 283

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES:

3/4.6.3 CONTAINMENT ISOLATION VALVES (Continued)

The main steam supplies to the turbine driven auxiliary feedwater pump (2-MS-201 and 2-MS-202) are remotely operated valves associated with Type N fluid penetrations. These valves are maintained open during power operation. 2-MS-201 is maintained energized, so it can be closed from the control room, if necessary, for containment isolation. However, 2-MS-202 is deenergized open by removing power to the valves motor via a lockable disconnect switch to satisfy Appendix R requirements. Therefore, 2-MS-202 cannot be closed immediately from the control room, if necessary, for containment isolation. The disconnect switch key to power for 2-MS-202 is stored in the Unit 2 control room, and can be used to re-power the valve at the MCC; this will allow the valve to be closed from the control room. It is not necessary to maintain a dedicated operator at 2-MS-202 because this valve is already in the required accident position.

Also, the steam that passes through this valve should not contain any radioactivity. The steam generators provide the barrier between the containment and the atmosphere. Therefore, it would take an additional structural failure for radioactivity to be released to the environment through this valve.

Steam generator chemical addition valves, 2-FW-15A and 2-FW-15B, are opened to add chemicals to the steam generators using the Auxiliary Feedwater System (AFW). When either 2-FW-15A or 2-FW-15B is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of these valves is expected during plant startup and shutdown.

The bypasses around the main steam supplies to the turbine driven auxiliary feedwater pump (2-MS-201 and 2-MS-202), 2-MS-458 and 2-MS-459, are opened to drain water from the steam supply lines. When either 2-MS-458 or 2-MS-459 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of these valves is expected during plant startup.

The containment station air header isolation, 2-SA-19, is opened to supply station air to containment. When 2-SA-19 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of this valve is only expected for maintenance activities inside containment.

The backup air supply master stop, 2-IA-566, is opened to supply backup air to 2-CH-517, 2-CH-518, 2-CH-519, 2-EB-88, and 2-EB-89. When 2-IA-566 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of this valve is only expected in response to a loss of the normal air supply to the valves listed.

MILLSTONE - UNIT 2 B 3/4 6-3i Amendment No. 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 14-MP2-017 January 8, 2015 CONTAINMENT SYSTEMS BASES:

3/4.6.3 CONTAINMENT ISOLATION VALVES (Continued)

The nitrogen header drain valve, 2-SI-045, is opened to depressurize the containment side of the nitrogen supply header stop valve, 2-SI-312. When 2-SI-045 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of this valve is only expected after using the high pressure nitrogen system to raise SIT nitrogen pressure.

The containment waste gas header test connection isolation valve, 2-GR-63, is opened to sample the primary drain tank for oxygen and nitrogen. When 2-GR-63 is opened, a dedicated operator, in continuous communication with the control room, is required. Operation of this valve is expected during plant startup and shutdown.

The upstream vent valves for the steam generator atmospheric dump valves, 2-MS-369 and 2-MS-371, are opened during steam generator safety valve set point testing to allow steam header pressure instrumentation to be placed in service. When either 2-MS-369 or 2-MS-371 is opened, a dedicated operator in continuous communication with the control room is required.

The determination of the appropriate administrative controls for these containment isolation valves included an evaluation of the expected environmental conditions. This evaluation has concluded environmental conditions will not preclude access to close the valve, and this action will prevent the release of radioactivity outside of containment through the respective penetration.

The containment purge supply and exhaust isolation valves are required to be sealed closed during plant operation since these valves have not been demonstrated capable of closing during a LOCA or steam line break accident. Such a demonstration would require justification of the mechanical OPERABILITY of the purge valves and consideration of the appropriateness of the electrical override circuits. Maintaining these valves closed during plant operations ensures that excessive quantities of radioactive materials will not be released via the containment purge system. The containment purge supply and exhaust isolation valves are sealed closed by isolating instrument air and removing power from the valves. This is accomplished by closing the instrument air isolation valves and pulling the control power fuses for each of the valves. The associated instrument air isolation valves and fuse blocks are then locked. This is consistent with the guidance contained in NUREG-0737 Item II.E.4.2 and Standard Review Plan 6.2.4, Containment Isolation System, Item II.f.

Surveillance Requirement 4.6.3.1.a verifies the isolation time of each power operated automatic containment isolation valve is within limits to demonstrate OPERABILITY. The isolation time test ensures the valve will isolate in a time period less than or equal to that assumed in the safety analysis. The isolation time and surveillance frequency are in accordance with the Inservice Testing Program.

MILLSTONE - UNIT 2 B 3/4 6-3j . Amendment No.

REVERSE OF PAGE B 3/4 6-3j INTENTIONALLY LEFT BLANK

LBDCR 14-MP2-016 September 4, 2014 CONTAINMENT SYSTEMS BASES 3/4.6.4 COMBUSTIBLE GAS CONTROL Surveillance Requirement 4.6.3.1.b demonstrate that each automatic containment isolation valve actuates to the isolation position on an actual or simulated containment isolation signal [containment isolation actuation signal (CIAS) or containment high radiation actuation signal (containment purge valves only)]. This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The surveillance frequency is controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

The OPERABILITY of the equipment and systems required for control of hydrogen gas ensures that this equipment will be available to maintain the hydrogen concentration within containment below its flammable limit during post-LOCA conditions.

The post-incident recirculation systems are provided to ensure adequate mixing of the containment atmosphere following a LOCA. This mixing action will prevent localized accumulations of hydrogen from exceeding the flammable limit.

MILLSTONE - UNIT 2 B 3/4 6-4 Amendment No. 233, Acknowledged by NRC letter dated 12/19/06

REVERSE OF PAGE B 3/4 6-4 INTENTIONALLY LEFT BLANK

LBDCR 18-MP2-004 February 21, 2019 CONTAINMENT SYSTEMS BASES 3/4.6.5 SECONDARY CONTAINMENT 3/4.6.5.1 ENCLOSURE BUILDING FILTRATION SYSTEM The OPERABILITY of the Enclosure Building Filtration System ensures that containment leakage occurring during LOCA conditions into the annulus will be filtered through the HEPA filters and charcoal adsorber trains prior to discharge to the atmosphere. This requirement is necessary to meet the assumptions used in the accident analyses and limit the SITE BOUNDARY radiation doses to within the limits of 10 CFR 50.67 during LOCA conditions.

With one Enclosure Building Filtration System Train inoperable, the inoperable train must be restored to OPERABLE status within 7 days. The components in this degraded condition are capable of providing 100% of the iodine removal needs after a DBA. The 7 day allowed outage time is based on consideration of such factors as the availability of the OPERABLE redundant Enclosure Building Filtration System Train and the low probability of a DBA occurring during this period.

If two Enclosure Building Filtration System Trains are inoperable, at least one Enclosure Building Filtration System Train must be returned to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The Condition is modified by a Note stating it is not applicable if the second Enclosure Building Filtration System train is intentionally declared inoperable. The Condition does not apply to voluntary removal of redundant systems or components from service. The Condition is only applicable if one train is inoperable for any reason and the second train is discovered to be inoperable, or if both trains are discovered to be inoperable at the same time. In addition, at least one train of containment spray must be verified to be OPERABLE within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . In the event of an accident, containment spray reduces the potential radioactive release from the containment, which reduces the consequences of the inoperable Enclosure Building Filtration System Trains.

The allowed outage time is based on Reference 1 which demonstrated that the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time is acceptable based on the infrequent use of the Required Actions and the small incremental effect on plant risk.

Operating each Enclosure Building Filtration System train for greater than or equal to 15 continuous minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. Per TSTF-522, the filter heaters are not required for the filters to be OPERABLE since adsorption testing is performed at 95% relative humidity.

The laboratory testing requirement for the charcoal sample to have a removal efficiency of 95% is more conservative than the elemental and organic iodine removal efficiencies of 90%

and 70%, respectively, assumed in the DBA analyses for the EBFS charcoal adsorbers in the Millstone Unit 2 Final Safety Analysis Report. A removal efficiency acceptance criteria of 95%

MILLSTONE - UNIT 2 B 3/4 6-5 Amendment No. 208,

LBDCR 18-MP2-004 February 21, 2019 CONTAINMENT SYSTEMS BASES 3/4.6.5.1 ENCLOSURE BUILDING FILTRATION SYSTEM (Continued) will ensure the charcoal has the capability to perform its intended safety function throughout the length of an operating cycle.

Surveillance Requirement 4.6.5.1.b.l dictates the test frequency, method and acceptance criteria for the EBFS trains (cleanup trains). These criteria all originate in the Regulatory Position sections of Regulatory Guide 1.52, Rev. 2, March 1978 as discussed below:

Section C.5.a requires a visual inspection of the cleanup system be made before the following tests, in accordance with the provisions of section 5 of ANSI N510-1975:

in-place air flow distribution test

DOP test

activated carbon adsorber section leak test Section C.5.c requires the in-place Dioctyl phthalate (DOP) test for HEPA filters to section 10 of ANSI N510-1975. The HEPA filters should be tested in place (1) initially, (2) at the frequency specified in the Surveillance Frequency Control Program, and (3) following painting, fire, or chemical release in any ventilation zone communicating with the system. The testing is to confirm a penetration of less than or equal to 1%* at rated flow.

Section C.5.d requires the charcoal adsorber section to be leak tested with a gaseous halogenated hydrocarbon refrigerant, in accordance with section 12 of ANSI N510-1975 to ensure that bypass leakage through the adsorber section is less than or equal to 1%.** Adsorber leak testing should be conducted (1) initially, (2) at the frequency specified in the Surveillance Frequency Control Program, (3) following removal of an adsorber sample for laboratory testing if the integrity of the adsorber section is affected, and (4) following painting, fire, or chemical release in any ventilation zone communicating with the system.

REFERENCE

1. WCAP-16125-NP-A, Justification for Risk-Informed Modifications to Selected Technical Specifications for Conditions Leading to Exigent Plant Shutdown, Revision 2, August 2010

Means that the HEPA filter will allow passage of less than or equal to 1% of the test concentration injected at the filter inlet from a standard DOP concentration injection.

- Means that the charcoal adsorber sections will allow passage of less than or equal to 1% of the injected test concentration around the charcoal adsorber sections.

MILLSTONE - UNIT 2 B 3/4 6-5a Amendment No. 208,

LBDCR 14-MP2-001 May 20, 2014 CONTAINMENT SYSTEMS BASES 3/4.6.5.2 ENCLOSURE BUILDING The OPERABILITY of the Enclosure Building ensures that the releases of radioactive materials from the primary containment atmosphere will be restricted to those leakage paths and associated leak rates assumed in the accident analyses. This restriction, in conjunction with operation of the Enclosure Building Filtration System, will limit the SITE BOUNDARY radiation doses to within the limits of 10 CFR 50.67 during accident conditions.

One Enclosure Building Filtration System train is required to establish a negative pressure of 0.25 inches W.G. in the Enclosure Building Filtration Region within one minute after an Enclosure Building Filtration Actuation Signal is generated. The one minute time requirement does not include the time necessary for the associated emergency diesel generator to start and power Enclosure Building Filtration System equipment.

To enable the Enclosure Building Filtration System to establish the required negative pressure in the Enclosure Building, it is necessary to ensure that all Enclosure Building access openings are closed. For double door access openings, only one door is required to be closed and latched, except for normal passage. For single door access openings, that door is required to be closed and latched, except for normal passage.

If a required door that is designated to automatically close and latch is not capable of automatically closing and latching, the door shall be maintained closed and latched, or personnel shall be stationed at the door to ensure that the door is closed and latched after each transit through the door. Otherwise, the access opening (door) should be declared inoperable and appropriate technical specification ACTION statement entered.

MILLSTONE - UNIT 2 B 3/4 6-5b Amendment No. 208,

REVERSE OF PAGE B 3/4 6-5b INTENTIONALLY LEFT BLANK

May 7, 2003 3/4.7 PLANT SYSTEMS BASES 3/4.7.1 TURBINE CYCLE 3/4.7.1.1 SAFETY VALVES The OPERABILITY of the main steam line code safety valves (MSSVs) ensures that the secondary system pressure will be limited to within 110% of the design pressure during the most severe anticipated system operational transient. The Loss of Electrical Load with Turbine Trip and the single main steam isolation valve (MSIV) closure event were evaluated at various power levels with a corresponding number of inoperable MSSVs. The limiting anticipated system operational transient is the closure of a single MSIV.

The specified valve lift settings and relieving capacities are in accordance with the requirements of Section III of the ASME Boiler and Pressure Vessel Code, 1971 Edition. The total rated capacity of the main steam line code safety valves is 12.7 x 106 lbs/hr. This is sufficient to relieve in excess of 100% steam flow at RATED THERMAL POWER.

The LCO requires all MSSVs to be OPERABLE. An alternative to restoring the inoperable MSSV(s) to OPERABLE status is to reduce power so that the available MSSV relieving capacity meets ASME Code requirements for the power level. POWER OPERATION is allowed with inoperable MSSVs as specified within the limitations of the ACTION requirements.

Less than the full number of OPERABLE MSSVs requires limitations on allowable THERMAL POWER and adjustment to the Power Level-High trip setpoint in accordance with ACTIONS a.1 and a.2. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months provided for ACTION a.1 is a reasonable time period to reduce power level and is based on the low probability of an event occurring during this period that would require activation of the MSSVs. ACTION a.2 provides for 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months to reduce the Power Level-High trip setpoint. This time for ACTION a.2 is based on a reasonable time to correct the MSSV inoperability, the time required to perform the power reduction, operating experience in resetting all channels of a protective function, and on the low probability of the occurrence of a transient that could result in steam generator overpressure during this period.

As described in Section 2.2.1 of the BASES, during a power reduction the Power Level-High trip setpoint automatically tracks THERMAL POWER downward so that it remains a fixed increment above the current power level, subject to a minimum value. Therefore, during short term reduced power evolutions e.g., MSSV testing, it is permissible to only reduce THERMAL POWER in accordance with ACTION a.1 (the protective function of ACTION a.2 is automatically provided due to the nature of the Power Level-High trip setpoint), provided that the MSSV testing can be completed within the 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months provided for ACTION a.2.

MILLSTONE - UNIT 2 B 3/4 7-1 Amendment No. 52, 61, 211, 275

LBDCR 04-MP2-016 February 24, 2005 3/4.7 PLANT SYSTEMS BASES 3/4.7.1 TURBINE CYCLE 3/4.7.1.1 SAFETY VALVES (Continued)

The OPERABILITY of the MSSVs is defined as the ability to open within the setpoint tolerances, relieve steam generator overpressure. and reseat when pressure has been reduced. The lift setpoints for the MSSVs are listed in Table 4.7-1. This table allows a +/- 3% setpoint tolerance (allowable value) on the lift setting for OPERABILITY to account for drift over a cycle. Each MSSV is demonstrated OPERABLE, with lift settings as shown in Table 4.7-1, in accordance with Specification 4.0.5. A footnote to Table 4.7-1 requires that the lift setting be restored to within +/- 1% of the setpoint (trip setpoint) following testing to allow for drift. While the lift settings are being restored to a tolerance of +/- 1%, the MSSV will remain OPERABLE with lift settings out of tolerance by as much as +/- 3%.

MILLSTONE - UNIT 2 B 3/4 7-1a Amendment No. 52, 61, 211, 275, Acknowledged by NRC letter dated 6/28/05

LBDCR 11-MP2-013 August 25, 2011 3/4.7 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS The OPERABILITY of the auxiliary feedwater pumps ensures that the Reactor Coolant System can be cooled down to less than 300F from normal operating conditions in the event of a total loss of off-site power.

The FSAR Chapter 14 Loss of Normal Feedwater: (LONF) analysis evaluates the event occurring with and without offsite power available, and a single active failure. This analysis has determined that one motor driven AFW pump is not sufficient to meet the acceptance criteria.

Therefore, two AFW pumps (two motor-driven AFW pumps, or one-motor driven AFW pump and the steam-driven AFW pump) are required to meet the acceptance criteria for this moderate frequency event. To meet the requirement of two AFW pumps available for mitigation, all three pumps must be OPERABLE to accommodate the failure of one pump. This is consistent with the limiting condition for operation and ACTION statements of Technical Specification 3.7.1.2.

Although not part of the bases of Technical Specification 3.7.1.2, the less conservative FSAR Chapter 10 Best Estimate Analysis of the LONF event was performed to demonstrate that one motor-driven AFW pump is adequate to remove decay heat, prevent steam generator dryout, maintain Reactor Coolant System (RCS) subcooling, and prevent pressurizer level from exceeding acceptable limits. This best estimate analysis is performed to demonstrate the automatic start of both motor driven AFW pumps on low steam generator level satisfies the automatic AFW initiation requirements of NUREG-0737 Item II.E.1.2. Automatic start of the turbine driven AFW pump is not required. From this best estimate analysis of the LONF event, an evaluation was performed to demonstrate that a single motor-driven AFW pump has sufficient capacity to reduce the RCS temperature to 300F (in addition to decay heat removal) where the Shutdown Cooling System may be placed into operation for continued cooldown. As a result of these evaluations, one motor-driven AFW pump (or the steam-driven AFW pump which has twice the capacity of a motor-driven AFW pump) can meet the requirements to remove decay heat, prevent steam generator dryout, maintain RCS subcooling, prevent the pressurizer from exceeding acceptable limits, and reduce RCS temperature to 300°F.+

The Auxiliary Feed Water (AFW) system is OPERABLE when the AFW pumps and flow paths required to provide AFW to the steam generators are OPERABLE. Technical Specification 3.7.1.2 requires three AFW pumps to be OPERABLE and provides ACTIONS to address inoperable AFW pumps. The AFW flow path requirements are separated into AFW pump suction flow path requirements, AFW pump discharge flow path to the common discharge header requirements, and common discharge header to the steam generators flow path requirements.

There are two AFW pump suction flow paths from the Condensate Storage Tank to the AFW pumps. One flow path to the turbine driven AFW pump, and one flow path to both motor driven AFW pumps. There are three AFW pump discharge flow paths to the common discharge header, one flow path from each of the three AFW pumps. There are two AFW discharge flow paths from the common discharge header to the steam generators, one flow path to each steam generator. With 2-FW-44 open (normal position), the discharge from any AFW pump will be supplied to both steam generators through the associated AFW regulating valves.

MILLSTONE - UNIT 2 B 3/4 7-2 Amendment No. 52, 61, 63, 211, 223, 236, 283, Acknowledged by NRC letter dated 6/28/05

LBDCR 04-MP2-016 February 24, 2005 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS (Continued) 2-FW-44 should remain open when the AFW system is required to be OPERABLE (MODES 1, 2, and 3). Closing 2-FW-44 places the plant in a configuration not considered as an initial condition in the Chapter 14 accident analyses. Therefore, if 2-FW-44 is closed while the plant is operating in MODES 1, 2, or 3, two AFW pumps should be considered inoperable and the appropriate ACTION requirement of Technical Specification 3.7.1.2 entered to limit plant operation in this configuration.

A flow path may be considered inoperable as the result of closing a manual valve, failure of an automatic valve to respond correctly to an actuation signal, or failure of the piping. In the case of an inoperable automatic AFW regulating valve (2-FW-43A or B), flow path OPERABILITY can be restored by use of a dedicated operator stationed at the associated bypass valve (2-FW-56A or B) as directed by OP 2322. Failure of the common discharge header piping will cause both discharge flow paths to the steam generators to be inoperable.

An inoperable suction flow path to the turbine driven AFW pump will result in one inoperable AFW pump. An inoperable suction flow path to the motor driven AFW pumps will result in two inoperable AFW pumps. The ACTION requirements of Technical Specification 3.7.1.2 are applicable based on the number of inoperable AFW pumps.

An inoperable pump discharge flow path from an AFW pump to the common discharge header will cause the associated AFW pump to be inoperable. The ACTION requirements of Technical Specification 3.7.1.2 for one AFW pump are applicable for each affected pump discharge flow path.

AFW must be capable of being delivered to both steam generators for design basis accident mitigation. Certain design basis events, such as a main steam line break or steam generator tube rupture, require that the affected steam generator be isolated, and the RCS decay heat removal safety function be satisfied by feeding and steaming the unaffected steam generator.

If a failure in an AFW discharge flow path from the common discharge header to a steam generator prevents delivery of AFW to a steam generator, then the design basis events may not be effectively mitigated. In this situation, the ACTION requirements of Technical Specification 3.0.3 are applicable and an immediate plant shutdown is appropriate.

Two inoperable AFW System discharge flow paths from the common discharge header to both steam generators will result in a complete loss of the ability to supply AFW flow to the steam generators. In this situation, all three AFW pumps are inoperable and the ACTION requirements of Technical Specification 3.7.1.2. are applicable. Immediate corrective action is required.

However, a plant shutdown is not appropriate until a discharge flow path from the common discharge header to one steam generator is restored.

MILLSTONE - UNIT 2 B 3/4 7-2a Amendment No. 283, Acknowledged by NRC letter dated 6/28/05

November 10, 2005 LBDCR 04-MP2-013 3/4.7 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS (Continued)

If the turbine-driven auxiliary feedwater train is inoperable due to an inoperable steam supply in MODES 1, 2, and 3, or if the turbine-driven auxiliary feedwater pump is inoperable while in MODE 3 immediately following REFUELING, action must be taken to restore the inoperable equipment to an OPERABLE status within 7 days. The 7 day allowed outage time is reasonable, based on the following:

a. For the inoperability of the turbine-driven auxiliary feedwater pump due an inoperable steam supply, the 7 day allowed outage time is reasonable since the auxiliary feedwater system design affords adequate redundancy for the steam supply line for the turbine-driven pump.

b. For the inoperability of a turbine-driven auxiliary feedwater pump while in MODE 3 immediately subsequent to a refueling, the 7 day allowed outage time is reasonable due to the minimal decay heat levels in this situation.

c. For both the inoperability of the turbine-driven pump due to an inoperable steam supply and an inoperable turbine-driven auxiliary feedwater pump while in MODE 3 immediately following a refueling outage, the 7 day allowed outage time is reasonable due to the availability of redundant OPERABLE motor driven auxiliary feedwater pumps, and due to the low probability of an event requiring the use of the turbine-driven auxiliary feedwater pump.

When one steam supply to the turbine-driven auxiliary feedwater pump is inoperable, the turbine-driven auxiliary feedwater pump is inoperable. In this case, although the turbine-driven auxiliary feedwater pump with a single operable steam supply is capable of performing its safety function in the absence of a single failure, the turbine-driven auxiliary feedwater pump is considered inoperable due to the lack of redundancy with respect to steam supplies.

The required ACTION dictates that if the 7 day allowed outage time is reached the unit must be in at least HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in HOT SHUTDOWN within the following 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The allowed time is reasonable, based on operating experience, to reach the required conditions from full power conditions in an orderly manner and without challenging plant systems.

MILLSTONE - UNIT 2 B 3/4 7-2b Amendment No. 52, 61, 63, 211, 236, 283,

LBDCR 14-MP2-016 September 4, 2014 3/4.7 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS (Continued)

A Note limits the applicability of the inoperable equipment condition b. to when the unit has not entered MODE 2 following a REFUELING. Required ACTION b. allows one auxiliary feedwater pump to be inoperable for 7 days vice the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed outage time in required ACTION c. This longer allowed outage time is based on the reduced decay heat following REFUELING and prior to the reactor being critical.

With one of the auxiliary feedwater pumps inoperable in MODE 1, 2, or 3 for reasons other than ACTION a. or b., ACTION must be taken to restore the inoperable equipment to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This includes the loss of both steam supply lines to the turbine-driven auxiliary feedwater pump. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed outage time is reasonable, based on redundant capabilities afforded by the auxiliary feedwater system, time needed for repairs, and the low probability of a DBA occurring during this time period. Two auxiliary feedwater pumps and flow paths remain to supply feedwater to the steam generators.

If all three AFW pumps are inoperable in MODE 1, 2, or 3, the unit is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with non-safety related equipment. In such a condition, the unit should not be perturbed by any action, including a power change that might result in a trip. The seriousness of this condition requires that action be started immediately to restore one AFW pump to OPERABLE status. Required ACTION e. is modified by a Note indicating that all required MODE changes or power reductions are suspended until one AFW pump is restored to OPERABLE status. In this case, LCO 3.0.3 is not applicable because it could force the unit into a less safe condition.

During periodic surveillance testing of the turbine driven AFW pump, valve 2-CN-27A is closed and valve 2-CN-28 is opened to prevent overheating the water being circulated. In this configuration, the suction of the turbine driven AFW pump is aligned to the Condensate Storage Tank via the motor driven AFW pump suction flow path, and the pump minimum flow is directed to the Condensate Storage Tank by the turbine driven AFW pump suction path upstream of 2-CN-27A in the reverse direction. During this surveillance, the suction path to the motor driven AFW pump suction path remains OPERABLE, and the turbine driven AFW suction path is inoperable. In this situation, the ACTION requirements of Technical Specification 3.7.1.2 for one AFW pump are applicable. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

MILLSTONE - UNIT 2 B 3/4 7-2c Amendment No. 283,

LBDCR 14-MP2-016 September 4, 2014 3/4.7 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS (Continued)

Surveillance Requirement 4.7.1.2.a verifies the correct alignment for manual, power operated, and automatic valves in the Auxiliary Feedwater (AFW) System flow paths (water and steam) to provide assurance that the proper flow paths will exist for AFW operation. This surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position. The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirement 4.7.1.2.b, which addresses periodic surveillance testing of the AFW pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems, is required by the ASME Code for Operations and Maintenance of Nuclear Power Plants (ASME OM Code). This type of testing may be accomplished by measuring the pump developed head at only one point of the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greater than or equal to the performance assumed in the unit safety analysis. The surveillance requirements are specified in the Inservice Testing Program. The ASME OM Code provides the activities and frequencies necessary to satisfy the requirements. This surveillance is modified to indicate that the test can be deferred for the steam driven AFW pump until suitable plant conditions are established. This deferral is required because steam pressure is not sufficient to perform the test until after MODE 3 is entered. Once the unit reaches 800 psig, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months would be allowed for completing the surveillance. However, the test, if required, must be performed prior to entering MODE 2.

Surveillance Requirements 4.7.1.2.c and 4.7.1.2.d demonstrate that each automatic AFW valve actuates to the required position on an actual or simulated actuation signal (AFWAS) and that each AFW pump starts on receipt of an actual or simulated actuation signal (AFWAS). This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The surveillance frequency is controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program. These surveillances do not apply to the steam driven AFW pump and associated valves which are not automatically actuated.

MILLSTONE - UNIT 2 B 3/4 7-2d Amendment No.

LBDCR 16-MP2-012 January 19, 2017 3/4.7 PLANT SYSTEMS BASES 3/4.7.1.2 AUXILIARY FEEDWATER PUMPS (Continued)

Surveillance Requirement 4.7.1.2.e demonstrates the AFW System is properly aligned by verifying the flow path to each steam generator prior to entering MODE 2, after 30 cumulative days in MODE 5, MODE 6, or a defueled condition. OPERABILITY of the AFW flow paths must be verified before sufficient core heat is generated that would require operation of the AFW System during a subsequent shutdown. To further ensure AFW System alignment, the OPERABILITY of the flow paths is verified following extended outages to determine that no misalignment of valves has occurred. The frequency is reasonable, based on engineering judgment, and other administrative controls to ensure the flow paths are OPERABLE.

3/4.7.1.3 CONDENSATE STORAGE TANK The OPERABILITY of the condensate storage tank with the minimum water volume ensures that sufficient water is available for cooldown of the Reactor Coolant System to less than 300F in the event of a total loss of off-site power. The minimum water volume is sufficient to maintain the RCS at HOT STANDBY conditions for 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months with steam discharge to atmosphere. The contained water volume limit includes an allowance for water not usable due to discharge nozzle pipe elevation above tank bottom, plus an allowance for vortex formation.

3/4.7.1.4 ACTIVITY The limitations on secondary system specific activity ensure that the resultant off-site radiation dose will be limited to MILLSTONE - UNIT 2 B 3/4 7-2e Amendment No.

LBDCR 16-MP2-012 January 19, 2017 PLANT SYSTEMS BASES 3/4.7.1.4 ACTIVITY (Continued) 10 CFR 50.67 and Regulatory Guide 1.183 limits in the event of a steam line rupture. The dose calculations for an assumed steam line rupture include the effects of a coincident 150 GPD primary to secondary tube leak in the steam generator of the affected steam line and a concurrent loss of offsite electrical power. These values are consistent with the assumptions used in the accident analyses.

3/4.7.1.5 MAIN STEAM LINE ISOLATION VALVES The OPERABILITY of the main steam line isolation valves ensures that no more than one steam generator will blowdown in the event of a steam line rupture. This restriction is required to

1) minimize the positive reactivity effects of the Reactor Coolant System cooldown associated with the blowdown, and 2) limit the pressure rise within containment in the event the steam line rupture occurs within containment. The OPERABILITY of the main steam isolation valves within the closure times of the surveillance requirements are consistent with the assumptions used in the accident analyses.

The ability of the main steam line isolation valves (MSIVs) to close is verified after the plant has been heated up. Since it is necessary to establish a high Reactor Coolant System temperature before the surveillance test can be performed, on exception to Technical Specification 4.0.4 has been added to SR 4.7.1.5 to allow entry into MODE 3. This is necessary to allow plant startup to proceed with equipment that is believed to be OPERABLE, but that cannot be verified by performance of the surveillance test until the appropriate plant conditions have been established. After entering MODE 3 and establishing the necessary plant conditions (Tavg 515F), the MSIVs will be declared inoperable if SR 4.7.1.5 has not been performed within the required frequency, plus 25%, in accordance with Technical Specifications 4.0.2 and 4.0.3. The ACTION statement for MODES 2 and 3 would then be entered. However, the required ACTIONS can be deferred for up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Technical Specification 4.0.3) to allow performance of SR 4.7.1.5. If the surveillance test is not performed within this 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months time period, the requirements of the ACTION statement for MODES 2 and 3 apply, and the MSIV(s) must be either restored to OPERABLE status or closed. Closing the MSIV(s) put the valve(s) in the required accident condition. However, the MSIV(s) may be opened to perform SR 4.7.1.5. If the MSIV(s) cannot be closed, the plant must be shut down to MODE 4.

3/4.7.1.6 MAIN FEEDWATER ISOLATION COMPONENTS (MFICS)

Feedwater isolation response time ensures a rapid isolation of feed flow to the steam generators via the feedwater regulating valves, feedwater bypass valves, and as backup, feed pump discharge valves. The response time includes signal generation time and valve stroke. Feed line block valves also receive MILLSTONE - UNIT 2 B 3/4 7-3 Amendment No. 32, 188, 219, Acknowledged by NRC letter dated 6/28/05

LBDCR 07-MP2-031 August 8, 2007 PLANT SYSTEMS BASES a feedwater isolation signal since the steam line break accident analysis credits them in prevention of feed line volume flashing in some cases. Feedwater pumps are assumed to trip immediately with an MSI signal.

3/4.7.1.7 ATMOSPHERIC DUMP VALVES The atmospheric dump valve (ADV) lines provide a method to maintain the unit in HOT STANDBY, and to replace or supplement the condenser steam dump valves to cool the unit to Shutdown Cooling (SDC) entry conditions. Each ADV line contains an air operated ADV, and an upstream manual isolation valve. The manual isolation valves are normally open, and the ADVs closed. The ADVs, which are normally operated from the main control room, can be operated locally using a manual handwheel.

An ADV line is OPERABLE if the manual isolation valve is open and if local manual operation of the ADV can be used to perform a controlled release of steam to the atmosphere. If the manual isolation valve is closed the ADV line is inoperable The considerable time and effort required to open the valve would challenge the timing of critical operator actions and established operator dose limits. This is consistent with the LOCA analysis and Steam Generator Tube Rupture analysis which credits local manual operation of the ADV lines for accident mitigation.

3/4.7.1.8 STEAM GENERATOR BLOWDOWN ISOLATION VALVES The steam generator blowdown isolation valves will isolate steam generator blowdown on low steam generator water level. An auxiliary feedwater actuation signal will also be generated at this steam generator water level. Isolation of steam generator blowdown will conserve steam generator water inventory following a loss of main feedwater. The steam generator blowdown isolation valves will also close automatically upon receipt of a containment isolation signal or a high radiation signal (steam generator blowdown or condenser air ejector discharge).

3/4.7.2 DELETED 3/4.7.3 REACTOR BUILDING CLOSED COOLING WATER SYSTEM The OPERABILITY of the Reactor Building Closed Cooling Water (RBCCW) System ensures that sufficient cooling capacity is available for continued operation of vital components and Engineered Safety Feature equipment during normal and accident conditions. The redundant cooling capacity of this system, assuming a single failure, is consistent with the assumptions used in the accident analyses.

The RBCCW loops are redundant of each other to the degree that each has separate controls and power supplies and the operation of one does not depend on the other. In the event of a design basis accident, one RBCCW loop is required to provide the minimum heat removal capability assumed in the safety analysis for the systems to which it supplies cooling water. To ensure this requirement is met, two RBCCW loops must be OPERABLE, and independent to the extent necessary to ensure that a single failure will not result in the unavailability MILLSTONE - UNIT 2 B 3/4 7-3a Amendment No. 219, 223, 226, 236, 238, 272,

January 10, 2002 PTSCR 2-18-01 May 1, 2002 PLANT SYSTEMS BASES of both RBCCW loops. At least one RBCCW loop will operate assuming the worst single active failure occurs following a design basis accident coincident with a loss of offsite power, or the worst single passive failure occurs during post-loss of coolant accident long term cooling. System design is assumed to mitigate the single active failure. System design or operator action is assumed to mitigate the passive failure.

The RBCCW System has numerous cross connection points between the redundant loops, with manual valve isolation capability. When these valves are opened, the two system loops are no longer independent. The loss of independence will result in one large RBCCW loop. This may adversely impact the ability of the RBCCW System to mitigate the design basis events if a single failure, active or passive, occurs. Opening the manual cross-connection valves during normal operation should be evaluated to ensure system stability, minimum component cooling flow requirements, and the ability to mitigate the design basis events coincident with a single failure are maintained. Continuous operation with cross-connection valves open is acceptable if the configuration has been evaluated and protection against a single failure can be demonstrated.

(Several system configurations that have been evaluated and determined acceptable for continuous plant operation are identified below). If opening a cross-connection valve will result in a plant configuration that does not provide adequate protection against a single failure, the following guidance applies. If only the manual cross-connect valves have been opened, and the RBCCW System is in a normal configuration otherwise, with all system equipment OPERABLE, one RBCCW loop should be considered inoperable and the ACTION requirements of Technical Specification 3.7.3.1 applied. If the RBCCW System is not in a normal configuration otherwise and/or not all equipment is OPERABLE, both RBCCW loops should be considered inoperable and the ACTION requirements of Technical Specification 3.0.3 applied.

The loss of loop independence is equivalent to the situation where one loop is inoperable.

If one loop is inoperable, the remaining OPERABLE loop will be able to meet all design basis accident functions, assuming an additional single failure does not occur. If the loops are not independent, the remaining single large OPERABLE loop will be able to meet all design basis accident functions, assuming a single failure does not occur. Operation in a plant configuration where protection against a single failure can not be shown is acceptable provided the time period in that configuration is limited to less than the Technical Specification specified allowed outage time. It is acceptable to operate in the off normal plant configurations identified in the ACTION requirements for the time periods specified due to the low probability of occurrence of a design basis event concurrent with a single failure during this limited time period. The allowed outage time for one inoperable RBCCW loop provides an appropriate limit for continued operation with only one OPERABLE RBCCW loop, and can be applied to a plant configuration where only loop independence has been compromised. The loop determined to be inoperable should be the loop that results in the most adverse plant configuration with respect to the availability of accident mitigation equipment. Restoration of loop independence within the time constraints of the allowed outage time is required, or a plant shutdown is necessary.

MILLSTONE - UNIT 2 B 3/4 7-3b Revised by NRC Letter A15689 Amendment No.

LBDCR 14-MP2-016 September 4, 2014 PLANT SYSTEMS BASES 3/4.7.3 REACTOR BUILDING CLOSED COOLING WATER SYSTEM (Continued)

It is acceptable to operate with the RBCCW pump minimum flow valves (2-RB-107A, 2-RB-l07B, 2-RB-l07C), RBCCW pump sample valves (2-RB-56A, 2-RB-56B, and 2-RB-56C),

and the RBCCW pump radiation monitor stop valves (2-RB-39, 2-RB-41,and 2-RB-43) open. An active single failure will not adversely impact both RBCCW loops with these valves open. In addition, protection against a passive single failure after the initiation of post-loss of coolant accident long term cooling is achieved by manually closing these accessible valves, as directed by the emergency operating procedures. In addition, operation with RBCCW chemical addition valves (2-RB-50A and 2-RB-50B) open during chemical addition evolutions is acceptable since these normally closed valves are opened to add chemicals to the RBCCW and then closed as directed by normal operating procedures. Therefore, operation with these valves open does not affect OPERABILITY of the RBCCW loops.

Surveillance Requirement 4.7.3.1.a verifies the correct alignment for manual, power operated, and automatic valves in the RBCCW System flow paths to provide assurance that the proper flow paths exist for RBCCW operation. This surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirements 4.7.3.1.b and 4.7.3.1.c demonstrate that each automatic RBCCW valve actuates to the required position on an actual or simulated actuation signal and that each RBCCW pump starts on receipt of an actual or simulated actuation signal. This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. These surveillance frequencies are controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

3/4.7.4 SERVICE WATER SYSTEM The OPERABILITY of the Service Water (SW) System ensures that sufficient cooling capacity is available for continued operation of vital components and Engineered Safety Feature equipment during normal and accident conditions. The redundant cooling capacity of this system, assuming a single failure, is consistent with the assumptions used in the accident analyses.

MILLSTONE - UNIT 2 B 3/4 7-3c Amendment No. 219, 223, 226, 236, 238, 273

February 13, 2003 PLANT SYSTEMS BASES 3/4.7.4 SERVICE WATER SYSTEM (continued)

The SW loops are redundant of each other to the degree that each has separate controls and power supplies and the operation of one does not depend on the other. In the event of a design basis accident, one SW loop is required to provide the minimum heat removal capability assumed in the safety analysis for the systems to which it supplies cooling water. To ensure this requirement is met, two SW loops must be OPERABLE, and independent to the extent necessary to ensure that a single failure will not result in the unavailability of both SW loops. At least one SW loop will operate assuming the worst single active failure occurs following a design basis accident coincident with a loss of offsite power, or the worst single passive failure occurs post-loss of coolant accident long term cooling. System design is assumed to mitigate the single active failure. System design or operator action is assumed to mitigate passive failure.

The SW System has numerous cross connection points between the redundant loops, with manual valve isolation capability. When these valves are opened, the two system loops are no longer independent. The loss of independence will result in one large SW loop. This may adversely impact the ability of the SW System to mitigate the design basis events if a single failure, active or passive, occurs. Opening the manual cross-connection valves during normal operation should be evaluated to ensure system stability, minimum component cooling flow requirements, and the ability to mitigate the design basis event coicident with a single failure are maintained. Continuous operation with cross-connection valves open is acceptable if the configuration has been evaluated and protection against a single failure can be demonstrated.

(Several system configurations that have been evaluated and determined acceptable for continuous plant operation are identified below). If opening a cross-connection valve will result in a plant configuration that does not provide adequate protection against a single failure, the following guidance applies. If only the manual cross-connect valves have been opened, and the SW System is in a normal configuration otherwise, with all system equipment OPERABLE, one SW loop should be considered inoperable and the ACTION requirements of Technical Specification 3.7.4.1 applied. If the SW System is not in a normal configuration otherwise and/or not all equipment is OPERABLE, both SW loops should be considered inoperable and the ACTION requirements of Technical Specification 3.0.3 applied.

The loss of loop independence is equivalent to the situation where one loop is inoperable.

If one loop is inoperable, the remaining OPERABLE loop will be able to meet all design basis accident functions, assuming an additional single failure does not occur. If the loops are not independent, the remaining single large OPERABLE loop will be able to meet all design basis accident functions, assuming a single failure does not occur. Operation in a plant configuration where protection against a single failure can not be shown is acceptable provided the time period in that configuration is limited to less then the Technical Specification specified allowed outage time. It is acceptable to operate in the off normal plant configurations identified in the ACTION requirements for the time periods specified due to the low probability of occurrence of a design basis event concurrent with a single failure during this limited time period. The allowed outage time for one inoperable SW loop provides an appropriate limit for continued operation with only one OPERABLE SW loop, and can be applied to a plant configuration where only loop independence has been compromised. The loop MILLSTONE - UNIT 2 B 3/4 7-3d Amendment No. 273

REVERSE OF PAGE B 3/4 7-3d INTENTIONALLY LEFT BLANK

LBDCR 14-MP2-016 September 4, 2014 PLANT SYSTEMS BASES 3/4.7.4 SERVICE WATER SYSTEM (Continued) determined to be inoperable should be the loop that results in the most adverse plant configuration with respect to the availability of accident mitigation equipment. Restoration of loop independence within the time constraints of the allowed outage time is required, or a plant shutdown is necessary.

Branch lines are supplied to isolation valves in the intake for lubrication to the circulating water pump bearings (2-SW-298 and 2-SW-299), and alternate supply connections (2-SW-84A, and 2-SW-84B). The flow restricting orifices in these lines ensure that safety related loads continue to receive minimum required flow during a LOCA (in which the lines remain intact), or during a seismic event (when the lines break) even with the valves open. Therefore, operation with these valves open does not affect OPERABILITY of the SW loops.

Surveillance Requirement 4.7.4.1.a verifies the correct alignment for manual, power operated, and automatic valves in the Service Water (SW) System flow paths to provide assurance that the proper flow paths exist for SW operation. This surveillance does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

Surveillance Requirements 4.7.4.1.b and 4.7.4.1.c demonstrate that each automatic SW valve actuates to the required position on an actual or simulated actuation signal and that each SW pump starts on receipt of an actual or simulated actuation signal. This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls. These surveillance frequencies are controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the Engineered Safety Feature Actuation System (ESFAS) testing, and equipment performance is monitored as part of the Inservice Testing Program.

3/4.7.5 DELETED MILLSTONE - UNIT 2 B 3/4 7-4 Amendment No. 223, 236, 272, 273,

June 25, 2007 LBDCR 07-MP2-013 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM The OPERABILITY of the Control Room Emergency Ventilation System ensures that

1) the ambient air temperature does not exceed the allowable temperature for continuous duty rating for the equipment and instrumentation cooled by this system and 2) the control room will remain habitable for operations personnel during and following all credible accident conditions.

The OPERABILITY of this system in conjunction with control room design provisions is based on limiting the radiation exposure to personnel occupying the control room. For all postulated design basis accidents, the radiation exposure to personnel occupying the control room shall be 5 rem TEDE or less consistent with the requirements of 10 CFR 50.67 The Control Room Envelope (CRE) is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and other non-critical areas including adjacent support offices, and utility rooms. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, ceiling, ducting, valves, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.

In order for the control room emergency ventilation systems to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke.

TS LCO 3.7.6.1 is modified by a footnote allowing the CRE boundary to be opened intermittently under administrative controls. This footnote only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

MILLSTONE - UNIT 2 B 3/4 7-4a Amendment No. 228, 236, 272, 273, 284,

LBDCR 14-MP2-001 May 20, 2014 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

ACTIONS a.1, b.1, b.2, b.3, c.1, c.2 and c.3 of this specification are applicable at all times during plant operation in MODES 1, 2, 3, and 4. ACTIONS d.1, d.2, and e.1 are applicable in MODES 5 and 6, or when recently irradiated fuel assemblies are being moved. The control room emergency ventilation system is required to be OPERABLE during fuel handling involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 300 hours0.00347 days 0.0833 hours 4.960317e-4 weeks 1.1415e-4 months ).

With one Control Room Emergency Ventilation (CREV) train inoperable except due to an inoperable CREV boundary, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining OPERABLE CREV subsystem is adequate to perform control room radiation protection function. However, the overall reliability is reduced because a single failure in the OPERABLE CREV train could result in loss of CREV function. The 7 day allowed outage time is based on the low probability of a DBA occurring during this time period, and the ability of the remaining train to provide the required capability.

If both CREV trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable control room boundary (i.e., Condition c), at least one CREV train must be returned to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The Condition is modified by a Note stating it is not applicable if the second CREV train is intentionally declared inoperable. The Condition does not apply to voluntary removal of redundant systems or components from service. The Condition is only applicable if one train is inoperable for any reason and the second train is discovered to be inoperable, or if both trains are discovered to be inoperable at the same time. During the period that the CREV trains are inoperable, action must be initiated to implement mitigating actions to lessen the effect on control room (CR) occupants from potential hazards while both trains of CREV are inoperable. In the event of a DBA, the mitigating actions will reduce the consequences of radiological exposures to the CR occupants.

Specification 3.4.8, Reactor Coolant System Specific Activity, allows limited operation with the reactor coolant system (RCS) activity significantly greater than the LCO limit. This presents a risk to the plant operator during an accident when all CREV trains are inoperable.

Therefore, it must be verified within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months that LCO 3.4.8 is met. This Required Action does not require additional RCS sampling beyond that normally required by LCO 3.4.8.

At least one CREV train must be returned to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed outage time is based on Reference 1 which demonstrated that the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time is acceptable based on the infrequent use of the Required Actions and the small incremental effect on plant risk.

MILLSTONE - UNIT 2 B 3/4 7-4b Amendment No. 228, 236, 245, 248, 254, 284,

LBDCR 14-MP2-001 May 20, 2014 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

If the control room boundary is inoperable in MODES 1, 2, 3, and 4, the CREV trains cannot perform their intended functions. Actions must be taken to restore an OPERABLE control room boundary within 90 days. During the period that the control room boundary is inoperable, appropriate compensatory measures (consistent with the intent of GDC 19) should be utilized to protect control room operators from potential hazards such as radioactive contamination, toxic chemicals, smoke, temperature and relative humidity, and physical security. Preplanned measures should be available to address these concerns for intentional and unintentional entry into the condition. The 90 days allowed outage time is reasonable based on the low probability of a DBA occurring during this time period, and the use of compensatory measures. The 90 days allowed outage time is a typically reasonable time to diagnose, plan and possibly repair, and test most problems with the control room boundary.

In MODE 5 or 6, or during movement of recently irradiated fuel assemblies, if Required Action d.1 cannot be completed within the required allowed outage time, the OPERABLE CREV train must be immediately placed in the recirculation mode of operation. This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action d.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel assemblies to a safe position.

When in MODES 5 and 6, or during movement of recently irradiated fuel assemblies, with two CREV trains inoperable, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

The control room radiological dose calculations use the conservative minimum acceptable flow of 2250 cfm based on the flowrate surveillance requirement of 2500 cfm +/- 10%.

MILLSTONE - UNIT 2 B 3/4 7-4c Amendment No. 228, 236, 245, 248, 254, 284,

LBDCR 14-MP2-001 May 20, 2014 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

Currently there are some situations where the CREV System may not automatically start on an accident signal, without operator action. Under most situations, the emergency filtration fans will start and the CREV System will be in the accident lineup. However, a failure of a supply fan (F21A or B) or an exhaust fan (F31A or B), will require operator action to return to a full train lineup. Also, if a single emergency bus does not power up for one train of the CREV System, the opposite train filter fan will automatically start, but the required supply and exhaust fans will not automatically start. Therefore, operator action is required to establish the whole train lineup. This action is specified in the Emergency Operating Procedures. The radiological dose calculations do not take credit for CREV System cleanup action until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months into the accident to allow for operator action.

When the CREV System is checked to shift to the recirculation mode of operation, this will be performed from the normal mode of operation, and from the smoke purge mode of operation.

If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem TEDE), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed outage time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day allowed outage time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day allowed outage time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.

MILLSTONE - UNIT 2 B 3/4 7-4d Amendment No.

LBDCR 14-MP2-016 September 4, 2014 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

Immediate action(s), in accordance with the LCO Action Statements, means that the required action should be pursued without delay and in a controlled manner.

Surveillance Requirement 4.7.6.1.c.1 dictates the test frequency, methods and acceptance criteria for the Control Room Emergency Ventilation System trains (cleanup trains). These criteria all originate in the Regulatory Position sections of Regulatory Guide 1.52, Rev. 2, March 1978 as discussed below.

Section C.5.a requires a visual inspection of the cleanup system be made before the following tests, in accordance with the provisions of section 5 of ANSI N510-1975:

in-place air flow distribution test

DOP test

activated carbon adsorber section leak test Section C.5.c requires the in-place Dioctyl phthalate (DOP) test for HEPA filters to conform to section 10 of ANSI N510-1975. The HEPA filters should be tested in place (1) initially, (2) at the frequency specified in the Surveillance Frequency Control Program, and (3) following painting, fire, or chemical release in any ventilation zone communicating with the system. The testing is to confirm a penetration of less than or equal to 1%* at rated flow.

Section C.5.d requires the charcoal adsorber section to be leak tested with a gaseous halogenated hydrocarbon refrigerant, in accordance with section 12 of ANSI N510-1975 to ensure that bypass leakage through the adsorber section is less than or equal to 1%.** Adsorber leak testing should be conducted (1) initially, (2) at the frequency specified in the Surveillance Frequency Control Program, (3) following removal of an adsorber sample for laboratory testing if the integrity of the adsorber section is affected, and (4) following painting, fire, or chemical release in any ventilation zone communicating with the system.

Means that the HEPA filter will allow passage of less than or equal to 1% of the test concentration injection at the filter inlet from a standard DOP concentration injection.

- Means that the charcoal adsorber sections will allow passage of less than or equal to 1% of the injected test concentration around the charcoal adsorber section.

MILLSTONE - UNIT 2 B 3/4 7-4e Amendment No.

LBDCR 14-MP2-001 May 20, 2014 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

The ACTION requirements to immediately suspend various activities (CORE ALTERATIONS, irradiated fuel movement, etc.) do not preclude completion of the movement of a component to a safe position.

Technical Specification 3.7.6.1 provides the OPERABILITY requirements for the Control Room Emergency Ventilation Trains. If a Control Room Emergency Ventilation Train emergency power source or normal power source becomes inoperable in MODES 1, 2, 3, or 4 the requirements of Technical Specification 3.0.5 apply in determining the OPERABILITY of the affected Control Room Emergency Ventilation Train. If a Control Room Emergency Ventilation Train emergency power source or normal power source becomes inoperable in MODES 5 or 6 the guidance provided by Note ** of this specification applies in determining the OPERABILITY of the affected Control Room Emergency Ventilation Train. If a Control Room Emergency Ventilation Train emergency power source or normal power source becomes inoperable while not in MODES 1, 2, 3, 4, 5, or 6 the requirements of Technical Specification 3.0.5 apply in determining the OPERABILITY of the affected Control Room Emergency Ventilation Train.

Surveillance Requirement 4.7.6.1.h verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.

Means that the HEPA filter will allow passage of less than or equal to 1% of the test concentration injection at the filter inlet from a standard DOP concentration injection.

- Means that the charcoal adsorber sections will allow passage of less than or equal to 1% of the injected test concentration around the charcoal adsorber section.

MILLSTONE - UNIT 2 B 3/4 7-4f Amendment No.

LBDCR 14-MP2-001 May 20, 2014 PLANT SYSTEMS BASES 3/4.7.6 CONTROL ROOM EMERGENCY VENTILATION SYSTEM (Continued)

The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem TEDE and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, ACTION c. must be entered. ACTION c. allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, which endorses, with exceptions, NEI 99-03.

These compensatory measures may also be used as mitigating actions as required by ACTION c.

Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY. Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.

REFERENCE

1. WCAP-16125-NP-A, Justification for Risk-Informed Modifications to Selected Technical Specifications for Conditions Leading to Exigent Plant Shutdown, Revision 2, August 2010.

MILLSTONE - UNIT 2 B 3/4 7-4g

LBDCR 11-MP2-010 August 23, 2011 PLANT SYSTEMS BASES 3/4.7.7 DELETED 3/4.7.8 SNUBBERS All snubbers are required OPERABLE to ensure that the structural integrity of the reactor coolant system and all other safety related systems is maintained during and following a seismic or other event initiating dynamic loads. Snubbers excluded from this inspection program are those installed on nonsafety-related systems and then only if their failure or failure of the system on which they are installed would have no adverse effect on any safety-related system.

MILLSTONE - UNIT 2 B 3/4 7-5 Amendment No. 11, 35, 96, 116, 202, 272

LBDCR 11-MP2-010 August 23, 2011 PLANT SYSTEMS BASES 3/4.7.9 DELETED MILLSTONE - UNIT 2 B 3/4 7-6 Amendment No. 11, 35, 96, 118, 191, 244

LBDCR 13-MP2-004 May 2, 2013 PLANT SYSTEMS BASES 3/4.7.10 DELETED 3/4.7.11 ULTIMATE HEAT SINK BACKGROUND The ultimate heat sink (UHS) for Millstone Unit No. 2 is Long Island Sound. The Long Island Sound is connected to the Atlantic Ocean and provides the required 30 day supply of water.

It serves as a heat sink for both safety and non-safety-related cooling systems. Sensible heat is discharged to the UHS via the service water (SW) and circulating water (CW) systems.

The basic performance requirement is that a 30 day supply of water be available, and that the design basis temperatures of safety related equipment not be exceeded.

Additional information on the design and operation of the system, along with a list of components served, can be found in References 1, 2, and 3.

APPLICABLE SAFETY ANALYSES The UHS is the sink for heat removed from the reactor core following all accidents and anticipated operational occurrences in which the unit is cooled down and placed on shutdown cooling system (SDC) operation. With UHS as the normal heat sink for condenser cooling via the CW System, unit operation at full power is its maximum heat load. Its maximum post accident heat load occurs < 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after a design basis loss of coolant accident (LOCA). Near this time, the unit switches from injection to recirculation and the containment cooling system is required to remove the core decay heat.

The operating limits are based on conservative heat transfer analyses for the worst case LOCA. References 1, 2, and 3 provide the details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and worst case single active failure (e.g., single failure of a man-made structure).

The limitations on the temperature of the UHS ensure that the assumption for temperature used in the analyses for cooling of safety related components by the SW system are satisfied.

These analyses ensure that under normal operation, plant cooldown, or accident conditions, all components cooled directly or indirectly by SW will receive adequate cooling to perform their design basis functions.

The UHS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

MILLSTONE - UNIT 2 B 3/4 7-7 Amendment No. 145, 191, 213, 247, 257, 311, Acknowledged by NRC letter dated 12/19/06

LBDCR 14-MP2-016 September 4, 2014 PLANT SYSTEMS BASES 3/4.7.11 ULTIMATE HEAT SINK (Continued)

LCO The UHS is required to be OPERABLE and is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the SW System to operate for at least 30 days following the design basis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the SW System. To meet this condition, the UHS temperature should not exceed 80°F during normal unit operation.

While the use of any supply side SW temperature indication is adequate to ensure compliance with the analysis assumptions, precision instruments installed at the inlet to the reactor building closed cooling water (RBCCW) heat exchangers will normally be used.

Therefore, instrument uncertainty need not be factored into the surveillance acceptance criteria.

All in-service instruments must be within the limit. If all of the precision instruments are out of service, alternative instruments that measure SW supply side temperature will be used. In this case, an appropriate instrument uncertainty will be subtracted from the acceptance criteria.

Since Long Island Sound temperature changes relatively slowly and in a predictable fashion according to the tides, it is acceptable to monitor this temperature at the frequency specified in the Surveillance Frequency Control Program when there is ample (>5°F) margin to the limit. When within 5°F of the limit, the temperature shall be monitored every 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to ensure that tidal variations are appropriately captured.

APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.

In MODE 5 or 6, the OPERABILITY requirements of the UHS are determined by the systems it supports.

ACTION If the UHS is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least HOT STANDBY within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

The allowed outage times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

MILLSTONE - UNIT 2 B 3/4 7-8

LBDCR 13-MP2-004 May 2, 2013 PLANT SYSTEMS BASES 3/4.7.11 ULTIMATE HEAT SINK (Continued)

SURVEILLANCE REQUIREMENTS This surveillance requirement verifies that the UHS is capable of providing a 30 day cooling water supply to safety related equipment without exceeding its design basis temperature.

This surveillance requirement verifies that the water temperature of the UHS is 80°F.

REFERENCES

1. FSAR, Sections 6.3, 6.4, 6.5, and 6.6 addressing Containment Systems.

2. FSAR, Sections 9.3, 9.4, and 9.5 addressing Water Systems.

3. FSAR, Section 14.6, Decrease in Reactor Coolant Inventory.

MILLSTONE - UNIT 2 B 3/4 7-9

REVERSE OF PAGE B 3/4 7-9 INTENTIONALLY LEFT BLANK

LBDCR 19-MP2-005 October 17, 2019 3/4.8 ELECTRICAL POWER SYSTEMS BASES The OPERABILITY of the A.C. and D.C. power sources and associated distribution systems during operation ensures that sufficient power will be available to supply the safety related equipment required for 1) the safe shutdown of the facility and 2) the mitigation and control of accident conditions within the facility. The minimum specified independent and redundant A.C. and D.C. power sources and distribution systems satisfy the requirements of General Design Criteria 17 of Appendix A to 10 CFR 50.

The required circuits between the offsite transmission network and the onsite Class 1E distribution system (Station Busses 24C, 24D, and 24E) that satisfy Technical Specification 3.8.1.1.a (MODES 1, 2, 3, and 4) consist of the following circuits from the switchyard to the onsite electrical distribution system:

a. Station safeguards busses 24C and 24D via the Unit 2 Reserve Station Service Transformer; and

b. Station bus 24E via the Unit 3 'A' Reserve Station Service Transformer or Unit 3

'A' Normal Station Service Transformer (energized with breaker 15G-13T-2 (13T) and associated disconnect switches open) and bus 34A or 34B.

When taking credit for the Unit 3 'A' Normal Station Service Transformer as a second offsite circuit, breaker 13T and its associated disconnect switches are required to be open. This removes the potential for a single failure (that of breaker 13T) to cause a simultaneous loss of both offsite circuits. Should the other offsite circuit (i.e., the Unit 2 Reserve Station Service Transformer) already be inoperable, the requirement for maintaining breaker 13T and its associated disconnect switches open is no longer applicable.

If the plant configuration will not allow Unit 3 to supply power to Unit 2 from the Unit 3

'A' Reserve Station Service Transformer or Unit 3 'A' Normal Station Service Transformer within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , Unit 2 must consider the second offsite source inoperable and enter the appropriate ACTION statement of Technical Specification 3.8.1.1 for an inoperable offsite circuit.

This is consistent with the GDC 17 requirement for two offsite sources. Each offsite circuit is required to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded.

The first source is required to be available within a few seconds to supply power to safety related equipment following a loss of coolant accident. The second source is not required to be available immediately and no accident is assumed to occur concurrently with the need to use the second source. However, the second source is required to be available in sufficient time to assure the reactor remains in a safe condition The 3 hour3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months time period is based on the Millstone Unit No. 2 Appendix R analysis. This analysis has demonstrated that the reactor will remain in a safe condition (i.e., the pressurizer will not empty) if charging is restored within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

MILLSTONE - UNIT 2 B 3/4 8-1 Amendment No. 188, 192, 231,

LBDCR 19-MP2-005 October 17, 2019 3/4.8 ELECTRICAL POWER SYSTEMS BASES In MODES 1 through 4 (Technical Specification 3.8.1.1), the Unit 2 Normal Station Service Transformer can be used as the second offsite source after the main generator disconnect links have been removed and the backfeed lineup established.

The required circuit between the offsite transmission network and the onsite Class 1E distribution system (Station Busses 24C, 24D, and 24E) that satisfies Technical Specification 3.8.1.2.a (MODES 5 and 6) consists of the following circuit from the switchyard to the onsite electrical distribution system:

a. Station safeguards bus 24C or 24D via the Unit 2 Reserve Station Service Transformer; or

b. Station safeguards bus 24C or 24D via the Unit 2 Normal Station Service Transformer and bus 24A or 24B after the main generator disconnect links have been removed and the backfeed lineup established; or

c. Station bus 24E via the Unit 3 'A' Reserve Station Service Transformer or Unit 3

'A' Normal Station Service Transformer and bus 34A or 34B.

When the plant is operating with the main generator connected to the grid, the output of the main generator will normally be used to supply the onsite Class 1E distribution system.

During this time the required offsite circuits will be in standby, ready to supply power to the onsite Class 1E distribution system if the main generator is not available. When shut down, only one of the offsite circuits will normally be used to supply the onsite Class 1E distribution system.

The other offsite circuit, if required, will be in standby. Verification of the required offsite circuits consists of checking control power to the breakers (breaker indicating lights), proper breaker position for the current plant configuration, and voltage indication as appropriate for the current plant configuration.

The ACTION requirements specified for the levels of degradation of the power sources provide restriction upon continued facility operation commensurate with the level of degradation.

The OPERABILITY of the power sources are consistent with the initial condition assumptions of the accident analyses and are based upon maintaining at least one of each of the onsite A.C. and D.C. power sources and associated distribution systems OPERABLE during accident conditions coincident with an assumed loss of offsite power and single failure of the other onsite A.C.

source.

Required Action a.3 provides an option that can be entered for the configuration where the Millstone Unit 3 A RSST is inoperable and the Millstone Unit 3 'A' NSST is energized with breaker 15G-13T-2 closed. This option to extend 10-day AOT allows for performance of Millstone Unit 3 'A' RSST and/or 345 kV south bus switchyard component maintenance and MILLSTONE - UNIT 2 B 3/4 8-2 Amendment No. 188, 192, 231,

LBDCR 19-MP2-005 October 17, 2019 ELECTRICAL POWER SYSTEMS BASES repair activites in this configuration while Millstone Unit 2 is operating.

Required Action a.3 can only be entered if the availability of a supplemental power source, which is the Millstone Unit 3 SBO diesel generator, has been verified by testing within 30 days prior to entering the extended AOT. The verification testing is performed by bringing the Millstone Unit 3 SBO diesel generator to its rated voltage and frequency for more than 5 minutes and ensuring all its auxiliary support systems are available or operational. While in the Required Action, the availability of supplemental power source must also be checked once per shift. This check consists of administratively examining logs or other information to determine if the Millstone Unit No. 3 SBO diesel generator is out of service for maintenance or other reasons. The check also includes local visual observation of MPS3 SBO diesel generator once per shift, along with confirmation of correct switch configuration and indicated power availability once per day.

To provide additional defense-in-depth during the 10-day AOT, the following risk management actions are taken:

1. The AOT will be used no more than once every 18 month refueling interval for Unit 3 to perform maintenance on the Millstone Unit 3 'A' RSST and/or 345 kV south bus switchyard components.

2. The AOT will not be scheduled when adverse or inclement weather and/or unstable grid conditions are predicted or present.

3. The load dispatcher will be contacted once per day to ensure no significant grid perturbations are expected during the AOT.

4. Component testing or maintenance of safety systems and important non-safety equipment in the offsite power systems that can increase the likelihood of a plant trip will be avoided. No elective maintenance within the switchyard that could challenge offsite power availability will be scheduled, other than 345 kV south bus switchyard maintenance and repairs as permitted in action 5.

5. During concurrent maintenance and repair activities on 345 kV south bus switchyard components, 345 kV line 310 (Millstone to Manchester line) will be removed from service to prevent a loss of load trip of Unit 2 from a 310 line fault.

6. The Tier 2 equipment listed below will be verified to be OPERABLE/

FUNCTIONAL, and positive measures will be provided to preclude subsequent testing or maintenance activities on this equipment (except for testing required to restore or maintain OPERABILITY/FUNCTIONALITY):

MILLSTONE - UNIT 2 B 3/4 8-2a Amendment No.

LBDCR 19-MP2-005 October 17, 2019 ELECTRICAL POWER SYSTEMS

Unit 2 EDGs H7A, H7B

Unit 3 SBO Diesel Generator 3BGS-EG1

Unit 3 Diesel-driven Fire Water Pump M7-7 (which is common to MPS2 and MPS3)

Unit 2 Service Water Pumps P5A, P5B, P5C

Unit 2 Auxiliary Feedwater Pumps P9A, P9B, P4

Unit 2 High Pressure Safety Injection (HPSI) Pumps P41A, P41B, P41C (and associated equipment)

7. The Unit 2 turbine-driven auxiliary feedwater pump will be controlled as protected equipment.

8. The status of the Unit 2 EDGs will be monitored once per shift.

If the supplemental power source becomes unavailable at any time during the 10-day AOT, it shall be restored to available status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or be in HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . Opening breaker 13T and its associated disconnect switches results in exiting the Required ACTION with the 10-day AOT, because this would restore the Millstone Unit 3 'A' NSST to OPERABLE status as an offsite circuit.

To facilitate replacement of the Unit 3 'A' RSST and associated equipment, use of a one-time 35-day AOT is permitted provided the supplemental power source requirements of the Required ACTION for the 10-day AOT are met, and the related risk management actions are taken. The work shall be completed no later than the end of Unit 3 Refueling Outage 22 (fall 2023).

MILLSTONE - UNIT 2 B 3/4 8-2b Amendment No.

LBDCR 07-MP2-009 March 29, 2007 3/4.8 ELECTRICAL POWER SYSTEMS BASES Technical Specification 3.8.1.1 ACTION Statements b and c provide an allowance to avoid unnecessary testing of the other OPERABLE diesel generator. If it can be determined that the cause of the inoperable diesel generator does not exist on the OPERABLE diesel generator, Surveillance Requirement 4.8.1.1.2.a.2 does not have to be performed. If the cause of inoperability exists on the other OPERABLE diesel generator, the other OPERABLE diesel generator would be declared inoperable upon discovery, ACTION Statement e would be entered, and appropriate ACTIONS will be taken. Once the failure is corrected, the common cause failure no longer exists, and the required ACTION Statements (b, c, and e) will be satisfied.

If it cannot be determined that the cause of the inoperable diesel generator does not exist on the remaining diesel generator, performance of Surveillance Requirement 4.8.1.1.2.a.2, within the allowed time period, suffices to provide assurance of continued OPERABILITY of the diesel generator. If the inoperable diesel generator is restored to OPERABLE status prior to the determination of the impact on the other diesel generator, evaluation will continue of the possible common cause failure. This continued evaluation is no longer under the time constraint imposed while in ACTION Statement b or c.

The determination of the existence of a common cause failure that would affect the remaining diesel generator will require an evaluation of the current failure and the applicability to the remaining diesel generator. Examples that would not be a common cause failure include, but are not limited to:

1. Preplanned preventive maintenance or testing, or

2. An inoperable support system with no potential common mode failure for the remaining diesel generator, or

3. An independently testable component with no potential common mode failure for the remaining diesel generator.

If one Millstone Unit No. 2 diesel generator is inoperable in MODES 1 though 4, ACTION Statements b.3 and c.3 require verification that the steam-driven auxiliary feedwater pump is OPERABLE (MODES 1, 2, and 3 only). If the steam-driven auxiliary feedwater pump is inoperable, restoration within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is required or a plant shutdown to MODE 4 will be necessary. This requirement is intended to provide assurance that a loss of offsite power event will not result in degradation of the auxiliary feedwater safety function to below accident mitigation requirements during the period one of the diesel generators is inoperable. The term verify, as used in this context, means to administratively check by examining logs or other information to determine if the steam-driven auxiliary feedwater pump is out of service for maintenance or other reasons. It does not mean to perform Surveillance Requirements needed to demonstrate the OPERABILITY of the steam-driven auxiliary feedwater pump.

MILLSTONE - UNIT 2 B 3/4 8-3 Amendment No. 188, 192, 231, 248, 261,

LBDCR 07-MP2-009 March 29, 2007 3/4.8 ELECTRICAL POWER SYSTEMS BASES If one Millstone Unit No. 2 diesel generator is inoperable in MODES 1 through 4, a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed outage time is provided by ACTION Statement b.5 to allow restoration of the diesel generator, provided the requirements of ACTION Statements b.1, b.2, and b.3 are met. This allowed outage time can be extended to 14 days if the additional requirements contained in ACTION Statement b.4 are also met. ACTION Statement b.4 requires verification that the Millstone Unit No. 3 diesel generators are OPERABLE as required by the applicable Millstone Unit No. 3 Technical Specification (2 diesel generators in MODES 1 through 4, and 1 diesel generator in MODES 5 and 6) and the Millstone Unit No. 3 SBO diesel generator is available.

The term verify, as used in this context, means to administratively check by examining logs or other information to determine if the required Millstone Unit No. 3 diesel generators and the Millstone Unit No. 3 SBO diesel generator are out of service for maintenance or other reasons. It does not mean to perform Surveillance Requirements needed to demonstrate the OPERABILITY of the required Millstone Unit No. 3 diesel generators or availability of the Millstone Unit No. 3 SBO diesel generator.

When using the 14 day allowed outage time provision and the Millstone Unit No. 3 diesel generator and/or the Millstone Unit No. 3 SBO diesel generator requirements are not met, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed for restoration of the required Millstone Unit No. 3 diesel generators and the Millstone Unit No. 3 SBO diesel generator. If any of the required Millstone Unit No. 3 diesel generators and/or the Millstone Unit No. 3 SBO diesel generator are not restored within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , and one Millstone Unit No. 2 diesel generator is still inoperable, Millstone Unit No. 2 is required to shut down.

The 14 day allowed outage time for one inoperable Millstone Unit No. 2 diesel generator will allow performance of extended diesel generator maintenance and repair activities (e.g., diesel inspections) while the plant is operating. To minimize plant risk when using this extended allowed outage time the following additional requirements must be met:

1. The extended diesel generator maintenance outage shall not be scheduled when adverse or inclement weather conditions and/or unstable grid conditions are predicted or present.

2. The availability of the Millstone Unit No. 3 SBO DG shall be verified by test performance within the previous 30 days prior to allowing a Millstone Unit No. 2 diesel generator to be inoperable for greater than 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

3. All activity in the switchyard shall be closely monitored and controlled. No elective maintenance within the switchyard that could challenge offsite power availability shall be scheduled.

MILLSTONE - UNIT 2 B 3/4 8-4 Amendment No. 188, 192, 231, 248, 261, 277,

LBDCR 07-MP2-009 March 29, 2007 3/4.8 ELECTRICAL POWER SYSTEMS BASES In addition, the plant configuration shall be controlled during the diesel generator maintenance and repair activities to minimize plant risk consistent with a Configuration Risk Management Program, as required by 10 CFR 50.65(a)(4).

Diesel Generator Testing An engine prelube period is allowed prior to engine start for all diesel generator testing.

This will minimize wear on moving parts that do not get lubricated when the engine is not running.

When specified in the surveillance tests, the diesel generators must be started from a standby condition. Standby condition for a diesel generator means the diesel engine coolant and oil are being circulated and temperature is being maintained consistent with manufacturer recommendations.

SR 4.8.1.1.2.a.2 This surveillance helps to ensure the availability of the standby electrical power supply to mitigate design basis accidents and transients and to maintain the unit in a safe shutdown condition. It verifies the ability of the diesel generator to start from a standby condition and achieve steady state voltage and frequency conditions. The time for voltage and speed (frequency) to stabilize is periodically monitored and the trend evaluated to identify degradation of governor or voltage regulator performance when testing in accordance with the requirements of the surveillance.

This surveillance is modified by two notes. Note 1 allows the use of a modified start based on recommendations of the manufacturer to reduce stress and wear on diesel engines.

When using a modified start, the starting speed of the diesel generators is limited, warmup is limited to this lower speed, and the diesel generators are gradually accelerated to synchronous speed prior to loading. If a modified start is not used, the 15 second start requirement of SR 4.8.1.1.2.d applies. Note 2 states that SR 4.8.1.1.2.d, a more rigorous test, may be performed in lieu of 4.8.1.1.2.a.

During performance of SR 4.8.1.1.2.a.2, the diesel generator shall be started by using one of the following signals:

1. Manual;

2. Simulated loss of offsite power in conjunction with a safety injection actuation signal;

3. Simulated safety injection actuation signal alone; or

4. Simulated loss of power alone.

MILLSTONE - UNIT 2 B 3/4 8-5 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES The surveillance frequency is controlled under the Surveillance Frequency Control Program.

SR 4.8.1.1.2.a.3 This surveillance verifies that the diesel generators are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the diesel generator is connected to the offsite source. Although no power factor requirements are established by this surveillance, the diesel generator is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation.

This surveillance is modified by five Notes. Note 1 indicates that diesel engine runs for this surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit will not invalidate the test. Note 3 indicates that this surveillance should be conducted on only one diesel generator at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this surveillance. A successful diesel generator start must precede this test to credit satisfactory performance. Note 5 states that SR 4.8.1.1.2.d, a more rigorous test, may be performed in lieu of 4.8.1.1.2.a.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

SR 4.8.1.1.2.b.1 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the three fuel storage tanks at the frequency specified in the Surveillance Frequency Control Program eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during EDG operation. Water may come from any of several sources, including condensation, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. This surveillance is for preventative maintenance. The presence of water does not necessarily represent failure of this surveillance provided the accumulated water is removed during performance of the surveillance.

MILLSTONE - UNIT 2 B 3/4 8-6 Amendment No. 277,

LBDCR 11-MP2-022 April 3, 2012 3/4.8 ELECTRICAL POWER SYSTEMS BASES SR 4.8.1.1.2.b.2 This surveillance requires testing of the new and stored fuel oil in accordance with the Diesel Fuel Oil Testing Program, as defined in Section 6 of the Technical Specifications.

The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows (more restrictive State of Connecticut and/or equipment limits may apply):

a. Sample the new fuel oil in accordance with ASTM D4057,

b. Verify in accordance with the tests specified in ASTM D975-81 that the sample has an absolute specific gravity at 60/60F of 0.83 and 0.89, or an API gravity at 60°F of 27 and 39, a kinematic viscosity at 40°C of 1.9 centistokes and 4.1 centistokes (alternatively, Saybolt viscosity, SUS at 100°F of 32.6 but 40.1) and a flash point 125°F, and

c. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176 or a water and sediment content within limits when tested in accordance with ASTM D2709 or D1796.

Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.

Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-81 are met for new fuel oil when tested in accordance with ASTM D975-81, except that the analysis for sulfur may be performed in accordance with ASTM D1552 or ASTM D2622. The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation.

This surveillance ensures the availability of high quality fuel oil for the diesel generators.

Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure. Particulate concentrations should be determined in accordance with ASTM D2276-78, Method A, every 92 days. This method involves a gravimetric MILLSTONE - UNIT 2 B 3/4 8-7 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing.

The frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between surveillance intervals.

SR 4.8.1.1.2.c.2 Under accident and loss of offsite power conditions, loads are sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the diesel generators due to high motor starting currents. The load sequence time interval tolerances ensure that sufficient time exists for the diesel generator to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding Engineered Safety Features (ESF) equipment time delays are not violated.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

This surveillance is modified by a Note. The reason for the Note is that performing the surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g. post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed surveillance, a successful surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and start up to determine that plant safety is maintained or enhanced when the surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

MILLSTONE - UNIT 2 B 3/4 8-8 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES SR 4.8.1.3.2.c.3 Each diesel generator is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This surveillance demonstrates the diesel generator load response characteristics and capability to reject the largest single load without exceeding a predetermined frequency limit. The single largest load for each diesel generator is identified in the FSAR (Tables 8.3-2 and 8.3-3).

This surveillance may be accomplished by either:

a. Tripping the diesel generator output breaker with the diesel generator carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power or while solely supplying the bus; or

b. Tripping the equivalent of the single largest post-accident load with the diesel generator solely supplying the bus.

The time, voltage, and frequency tolerances specified in this surveillance are based on the response during load sequence intervals. The 2.2 seconds specified is equal to 40% of the 5.5 second load sequence interval associated with sequencing of the largest load (Safety Guide 9).

The voltage and frequency specified are consistent with the design range of the equipment powered by the diesel generator. SR 4.8.1.1.2.c.3.a corresponds to the maximum frequency excursion, while SR 4.8.1.1.2.c.3.b and SR 4.8.1.1.2.c.3.c are steady state voltage and frequency values to which the system must recover following load rejection.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

This surveillance is modified by a Note to ensure that the diesel generator is tested under load conditions that are as close to design basis conditions as practical. When synchronized with offsite power, testing should be performed at a power factor of 0.9 lagging. This power factor is representative of the inductive loading a diesel generator would see based on the motor rating of the single largest load. It is within the adjustment capability of the Control Room Operator based on the use of reactive load indication to establish the desired power factor. Under certain conditions, however, the note allows the surveillance to be conducted at a power factor other than 0.9. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.9 results in voltages on the emergency buses that are too MILLSTONE - UNIT 2 B 3/4 8-9 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES high. Under these conditions, the power factor should be maintained as close as practicable to 0.9 while still maintaining acceptable voltage limits on the emergency buses. In other circumstances, the grid voltage may be such that the diesel generator excitation levels needed to obtain a power factor of 0.9 may not cause unacceptable voltages on the emergency buses, but the excitation levels are in excess of those recommended for the diesel generator. In such cases, the power factor shall be maintained as close as practicable to 0.9 lagging without exceeding the diesel generator excitation limits.

SR 4.8.1.1.2.c.4 This surveillance demonstrates the diesel generator capability to reject a rated load without overspeed tripping. A diesel generator rated load rejection may occur because of a system fault or inadvertent breaker tripping. This surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the diesel generator experiences following a rated load rejection and verifies that the diesel generator will not trip upon loss of the load. While the diesel generator is not expected to experience this transient during an event, this response ensures that the diesel generator is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.

This surveillance is performed by tripping the diesel generator output breaker with the diesel generator carrying the required load while paralleled to offsite power.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

This surveillance is modified by a Note to ensure that the diesel generator is tested under load conditions that are as close to design basis conditions as practical. When synchronized with offsite power, testing should be performed at a power factor of 0.83 lagging. This power factor is representative of the inductive loading a diesel generator would see under design basis accident conditions. Under certain conditions, however, the note allows the surveillance to be conducted at a power factor other than 0.83. These conditions occur when grid voltage is high, and the additional field excitation needed to get the power factor to 0.83 results in voltages on the emergency buses that are too high. Under these conditions, the power factor should be maintained as close as practicable to 0.83 while still maintaining acceptable voltage limits on the emergency buses. In other circumstances, the grid voltage may be such that the diesel generator excitation levels needed to obtain a power factor of 0.83 may not cause unacceptable voltages on the emergency buses, but the excitation levels are in excess of those recommended for the diesel MILLSTONE - UNIT 2 B 3/4 8-10 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES generator. In such cases, the power factor shall be maintained as close as practicable to 0.83 lagging without exceeding the diesel generator excitation limits.

SR 4.8.1.1.2.c.5 In the event of a design basis accident coincident with a loss of offsite power, the diesel generators are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded. This surveillance demonstrates the diesel generator operation during a loss of offsite power actuation test signal in conjunction with an ESF actuation signal, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the diesel generator. It further demonstrates the capability of the diesel generator to automatically achieve the required voltage and speed (frequency) within the specified time. The diesel generator auto-start time of 15 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved. The requirement to verify the connection of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the diesel generator loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the diesel generator system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

For the purpose of this testing, the diesel generators must be started from a standby condition. Standby condition for a diesel generator means the diesel engine coolant and oil are being circulated and temperature is being maintained consistent with manufacturer recommendations.

This surveillance is modified by a Note. The reason for the Note is that performing the surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1 2, 3, or 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g. post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and MILLSTONE - UNIT 2 B 3/4 8-11 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and start up to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for the assessment.

SR 4.8.1.1.2.c.6 This surveillance demonstrates that diesel generator noncritical protective functions (e.g.,

high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ESF actuation test signal. During this time, the critical protective functions (engine overspeed, generator differential current, low lube oil pressure [2 out of 3 logic], and voltage restraint overcurrent) remain available to trip the diesel generator and/or output breaker to avert substantial damage to the diesel generator unit. An EDG Emergency Start Signal (Loss of Power signal or SIAS) bypasses the EDG mechanical trips in the EDG control circuit, except engine overspeed, and switches the low lube oil trip to a 2 of 3 coincidence. The loss of power to the emergency bus, based on supply breaker position (A302, A304, and A505 for Bus 24C; A410, A411, and A505 for Bus 24D), bypasses the EDG electrical trips in the breaker control circuit except generator differential current and voltage restraint over current. The noncritical trips are bypassed during design basis accidents and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The diesel generator availability to mitigate the design basis accident is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the diesel generator.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

This surveillance is modified by a Note. The reason for the Note is that performing the surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g. post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is MILLSTONE - UNIT 2 B 3/4 8-12 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for the assessment.

SR 4.8.1.1.2.c.7 This surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the diesel generator. It further demonstrates the capability of the diesel generator to automatically achieve the required voltage and speed (frequency) within the specified time. The diesel generator auto-start time of 15 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved. The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the diesel generator loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the diesel generator system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

This surveillance is modified by two Notes. The reason for Note 1 is that performing the surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g. post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is MILLSTONE - UNIT 2 B 3/4 8-13 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial surveillance, a successful partial surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and start up to determine that plant safety is maintained or enhanced when portions of the surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for the assessment.

Surveillance Note 2 specifies that the start of the diesel generator from a standby condition is not required if this surveillance is performed in conjunction with SR 4.8.1.1.2.c.5.

Since this test is normally performed in conjunction with SR 4.8.1.1.2.c.5, the proposed note will exclude the requirement to start from a standby condition to minimize the time to perform this test. This will reduce shutdown risk since plant restoration, and subsequent equipment availability will occur sooner. In addition, it is not necessary to test the ability of the EDG to auto start from a standby condition for this test since that ability will have already been verified by SR 4.8.1.1.2.c.5, which will have just been performed if the note's exclusion is to be utilized. If this test is to be performed by itself, the EDG is required to start from a standby condition.

SR 4.8.1.1.2.c.8 This surveillance demonstrates that the diesel generator automatically starts and achieves the required voltage and speed (frequency) within the specified time (15 seconds) from the design basis actuation signal (Safety Injection Actuation Signal) and operates for 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. Since the specified actuation signal (ESF signal without loss of offsite power) will not cause the emergency bus loads to be shed, and will not cause the diesel generator to load, the surveillance ensures that permanently connected loads and autoconnected loads remain energized from the offsite electrical power system (Unit 2 RSST or NSST, or Unit 3 RSST or NSST). In certain circumstances, many of these loads cannot actually be connected without undue hardship or potential for undesired operation. It is not necessary to verify all autoconnected loads remain connected. A representative sample is acceptable.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

MILLSTONE - UNIT 2 B 3/4 8-14 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES For the purpose of this testing, the diesel generators must be started from a standby condition. Standby condition for a diesel generator means the diesel engine coolant and oil are being circulated and temperature is being maintained consistent with manufacturer recommendations.

SR 4.8.1.1.2.c.9 This surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from a normal surveillance, and achieve the required voltage and speed within 15 seconds. The 15 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA.

The surveillance frequency is controlled under the Surveillance Frequency Control Program.

This surveillance is modified by a Note. The Note ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the diesel generator. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain diesel generator OPERABILITY. The requirement that the diesel has operated for at least 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months at rated load conditions prior to performance of this surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads do not invalidate this test.

SRs 4.8.1.1.2.d.1 and 4.8.1.1.2.d.2 SR 4.8.1.1.2.d.1 verifies that, at the frequency specified in the Surveillance Frequency Control Program, the diesel generator starts from standby conditions and achieves required voltage and speed (frequency) within 15 seconds. The 15 second start requirement supports the assumptions of the design basis LOCA analysis in the FSAR. Diesel generator voltage and speed will continue to increase to rated values, and then should stabilize. SR 4.8.1.1.2.d.2 verifies the ability of the diesel generator to achieve steady state voltage and frequency conditions. The time for voltage and speed (frequency) to stabilize is periodically monitored and the trend evaluated to identify degradation of governor or voltage regulator performance when besting in accordance with the requirements of this surveillance.

These surveillance frequencies are controlled under the Surveillance Frequency Control Program. In addition, SR 4.8.1.1.2.d may be performed in lieu of 4.8.1.1.2.a.

MILLSTONE - UNIT 2 B 3/4 8-15 Amendment No. 277,

LBDCR 14-MP2-016 September 4, 2014 3/4.8 ELECTRICAL POWER SYSTEMS BASES For the purpose of this testing, the diesel generators must be started from a standby condition. Standby condition for a diesel generator means the diesel engine coolant and oil are being circulated and temperature is being maintained consistent with manufacturer recommendations.

During performance of SR 4.8.1.1.2.d.1, the diesel generators shall be started by using one of the following signals:

1. Manual;

2. Simulated loss of offsite power in conjunction with a safety injection actuation signal;

3. Simulated safety injection actuation signal alone; or

4. Simulated loss of power alone.

SR 4.8.1.1.2.d.3 This surveillance verifies that the diesel generators are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the diesel generator is connected to the offsite source. Although no power factor requirements are established by this surveillance, the diesel generator is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation.

The surveillance frequency is controlled under the Surveillance Frequency Control Program This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit will not invalidate the test. Note 3 indicates that this surveillance should be conducted on only one diesel generator at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this surveillance. A successful diesel generator start must precede this test to credit satisfactory performance.

MILLSTONE - UNIT 2 B 3/4 8-16 Amendment No. 188, 192, 231, 248, 261, 277, 279, 293,

February 19, 2009 LBDCR 09-MP2-002 3/4.8 ELECTRICAL POWER SYSTEMS BASES The OPERABILITY of the minimum specified A.C. and D.C. power sources and associated distribution systems during shutdown and refueling ensures that 1) the facility can be maintained in the shutdown or REFUELING condition for extended time periods and 2) sufficient instrumentation and control capability is available for monitoring and maintaining the facility status. If the required power sources or distribution systems are not OPERABLE in MODES 5 and 6, operations involving CORE ALTERATIONS, positive reactivity additions, or movement of recently irradiated fuel assemblies are required to be suspended. Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation.

Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM. The movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 300 hours0.00347 days 0.0833 hours 4.960317e-4 weeks 1.1415e-4 months ), is also required to be suspended.

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power source or distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

Each 125-volt D.C. bus train consists of its associated 125-volt D.C. bus, a 125-volt D.C.

battery bank, and a battery charger with at least 400 ampere charging capacity. To demonstrate OPERABILITY of a 125-volt D.C. bus train, these components must be energized and capable of performing their required safety functions. Additionally, in MODES 1 through 4 at least one tie breaker between the 125-volt D.C. bus trains must be open for a 125-volt D.C. bus train to be considered OPERABLE.

For MODES 5 and 6, each battery is sized to supply the total connected vital loads (one battery connected to both buses) for one hour without charger support. Therefore, in MODES 5 and 6 with at least one 125-volt D.C. bus train OPERABLE and the 125-volt D.C. buses cross-tied, the 125-volt D.C. support system operability requirements for both buses are satisfied.

Footnote (a) to Technical Specification Tables 4.8-1 and 4.8-2 permits the electrolyte level to be above the specified maximum level for the Category A limits during equalizing charge, provided it is not overflowing. Because of the internal gas generation during the performance of an equalizing charge, specific gravity gradients and artificially elevated electrolyte levels are produced which may exist for several days following completion of the equalizing charge. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. In accordance with the recommendations of IEEE 450-1980, electrolyte level readings should be taken only after the battery has been at float charge for at least 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

MILLSTONE - UNIT 2 B 3/4 8-17 Amendment No. 188, 192, 231, 248, 261, 277, 279, 293,

March 29, 2007 LBDCR 07-MP2-009 3/4.8 ELECTRICAL POWER SYSTEMS BASES Based on vendor recommendations and past operating experience, seven (7) days has been determined a reasonable time frame for the 125-volt D.C. batteries electrolyte level to stabilize and to provide sufficient time to verify battery electrolyte levels are with in the Category A limits.

Footnote (b) to Technical Specification Tables 4.8-1 and 4.8-2 requires that level correction is not required when battery charging current is < 5 amps on float charge. This current provides, in general, an indication of overall battery condition.

Footnote (c) to Technical Specification Tables 4.8-1 and 4.8-2 states that level correction is not required when battery charging current is < 5 amps on float charge. This current provides, in general, an indication of overall battery condition. Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity measurement for determining the state of charge. This footnote allows the float charge current to be used as an alternative to specific gravity to show OPERABILITY of a battery for up to seven (7) days following the completion of a battery equalizing charge. Each connected cells specific gravity must be measured prior to expiration of the 7 day allowance.

Surveillance Requirements 4.8.2.3.2.c.1 and 4.8.2.5.2.c.l provide for visual inspection of the battery cells, cell plates, and battery racks to detect any indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The non-safety grade 125V D.C. Turbine Battery is required for accident mitigation for a main steam line break within containment with a coincident loss of a vital D.C. bus. The Turbine Battery provides the alternate source of power for Inverters 1 & 2 respectively via non-safety grade Inverters 5 & 6. For the loss of a D.C. event with a coincident steam line break within containment, the feedwater regulating valves are required to close to ensure containment design pressure is not exceeded.

The Turbine Battery D.C. electrical power subsystem consists of 125-volt D.C. bus 201D and 125-volt D.C. battery bank 201D. To demonstrate OPERABILITY of this subsystem, these components must be energized and capable of performing their required safety functions.

The feedwater regulating valves require power to close. On loss of a vital D.C. bus, the alternate source of power to the vital A.C. bus via the Turbine Battery ensures power is available to the affected feedwater regulating valve such that the valve will isolate feed flow into the faulted generator. The Turbine Battery is considered inoperable when bus voltage is less than 125 volts D.C., thereby ensuring adequate capacity for isolation functions via the feedwater regulating valves during the onset of a steam line break.

The Turbine Battery Charger is not required to be included in Technical Specifications even though the Turbine Battery is needed to power backup Inverters 5 & 6 for a main steam line break inside containment coincident with a loss of a Class 1E D.C. bus. This is due to the fact that feedwater isolation occurs within seconds from the onset of the event.

MILLSTONE - UNIT 2 B 3/4 8-18 Amendment No. 188, 192, 248,

June 28, 2006 3/4.9 REFUELING OPERATIONS BASES 3/4.9 REFUELING OPERATIONS The ACTION requirements to immediately suspend various activities (CORE ALTERATIONS, fuel movement, CEA movement, etc.) do not preclude completion of the movement of a component to a safe position.

3/4.9.1 BORON CONCENTRATION The limitations on reactivity conditions during REFUELING ensure that: 1) the reactor will remain subcritical during CORE ALTERATIONS, and 2) sufficient boron concentration is maintained for reactivity control in the water volume having direct access to the reactor vessel.

These limitations are consistent with the initial conditions assumed for the boron dilution incident in the accident analyses. Reactivity control in the water volume having direct access to the reactor vessel is achieved by determining boron concentration in the refueling canal. The refueling canal is defined as the entire length of pool stretching from refuel pool through transfer canal to spent fuel pool.

The applicability is modified by a Note. The Note states that the limits on boron concentration are only applicable to the refueling canal when this volume is connected to the Reactor Coolant System (RCS). When the refueling canal is isolated from the RCS, no potential path for boron dilution exists. Prior to reconnecting portions of the refueling canal to the RCS, Surveillance 4.9.1.2 must be met. If any dilution activity has occurred while the refueling canal was disconnected from the RCS, this surveillance ensures the correct boron concentration prior to communication with the RCS.

Concerning the ACTION statement, operations that individually add limited positive reactivity (e.g., temperature fluctuations from inventory addition or temperature control fluctuations), but when combined with all other operations affecting core reactivity (e.g., intentional boration) result in overall net negative reactivity addition, are not precluded by this ACTION.

3/4.9.2 INSTRUMENTATION The OPERABILITY of the source range neutron flux monitors ensures that redundant monitoring capability is available to detect changes in the reactivity condition of the core.

Concerning ACTION a., with only one SRM OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1 must be suspended immediately.

Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that which would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Performance of ACTION a. shall not preclude completion of movement of a component to a safe position.

MILLSTONE - UNIT 2 B 3/4 9-1 Amendment No. 72, 114, 150, 201, 245, 263, 293

LBDCR 15-MP2-012 January 19, 2016 REFUELING OPERATIONS BASES (continued) 3/4.9.3 DECAY TIME The minimum requirement for reactor subcriticality prior to movement of irradiated fuel ensures that sufficient time has elapsed to allow the radioactive decay of the short-lived fission products so that the calculated radiological dose consequences of the fuel handling accident are bounding.

3/4.9.4 CONTAINMENT PENETRATIONS The requirements on containment penetration closure and OPERABILITY ensure that a release of radioactive material within containment to the environment will be minimized. The OPERABILITY, closure restrictions, and administrative controls are sufficient to minimize the release of radioactive material from a fuel element rupture based upon the lack of containment pressurization potential during the movement of irradiated fuel assemblies within containment.

The containment purge valves are containment penetrations and must satisfy all requirements specified for a containment penetration.

Containment penetrations, including the personnel airlock doors and equipment door, can be open during the movement of irradiated fuel provided that sufficient administrative controls are in place such that any of these containment penetrations can be closed within 30 minutes.

Following a Fuel Handling Accident, each penetration, including the equipment door, is closed such that a containment atmosphere boundary can be established. However, if it is determined that closure of all containment penetrations would represent a significant radiological hazard to the personnel involved, the decision may be made to forgo the closure of the affected penetration(s).

The containment atmosphere boundary is established when any penetration which provides direct access to the outside atmosphere is closed such that at least one barrier between the containment atmosphere and the outside atmosphere is established. Additional actions beyond establishing the containment atmosphere boundary, such as installing flange bolts for the equipment door or a containment penetration, are not necessary.

Administrative controls for opening a containment penetration require that one or more designated persons, as needed, be available for isolation of containment from the outside atmosphere. Procedural controls are also in place to ensure cables or hoses which pass through a containment opening can be quickly removed. The location of each cable and hoses isolation device for those cables and hoses which pass through a containment opening is recorded to ensure timely closure of the containment boundary. Additionally, a closure plan is developed for each containment opening which includes an estimated time to close the containment opening. A log of personnel designated for containment closure is maintained, including identification of which containment openings each person has responsibility for closing. As necessary, equipment will be pre-staged to support timely closure of a containment penetration.

MILLSTONE - UNIT 2 B 3/4 9-1a Amendment No. 72, 114, 150, 201, 240, 245, 284

September 20, 2004 REFUELING OPERATIONS BASES (continued) 3/4.9.4 CONTAINMENT PENETRATIONS (Continued)

Prior to opening a containment penetration, a review of containment penetrations currently open is performed to verify that sufficient personnel are designated such that all containment penetrations can be closed within 30 minutes. Designated personnel may have other duties, however, they must be available such that their assigned containment openings can be closed within 30 minutes. Additionally, each new work activity inside containment is reviewed to consider its effect on the closure of the equipment door, personnel air lock, and/or other open containment penetrations. The required number of designated personnel are continuously available to perform closure of their assigned containment openings whenever irradiated fuel is being moved within the containment.

Administrative controls are also in place to ensure that the containment atmosphere boundary is established if adverse weather conditions which could present a potential missile hazard threaten the plant. Weather conditions are monitored during irradiated fuel movement whenever a containment penetration, including the equipment door and personnel air lock, is open and a storm center is within the plant monitoring radius of 150 miles.

The administrative controls ensure that the containment atmosphere boundary can be quickly established (i.e., within 30 minutes) upon determining that adverse weather conditions exist which pose a significant threat to the Millstone Site. A significant threat exists when a hurricane warning or tornado warning is issued which applies to the Millstone Site, or if an average wind speed of 60 miles an hour or greater is recorded by plant meteorological equipment at the meteorological tower. If the meteorological equipment is inoperable, information from the National Weather Service can be used as a backup in determining plant wind speeds. Closure of containment penetrations, including the equipment door and personnel air lock door, begin immediately upon determination that a significant threat exists.

When severe weather conditions which could generate a missile are within the plant monitoring radius, containment and spent fuel pool penetrations are closed to establish the containment atmosphere boundary.

3/4.9.5 DELETED MILLSTONE - UNIT 2 B 3/4 9-1b Amendment No. 284

LBDCR 14-MP2-017 January 8, 2015 REFUELING OPERATIONS BASES 3/4.9.6 DELETED 3/4.9.7 DELETED 3/4.9.8 SHUTDOWN COOLING AND COOLANT CIRCULATION In MODE 6 the shutdown cooling trains are the primary means of heat removal. One SDC train provides sufficient heat removal capability. However, to provide redundant paths for heat removal either two SDC trains are required to be OPERABLE and one SDC train must be in operation, or one SDC train is required to be OPERABLE and in operation with the refueling cavity water level 23 feet above the reactor vessel flange. This volume of water in the refueling cavity will provide a large heat sink in the event of a failure of the operating SDC train. Any exception to these requirements are contained in the LCO Notes.

An OPERABLE SDC train, for plant operation in MODE 6, includes a pump, heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine RCS temperature. In addition, sufficient portions of the Reactor Building Closed Cooling Water (RBCCW) and Service Water (SW) Systems are available to provide cooling to the SDC heat exchanger. The flow path starts at the RCS hot leg and is returned to the RCS cold legs.

Management of gas voids is important to SDC System OPERABILITY. An OPERABLE SDC train consists of the following equipment:

1. An OPERABLE SDC pump (low pressure safety injection pump);

2. The associated SDC heat exchanger from the same facility as the SDC pump;

3. An RBCCW pump, powered from the same facility as the SDC pump, and RBCCW heat exchanger capable of cooling the associated SDC heat exchanger;

4. A SW pump, powered from the same facility as the SDC pump, capable of supplying cooling water to the associated RBCCW heat exchanger; and

5. All valves required to support SDC System operation are in the required position or are capable of being placed in the required position.

In MODE 6, two OPERABLE SDC trains require 2 SDC pumps, 2 SDC heat exchangers, 2 RBCCW pumps, 2 RBCCW heat exchangers, and 2 SW pumps. In addition, 2 RBCCW headers are required to provide cooling to the SDC heat exchangers, but only 1 SW header is required to support the SDC trains. The equipment specified is sufficient to address a single active failure of the SDC System and associated support systems.

MILLSTONE - UNIT 2 B 3/4 9-2 Amendment No. 69, 71, 117, 185, 240, 245, 249, Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 REFUELING OPERATIONS BASES 3/4.9.8 SHUTDOWN COOLING AND COOLANT CIRCULATION (Continued)

In addition, two SDC trains can be considered OPERABLE, with only one 125-volt D.C.

bus train OPERABLE, in accordance with Limiting Condition for Operation (LCO) 3.8.2.4.

2-SI-306 and 2-SI-657 are both powered from the same 125-volt D.C. bus, on Facility 1. Should these valves reposition due to a loss of power, SDC would no longer be aligned to cool the RCS.

However, a designated operator is assigned to reposition these valves as necessary in the event 125-volt D.C. power is lost. Consistent with the bases for LCO 3.8.2.4, the 125-volt D.C. support system operability requirements for both trains of SDC are satisfied in MODE 6 with at least one 125-volt D.C. bus train OPERABLE and the 125-volt D.C. buses cross-tied.

Either SDC pump may be aligned to the refueling water storage tank (RWST) to support filling the fueling cavity or for performance of required testing. A SDC pump may also be used to transfer water from the refueling cavity to the RWST. In addition, either SDC pump may be aligned to draw a suction on the spent fuel pool (SFP) through 2-RW-11 and 2-SI-442 instead of the normal SDC suction flow path, provided the SFP transfer canal gate valve 2-RW-280 is open under administrative control (e.g., caution tagged). When using this alternate SDC flow path, it will be necessary to secure the SFP cooling pumps, and limit SDC flow as specified in the appropriate procedure, to prevent vortexing in the suction piping. The evaluation of this alternate SDC flow path assumed that this flow path will not be used during a refueling outage until after the completion of the fuel shuffle such that approximately one third of the reactor core will contain new fuel. By waiting until the completion of the fuel shuffle, sufficient time (at least 14 days from reactor shutdown) will have elapsed to ensure the limited SDC flow rate specified for this alternate lineup will be adequate for decay heat removal from the reactor core and the spent fuel pool. In addition, CORE ALTERATIONS shall be suspended when using this alternate flow path, and this flow path should only be used for short time periods, approximately 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . If the alternate flow path is expected to be used for greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , or the decay heat load will not be bounded as previously discussed, further evaluation is required to ensure that this alternate flow path is acceptable.

These alternate lineups do not affect the OPERABILITY of the SDC train. In addition, these alternate lineups will satisfy the requirement for a SDC train to be in operation if the minimum required SDC flow through the reactor core is maintained.

SDC System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the required SDC loop(s) and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.

MILLSTONE - UNIT 2 B 3/4 9-2a Amendment No. 69, 71, 117, 185, 240, 245, 249, 284, 293, Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 REFUELING OPERATIONS BASES 3/4.9.8 SHUTDOWN COOLING AND COOLANT CIRCULATION (Continued)

Surveillance Requirement 4.9.8.1.2 and 4.9.8.2.3 are performed for SDC System locations susceptible to gas accumulation and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.

The monitoring frequency takes into consideration the gradual nature of gas accumulation in the SDC System piping and the procedural controls governing system operation. The frequency is controlled by the Surveillance Frequency Control Program. The surveillance frequency may vary by each locations susceptibility to gas accumulation.

In MODE 6, with the refueling cavity filled to 23 feet above the reactor vessel flange, both SDC trains may not be in operation for up to 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in each 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period, provided no operations are permitted that would dilute the RCS boron concentration by introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1. Boron concentration reduction with coolant at boron concentrations less than required to assure the RCS boron concentration is maintained is prohibited because uniform concentration distribution cannot be ensured without forced circulation. This permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles, and RCS to SDC isolation valve testing. During this 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months period, decay heat is removed by natural convection to the large mass of water in the refueling pool.

In MODE 6, with the refueling cavity filled to 23 feet above the reactor vessel flange, both SDC trains may also not be in operation for local leak rate testing of the SDC cooling suction line (containment penetration number 10) or to permit maintenance on valves located in the common SDC suction line. This will allow the performance of required maintenance and testing that otherwise may require a full core offload. In addition to the requirement prohibiting operations that would dilute the RCS boron concentration by introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1, CORE ALTERATIONS are suspended and all containment penetrations providing direct access from the containment atmosphere to outside atmosphere must be closed. The containment purge valves are containment penetrations and must satisfy all requirements specified for a containment penetration.

MILLSTONE - UNIT 2 B 3/4 9-2b Amendment No. 69, 71, 117, 185, 240, 245, 249, 293

LBDCR 14-MP2-017 January 8, 2015 REFUELING OPERATIONS BASES 3/4.9.8 SHUTDOWN COOLING AND COOLANT CIRCULATION (Continued)

No time limit is specified to operate in this configuration. However, factors such as scope of the work, decay heat load/heatup rate, and RCS temperature should be considered to determine if it is feasible to perform the work. Prior to using this provision, a review and approval of the evolution by the Facility Safety Review Committee (FSRC) is required. This review will evaluate current plant conditions and the proposed work to determine if this provision should be used, and to establish the termination criteria and appropriate contingency plans. During this period, decay heat is removed by natural convection to the large mass of water in the refueling pool.

In Mode 6, with the refueling cavity filled to > 23 feet above the reactor vessel flange and the required shutdown cooling train inoperable or not in operation (with the exceptions provided in the note following LCO 3.9.8.1), there will be no forced circulation to provide mixing to ensure uniform boron concentration distribution. Suspending positive reactivity additions that could result in failure to meet the boron concentration limit in accordance with LCO 3.9.1 is required to assure continued safe operation. Also, actions shall be taken immediately to suspend loading irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core.

A minimum refueling water level of 23 feet above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase the decay heat load, such as loading an irradiated fuel assembly, is a prudent action under this condition. However, suspension of loading irradiated fuel assemblies shall not preclude completion of movement of an irradiated fuel assembly to a safe position outside the core.

The requirement that at least one shutdown cooling loop be in operation at 1000 gpm ensures that (1) sufficient cooling capacity is available to remove decay heat and maintain the water in the reactor pressure vessel below 140F as required during the REFUELING MODE, (2) sufficient coolant circulation is maintained through the reactor core to minimize the effects of a boron dilution incident and prevent boron stratification, and (3) is consistent with boron dilution analysis assumptions. The 1000 gpm shutdown cooling flow limit is the minimum analytical limit. Plant operating procedures maintain the minimum shutdown cooling flow at a higher value to accommodate flow measurement uncertainties.

Average Coolant Temperature (Tavg) values are derived under shutdown cooling conditions, using the designated formula for use in Unit 2 operating procedures.

SDC flow greater than 1000 gpm: (SDCoutlet + SDCinlet) / 2 = Tavg MILLSTONE - UNIT 2 B 3/4 9-2c Amendment No.

Acknowledged By NRC July 5, 2007

LBDCR 14-MP2-017 January 8, 2015 REFUELING OPERATIONS BASES 3/4.9.8 SHUTDOWN COOLING AND COOLANT CIRCULATION (Continued)

During SDC only operation, there is no significant flow past the loop RTDs. Core inlet and outlet temperatures are accurately measured during those conditions by using T351Y, SDC return to RCS temperature indication, and T351X, RCS to SDC temperature indication. The average of these two indicators provides a temperature that is equivalent to the average RCS temperature in the core.

T351X will not be available when using the alternate SDC suction flow path from the SFP.

Substitute temperature monitoring capability shall be established to provide indication of reactor core outlet temperature. A portable temperature device can be used to indicate reactor core outlet temperature. Indication of reactor core outlet temperature from this temporary device shall be readily available to the control room personnel. A remote television camera or an assigned individual are acceptable alternative methods to provide this indication to control room personnel.

3/4.9.9 AND 3/4.9.10 DELETED 3/4.9.11 AND 3/4.9.12 WATER LEVEL-REACTOR VESSEL AND STORAGE POOL WATER LEVEL The restrictions on minimum water level ensure that sufficient water depth is available to remove 99% of the assumed 10% iodine gap activity released from the rupture of an irradiated fuel assembly. The minimum water depth is consistent with the assumptions of the accident analysis.

MILLSTONE - UNIT 2 B 3/4 9-2d Amendment No.

September 20, 2004 REFUELING OPERATIONS BASES 3/4.9.13 DELETED 3/4.9.14 DELETED 3/4.9.15 DELETED MILLSTONE - UNIT 2 B 3/4 9-3 Amendment No. 30, 109, 117, 153, 157, 172, 208, 245, 284

September 20, 2004 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 3/4 9-3a Amendment No. 30, 109, 117, 153, 157, 172, 208, 245, 284

LBDCR 12-MP2-008 December 4, 2012 REFUELING OPERATIONS BASES (Continued) 3/4.9.16 SHIELDED CASK The limitations of this specification ensure that in the event of a shielded cask drop accident the doses from ruptured fuel assemblies will be within the assumptions of the safety analyses.

3/4.9.17 SPENT FUEL POOL BORON CONCENTRATION The limitations of this specification ensures that sufficient boron is present to maintain spent fuel pool Keff 0.95 under accident conditions.

Postulated accident conditions which could cause an increase in spent fuel pool reactivity are: a single dropped or mis-loaded fuel assembly, or Non-standard Fuel Configuration, or a multiple mis-load of fuel assemblies. A spent fuel pool soluble boron concentration of 2100 ppm is sufficient to ensure Keff 0.95 under these postulated accident conditions. The required spent fuel pool soluble boron concentration is 2100 ppm. The ACTION statement ensures that if the soluble boron concentration falls below the required amount, fuel assembly or Non-standard Fuel Configuration movement or shielded cask movement is stopped, until the boron concentration is restored to within limits.

An additional basis of this LCO is to establish 2100 ppm as the minimum spent fuel pool soluble boron concentration which is sufficient to ensure that the design basis value of 600 ppm soluble boron is not reached due to a postulated spent fuel pool boron dilution event. As part of the spent fuel pool criticality design, a spent fuel soluble boron concentration of 600 ppm is sufficient to ensure Keff 0.95, provided all fuel is stored consistent with LCO requirements (the actual analysis conservatively shows that 550 ppm is sufficient to ensure Keff 0.95). By maintaining the spent fuel pool soluble boron concentration 2100 ppm, sufficient time is provided to allow the operators to detect a boron dilution event, and terminate the event, prior to the spent fuel pool being diluted below 600 ppm. In the unlikely event that the spent fuel pool soluble boron concentration is decreased to 0 ppm, Keff will be maintained <1.00, provided all fuel is stored consistent with LCO requirements. The ACTION statement ensures that if the soluble boron concentration falls below the required amount, that immediate action is taken to restore the soluble boron concentration to within limits, and that fuel assembly or Non-standard Fuel Configuration movement or shielded cask movement is stopped. Fuel assembly or Non-standard Fuel Configuration movement and shielded cask movement is stopped to prevent the possibility of creating an accident condition at the same time that the minimum soluble boron is below limits for a potential boron dilution event.

MILLSTONE - UNIT 2 B 3/4 9-3b Amendment No. 30, 109, 117, 153, 157, 172, 208, 245, 274, 284, Acknowledged By NRC July 5, 2007

LBDCR 12-MP2-008 December 4, 2012 REFUELING OPERATIONS BASES (Continued)

The surveillance of the spent fuel pool boron concentration within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of fuel assembly or Non-standard Fuel Configuration movement or cask movement over the cask layout area, verifies that the boron concentration is within limits just prior to the movement. The periodic surveillance interval is controlled under the Surveillance Frequency Control Program.

MILLSTONE - UNIT 2 B 3/4 9-3c Amendment No. 30, 109, 117, 153, 157, 172, 208, 245, 274, 284, Acknowledged By NRC July 5, 2007

LBDCR 12-MP2-008 December 4, 2012 REFUELING OPERATIONS BASES 3/4.9.18 SPENT FUEL POOL - STORAGE The limitations described by Figure 3.9-1A, Figure 3.9-1B, Figure 3.9-1C, Figure 3.9-1D, and Figure 3.9-1E ensure that the reactivity of fuel assemblies introduced into Regions 2, 3, and 4 spent fuel racks is conservatively within the assumptions of the safety analysis.

In addition, the requirement that Region 3 fuel assemblies contain Borated Stainless Steel Poison Rodlets or a fuel length, full strength Control Element Assembly ensures that the reactivity of fuel assemblies is conservatively within the assumptions of the criticality analysis. Note that the full length, reduced strength Control Element Assemblies used in Cycle 1 through 6 (Control Element Assemblies with serial numbers 66 through 73, inclusive) and the part length Control Element Assemblies used in Cycle 1 (Control Element Assemblies with identifier letters A through H, inclusive) do not satisfy this requirement, and thus are not to be used in Region 3.

There are Non-standard Fuel Configurations and non-fuel components present in the fuel storage racks. Each region of the SFP is designed to permit storage of these items, except for the Restricted Locations. Each of the Non-standard Fuel Configurations must have a separate criticality analysis which may allow storage in one or multiple Regions, and which may or may not require Borated Stainless Steel Poison Rodlets or a Control Element Assembly if stored in Region 3.

3/4.9.19 SPENT FUEL POOL - STORAGE PATTERN The limitations of this specification ensure that the reactivity condition of the Regions 1, 2, and 4 storage racks and spent fuel pool Keff will remain less than or equal to 0.95.

Maintaining empty the fuel storage rack locations designated as Restricted Locations (Figure 3.9-2) helps assure that Keffwill remain 0.95 under all postulated normal and accident conditions.

3/4.9.20 SPENT FUEL POOL - CONSOLIDATION The limitations of these specifications ensure that the decay heat rates and radioactive inventory of the candidate fuel assemblies for consolidation are conservatively within the assumptions of the safety analysis.

MILLSTONE - UNIT 2 B 3/4 9-4 Amendment No. 117, 153, 158, 172, 274

REVERSE OF PAGE B 3/4 9-4 INTENTIONALLY LEFT BLANK

September 25, 2003 3.4.10 SPECIAL TEST EXCEPTIONS BASES 3/4.10.1 SHUTDOWN MARGIN This special test exception provides that a minimum amount of CEA worth is immediately available for reactivity control or that the reactor is sufficiently subcritical so as to provide safe operating conditions when tests are performed for CEA worth measurement. This special test exception is required to permit the periodic verification of the actual versus predicted core reactivity condition occuring as a result of fuel burnup or fuel cycling operations.

3/4.10.2 GROUP HEIGHT AND INSERTION LIMITS This special test exception permits individual CEAs to be positioned ouside of their normal group heights and insertion limits during the performance of such PHYSICS TESTS as those required to 1) measure CEA worth and 2) determine the reactor stability index and damping factor under xenon oscillation conditions.

MILLSTONE - UNIT 2 B 3/4 10-1 Amendment No. 5, 280

October 27, 1977 27 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 3/4 10-2

November 28, 2000 3/4.11 DELETED BASES 3/4.11.1 DELETED 3/4.11.1 DELETED 3/4.11.1 DELETED MILLSTONE - UNIT 2 B 3/4-11-1 Amendment No. 104, 250

November 28, 2000 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 3/4 11-2 Amendment No. 104, 194, 250

November 28, 2000 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 3/4 11-3 Amendment No. 104, 250

November 28, 2000 THIS PAGE INTENTIONALLY LEFT BLANK MILLSTONE - UNIT 2 B 3/4-11-4 Amendment No. 104, 250

August 1, 1975 SECTION 5.0 DESIGN FEATURES

ML23040A046

Text

Navigation menu

Search