Text

License Amendment Request Applicable to Technical Specifications 3.8.1, AC Sources-Operating; and 3.8.9, Distribution Systems-Operating
	ML042930781
Person / Time
Site:	Mcguire, McGuire
Issue date:	10/11/2004
From:	Gordon Peterson; Duke Power Co
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	WCAP-15622
	Download: ML042930781 (139)
	v • d • e

Duke GARY R. PETERSON

rPowere Vice President A Duke Energy Company McGuire Nuclear Station Duke Power MG01 VP / 12700 Hagers Ferry Road Huntersville, NC 28078-9340 704 875 5333 704 875 4809 fax October 11, 2004 grpeters@duke-energy.com U. S. Nuclear Regulatory Commission Washington, DC 20555-0001 ATTENTION: Document Control Desk

SUBJECT:

Duke Energy Corporation McGuire Nuclear Station Units 1 and 2 Docket Nos. 50-369 and 50-370 License Amendment Request Applicable to Technical Specifications 3.8.1, AC Sources-Operating; and 3.8.9, Distribution Systems-Operating AC Electrical Power System Completion Times (WCAP-15622), Surveillance Requirements Modifications, and Elimination of Surveillance Requirements MODE Restrictions Pursuant to 10 CFR 50.90, attached is a Duke Energy Corporation (Duke) license amendment request (LAR) for the McGuire Nuclear Station Facility Operating Licenses and

.. Technical Specifications (TS). This LAR applies to TS 3.8.1, AC Sources-Operating; and TS 3.8.9, Distribution Systems-Operating. The changes proposed in this LAR extend several Completion Times (CT) and modify several Surveillance Requirement (SR) NOTES contained in these TS.

This LAR is consistent with a topical report1 prepared by the Westinghouse Electric Company in conjunction with the Westinghouse Owners Group, and it is also based upon two Industry/Technical Specifications Task Force (TSTF)

Standard TS (STS) travelers2 3 . Additionally, this LAR corrects a recently identified non-conservative situation that currently exists with SR 3.8.1.4 which is applicable to the McGuire Emergency Diesel Generators.

WCAP-15622, Risk-lnforincd Evialuation of Extensions to AC Electrical Power Systenm Completion Ar 0 Times. ./A'& )

2 TSTFA 17, Rev. 0, A C Electrical Powver Systenm Completion Times (WCA P- 15622).

3 TSTF-283-A, Rev. 3, Mfodify Section 3.8 MODE Restriction Notes.

www.duke-energy.com

U. S. Nuclear Regulatory Commission October 11, 2004 Page 2 The contents of this submittal package are as follows:

An Affidavit is included within this cover letter.

Attachment 1 provides a marked copy of the existing Technical Specifications and Bases for McGuire Units 1 and 2. These marked copies show the proposed changes.

Attachment 2 provides the reprinted Technical Specifications and Bases pages for McGuire Units 1 and 2.

Attachment 3a provides a Description of the Proposed Changes and Technical Justification for the risk-informed portions of this LAR.

Attachment 3b provides a Description of the Proposed Change and Technical Justification for the portion of this LAR that is applicable to SR 3.8.1.4.

Attachment 4 provides Duke's McGuire-specific responses to NRC requests for additional information.

Attachment 5 provides a list of reference documents applicable to this LAR submittal package.

Pursuant to 10 CFR 50.92, Attachment 6 documents Duke's determination that this LAR contains No Significant Hazards Considerations.

Pursuant to 10 CFR 51.22(c)(9), Attachment 7 provides the basis for the categorical exclusion from performing an Environmental Assessment/Impact Statement for this LAR.

Implementation of this LAR in the Facility Operating Licenses and Technical Specifications will not impact the McGuire Updated Final Safety Analysis Report (UFSAR). Duke is requesting NRC review and approval of this submittal by

U. S. Nuclear Regulatory Commission October 11, 2004 Page 3 October 1, 2005 with overall implementation to take place 90 days after completion of the lEOC17 Refueling Outage (which is the Fall 2005 Outage on Unit 1). Note that the changes which correct the non-conservatism in SR 3.8.1.4 will be implemented within the NRC's standard 30-day grace period. Administratively, this non-conservatism has already been corrected in the station procedures. This submittal document contains no additional regulatory commitments.

In accordance with Duke administrative procedures and Quality Assurance Program Topical Report, this LAR has been reviewed and approved by the McGuire Plant Operations Review Committee. This LAR has also been reviewed and approved by the Duke Nuclear Safety Review Board. Pursuant to 10 CFR 50.91, a copy of this LAR is being sent to the designated official of the State of North Carolina.

Inquiries on this matter should be directed to J. S. Warren at (704) 875-5171.

Very truly yours, G. R. Peterson Attachments

U. S. Nuclear Regulatory Commission October 11, 2004 Page 4 xc w/Attachments:

W. D. Travers U. S. Nuclear Regulatory Commission Regional Administrator, Region II Atlanta Federal Center 61 Forsyth St., SW, Suite 23T85 Atlanta, GA 30303 J. J. Shea (Addressee Only)

NRC Project Manager (MNS)

U. S. Nuclear Regulatory Commission Mail Stop 0-8 H12 Washington, DC 20555-0001 J. B. Brady Senior Resident Inspector (MNS)

U. S. Nuclear Regulatory Commission McGuire Nuclear Site B. 0. Hall, Section Chief Radiation Protection Section 1645 Mail Service Center Raleigh, NC 27699-1645

U. S. Nuclear Regulatory Commission October 11, 2004 Page 5 G. R. Peterson, affirms that he is the person who subscribed his name to the foregoing statement, and that all the matters and facts set forth herein are true and correct to the best of his knowledge.

G. R. Peers&, Site Vice President Subscribed and sworn to me: Oc,4 bar 1L, 20og Date (H&d 5<6'@&ry2 , Notary Public My commission expires: . 14u51 /2, 6504' 1.I Date SEAL

Attachment 1 McGuire Units 1 and 2 Technical Specifications Marked Copy

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. (continued) A.3 Restore offsite circuit to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OPERABLE status.

AND 1 ays from discovery of failure to meet LCO B. One DG inoperable. 8.1 Perform SR 3.8.1.1 for the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months offsite circuit(s).

AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND B.2 Declare required feature(s) 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from supported by the discovery of inoperable DG inoperable Condition B when its required concurrent with redundant feature(s) is inoperability of inoperable. redundant required feature(s)

AND B.3.1 Determine OPERABLE DG is not inoperable due to common cause failure.

OR 8.3.2 Perform SR 3.8.1.2 for OPERABLE DG.

AND (continued)

McGuire Units 1 and 2 3.8.1 -2 Amendment Nos. EEX

AC Sources - Operating 3.8.1 ACTIONS CONDITION l REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG to OPERABLE status.

AND discovery of failure to meet LCO t 1 C. Two offsite circuits C.1 Declare required feature(s) 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from inoperable. inoperable when its discovery of redundant required Condition C feature(s) is inoperable. concurrent with inoperability of redundant required feature(s)

AND C.2 Restore one offsite circuit 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to OPERABLE status.

(continued)

McGuire Units 1 and 2 3.8.1-3 Amendment Nos.'4J

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.3 ------------------ -NOTES----------- -----------

1. DG loadings may include gradual loading as recommended by the manufacturer.

2. Momentary transients outside the load range do not invalidate this test.

3. This Surveillance shall be conducted on only one DG at a time.

4. This SR shall be preceded by and immediately follow without shutdown a successful performance of SR 3.8.1.2 or SR 3.8.1.7.

Verify each DG is synchronized and loaded and operates 31 days for Ž 60 minutes at a load 2 3600 kW and

4000 kW.

SR 3.8.1.4 Verify each day tank contains J u I oil. 31 days SR 3.8.1.5 Check for and remove accumulated water from each day 31 days tank.

SR 3.8.1.6 Verify the fuel oil transfer system operates to 31 days automatically transfer fuel oil from storage tank to the day tank.

(continued)

McGuire Units 1 and 2 3.8.1 -6 Amendment Nos.m s.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.7 )-- & tb.- --------- ------------------

All DG starts may be preceded by an engine prelube period.

Verify each DG starts from standby condition and 184 days achieves in

11 seconds voltage of 2 3740 V and frequency of 2 57 Hz and maintains steady state voltage 2 3740 V and

4580 V, and frequency 2 58.8 Hz and

61.2 Hz.

SR 3.8.1.8 --------------------------------NOTES- -----------------------

This Surveillance shall no Mbe performed in MODE 1 or 2. tJ Verify automatic and ma raneof AC power 18 months sources from the normal offsite circuit to each alternate offsite circuit.

(continued)

McGuire Units 1 and 2 3.8.1 -7 Amendment Nos.A

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.11 --------- ------- NOTES-------------------------

1. All DG starts may be preceded by an engine prelube period.

2. This Surveillance shall-nobe performed in MODE 1, 2, 3, or 4.,_

-- -- -_ -- -- __-- _---_- 18T 2n\

Verify on an actual or simulated loss of offsite power 18 months signal:

a. De-energization of emergency buses;

b. Load shedding from emergency buses;

c. DG auto-starts from standby condition and:

1. energizes the emergency bus in

11 seconds,

2. energizes auto-connected blackout loads through automatic load sequencer,

3. maintains steady state voltage 2 3740 V and* 4580 V,

4. maintains steady state frequency 2 58.8 Hz and < 61.2 Hz, and

5. supplies auto-connected blackout loads for 2 5 minutes.

(continued)

McGuire Units 1 and 2 3.8.1-9 Amendment Nos. 5

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY 4-SR 3.8.1.15 ---------------------------- NOTES---------------------------

1. This Surveillance shall be performed within 5 minutes of shutting down the DG after the DG has operated 2 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loaded Ž 3600 kW and

< 4000 kW.

Momentary transients outside of load range do not invalidate this test.

2. All DG starts may be preceded by an engine prelube period.

Verify each DG starts and achieves, in 5 11 seconds, 18 months voltage 2 3740 V, and frequency Ž 57 Hz and maintains steady state voltage Ž 3740 V and

4580 V and frequency Ž 58.8 Hz and

61.2 Hz.

4.

SR 3.8.1.16 -------------------------- N---CN This Surveillance shall no, or 4. Y r Verify each DG: 18 months

a. Synchronizes with offsite power source while loaded with emergency loads upon a simulated restoration of offsite power;

b. Transfers loads to offsite power source; and

c. Returns to standby operation.

(continued)

McGuire Units 1 and 2 3.8.1 -12 Amendment Nos.-E

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.17 N9TES-----------------------------

This Surveillance shall nogperformed in MODE 1, 2, 3, or4.+

o r 4E b-- r M tI I2 1 Verify, with a DG operating in test mode and connected 18 months to its bus, an actual or simulated ESF actuation signal overrides the test mode by:

a. Returning DG to standby operation; and

b. Automatically energizing the emergency load from offsite power.

SR 3.8.1.18 Verify interval between each sequenced load block is 18 months within design interval for each automatic load sequencer.

(continued)

McGuire Units 1 and 2 3.8.1-13 Amendment Nos. E52

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.19 ---------------------------- NOTES---------------------------

1. All DG starts may be preceded by an engine prelube period.

2. This Surveillance shall notabe performed in MODE1,2,3,or4. A a-Elsi Verify on an actual or simulated loss of offsite power 18 months signal in conjunction with an actual or simulated ESF actuation signal:

a. De-energization of emergency buses;

b. Load shedding from emergency buses; and

c. DG auto-starts from standby condition and:

1. energizes the emergency bus in

11 seconds,

2. energizes auto-connected emergency loads through load sequencer,

3. achieves steady state voltage 2 3740 V and

4580 V,

4. achieves steady state frequency > 58.8 Hz and

61.2 Hz, and

5. supplies auto-connected emergency loads for 2 5 minutes.

(continued)

McGuire Units 1 and 2 3.8.1 -14 Amendment Nos.L0D

INSERT 1 However, this Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

INSERT 2 However, portions of the Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

Distribution Systems - Operating 3.8.9 3.8 ELECTRICAL POWER SYSTEMS 3.8.9 Distribution Systems -Operating LCO 3.8.9 Train A and Train B AC, four channels of DC, and four AC vital buses electrical power distribution subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2,3, and 4.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more AC A.1 Restore AC electrical 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months electrical power power distribution distribution subsystem(s) subsystem(s) to AND ,

inoperable. OPERABLE status.

hours from iscovery of failure to meet LCO B. One AC vital bus B.1 Restore AC vital bus hu inoperable. subsystem to OPERABLE status. AND hours from discovery of failure to meet LCO (continued)

McGuire Units 1 and 2 3.8.9-1 Amendment Nos.Eig

Distribution Systems - Operating 3.8.9 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One channel of DC C.1 Restore DC channel of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months electrical power electrical power distribution distribution subsystem subsystem to OPERABLE AND S3t inoperable. status.

hours from iscovery of failure to meet LCO D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion Time not met. AND D.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months E. Two trains with E.1 Enter LCO 3.0.3. Immediately inoperable distribution subsystems that result in a loss of safety function.

SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.8.9.1 Verify correct breaker alignments and voltage to AC, DC, 7 days and AC vital bus electrical power distribution subsystems.

McGuire Units 1 and 2 3.8.9-2 Amendment NosX- 7 j1'

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has off site power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3 According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A. establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable and that DG is subsequently returned OPERABLE the (/)

may ae havebeen not met for up toiH This could lead since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, e

. -: ; cutroe P BL , and an additional a 0 10 1 iis alle prior compIElete restoration of the LCO. Theday P6"t e Gus tion Time provides a limit on the time allowed in a ecifie e4wee (c'et4AA condition after discovery of failure to meet the LCO. This limi B.,4' a Ge *considered reasonable for situations in which Conditions A and B are I 7-,4,,e,;¢ Tt ./_entered concurrentlt. The "AND" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and le. 3day I Completion Times means that both Completion Times apply simultaneously, and the more restrictive Con im m Ut an431RC s Nf got/

McGuire Units 1 and 2 B 3.8.1-7 Revision No

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued n i

'As in Req dAction . , the CompJ tion Time all ~s for an exception to the mal "time ze o" for begin g the allowe outage time Iclock.u Thisill result in es blishing the' ime zero" at e time that the LCO was alynt met, i edof at ttime Conditio! was entered.

B.1 ( 3 To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related trains. This includes motor driven auxiliary feedwater pumps. The turbine driven auxiliary feedwater pump is required to be considered a redundant required feature, and, therefore, required to be determined OPERABLE by this Required Action. Three independent AFW pumps are required to ensure the availability of decay heat removal capability for all events accompanied by a loss of offsite power and a single failure. System design is such that the remaining OPERABLE motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal 'time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A required feature on the other train (Train A or Train B) is inoperable.

McGuire Units 1 and 2 B 3.8.1-8 Revision No.

INSERT 3 Tracking the 10 day Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 10 day Completion Time, the "time zero" is specified as beginning at the time LCO 3.8.1 was initially not met, instead of at the time Condition A was entered. This results in the requirement, when in this Condition, to track the time elapsed from the both the Condition A "time zero," and the "time zero"when LCO 3.8.1 was initially not met. Refer to Section 1.3, "Completion Times," for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is Acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DG(s). If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists, and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s),

performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the problem investigation process will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under thevour constraint imposed while in Condition B.

These Conditions are not required to be entered if the inoperability of the DG is due to an inoperable support system, an independently testable component, or preplanned testing or maintenance. If required, these McGuire Units 1 and 2 B 3.8.1-9 Revision No/

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

Required Actions are to be completed regardless of when the inoperable DG is restored to OPERABLE status. ,

to G erc r - Ref. hour0to the OPERABLE DG(s) is not affected by the same problem as the inoperable DG tha In Condition B, the remaining OPERABLE DG and offsite circuits are te to supply electrical power to the onsite Class 1E Distribution System. The 2tho rCompletion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit I-pc- *4: fxsc cir iA4.son the maximum time allowed for any combination of required AC power rM9-reJ 4- 0PC~eA6Lr sources to be inoperable during any single contiguous occurrence of S4c 4 a.*4-k:,k fhe_ failing to meet the LCO. If Condition B is entered while, for instance, an rizre-4 72 Iowris,/ offsite circuit is inoperable c ssueps r

.B the LCO may alreadhave been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

~>vis could lead to a total of , since initial failure to meet the (

reLCO, to0r e-,5n2L.t At this time, an offsite circuit could again tSOCbecome inoperabe 'Cr and an additional W 4A 6 1 h 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months r f dallowed prior to complete restoration of the Lli- -teS~t'~t T LCO.oThe ay Completion Time provides a limit on time allowed in a

') , specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are <

entered concurrently. The 'AND' connector between the 2;nd

> iday Completion Ti es means that both Completion Times apply 7% s cc, simultaneously, and e more restrictive Completion Time must be met.

'f 4 + _ie

-A. As n Requi ed ActinB.2, th Compl tion Ti e allo s for an xce tion

/ ihe nor I ltim irol for ei nir the allwed I fe

c 01." This vyil result in tablish'g he Oti e zero"at the tf entha the LCew inif Ily not met /seado al hme Con ~tion B/wseshr!f

/_Sl 1 N.-5 *Atetf AS'44 Plant- Ca^t,6 t t JCA and C.2 C o d rn>.q( see- CanLkwot,-_

Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant McGuire Units 1 and 2 B 3.8.1-10 Revision No

INSERT 4 is justified in a plant-specific analysis which uses the methodology contained in WCAP-15622 (Ref. 8) and Ref. 13.

INSERT 5 The 7 days provided for operation to continue while in Condition B is justified by pla'nt-specific analysis developed using the plant-specific PRA model and the methodology contained in WCAP-15622 (Ref. 8) and Ref. 13.

INSERT 6 Tracking the 10 day Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 10 day Completion Time, the "time zero" is specified as beginning at the time LCO 3.8.1 was initially not met, instead of at the time Condition B was entered. This results in the requirement, when in this Condition, to track the time elapsed from the both the Condition B "time zero," and the "time zero"when LCO 3.8.1 was initially not met. Refer to Section 1.3, "Completion Times," for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

H.1 Condition H corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A, GDC 18 (Ref. 9).

Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Regulatory Guide 1.137 (Ref. fasaddressed in the UFSAR.

Since the McGuire DG man cturer, Nordberg, is no longer in business, McGuire engineering is the designer of record. Therefore, the term manufacturer's or vendor's recommendations is taken to mean the recommendations as determined by McGuire engineering, with specific Nordberg input as it is available, that were intended for the DGs, taking into account the maintenance, operating history, and industry experience, when available.

Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state output voltage of 3740 V is 90% of the nominal 4160 V output voltage. This value allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90%

of name plate rating. The specified maximum steady state output voltage of 4580 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to

+/- 2% of the 60 Hz nominal frequency and are derived from the recommendations given in Regulatory Guide 1.9 (Ref. 3).

McGuire Units 1 and 2 B 3.8.1-14 Revision No./

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.4 This S ovides verification that the level of fuel oil in the day tank is(

US S A! \A_ .The level is expressed as an equivalent volume in gallons, and is adequate for

<e A ; T approximately 30 minutes of DG operation at full load.

< eJ, ? ~ l The 31 day Frequency is adequate to assure that a sufficient supply of s.t1 :pfuel oil is available, since low level alarms are provided and facility l operators would be aware of any large uses of fuel oil during this period.

5~~ ~ , R 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are

4. numerous bacteria that can grow in fuel oil and cause fouling, but all must i Chave a water environment in order to survive. Removal of water from the

4. t fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of e 4- controlling microbiological fouling. In addition, it eliminates the potential

=

x Sfor water entrainment in the fuel oil during DG operation. Water may S come from any of several sources, including condensation, ground water, 4- vrain water, contaminated fuel oil, and breakdown of the fuel oil by 9 bacteria. Frequent checking for and removal of accumulated water M \minimizes fouling and provides data regarding the watertight integrity of t t the fuel oil system. The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. . This SR is for preventative maintenance. The presence of ter does not necessarily represent failure of this SR, provided the ac umulated water is removed during the SR 3.8.1.6 q ... t + L This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The design of fuel transfer systems is such that pumps operate automatically or may be started manually in order to maintain an adequate volume of fuel oil in the day tanks during or following DG testing. Therefore, a 31 day Frequency is appropriate.

McGuire Units 1 and 2 B 3.8.1-17 Revision Noyf

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads.

The 18 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is Intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.

SR 3.8.1.9 =

Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. For this unit, the single load for each DG and its kilowatt rating is as follows: Nuclear Service Water Pump which is a 576 kW motor. This Surveillance may be accomplished by:

a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or

b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

As required by Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the McGuire Units 1 and 2 B 3.8.1-18 Revision No.

INSERT 7a This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

iASsr(ZT $

SR 3.8.1.1 2 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (11 seconds) from the design basis actuation signal (LOCA signal) and operates for 2 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d ensures that the emergency bus remains energized from the offsite electrical power system on an ESF signal without loss of offsite power. This Surveillance also verified the tripping of non-essential loads. Tripping of non-essential loads is verified only once, either in this SR or in SR 3.8.1.19, since the same circuitry is tested in each SR.

The Frequency of 18 months is consistent with Regulatory Guide 1.9 (Ref. 3) Table 1 and takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. This SR is modified by a Note. The reason for the Note is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.

SR 3.8.1.1 3 This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage McGuire Units 1 and 2 B 3.8.1-21 Revision No./

INSERT 8 This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.

These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.1 6 As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.11, this Surveillance ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and the DG can be returned to standby operation when offsite power is restored. It also ensures that the autostart logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in standby operation when the DG is at rated speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timers are reset.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, and takes into consideration unit conditions required to perform the Surveillance. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

[A' EkrV 76 SR 3.8.1.17 Demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to standby operation if a LOCA actuation signal is received during operation in the test mode. Standby operation is defined as the DG running at rated speed and voltage with the DG output breaker open. These provisions for automatic switchover are required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.13. The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.1 7.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

McGuire Units 1 and 2 B 3.8.1-24 Revision No7I

INSERT 7b This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

SR 3.8.1.18 (I Under accident and loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The load sequence time interval tolerance in Table 8-16 of Reference 2 ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.

Table 8-1 of Reference 2 provides a summary of the automatic loading of ESF buses. The sequencing times of Table 8-16 are committed and required for OPERABILITY. The typical 1 minute loading duration seen by the accelerated sequencing scheme is NOT required for OPERABILITY.

Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

SR 3.8.1.19 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance verifies the de-energization of the emergency buses, load shedding from the emergency buses, tripping of non-essential loads and energization of the emergency buses and ESF loads from the DG.

Tripping of non-essential loads is verified only once, either in this SR or in SR 3.8.1.12, since the same circuitry is tested in each SR. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

McGuire Units 1 and 2 B 3.8.1-25 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency of 18 months is consistent with Regulatory Guide 1.9 (Ref. 3) Table 1.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. The reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1.

This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. UFSAR, Chapter 8. WCAP

3. Regulatory Guide 1.9, Rev. 3, July1993. MCL 00cJ

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 15.

6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).

7. Regulatory Guide 1.93, Rev. 0, December 1974.

8. l eric Litter 84-/5, Proposed St!f Acti s to I prove nd twitanpese Zneatt Rlibi20 Julh 2, 19. A

9. 10 CFR 50, Appendix A, GDC 18.

McGuire Units 1 and 2 B 3.8.1-26 / Revision No.

AC Sources-Operating B 3.8.1 BASES

10. Regulatory Guide 1.137, Rev. 1, October 1979.

)//1 EE S)4ndard,408-1 1t.)

/1 A,2. Regulatory Guide 1.6, Rev. 0, March 1971.

/2 0. Regulatory Guide 1.8,,1, Rev. 1, January 1975.

13. Letter, R. H. Bryan, WOG, to the NRC Document Control Desk,

SUBJECT:

Transmittal of RAI Responses for WCAP-15622, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, (MUHP-3010),O Dated November 27, 2002.

McGuire Units 1 and 2 B 3.8.1-27 Revision Nod(

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued) ai (CO4.'Our C)

The second Completion Time for Required Action A.1 establishes a limit the maximum time allowed for any combination of required distribution subsys ems to be inoperable during any single contiguous occurrence of failing to me the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the AC distribution system. At this time, a Fir uicouldQ become inoperable E di riWti rdsteOTF0 A his could continue indefinitely.- 6t Theompleti Time allo s for an ex ppion to t normal sti e zero for be nning th allowed o age time cl ck. This ill result in stablishinthe t f ze zero t the time e LCO was nitially no et, instea of the tim ndition was ente d. The 16 our Corn etion Time' an acceptle limitation this pot ntial fail meet the CO indefi ely B.1 With one AC vital bus inoperable, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum ESF functions not being supported. Therefq re, the required AC vital bus must be restored to OPERABLE status withi hours by powering the bus from the associated inverter via inverted DC odegula voltage transformer.

Condition B represents one AC vital bus without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses and restorinPQower to the affected vital bus.

Thishour limit is more conservative than Completion Times allowed forg s Q5l of components that are without adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter thanO hours if declared inoperable, is acceptable because of: L f?-4D

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue; McGuire Units 1 and 2 B 3.8.9-4 Revision No.

INSERT 9 and an additional 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed prior to complete restoration of the LCO, for a total of 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months .

INSERT 10 The 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A, B, and C are entered concurrently. The "AND" connector between the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Times means that both Completion times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time, the "time zone" is specified as beginning at the time LCO 3.8.9 was initially not met, instead of at the time Condition A was entered.

This results in the requirement, when in this Condition, to track the time elapsed from both the Condition A "time zero," and the "time zero when LCO 3.8.9 was initially not met. Refer to Section 1.3, "Completion Times," for more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and

c. The potential for an event in conjunction with a single failure of a redundant component.

~Th thour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this periodx "l L5n"r'eJ;S A to aPr zSL(Bet.e ? )c tA The se nd Completion Tie for Required tion B.1 establis es a limit on the imum allowed fo any combinatio of required distrib tion su ystems to be mopeable during any ingle contiguous currence of

.r&)EF.T- / l ling to meet the L . If Condition is entered while, f instance, an AC bus is inoperable d subsequently turned OPERABL, the LCO may already have be n not met for up 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This coul lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , sin initial failure of t LCO, to restore th vital bus distribution system. A is time, an AC tr n could again beco inoperable, and vit bus dist ution restored OP RABLE. This could ntinue indefinitely.

Thi ompletion Time a ws for an exception t the normal 'time zer for b ginning the allowed utage time "clock." T will result in establi ing the otime zero at the ti the LCO was initially t met, instead of th ime Condition B was e ered. The 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months Co pletion Time is an a eptable limitation on this otential to fail to meet t e LCO indefinitely.

C.1 With one DC bus in one train inoperable, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the DC buses must be restored to OPERABLE status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months by powering the bus from the associated battery or charger.

McGuire Units 1 and 2 B 3.8.9-5 Revision No./4

INSERT 11 Plant specific calculations using the plant specific Probabilistic Risk Assessment (PRA) model and the methodology contained in WCAP-15622, "Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times," are required to justify extending the Completion Times for Required Action B.1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . For Condition B, WCAP-15622 modeled only one inoperable AC vital bus. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months applies only to the first inoperable AC vital bus.

The second Completion Time for Required Action B.1 also establishes a limit on the maximum time allowed for any combination of required distribution systems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable (Condition A), the LCO may already have been not met for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . If the AC bus is restored to OPERABLE status within the required 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , this could lead to a total of 32 hours3.703704e-4 days 0.00889 hours 5.291005e-5 weeks 1.2176e-5 months since initial failure to meet the LCO, to restore compliance with the LCO (i.e., to restore the vital bus).

At this time, a DC bus could become inoperable and an additional 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months allowed prior to complete restoration of the LCO, for a total of 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months . This could continue indefinitely if not limited.

The 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A, B, and C are entered concurrently. The "AND" connector between the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time, the "time zero" is specified as beginning at the time LCO 3.8.9 was initially 1

INSERT 11 (Continued) not met, instead of at the time Condition B was entered.

This results in the requirement, when in this Condition, to track the time elapsed from both the Condition B "time zero," and the "time zero" when LCO 3.8.9 was initially not met. Refer to Section 1.3, "Completion Times," for more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

2

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

Condition C represents one DC bus without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining channels and restoring power to the affected channel.

This 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected channel; and

c. The potential for an event in conjunction with a single failure of a redundant component. 1Cons 4o-xA The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. - CS \

The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet t LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the DC distribution system. At this timev become inoperalad 1 -~ribgtion~letie t Wct

'hfomlonTime allw tor ane pIo to i ll~Iu I1 lim f

]~iningfi alwed Sae time 'clo '(. This will r sult in establish lg the Ztme ze 6at Ih timythe LCO was i i ia ly not metA stead of the lne vCnon C wa en red. The 16 W~r Completio Time is an ac p ableJ Liiainon this tential to fail meet the LC ~ndefinitelv.-

McGuire Units 1 and 2 B 3.8.9-6 Revision No. 2

INSERT 12 and an additional 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed prior to complete restoration of the LCO, for a total of 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months . This could continue indefinitely if not limited.

The 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A, B, and C are entered concurrently. The "AND" connector between the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months and 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Times means that both Completion times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time, the "time zone" is specified as beginning at the time LCO 3.8.9 was initially not met, instead of at the time Condition C was entered.

This results in the requirement, when in this Condition, to track the time elapsed from both the Condition C "time zero," and the "time zero when LCO 3.8.9 was initially not met. Refer to Section 1.3, "Completion Times," for more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

D.1 and D.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 Condition E corresponds to a level of degradation in the electrical power distribution system that causes a required safety function'to be lost. When more than one inoperable electrical power distribution subsystem results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE SR 3.8.9.1 REQUIREMENTS This Surveillance verifies that the AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus. The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC, DC, and AC vital bus electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES 1. UFSAR, Chapter 6. 1 a/

i L 7

2. UFSAR, Chapter 15.

3. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).

( Regulatory Guide 1.93, December 1974.

2RC n, WOG, to the Document Contro Des n SUBJCT:Tranmital of RAI Responses for WCAP-15622,

< Rik-Inorme Evluation of Extensions to AC Electrical Power Ad Sste Copleion ime, {UHP3010,* ate Noembr 27, 2002.

McGuire Units 1 and 2 B 3.8.9-7 Revision NoJ

Attachment 2 McGuire Units 1 and 2 Technical Specifications Reprinted Pages Remove Insert 3.8.1-2 3.8.1-2 3.8.1-3 3.8.1-3 3.8.1-6 3.8.1-6 3.8.1-7 3.8.1-7 3.8.1-9 3 . 8. 1-9 3.8.1-12 3.8.1-12 3.8.1-13 3.8. 1-13 3.8.1-14 3.8.1-14 3.8.9-1 3.8.9-1 3.8.9-2 3.8.9-2 B3.8.1-1 B3.8.1-1 thru thru B3.8.1-27 B3. 8. 1-28 B3.8.9-1 B3.8.9-1 thru thru B3.8.9-8 B3.8.9-10

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. (continued) A.3 Restore offsite circuit to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OPERABLE status.

AND 10 days from I discovery of failure to meet LCO B. One DG inoperable. B.1 Perform SR 3.8.1.1 for the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months offsite circuit(s).

AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter IAND B.2 Declare required feature(s) 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from supported by the discovery of inoperable DG inoperable Condition B when its required concurrent with redundant feature(s) is inoperability of inoperable. redundant required feature(s)

AND B.3.1 Determine OPERABLE DG 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months I is not inoperable due to common cause failure.

OR B.3.2 Perform SR 3.8.1.2 for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months I OPERABLE DG.

AND (continued)

McGuire Units 1 and 2 3.8.1 -2 Amendment Nos.

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG to OPERABLE 7 days status.

AND 10 days from discovery of failure to meet LCO C. Two offsite circuits C.1 Declare required feature(s) 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from inoperable. inoperable when its discovery of redundant required Condition C feature(s) is inoperable. concurrent with inoperability of redundant required feature(s)

AND C.2 Restore one offsite circuit 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to OPERABLE status.

(continued)

McGuire Units 1 and 2 3.8.1-3 Amendment Nos.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.3 -------------------------------- NOTES--------------------------------

1. DG loadings may include gradual loading as recommended by the manufacturer.

2. Momentary transients outside the load range do not invalidate this test.

3. This Surveillance shall be conducted on only one DG at a time.

4. This SR shall be preceded by and immediately follow without shutdown a successful performance of SR 3.8.1.2 or SR 3.8.1.7.

Verify each DG is synchronized and loaded and operates 31 days for 2 60 minutes at a load 2 3600 kW and < 4000 kW.

SR 3.8.1.4 Verify each day tank contains 2 152 gal of fuel oil. 31 days I SR 3.8.1.5 Check for and remove accumulated water from each day 31 days tank.

SR 3.8.1.6 Verify the fuel oil transfer system operates to 31 days automatically transfer fuel oil from storage tank to the day tank.

I . .

(continued)

McGuire Units I and 2 3.8.1-6 Amendment Nos.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.7 -------------------------------- NOTES--------------------------------

All DG starts may be preceded by an engine prelube period.

Verify each DG starts from standby condition and 184 days achieves in < 11 seconds voltage of 2 3740 V and frequency of 2 57 Hz and maintains steady state voltage 2 3740 V and < 4580 V, and frequency 2 58.8 Hz and

< 61.2 Hz.

SR 3.8.1.8 ------------------------------- NOTES--------------------------------

This Surveillance shall not normally be performed in MODE 1 or 2. However, this Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

Verify automatic and manual transfer of AC power 18 months sources from the normal offsite circuit to each alternate offsite circuit.

(continued)

McGuire Units 1 and 2 3.8.1-7 Amendment Nos.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.11 --------------------------------NOTES--------------------------------

1. All DG starts may be preceded by an engine prelube period.

2. This Surveillance shall not normally be performed in MODE 1, 2, 3, or 4. However, portions of the Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

Verify on an actual or simulated loss of offsite power 18 months signal:

a. De-energization of emergency buses;

b. Load shedding from emergency buses;

c. DG auto-starts from standby condition and:

1. energizes the emergency bus in

< 11 seconds,

2. energizes auto-connected blackout loads through automatic load sequencer,

3. maintains steady state voltage 2 3740 V and* 4580 V,

4. maintains steady state frequency 2 58.8 Hz and < 61.2 Hz, and

5. supplies auto-connected blackout loads for 2 5 minutes.

(continued)

McGuire Units 1 and 2 3.8.1-9 Amendment Nos.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.15 -------------------------------- NOTES--------------------------------

1. This Surveillance shall be performed within 5 minutes of shutting down the DG after the DG has operated Ž 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months loaded 2 3600 kW and

< 4000 kW.

Momentary transients outside of load range do not invalidate this test.

2. All DG starts may be preceded by an engine prelube period.

Verify each DG starts and achieves, in

11 seconds, l 18 months voltage 2 3740 V, and frequency 2 57 Hz and maintains steady state voltage Ž 3740 V and < 4580 V and frequency 2 58.8 Hz and < 61.2 Hz.

SR 3.8.1.16 ------------------------------- NOTES---------------------------------

This Surveillance shall not normally be performed in MODE 1, 2, 3, or 4. However, this Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

Verify each DG: 18 months

a. Synchronizes with offsite power source while loaded with emergency loads upon a simulated restoration of offsite power;

b. Transfers loads to offsite power source; and

c. Returns to standby operation.

(continued)

McGuire Units 1 and 2 3.8.1 -12 Amendment Nos.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.17 --------------------------------NOTES--------------------------------

This Surveillance shall not normally be performed in MODE 1, 2, 3, or 4. However, portions of the Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

Verify, with a DG operating in test mode and connected 18 months to its bus, an actual or simulated ESF actuation signal overrides the test mode by:

a. Returning DG to standby operation; and

b. Automatically energizing the emergency load from offsite power.

SR 3.8.1.18 Verify interval between each sequenced load block is 18 months within design interval for each automatic load sequencer.

(continued)

McGuire Units 1 and 2 3.8.1 -13 Amendment Nos.

AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.19 ------------------------------- NOTES--------------------------------

1. All DG starts may be preceded by an engine prelube period.

2. This Surveillance shall not normally be performed in MODE 1, 2, 3, or 4. However, portions of the Surveillance may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

Verify on an actual or simulated loss of offsite power 18 months signal in conjunction with an actual or simulated ESF actuation signal:

a. De-energization of emergency buses;

b. Load shedding from emergency buses; and

c. DG auto-starts from standby condition and:

1. energizes the emergency bus in < 11 seconds,

2. energizes auto-connected emergency loads through load sequencer,

3. achieves steady state voltage 2 3740 V and < 4580 V,

4. achieves steady state frequency 2 58.8 Hz and < 61.2 Hz, and

5. supplies auto-connected emergency loads for 2 5 minutes.

(continued)

McGuire Units 1 and 2 3.8.1-14 Amendment Nos.

Distribution Systems - Operating 3.8.9 3.8 ELECTRICAL POWER SYSTEMS 3.8.9 Distribution Systems-Operating LCO 3.8.9 Train A and Train B AC, four channels of DC, and four AC vital buses electrical power distribution subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2,3, and 4.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or more AC A.1 Restore AC electrical 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months electrical power power distribution distribution subsystem(s) subsystem(s) to AND inoperable. OPERABLE status.

34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months from I discovery of failure to meet LCO B. One AC vital bus B.1 Restore AC vital bus 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months inoperable. subsystem to OPERABLE status. AND 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months from I discovery of failure to meet LCO (continued)

McGuire Units 1 and 2 3.8.9-1 Amendment Nos.

Distribution Systems - Operating 3.8.9 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One channel of DC C.1 Restore DC channel of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months electrical power electrical power distribution distribution subsystem subsystem to OPERABLE AND inoperable. status.

34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months from I discovery of failure to meet LCO D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion Time not met. AND D.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months E. Two trains with E.1 Enter LCO 3.0.3. Immediately inoperable distribution subsystems that result in a loss of safety function.

SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.8.9.1 Verify correct breaker alignments and voltage to AC, DC, 7 days and AC vital bus electrical power distribution subsystems.

McGuire Units 1 and 2 3.8.9-2 Amendment Nos.

AC Sources-Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources-Operating BASES BACKGROUND The unit Essential Auxiliary or Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to two preferred offsite power sources and a single DG.

Offsite power is supplied to the unit switchyard(s) from the transmission network by two transmission lines. From the switchyard(s), two electrically and physically separated circuits provide AC power, through step down station auxiliary transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the UFSAR, Chapter 8 (Ref. 2).

A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus(es).

The offsite transmission systems normally supply their respective unit's onsite power supply requirements. However, in the event that one or both buslines of a unit become unavailable, or by operational desire, it is acceptable to supply that unit's offsite to onsite power requirements by aligning the affected 41 60V bus of the opposite unit via the standby transformers, SATA and SATB in accordance with Regulatory Guides 1.6 and 1.81 (Ref. 11 and 12). In this alignment, each unit's offsite transmission system could simultaneously supply its own 4160V buses and one (or both) of the buses of the other unit.

Although a single auxiliary transformer (1ATA, 1ATB, 2ATA, 2ATB) is sized to carry all of the auxiliary loads of its unit plus both trains of essential 41 60V loads of the opposite unit, the LCO would not be met in this alignment due to separation criteria.

McGuire Units 1 and 2 B 3.8.1 -1 Revision No.

AC Sources-Operating B 3.8.1 BASES BACKGROUND (continued)

Each unit's Train A and B 41 60V bus must be derived from separate offsite buslines. The first offsite power supply can be derived from any of the four buslines (1A, 1B, 2A, or 2B). The second offsite power supply must not derive its power from the same busline as the first.

Acceptable train and unit specific breaker alignment options are described below:

Unit 1 A Train

1. BL1 A-1 ATA-1 TA-1 ATC-1 ETA

2. BL1 B-1 ATB-1 TA-1 ATC-1 ETA

3. BL1 A-1 ATA-1 TC-SATA-1 ETA

4. BL1 B-1 ATB-1 TC-SATA-1 ETA

5. BL2A-2ATA-2TC-SATA-1 ETA

6. BL2B-2ATB-2TC-SATA-1 ETA Unit 1 B Train

1. BL1 B-1 ATB-1 TD-1ATD-1 ETB

2. BL1 A-1 ATA-1 TD-1 ATD-1 ETB

3. BL1 B-1 ATB-1TB-SATB-1 ETB

4. BL1 A-1 ATA-1 TB-SATB-1 ETB

5. BL2B-2ATB-2TB-SATB-1 ETB

6. BL2A-2ATA-2TB-SATB-1 ETB Unit 2 A Train

1. BL2A-2ATA-2TA-2ATC-2ETA

2. BL2B-2ATB-2TA-2ATC-2ETA

3. BL2A-2ATA-2TC-SATA-2ETA

4. BL2B-2ATB-2TC-SATA-2ETA

5. BL1 A-1 ATA-1 TC-SATA-2ETA

6. BL1 B-1 ATB-1TC-SATA-2ETA Unit 2 B Train

1. BL2B-2ATB-2TD-2ATD-2ETB

2. BL2A-2ATA-2TD-2ATD-2ETB

3. BL2B-2ATB-2TB-SATB-2ETB

4. BL2A-2ATA-2TB-SATB-2ETB

5. BL1 B-1 ATB-1TB-SATB-2ETB

6. BL1 A-1 ATA-1TB-SATB-2ETB McGuire Units 1 and 2 B 3.8.1-2 Revision No.

AC Sources-Operating B 3.8.1 BASES BACKGROUND (continued)

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer supplying offsite power to the onsite Class 1E Distribution System. Typically (via accelerated sequencing), within 1 minute after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DGs A and B are dedicated to ESF buses ETA and ETB, respectively.

A DG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation"). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an Si signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an Si signal alone. Following the trip of offsite power, a sequencer strips loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process.

Typically (via accelerated sequencing), within 1 minute after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 4000 kW with 10% overload permissible for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

APPLICABLE The initial conditions of DBA and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, McGuire Units 1 and 2 B 3.8.1-3 Revision No.

AC Sources-Operating B 3.8.1 BASES APPLICABLE SAFETY ANALYSES (continued)

Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);

and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the Accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during Accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and

b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (Ref. 6).

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Power System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.

In addition, one required automatic load sequencer per train must be OPERABLE.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

The 4.16 kV essential system is divided into two completely redundant and independent trains designated A and B, each consisting of one 4.16 kV switchgear assembly, two 4.16 kV/600 V load centers, and associated loads.

Normally, each Class 1E 4.16 kV switchgear is powered from its associated non-Class 1E train of the 6.9 kV Normal Auxiliary Power System as discussed in "6.9 kV Normal Auxiliary Power System" in Chapter 8 of the UFSAR (Ref. 2). Additionally, an alternate source of power to each 4.16 kV essential switchgear is provided from the 6.9 kV system via a separate and independent 6.9/4.16 kV transformer. Two transformers are shared between units and provide the capability to supply an alternate source of power to each unit's 4.16 kV essential switchgear from either unit's 6.9 kV system. A key interlock scheme is provided to preclude the possibility of connecting the two units together at either the 6.9 or 4.16 kV level.

McGuire Units 1 and 2 B 3.8.1-4 Revision No.

AC Sources-Operating B 3.8.1 BASES LCO (continued)

Each train of the 4.16 kV Essential Auxiliary Power System is also provided with a separate and independent emergency diesel generator to supply the Class 1E loads required to safely shut down the unit following a design basis accident.

Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This will be accomplished within 11 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot and DG in standby with the engine at ambient conditions.

Additional DG capabilities must be demonstrated to meet required Surveillance, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

Proper sequencing of loads is a function of Sequencer OPERABILITY.

Proper load shedding is a function of DG OPERABILITY. Proper tripping of non-essential loads is a function of AC Bus OPERABILITY (Condition A of Technical Specification 3.8.9).

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, separation and independence are complete.

APPLICABILITY The AC sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A note prohibits the application of LCO 3.0.4.b to an inoperable DG.

There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after McGuire Units 1 and 2 B 3.8.1-5 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) performance of a risk assessment addressing inoperable systems and components, would not be applied in this circumstance.

A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features. These features are powered from the redundant AC electrical power train. This includes motor driven auxiliary feedwater pumps. The turbine driven auxiliary feedwater pump is required to be considered a redundant required feature, and, therefore, required to be determined OPERABLE by this Required Action. Three independent AFW pumps are required to ensure the availability of decay heat removal capability for all events accompanied by a loss of offsite power and a single failure. System design is such that the remaining OPERABLE motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock.m In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads; and

b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk McGuire Units 1 and 2 B 3.8.1-6 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

A.3 According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 also establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 7 days. This could lead to a total of 10 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable and an additional 7 days allowed prior to complete restoration of the LCO. This could continue indefinitely if not limited. The 10 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. This limits the time the plant can alternate between Conditions A, B, and D (see Completion Time Example 1.3-3). The 'AND' connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 10 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 10 day Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 10 day Completion Time, the "time McGuire Units 1 and 2 B 3.8.1-7 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) zero" is specified as beginning at the time LCO 3.8.1 was initially not met, instead of at the time Condition A was entered. This results in the requirement, when in this Condition, to track the time elapsed from both the Condition A "time zero," and the "time zero" when LCO 3.8.1 was initially not met. Refer to Section 1.3, "Completion Times," for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

8.1 To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related trains. This includes motor driven auxiliary feedwater pumps. The turbine driven auxiliary feedwater pump is required to be considered a redundant required feature, and, therefore, required to be determined OPERABLE by this Required Action. Three independent AFW pumps are required to ensure the availability of decay heat removal capability for all events accompanied by a loss of offsite power and a single failure. System design is such that the remaining OPERABLE motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.

The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A required feature on the other train (Train A or Train B) is inoperable.

McGuire Units 1 and 2 B 3.8.1-8 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is Acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DG(s). If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists, and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s),

performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the problem investigation process will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months constraint imposed while in Condition B.

These Conditions are not required to be entered if the inoperability of the DG is due to an inoperable support system, an independently testable component, or preplanned testing or maintenance. If required, these McGuire Units 1 and 2 B 3.8.1-9 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

Required Actions are to be completed regardless of when the inoperable DG is restored to OPERABLE status.

The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG, is justified in a plant-specific analysis which uses the methodology contained in WCAP-15622 (Ref. 8) and Ref. 13.

B.4 The 7 days provided for operation to continue while in Condition B is justified by plant-specific analysis developed using the plant-specific PRA model and the methodology contained in WCAP-1 5622 (Ref. 8) and Ref.

13.

In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 7 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 also establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . If the offsite circuit is restored to OPERABLE status within the required 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , this could lead to a total of 10 days, since initial failure to meet the LCO, to restore compliance with the LCO, (i.e.,

restore the DG). At this time, an offsite circuit could again become inoperable and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed prior to complete restoration of the LCO. This could occur indefinitely if not limited. The 10 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. This limits the time the plant can alternate between Conditions A, B, and D (see Completion Time Example 1.3-3). The "AND" connector between the 7 day and 10 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 10 day Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 10 day Completion Time, the "time zero" is specified as beginning at the time LCO 3.8.1 was initially not met, instead of at the time Condition B was entered. This results in the requirement, when in this Condition, to track the time elapsed from both McGuire Units 1 and 2 B 3.8.1 -10 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) the Condition B Ntime zero," and the "time zero" when LCO 3.8.1 was initially not met. Refer to Section 1.3, Completion Times," for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is that Regulatory Guide 1.93 (Ref. 7) allows a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps.

Single train features, such as turbine driven auxiliary pumps, are not included in the list.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. All required offsite circuits are inoperable; and

b. A required feature is inoperable.

If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

McGuire Units 1 and 2 B 3.8.1 -11 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

However, two factors tend to decrease the severity of this level of degradation:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A.

D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG, without regard to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This McGuire Units 1 and 2 B 3.8.1-12 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

E.1 With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Reference 7, with both DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

F.1 The sequencer(s) is an essential support system to both the offsite circuit and the DG associated with a given ESF bus. Furthermore, the sequencer is on the primary success path for most major AC electrically powered safety systems powered from the associated ESF bus.

Therefore, loss of an ESF bus sequencer affects every major ESF system in the train. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining sequencer OPERABILITY. This time period also ensures that the probability of an accident (requiring sequencer OPERABILITY) occurring during periods when the sequencer is inoperable is minimal.

G.1 and G.2 If the inoperable AC electric power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from McGuire Units 1 and 2 B 3.8.1-13 Revision No.

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) full power conditions in an orderly manner and without challenging plant systems.

H.1 Condition H corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A, GDC 18 (Ref. 9).

Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3) and Regulatory Guide 1.137 (Ref. 10), as addressed in the UFSAR.

Since the McGuire DG manufacturer, Nordberg, is no longer in business, McGuire engineering is the designer of record. Therefore, the term "manufacturers or vendor's recommendations" is taken to mean the recommendations as determined by McGuire engineering, with specific Nordberg input as it is available, that were intended for the DGs, taking into account the maintenance, operating history, and industry experience, when available.

Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state output voltage of 3740 V is 90% of the nominal 4160 V output voltage. This value allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90%

of name plate rating. The specified maximum steady state output voltage of 4580 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to

+/- 2% of the 60 Hz nominal frequency and are derived from the recommendations given in Regulatory Guide 1.9 (Ref. 3).

McGuire Units 1 and 2 B 3.8.1-14 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that appropriate independence of offsite circuits is maintained. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.

SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition.

To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note (Note 2 for SR 3.8.1.2) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading.

For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the DGs are started from standby conditions using a manual start, loss of offsite power signal, safety injection signal, or loss of offsite power coincident with a safety injection signal. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.

In order to reduce stress and wear, the manufacturer recommends a modified start in which the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3, which is only applicable when such modified start procedures are recommended by the manufacturer.

SR 3.8.1.7 requires that, at a 184 day Frequency, the DG starts from standby conditions and achieves required voltage and frequency within 11 seconds. The 11 second start requirement supports the assumptions of the design basis LOCA analysis in the UFSAR, Chapter 15 (Ref. 5).

McGuire Units 1 and 2 B 3.8.1-15 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The 11 second start requirement is not applicable to SR 3.8.1.2 (see Note 3) when a modified start procedure as described above is used. If a modified start is not used, the 11 second start requirement of SR 3.8.1.7 applies.

Since SR 3.8.1.7 requires a 11 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2.

The normal 31 day Frequency for SR 3.8.1.2 and the 184 day Frequency for SR 3.8.1.7 are consistent with Regulatory Guide 1.9 (Ref. 3) Table 1.

These Frequencies provide adequate assurance of DG OPERABILITY, while minimizing degradation resulting from testing.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0.

The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 31 day Frequency for this Surveillance is consistent with Regulatory Guide 1.9 (Ref. 3) Table 1.

This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients, because of changing bus loads, do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.

McGuire Units 1 and 2 B 3.8.1-1 6 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is adequate to successfully start a diesel engine and to ensure an orderly shutdown of the diesel engine from full load operation upon loss of oil from the main fuel oil storage tank, or upon loss of the ability to transfer fuel from the storage tank to the day tank. The level is expressed as an equivalent volume in gallons, and is adequate for approximately 30 minutes of DG operation at full load.

The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil is available, since low level alarms are provided and facility operators would be aware of any large uses of fuel oil during this period.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are established by Regulatory Guide 1.137 (Ref. 10). This SR is for preventative maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during the performance of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The design of fuel transfer systems is such that pumps operate automatically or may be started manually in order to maintain an adequate volume of fuel oil in the day tanks during or following DG testing. Therefore, a 31 day Frequency is appropriate.

McGuire Units 1 and 2 B 3.8.1-17 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.7 See SR 3.8.1.2.

SR 3.8.1.8 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads.

The 18 month Frequency of the Surveillance is based on engineering judgment, taking into consideration the unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.

This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load McGuire Units 1 and 2 B 3.8.1-1 8 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. For this unit, the single load for each DG and its kilowatt rating is as follows: Nuclear Service Water Pump which is a 576 kW motor. This Surveillance may be accomplished by:

a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or

b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

As required by Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower.

The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 3 seconds specified is equal to 60% of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG.

SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c are steady state voltage and frequency values to which the system must recover following load rejection. The 18 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3) Table 1.

This Surveillance is performed with the DG connected to its bus in parallel with offsite power supply. The DG is tested under maximum kVAR loading, which is defined as being as close to design basis conditions as practical subject to offsite power conditions. Design basis conditions have been calculated to be greater than 0.9 power factor. During DG testing, equipment ratings are not to be exceeded (i.e., without creating an overvoltage condition on the DG or 4 kV emergency buses, over-excitation in the generator, or overloading the DG emergency feeder while maintaining the power factor greater than or equal to 0.9).

This Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

McGuire Units 1 and 2 B 3.8.1 -19 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.1 0 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits.

The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide for DG damage protection. While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.

Although not representative of the design basis inductive loading that the DG would experience, a power factor of approximately unity (1.0) is used for testing. This power factor is chosen in accordance with manufacturer's recommendations to minimize DG overvoltage during testing.

The 18 month Frequency is consistent with the recommendation of Regulatory Guide 1.9 (Ref. 3) and is intended to be consistent with expected fuel cycle lengths.

This Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.4, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies the de-energization of the emergency buses, load shedding from the emergency buses and energization of the emergency buses and blackout loads from the DG. Tripping of non-essential loads is not verified in this test. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time.

The DG autostart time of 11 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability is achieved.

McGuire Units 1 and 2 B 3.8.1-20 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The requirement to verify the connection and power supply of the emergency bus and autoconnected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow, or residual heat removal (RHR) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG systems to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.

These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4.

Risk insights or deterministic methods may be used for this assessment.

McGuire Units 1 and 2 B 3.8.1-21 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (11 seconds) from the design basis actuation signal (LOCA signal) and operates for 2 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d ensures that the emergency bus remains energized from the offsite electrical power system on an ESF signal without loss of offsite power. This Surveillance also verified the tripping of non-essential loads. Tripping of non-essential loads is verified only once, either in this SR or in SR 3.8.1.19, since the same circuitry is tested in each SR.

The Frequency of 18 months is consistent with Regulatory Guide 1.9 (Ref. 3) Table 1 and takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. This SR is modified by a Note. The reason for the Note is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.

SR 3.8.1.1 3 This Surveillance demonstrates that DG noncritical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ESF actuation test signal, and critical protective functions (engine overspeed, generator differential current, low lube oil pressure, generator voltage-controlled overcurrent) trip the DG to avert substantial damage to the DG unit. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition.

This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The 18 month Frequency is consistent with Regulatory Guide 1.9 (Ref. 3)

Table 1, taking into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

McGuire Units 1 and 2 B 3.8.1-22 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is not normally performed in MODE 1 or 2, but it may be performed in conjunction with periodic preplanned preventative maintenance activity that causes the DG to be inoperable. This is acceptable provided that performance of the SR does not increase the time the DG would be inoperable for the preplanned preventative maintenance activity.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.9, requires demonstration once per 18 months that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , > 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of which is at a load equivalent from 105% to 110% of the continuous duty rating and the remainder of the time at a load equivalent to the continuous duty rating of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

This Surveillance is performed with the DG connected to its bus in parallel with offsite power supply. The DG is tested under maximum kVAR loading, which is defined as being as close to design basis conditions as practical subject to offsite power conditions. Design basis conditions have been calculated to be greater than 0.9 power factor. During DG testing, equipment ratings are not to be exceeded (i.e., without creating an overvoltage condition on the DG or 4 kV emergency buses, over-excitation in the generator, or overloading the DG emergency feeder while maintaining the power factor greater than or equal to 0.9).

The load band is provided to avoid routine overloading of the DG.

Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This Surveillance is modified by two Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Note 2 allows gradual loading of the DG in accordance with recommendation from the manufacturer.

McGuire Units 1 and 2 B 3.8.1-23 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

SR 3.8.1.1 5 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 11 seconds. The 11 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1.

This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.

SR 3.8.1.1 6 As required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.11, this Surveillance ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and the DG can be returned to standby operation when offsite power is restored. It also ensures that the autostart logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in standby operation when the DG is at rated speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timers are reset.

The Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, and takes into consideration unit conditions required to perform the Surveillance. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further McGuire Units 1 and 2 B 3.8.1-24 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes.

These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.17 Demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to standby operation if a LOCA actuation signal is received during operation in the test mode. Standby operation is defined as the DG running at rated speed and voltage with the DG output breaker open. These provisions for automatic switchover are required by Regulatory Guide 1.9 (Ref. 3), paragraph 2.2.13. The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1, takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.

This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, McGuire Units 1 and 2 B 3.8.1-25 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.1 8 Under accident and loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The load sequence time interval tolerance in Table 8-16 of Reference 2 ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.

Table 8-1 of Reference 2 provides a summary of the automatic loading of ESF buses. The sequencing times of Table 8-16 are committed and required for OPERABILITY. The typical 1 minute loading duration seen by the accelerated sequencing scheme is NOT required for OPERABILITY.

Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This takes into consideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.

SR 3.8.1.19 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

McGuire Units 1 and 2 B 3.8.1-26 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This Surveillance verifies the de-energization of the emergency buses, load shedding from the emergency buses, tripping of non-essential loads and energization of the emergency buses and ESF loads from the DG.

Tripping of non-essential loads is verified only once, either in this SR or in SR 3.8.1.12, since the same circuitry is tested in each SR. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

The Frequency of 18 months is consistent with Regulatory Guide 1.9 (Ref. 3) Table 1.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. The reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1, 2, 3, or 4. Risk insights or deterministic methods may be used for this assessment.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.

McGuire Units 1 and 2 B 3.8.1-27 Revision No.

AC Sources-Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3) Table 1.

This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. UFSAR, Chapter 8.

3. Regulatory Guide 1.9, Rev. 3, July 1993.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 15.

6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).

7. Regulatory Guide 1.93, Rev. 0, December 1974.

8. WCAP-1 5622, Rev. 0, May 2001.

9. 10 CFR 50, Appendix A, GDC 18.

10. Regulatory Guide 1.137, Rev. 1, October 1979.

11. Regulatory Guide 1.6, Rev. 0, March 1971.

12. Regulatory guide 1.81, Rev. 1, January 1975.

13. Letter, R.H. Bryan, WOG, to the NRC Document Control Desk,

SUBJECT:

Transmittal of RAI Responses for WCAP-1 5622, "Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, (MUHP-301 0), 'Dated November 27, 2002.

McGuire Units 1 and 2 B 3.8.1-28 Revision No.

Distribution Systems-Operating B 3.8.9 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.9 Distribution Systems-Operating BASES BACKGROUND The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided by train into two redundant and independent AC, four independent channels (two per train) of DC, and four AC vital buses electrical power distribution subsystems.

The AC electrical power subsystem for each train consists of a primary Engineered Safety Feature (ESF) 4.16 kV bus and secondary 600 V buses, distribution panels, motor control centers and load centers. Each 4.16 kV ESF bus has at least one separate and independent offsite source of power from a 6.9 kV non safety related bus, as well as a dedicated onsite diesel generator (DG) source. Each 6.9 kV bus is normally connected to an offsite source. After a loss of the normal offsite power source to a 6.9 kV bus, an automatic transfer scheme automatically transfers the bus to the alternate offsite source if it is available. A fast transfer occurs if normal and alternate sources are synchronous, otherwise this transfer is done as a slow transfer (time delayed). If the normal and alternate offsite sources are unavailable, the onsite emergency DG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries.

Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources-Operating," and the Bases for LCO 3.8.4, "DC Sources-Operating."

The secondary AC electrical power distribution system for each train includes the safety related load centers, motor control centers, and distribution panels shown in Table B 3.8.9-1. Motor control centers shown in Table B 3.8.9-1 also include all submotor control centers such as EMXA1, EMXA2, EMXB1, EMXB2, 1EMXH1, etc.

The 120 VAC vital buses are arranged in two load groups per train and are normally powered from the inverters. The alternate power supply for the vital buses is from the regulated voltage transformers and their use is governed by LCO 3.8.7, "Inverters--Operating." The regulated voltage transformer is powered from a non-Class 1E AC bus.

The list of all required distribution buses is presented in Table B 3.8.9-1.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the UFSAR, Chapter 6 (Ref. 1), and in the UFSAR, Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, McGuire Units 1 and 2 B 3.8.9-1 Revision No.

Distribution Systems-Operating B 3.8.9 BASES APPLICABLE SAFETY ANALYSES (continued) and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and

b. A worst case single failure.

The distribution systems satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.

Maintaining the Train A and Train B AC, channels of DC, and AC vital buses OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

OPERABLE AC electrical power distribution subsystems require the associated buses, load centers, motor control centers, and distribution panels to be energized to their proper voltages. OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE AC vital bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage from the associated inverter via inverted DC voltage or regulated voltage transformer.

McGuire Units 1 and 2 B 3.8.9-2 Revision No.

Distribution Systems-Operating B 3.8.9 BASES APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Electrical power distribution subsystem requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.10, "Distribution Systems-Shutdown."

ACTIONS A.1 With one or more required AC buses, load centers, motor control centers, or distribution panels, except AC vital buses, in one train inoperable, the remaining AC electrical power distribution subsystem in the other train is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, load centers, motor control centers, and distribution panels must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

Condition A worst scenario is one train without AC power (i.e., no offsite power to the train and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months time limit before requiring a unit shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the unit operators attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and

b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.

McGuire Units 1 and 2 B 3.8.9-3 Revision No.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

The second Completion Time for Required Action A.1 also establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable (Condition C) and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the AC distribution system. At this time, a vital bus could become inoperable, and an additional 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed prior to complete restoration of the LCO, for a total of 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months . This could continue indefinitely if not limited.

The 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A, B, and C are entered concurrently. The "AND" connector between the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time, the "time zero" is specified as beginning at the time LCO 3.8.9 was initially not met, instead of at the time Condition A was entered. This results in the requirement, when in this Condition, to track the time elapsed from both the Condition A "time zero," and the 'time zero" when LCO 3.8.9 was initially not met. Refer to Section 1.3, "Completion Times," for more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

B.1 With one AC vital bus inoperable, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months by powering the bus from the associated inverter via inverted DC or regulated voltage transformer.

Condition B represents one AC vital bus without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses and restoring power to the affected vital bus.

McGuire Units 1 and 2 B 3.8.9-4 Revision No.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

This 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months limit is more conservative than Completion Times allowed for some components that are without adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and

c. The potential for an event in conjunction with a single failure of a redundant component.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period and is justified in WCAP-1 5622 (Ref. 4) and Ref. 6. Plant specific calculations using the plant specific Probabilistic Risk Assessment (PRA) model and the methodology contained in WCAP-1 5622, "Risk-informed Evaluation of Extensions to AC Electrical Power System Completion Times," are required to justify extending the Completion Times for Required Action B.1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . For Condition B, WCAP-1 5622 modeled only one inoperable AC vital bus. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months applies only to the first inoperable AC vital bus.

The second Completion Time for Required Action B.1 also establishes a limit on the maximum time allowed for any combination of required distribution systems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable (Condition A), the LCO may already have been not met for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . If the AC bus is restored to OPERABLE status within the required 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , this could lead to a total of 32 hours3.703704e-4 days 0.00889 hours 5.291005e-5 weeks 1.2176e-5 months since initial failure to meet the LCO, to restore compliance with the LCO (i.e., to restore the vital bus). At this time, a DC bus could become inoperable and an additional 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months allowed prior to complete restoration of the LCO, for a total of 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months . This could continue indefinitely if not limited.

McGuire Units 1 and 2 B 3.8.9-5 Revision No.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

The 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A, B, and C are entered concurrently. The "AND" connector between the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time is a requirement for beginning the Completion Time "clock" that is in addition to the normal Completion Time requirements. With respect to the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time, the 'time zero" is specified as beginning at the time LCO 3.8.9 was initially not met, instead of at the time Condition B was entered. This results in the requirement, when in this Condition, to track the time elapsed from both the Condition B "time zero," and the "time zero" when LCO 3.8.9 was initially not met. Refer to Section 1.3, "Completion Times," for more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 With one DC bus in one train inoperable, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the DC buses must be restored to OPERABLE status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months by powering the bus from the associated battery or charger.

Condition C represents one DC bus without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining channels and restoring power to the affected channel.

This 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue; McGuire Units 1 and 2 B 3.8.9-6 Revision No.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected channel; and

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 5).

The second Completion Time for Required Action C.1 also establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable (Condition A) and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . This could lead to a total of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , since initial failure of the LCO, to restore the DC distribution system. At this time, a vital bus could become inoperable, and an additional 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed prior to complete restoration of the LCO, for a total of 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months . This could continue indefinitely if not limited.

The 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Condition A, B, and C are entered concurrently. The "AND" connector between the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months and 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Times means that both Completion times apply simultaneously, and the more restrictive Completion Time must be met.

Tracking the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time is a requirement for beginning the Completion Time 'clock" that is in addition to the normal Completion Time requirements. With respect to the 34 hour3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months Completion Time, the "time zero" is specified as beginning at the time LCO 3.8.9 was initially not met, instead of at the time Condition C was entered. This results in the requirement, when in this Condition, to track the time elapsed from both the Condition C "time zero," and the time zero" when LCO 3.8.9 was initially not met. Refer to Section 1.3, "Completion Times," for more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

McGuire Units 1 and 2 B 3.8.9-7 Revision No.

Distribution Systems-Operating B 3.8.9 BASES ACTIONS (continued)

D.1 and D.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 Condition E corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one inoperable electrical power distribution subsystem results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

SURVEILLANCE SR 3.8.9.1 REQUIREMENTS This Surveillance verifies that the AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus. The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC, DC, and AC vital bus electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

McGuire Units 1 and 2 B 3.8.9-8 Revision No.

Distribution Systems-Operating B 3.8.9 BASES REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.

3. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).

4. WCAP-1 5622, Rev. 0, May 2001. I

5. Regulatory Guide 1.93, December 1974. I

6. Letter, R.H. Bryan, WOG, to the NRC Document Control Desk,

SUBJECT:

Transmittal of RAI Responses for WCAP-1 5622, "Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, (MUHP - 3010), " Dated November 27, 2002.

McGuire Units 1 and 2 B 3.8.9-9 Revision No.

Distribution Systems-Operating

.B 3.8.9 BASES Table B 3.8.9-1 (page 1 of 1)

AC and DC Electrical Power Distribution Systems TYPE VOLTAGE TRAIN A* TRAIN B*

AC safety 4160 V Essential Bus ETA Essential Bus ETB buses 600 V Load Centers Load Centers ELXA, ELXC ELXB, ELXD 600 V Motor Control Centers Motor Control Centers EMXA, EMXC, EMXB, EMXD, EMXE, 1EMXG, EMXF, 2EMXG, 1EMXH 2EMXH DC buses 125 V Bus EVDA Bus EVDB Bus EVDC Bus EVDD Distribution Panels Distribution Panels EVDA, EVDC EVDB, EVDD AC vital buses 120 V Bus EKVA Bus EKVB Bus EKVC Bus EKVD

Each train of the AC and DC electrical power distribution systems is a subsystem.

McGuire Units 1 and 2 B 3.8.9-1 0 Revision No.

Attachment 3a Description Of Proposed Changes and Technical Justification a provides the description of proposed changes and technical justification for the risk-informed portions of this license amendment request (LAR) which is applicable to Duke Energy Corporation's (Duke), McGuire Nuclear Station, Units 1 and 2, Technical Specifications (TS) Nos. 3.8.1 and 3.8.9. An outline of Attachment 3a is shown below.

I. DESCRIPTION OF PROPOSED CHANGES Overview List of Affected TS and Description of Proposed Changes Affected TS Bases II. TECHNICAL JUSTIFICATION General Effects on Safety - Increase in Completion Times Bases for the Proposed Changes Deterministic Evaluation Probabilistic Risk Assessment (PRA)

Conflicts With Current Surveillance Requirements PRA Quality PRA Updates Peer Review Process PRA Model Results of Reviews With Respect to This LAR 1

Attachment 3a Description Of Proposed Changes and Technical Justification Tier 2 Assessment: Avoidance of Risk-significant Plant Equipment Outage Configurations Tier 3 Assessment: Maintenance Rule Configuration Control III. Applicable Regulatory Requirements/Criteria IV. Conclusion 2

Attachment 3a Description Of Proposed Changes and Technical Justification I. DESCRIPTION OF PROPOSED CHANGES Overview This LAR applies to McGuire Nuclear Station, Units 1 and 2, TS 3.8.1, Electrical Power Systems, AC Sources-Operating; and TS 3.8.9 Electrical Power Systems, Distribution Systems-Operating. The changes proposed to these TS are shown on the marked TS pages provided in Attachment 1 and they are also included in the reprinted TS pages provided in Attachment 2 of this submittal package. The proposed changes modify the McGuire TS as listed and described below.

List of Affected TS and Description of Proposed Changes

1. The second CT for TS 3.8.1, Required Action A.3, is being changed from 6 days to 10 days.

2. The CT for TS 3.8.1, Required Action B.3.1, is being changed from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

3. The CT for TS 3.8.1, Required Action B.3.2, is being changed from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

4. The first CT for TS 3.8.1, Required Action B.4, is being changed from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to 7 days.

5. The second CT for TS 3.8.1, Required Action B.4, is being changed from 6 days to 10 days.

6. The NOTE for Surveillance Requirement (SR) 3.8.1.8 is being modified to state that it shall not normally be performed in MODE 1 or 2, however it may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

7. The NOTE for SR 3.8.1.11 is being modified to state that it shall not normally be performed in MODE 1, 2, 3, or 4; however, portions of it may be performed to reestablish OPRABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

3

Attachment 3a Description Of Proposed Changes and Technical Justification

8. The NOTE for SR 3.8.1.16 is being modified to state that it shall not normally be performed in MODE 1, 2, 3, or 4; however, it may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

9. The NOTE for SR 3.8.1.17 is being modified to state that it shall not normally be performed in MODE 1, 2, 3, or 4; however, portions of it may be performed to reestablish OPERABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

10. The NOTE for SR 3.8.1.19 is being modified to state that it shall not normally be performed in MODE 1, 2, 3, or 4; however, portions of it may be performed to reestablish OPRABILITY provided an assessment determines the safety of the plant is maintained or enhanced.

11. The second CT for TS 3.8.9, Required Action A.1, is being changed from 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months .

12. The first CT for TS 3.8.9, Required Action B.1, is being changed from 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

13. The second CT for TS 3.8.9, Required Action B.1, is being changed from 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months .

14. The second CT for TS 3.8.9, Required Action C.1, is being changed from 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months .

Affected TS Bases Conforming changes are also being made to the Bases for McGuire TS 3.8.1 and TS 3.8.9. These Bases changes are also included in this submittal package for informational purposes.

4

Attachment 3a Description Of Proposed Changes and Technical Justification II. TECHNICAL JUSTIFICATION General An extensive list of reference documents that support this LAR is provided in Attachment 5, and these documents are referenced as appropriate throughout the discussions in this LAR submittal package. However, the changes proposed in this LAR are based primarily upon, and consistent with, the industry documents listed below.

Topical Report, WCAP-15622, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, May 2001, (Ref. 1), was prepared by the Westinghouse Electric Company in conjunction with the Westinghouse Owners Group (WOG) and has now been amended and supplemented by later WOG submittals (see Ref. 23 and Ref. 32).

Duke participated in the development of this topical report and its subsequent amendments and they apply to McGuire.

Letter, R. Bryan (WOG), to the NRC Document Control Desk,

SUBJECT:

Transmittal of WCAP-15622, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, OG-01-039, June 15, 2001 (Ref. 2).

Industry/Technical Specifications Task Force (TSTF)

Standard Technical Specifications Traveler, TSTF-417, Rev. 0, AC Electrical Power System Completion Times (WCAP-15622) (Ref. 3).

NRC-approved TSTF-283-A, Rev. 3, Modify Section 3.8 MODE Restriction Notes (Ref. 4).

Effects on Safety - Increase in Completion Times Bases for the Proposed Changes WCAP-15622 (Ref. 1, as amended by Ref. 23 which contains revised McGuire analyses and Ref. 32 which 5

Attachment 3a Description Of Proposed Changes and Technical Justification contains additional information) provides the technical basis for the proposed changes to the CT, also referred to as Allowed Outage Time (AOT), for several Required Actions in McGuire TS 3.8.1 and TS 3.8.9. This amended topical report provides the deterministic evaluation and risk assessment to support the proposed increase in the CT for the TS functions listed below.

The second CT for restoring offsite circuit to OPERABLE status is being increased from 6 days to 10 days from discovery of failure to meet LCO. This is TS 3.8.1, Required Action A.3.

The CT for determining the OPERABLE emergency diesel generator (EDG)- also referred to as diesel generator or DG in the McGuire TS- is not inoperable due to common cause failure is being increased from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This is TS 3.8.1, Required Action B.3.1.

The CT for performing SR 3.8.1.2 (which verifies the OPERABLE EDG starts from standby conditions and achieves steady state voltage greater than or equal to 3740 volts and less than or equal to 4580 volts, and frequency greater than or equal to 58.8 Hz and less than or equal to 61.2 Hz) is being increased from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This is TS 3.8.1, Required Action B.3.2.

The first CT for restoring EDG to OPERABLE status is being increased from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to 7 days. This is TS 3.8.1, Required Action B.4.

The second CT for restoring EDG to OPERABLE status is being increased from 6 days to 10 days from discovery of failure to meet LCO. This is TS 3.8.1, Required Action B.4.

The second CT for restoring AC electrical power distribution subsystem(s) to OPERABLE status is being increased from 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months from discovery of failure to meet LCO. This is TS 3.8.9, Required Action A.1.

6

Attachment 3a Description Of Proposed Changes and Technical Justification

The first CT for restoring AC vital bus subsystem to OPERABLE status is being increased from 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This is TS 3.8.9, Required Action B.1.

The second CT for restoring AC vital bus subsystem to OPERABLE status is being increased from 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months from discovery of failure to meet LCO. This is TS 3.8.9, Required Action B.1.

The second CT for restoring DC channel of electrical power distribution subsystem to OPERABLE status is being increased from 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to 34 hours3.935185e-4 days 0.00944 hours 5.621693e-5 weeks 1.2937e-5 months from discovery of failure to meet LCO. This is TS 3.8.9, Required Action C.I.

WCAP-15622 (Ref. 1, as amended by Ref. 23 which contains revised McGuire analyses and Ref. 32 which contains additional information) uses a plant-specific Probabilistic Risk Assessment (PRA) to assess the risk impact of increasing the CTs listed above. The NRC staff is currently reviewing this topical report to determine that the proposed increases in the CTs are acceptable.

Deterministic Evaluation The deterministic evaluation in WCAP-15622 (Ref. 1, as amended by Ref. 23 which contains revised McGuire analysis and Ref. 32 which contains additional information) consisted of a review of the impact on the plant's defense-in-depth and safety margins caused by entry into the affected CT. The EDGs and affected power systems safety functions were qualitatively assessed in Section 7 of WCAP-15622 (Ref. 1, as amended by Ref. 23 which contains revised McGuire analysis and Ref. 32 which contains additional information). Based on the justification contained in the WCAP, extending the CTs as listed above does not impact any assumptions or inputs in the McGuire Updated Final Safety Analysis Report (UFSAR).

7

Attachment 3a Description Of Proposed Changes and Technical Justification Probabilistic Risk Assessment (PRA)

The PRA is discussed in Section 8 of WCAP-15622 (Ref.

1, as amended by Ref. 23 which contains revised McGuire analyses and Ref. 32 which contains additional information). This PRA is used to assess the impact of the proposed change and is based upon guidelines in Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis, (Ref. 5); and RG 1.177, An Approach for Plant-Specific, Risk-Informed Decision Making:

Technical Specifications, (Ref. 6). The risk impacts of the proposed changes were calculated and compared against the acceptability guidelines as stated in the RGs. The McGuire analyses results are presented in Ref. 23.

Conflicts with Current Surveillance Requirements McGuire cannot receive the full benefit of the increase in the CTs contained in this LAR due to conflicts with NOTES in several current Surveillance Requirements (SR).

Therefore, the changes proposed in this LAR modify the prohibitive NOTES in SR 3.8.1.8 (Transfer of AC Power Sources Test), SR 3.8.1.11 (Loss of Offsite Power Test),

SR 3.8.1.16 (Synchronization/Restoration of Loads to Offsite Power Test), SR 3.8.1.17 (Test Mode Override Test), and SR 3.8.1.19 (Loss of Offsite Power With ESF Actuation Test). The modifications will allow performance, or partial performance, of these surveillances in the currently prohibited MODES.

The changes to these NOTES are based upon TSTF-283-A, Rev.

3 (Ref. 4). The TS 3.8.1 Bases for these surveillances will also be revised to allow testing to reestablish OPERABILITY provided an assessment is performed to assure plant safety is maintained or enhanced. These Bases will be revised consistent with TSTF-283-A, Rev. 3 (Ref. 4) in order to provide guidance for conducting the assessments.

8

Attachment 3a Description Of Proposed Changes and Technical Justification PRA Quality In accordance with RG 1.177, An Approach for Plant-Specific, Risk-Informed Decision Making: Technical Specifications, August 1998 (Ref. 6), the subsequent paragraphs provide a discussion on PRA quality and Tier 2 and Tier 3 requirements.

PRA Updates Duke periodically evaluates changes to the plant with respect to the assumptions and modeling in the McGuire PRA. The original McGuire PRA was initiated in March 1982 by Duke with Technology for Energy Corporation assisting as a contractor. Law Engineering Testing Company and Structural Mechanics Associates provided specific input to the seismic analysis. It was a full scope Level 3 PRA with internal and external events.

A peer review of the draft PRA was conducted by Electric Power Research Institute's Nuclear Safety Analysis Center (NSAC) in May 1983 (Ref. 7). The final study, which incorporated the comments of the peer review, was completed in July 1984 and resulted in an internal Duke report (Ref. 8) as Revision 0 to the PRA. In January 1988, Duke initiated a complete review and update of the original study.

On November 23, 1988, the NRC issued Generic Letter 88-20 (Ref. 9), which requested that licensees conduct an Individual Plant Examination (IPE) in order to identify potential severe accident vulnerabilities at their plants. The McGuire response to GL 88-20 was provided by letter dated November 4, 1991 (Ref. 10).

McGuire's response included an updated McGuire PRA (Revision 1) study which was the culmination of the review and update which began in January 1988.

The McGuire PRA Revision 1 study and the IPE process resulted in a comprehensive, systematic examination of McGuire with regard to potential severe accidents.

The McGuire study was again a full-scope, Level 3 PRA 9

Attachment 3a Description Of Proposed Changes and Technical Justification with analysis of both the internal and external events. This examination identified the most likely severe accident sequences, both internally and externally induced, with quantitative perspectives on likelihood and fission product release potential. The results of the study prompted changes in equipment, plant configuration and enhancements in plant procedures to reduce vulnerability of the plant to some accident sequences of concern (see Duke's McGuire-specific response to NRC RAI 2 contained in Attachment 4).

As part of the Generic Letter 88-20 IPE process, the NRC conducted an audit of the human reliability analysis of the McGuire IPE during the period July 28

- 30, 1993. By letter dated June 30, 1994 (Ref. 11),

the NRC provided a Staff Evaluation of the internal events portion of the above McGuire IPE submittal which included the results of the human reliability analysis audit. The conclusion of the NRC letter (Page 15) states:

"The staff finds the licensee's IPE submittal for internal events including internal flooding essentially complete, with the level of detail consistent with the information requested in NUREG-1335. Based on the review of the submittal, and audit of "tier 2" supporting information, the staff finds reasonable the licensee's IPE conclusion that no severe accident vulnerabilities exist at McGuire."

In response to Generic Letter 88-20, Supplement 4, Duke completed an Individual Plant Examination of External Events (IPEEE) for severe accidents. This IPEEE was submitted to the NRC by letter dated June 1, 1994 (Ref. 12). The report contained a summary of the methods, results and conclusions of the McGuire IPEEE program. The IPEEE process and supporting McGuire PRA included a comprehensive, systematic examination of severe accident potential resulting from external initiating events. By letter dated February 16, 1999 (Ref. 13), the NRC provided an evaluation of the IPEEE 10

Attachment 3a Description Of Proposed Changes and Technical Justification submittal. The conclusion of the NRC letter (Page 6) states:

"On the basis of the overall review findings, the staff concludes that: (1) the licensee's IPEEE is complete with regard to the information requested by Supplement 4 to GL 88-20 (and associated guidance in NUREG-1407), and (2) the IPEEE results are reasonable given the MNS design, operation, and history. Therefore, the staff concludes that the licensee's IPEEE process is capable of identifying the most likely severe accidents and severe accident vulnerabilities, and therefore, that the MNS IPEEE has met the intent of Supplement 4 to GL 88-20 and the resolution of specific generic safety issues discussed in the SER."

In 1997, McGuire initiated Revision 2 of the 1991 IPE and provided the results to the NRC in 1998 (Ref. 14).

Revision 3 of the McGuire PRA was completed in July 2002.

This update was a comprehensive revision to the PRA models and associated documentation. The objectives of this update were as follows:

To ensure the models comprising the PRA accurately reflect the current plant, including its physical configurations, operating procedures, maintenance practices, etc.

To review recent operating experience with respect to updating the frequency of plant transients, failure rates, and maintenance unavailability data.

To correct items identified as errors and implement PRA enhancements as needed.

To address areas for improvement identified in the recent McGuire PRA Peer Review.

11

Attachment 3a Description Of Proposed Changes and Technical Justification

To utilize updated Common Cause Analysis data and Human Reliability Analysis data.

PRA maintenance encompasses the identification and evaluation of new information into the PRA and typically involves minor modifications to the plant model. PRA maintenance and updates as well as guidance for developing PRA data and evaluation of plant modifications, are governed by workplace procedures.

Approved workplace procedures address the quality assurance of the PRA. One way the quality assurance of the PRA is ensured is by maintaining a set of system notebooks on each of the PRA systems. Each system PRA analyst is responsible for updating a specific system model. This update consists of a comprehensive review of the system including drawings and plant modifications made since the last update as well as implementation of any PRA change notices that may exist on the system. The analyst's primary focal point is with the system engineer at the site. The system engineer provides information for the update as needed. The analyst will review the PRA model with the system engineer and as necessary, conduct a system walkdown with the system engineer.

The system notebooks contain, but are not limited to, documentation on system design, testing and maintenance practices, success criteria, assumptions, descriptions of the reliability data, as well as the results of the quantification. The system notebooks are reviewed and signed off by a second independent person and are approved by the manager of the group.

When any change to the PRA is identified, the same three-signature process of identification, review, and approval is utilized to ensure that the change is valid and that it receives the proper priority.

In January 2001, an enhanced manual configuration control process was implemented to more effectively track, evaluate, and implement PRA changes to better 12

Attachment 3a Description Of Proposed Changes and Technical Justification ensure the PRA reflects the as-built, as-operated plant. This process was further enhanced in July 2002 with the implementation of an electronic PRA change tracking tool.

Peer Review Process Between October 23-27, 2000, McGuire participated in the Westinghouse Owners Group (WOG) PRA Certification Program. This review followed a process that was originally developed and used by the Boiling Water Reactor Owners Group (BWROG) and subsequently broadened to be an industry-applicable process through the Nuclear Energy Institute (NEI) Risk Applications Task Force. The resulting industry document, NEI 02 (Ref. 15), describes the overall PRA peer review process. The Certification/Peer Review process is also linked to the ASME PRA Standard (Ref. 16).

The objective of the PRA Peer Review process is to provide a method for establishing the technical quality and adequacy of a PRA for a range of potential risk-informed plant applications for which the PRA may be used. The PRA Peer Review process employs a team of PRA and system analysts, who possess significant expertise in PRA development and PRA applications.

The team uses checklists to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA being reviewed. One of the key parts of the review is an assessment of the maintenance and update process to ensure the PRA reflects the as-built plant.

The review team for the McGuire PRA Peer Review consisted of six members. Three of the members were PRA personnel from other utilities. The remaining three were industry consultants. Reviewer independence was maintained by assuring that none of the six individuals had any involvement in the development of the McGuire PRA or IPE.

13

Attachment 3a Description Of Proposed Changes and Technical Justification A summary of some of the McGuire PRA strengths and recommended areas for improvement from the peer review are as follows:

Strengths

Good Summary Report write-up with insights

Good system notebooks

Rigorous Level 2 & 3 PRA Model

Integrated internal and external events model

Up-to-date plant database using Maintenance Rule

Ongoing PRA staff interaction with plant staff, plant staff reviews

PRA personnel knowledge of plant good Recommended Areas for Improvement

Better integration of sequences and recoveries within quantification process needed

Need to review treatment of events requiring time-phasing in the modeling

Better approach to closing the loop on PRA update items (tracking of errors/modifications) needed

More thorough, systematic approach to HRA screening values and common cause modeling needed 14

Attachment 3a Description Of Proposed Changes and Technical Justification

Need an approach for reconciling realistic LERF model with NRC expectations from simplistic LERF modeling

Need to update the PRA model to be more in line with current practices and expectations for state-of-the-art PRA The significance levels of the WOG Peer Review Certification process have the following definitions:

A.Extremely important and necessary to address to ensure the technical adequacy of the PRA, the quality of the PRA, or the quality of the PRA update process.

B.Important and necessary to address but may be deferred until the next PRA update.

Based on the PRA peer review report, the McGuire PRA received six Fact and Observations (F&O) with the significance level of "A" and 31 F&O with the significance level of "B." All six of the "A" F&O have been resolved and changes have been incorporated into McGuire PRA Revision 3, the current PRA model.

The "B" F&O have been reviewed and prioritized for incorporation into the PRA. Eleven of the "B" F&O have already been incorporated into Revision 3 of the PRA.

It is expected that the remaining F&O will be resolved and incorporated into Revision 4 of the McGuire PRA.

The remaining open "B" F&O were reviewed with respect to any impact on the proposed TS changes. It was determined that these have no impact on the proposed TS changes. A discussion of peer review items related to the AC power system and their resolution is provided in Attachment 4 under the Duke response to NRC RAI 2 (Ref. 21).

15

Attachment 3a Description Of Proposed Changes and Technical Justification PRA Model The McGuire PRA is a full scope PRA including both internal and external events. The model includes the necessary initiating events (e.g., LOCAs, transients) to evaluate the frequency of accidents. The previous reviews of the McGuire PRA, NRC and peer reviews, have not identified deficiencies related to the scope of initiating events considered.

The McGuire PRA includes models for those systems needed to estimate core damage frequency. These include all of the major support systems (e.g., ac power, service water, component cooling, and instrument air) as well as the mitigating systems (e.g., emergency core cooling). These systems are modeled down to the component level, pumps, valves, and heat exchangers. This level of detail is sufficient for this application.

Results of Reviews with Respect to this LAR Duke calculations for McGuire Nuclear Station contain the quantification and documentation of the analyses performed for WCAP-15622 (Ref. 1, as amended by Ref.

23 which contains revised McGuire analyses and Ref. 32 which contains additional information) and this LAR.

A review of the analyses (cut sets and pertinent accident sequences) was made for accuracy and completeness. Specifically, cut sets generated for the solutions were screened and invalid cut sets were removed and appropriate recovery events applied. This process was documented in Duke calculations. The review verified that the calculations adequately modeled the effects of the EDG and electrical systems unavailability.

Tier 2 Assessment: Avoidance of Risk-significant Plant Equipment Outage Configurations Tier 2 provides reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of 16

Attachment 3a Description Of Proposed Changes and Technical Justification service consistent with the proposed TS change. WCAP-15622 (Ref. 1, as amended by Ref. 23 which contains revised McGuire analyses and Ref. 32 which contains additional information) indicated that Tier 2 insights would be addressed on a utility specific basis. Duke is not proposing any additional compensatory actions as a result of the proposed Technical Specification changes. Duke's practices in regard to severe weather are discussed in Attachment 4 in the Response to NRC RAI 17 of Ref. 21.

Duke has several Work Process Manual procedures and Nuclear System Directives that are in place at McGuire/Catawba Nuclear Stations to ensure that risk-significant plant configurations are avoided. The key documents are as follows:

Nuclear System Directive 415, "Operational Risk Management (Modes 1-3) per 10 CFR 50.65 (a.4),"

Revision 2, May 2004.

Nuclear System Directive 403, "Shutdown Risk Management (Modes 4, 5, 6, and No-Mode) per 10 CFR 50.65 (a.4)," Revision 12, May 2004.

Work Process Manual, WPM-609, "Innage Risk Assessment Utilizing ORAM-SENTINEL," Revision 8, June 2004.

Work Process Manual, WPM-608, "Outage Risk Assessment Utilizing ORAM-SENTINEL," Revision 7, June 2004.

Additionally, should greater than 50% of the LCO CT be expected to be exceeded, a Complex Maintenance Evolution Plan would be developed that discusses in part the risks associated with the extended maintenance duration.

The proposed changes are not expected to result in any significant changes to the current configuration risk management program. The existing program uses a blended approach of quantitative and qualitative 17

Attachment 3a Description Of Proposed Changes and Technical Justification evaluation of each configuration assessed. The McGuire on-line computerized risk tool, ORAM-Sentinel, considers both internal and external initiating events with the exception of seismic events. Thus, the overall change in plant risk during maintenance activities is expected to be addressed adequately in accordance with RG 1.177 considering the proposed Technical Specifications.

Tier 3 Assessment: Maintenance Rule Configuration Control 10 CFR 50.65(a)(4) (Ref. 17), RG 1.182 (Ref. 18), and NUMARC 93-01 (Ref. 19) require that prior to performing maintenance activities, risk assessments shall be performed to assess and manage the increase in risk that may result from proposed maintenance activities. These requirements are applicable for all plant modes. NUMARC 91-06 (Ref. 20) requires utilities to assess and manage the risks that occur during the performance of outages.

As stated above, Duke has approved procedures and directives in place at McGuire to ensure the requirements of the Maintenance Rule are implemented.

These documents are used to address the Maintenance Rule requirements, including the on-line (and off-line) Maintenance Policy requirement to control the safety impact of combinations of equipment removed from service.

More specifically, the Nuclear System Directives address the process, define the program, and state individual group responsibilities to ensure compliance with the Maintenance Rule. The Work Process Manual procedures provide a consistent process for utilizing the computerized software assessment tool, ORAM-SENTINEL, which manages the risk associated with equipment inoperability.

ORAM-SENTINEL is a Windows-based computer program designed by the Electric Power Research Institute as a tool for plant personnel to use to analyze and manage the risk associated with all risk signficant work 18

Attachment 3a Description Of Proposed Changes and Technical Justification activities including assessment of combinations of equipment removed from service. It is independent of the requirements of Technical Specifications and Selected Licensee Commitments.

The ORAM-SENTINEL models for McGuire are based on a "blended" approach of probabilistic and traditional deterministic approaches. The results of the risk assessment include a prioritized listing of equipment to return to service, a prioritized listing of equipment to remain in service, and potential contingency considerations.

Additionally, prior to the release of work for execution, Operations personnel must consider the effects of severe weather and grid instabilities on plant operations. This qualitative evaluation is inherent of the duties of the Work Control Center Senior Reactor Operator (SRO). Responses to actual plant risk due to severe weather or grid instabilities are programmatically incorporated into applicable plant emergency or response procedures.

The EDG and electrical power systems are currently included in the Maintenance Rule program, and as such, availability and reliability performance criteria have been established to assure that they perform adequately.

III. Applicable Regulatory Requirements/Criteria The proposed Technical Specification changes to extend the CTs for the McGuire EDGs and related electrical systems have been developed in accordance with the NRC's Safety Goal Policy Statement, Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement, Federal Register, Volume 60, p. 42622, August 18, 1995 (Ref. 30); the guidance contained in RG 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, July 1998 (Ref. 5); and RG 1.177, An Approach for Plant-Specific, Risk-Informed Decision Making:

Technical Specifications, August 1998 (Ref. 6). Evaluation of the proposed change has determined that the associated risk is 19

Attachment 3a Description Of Proposed Changes and Technical Justification acceptable based upon the application of the criteria contained in the referenced regulatory guides.

The proposed changes to modify the MODE restrictions in the NOTES for SR 3.8.1.8, 3.8.1.11, 3.8.1.16, 3.8.1.17, and 3.8.1.19 have been determined to be acceptable as discussed in TSTF-283-A, Rev. 3 (Ref. 4) on the basis that these surveillances may be performed to reestablish OPERABILITY provided an assessment is performed in accordance with 10 CFR 50.65, which determines that the safety of the plant is maintained or enhanced. The proposed changes to these SRs have been evaluated by Duke and determined to have no adverse impact on the applicable electrical systems' ability to fulfill their design basis function as required by 10 CFR 50, Appendix A, GDC-17.

IV. Conclusion Based on the technical considerations and the regulatory requirements discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC's regulations, and (3) the approval of the proposed changes will not be inimical to the common defense and security or to the health and safety of the public.

20

Attachment 3b Description Of Proposed Changes and Technical Justification Overview This LAR applies to McGuire Nuclear Station, Units 1 and 2, Technical Specification (TS) 3.8.1, Electrical Power Systems, AC Sources-Operating, Surveillance Requirement (SR) 3.8.1.4. The change proposed to this TS is shown in the marked TS pages provided in Attachment 1 and also included in the reprinted TS pages provided in Attachment 2 of this submittal package. The proposed change modifies this McGuire TS SR as described below.

Description of Proposed Changes SR 3.8.1.4 is being revised to change 120 gal to 152 gal.

This surveillance ensures maintenance of the minimum fuel oil volume for the Emergency Diesel Generator (EDG) Fuel Oil Day Tank. Conforming changes are also being made to the Bases for this SR 3.8.1.4 and this Bases change is also included in this submittal package for informational purposes.

Discussion The EDG fuel oil system provides an adequate supply of fuel to the EDGs to ensure they can perform their safety function for the required time period. TS SR 3.8.1.4 currently requires that the EDG Day Tank contains at least 120 gallons of fuel oil. Additionally, the acceptance criteria in the applicable surveillance procedures is 27.5 inches (120 gallons). However, related Duke calculations and the applicable test acceptance criteria sheet indicate 152 gallons is the minimum amount for the EDG Day Tank fuel oil. This discrepancy represents a non-conservative TS.

Within this LAR, Duke is proposing to correct this non-conservative situation. In the interim period, until this LAR is approved and implemented, Duke entered this matter into its corrective action program in order to evaluate concerns in regard to operability, reportability, and corrective actions. No operability or reportability concerns were identified since existing alarms and the automatic fuel transfer pump operation would occur prior to the tank level approaching either of the setpoints (i.e.,

152 gallons or 120 gallons). Therefore, prior to reaching 1

Attachment 3b Description Of Proposed Changes and Technical Justification levels below 152 gallons, the plant operators would be made aware of any drop in tank level and additions to the tank would be made as needed to maintain the level above 152 gallons. The deficiency in the acceptance criteria used in the applicable surveillance procedures has also been corrected.

The associated Bases for SR 3.8.1.4 is also being revised, since the investigation into this matter determined that it is also incorrect. The first Bases statement, "This SR provides verification that the level of fuel oil in the day tank is at or above the level at which fuel oil is automatically added.," is being revised since the current 27.5 inches (120 gallons) level is actually below the level at which fuel is automatically added at 43 inches (188 gallons) decreasing.

The discrepancy in the minimum fuel oil volume was identified during a recent engineering study. The apparent cause of this non-conservatism is a lack of communication concerning the difference in requirements between SR 3.8.1.4 and the calculated half hour supply of fuel needed to meet the McGuire design basis (UFSAR Sections 8.3.1.1.7 and 9.5.4) of 30 minutes run time for the EDG. The correct calculated value for the fuel oil supply was not communicated to Operations for inclusion in test acceptance criteria sheets or test procedures. The discrepancy between the 120 gallon requirement of SR 3.8.1.4 and the 152 gallon requirement contained in the Duke calculation is most likely explained by the upgrade of the EDG electrical output which occurred early in McGuire's history. The 120 gallon requirement is compatible with the EDGs initial load rating of 3500 kW. The EDGs have since been uprated and the calculated fuel oil is now based on the resultant higher fuel demand and the design basis 30-minute time requirement. However, there is no indication that the higher value was communicated to Operations for inclusion in test procedures. Since the discovery of this discrepancy, the Operations test procedures have been revised and now require an acceptance criterion of 160 gallons, which provides an additional allowance for instrument uncertainty.

2

Attachment 3b Description Of Proposed Changes and Technical Justification Applicable Regulatory Requirements/Criteria The proposed change to SR 3.8.1.4 is conservative in nature and has been evaluated by Duke and determined to have no adverse impact on the EDGs ability to fulfill their design basis function as required by 10 CFR 50, Appendix A, GDC-17.

Conclusion Based on the technical considerations and the regulatory requirements discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC's regulations, and (3) the approval of the proposed change will not be inimical to the common defense and security or to the health and safety of the public.

3

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information provides the Duke Energy Corporation (Duke)

McGuire-specific responses to NRC requests for information related to the proposed extensions in Completion Times (CT) contained in this license amendment request (LAR). This LAR is applicable to McGuire Nuclear Station, Units 1 and 2, Technical Specifications (TS) Nos. 3.8.1 and 3.8.9.

Background

WCAP-15622 (Ref. 1) was initially submitted to the NRC on June 15, 2001 (Ref. 2). This topical report included a PRA analysis for McGuire to use in justifying the proposed TS CT changes contained in this LAR (note that Ref. 23 transmitted a revised McGuire analysis results and this is now the analysis of record). This topical report is currently undergoing the NRC's review and approval process and the agency's approval and resultant safety evaluation report are expected in the near future. Thus far in its review process, the NRC has made several Requests for Additional Information (RAI)- see Ref. 21, Ref. 22, and Ref. 31. Some of the RAIs contained in Ref. 21 and Ref. 22 required licensees to provide plant-specific information within their LAR submittal packages (note that Ref. 31 did not require any additional plant-specific responses). The plant-specific information provided below for McGuire addresses the areas of concern expressed by the NRC in Ref.

21 and Ref. 22, and supplements the generic industry responses contained in Westinghouse Owners Group letters to the NRC dated November 27, 2002 (Ref. 23) and December 10, 2003 (Ref. 32). Duke's responses to the NRC requests for plant-specific information for McGuire Units 1 and 2 are provided herewith in Attachment 4. Each NRC RAI and the applicable reference document (Ref. 21 or Ref. 22) is stated, followed by the Duke response.

Duke Response to NRC RAI 2 (Ref. 21)

Statement of RAI 2: The NRC staff noted that WCAP-15622 review methodology does not include probabilistic risk assessment (PRA) quality criteria for the evaluation of AC 1

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information electrical power source completion times. Discuss PRA quality measures, including peer reviews, and how WCAP-15622 addressed individual plant PRA quality for the proposed plants and PRA quality guidance for subsequent plant specific submittals, including those plants not included in WCAP-15622.

Duke Response: The quality control of the PRA is addressed through Workplace Procedures. Procedures cover topics such as risk impact of nuclear plant modifications, changes to emergency and abnormal plant procedures, evaluation of operating experience events, PRA maintenance and update guidance including PRA error forms. The ability to process and track PRA issues was significantly enhanced following the Peer review at McGuire. Duke has been proactive in maintaining the quality of the McGuire PRA. A more detailed discussion of the PRA quality program can be found in Attachment 3 under the section titled PRA Quality.

Section 3.2 of the IPE which was transmitted to the NRC in Ref. 10, identified plant enhancements that were made as a result of the study. These included:

Improving the time frame for activation of the Standby Shutdown Facility (SSF) by plant Operators.

This action provides reactor coolant pump seal injection in the event of a loss of all AC power.

Consistent operator response through training was achieved. Additionally, high temperature seals were installed in the reactor coolant pumps.

Diesel generator reliability was enhanced via a site specific reliability project.

Peer review items related to the AC power system and their resolutions are listed in the table below. These have all been addressed in Revision 3 of the PRA which is the current version and the one used for the technical justification of the proposed changes. As stated in under Peer Review Process, none of the remaining open items has any impact on the AC power system or the proposed changes.

2

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information Fact and Observation Resolution Confirm that the transient event tree is (1) The ac power model has been revised sufficiently detailed to address all of the to include the impact of battery depletion necessary SBO modeling concerns: (1) with subsequent recovery of offsite maintenance of safe shutdown and restoration power. (2) The previous RCP seal LOCA of AC power after battery depletion, (2) model, based on WCAP-10541, rev. 2, sequences when offsite power (OSP) is has been replaced using the WOG2000 recovered while a seal LOCA is in progress, seal leakage model. The new McGuire but the core is still covered at the time of OSP model includes high seal leak rates prior recovery. to 90 min. as well as after 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months . If offsite power is recovered prior to core uncovery, then core damage may be averted. This is consistent with the new McGuire RCP seal LOCA model.

WCAP 10451, Rev 2 is the basis for seal For the McGuire PRA Rev. 3 update, the LOCA modeling in MPRA Rev2. There are new WOG2000 RCP seal leakage model three timing discrepancies in the use of this is used. The new McGuire model model. When they are taken together, the includes high seal leak rates prior to 90 effect is that only seal failures between 90 minutes as well as after 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months .

minutes and 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months are considered.

The team could not identify evidence of a McGuire system faults trees were systematic process used to identify and reviewed and new common cause failure include common cause failures (CCF) of modes were identified and quantified.

similar components. These events have been added to the calculation which contains the common cause analysis for the McGuire PRA Rev.

3 Update. New CCF events were added for the vital batteries, Emergency Diesel Generators, and 4 kV power, as well as for other systems.

Duke Response to NRC RAI 5 (Ref. 21)

Statement of RAI 5: Information Notice 97-02, "Availability of Alternate AC Power Source Designed for Station Blackout Event," addressed potential unavailability of alternate AC power sources and noted that the capability to start on demand depends on the unavailability of support systems that may require AC or DC power. Determine the 3

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information applicability of Information Notice 97-02 to WCAP-15622 review methodology and implemention guidelines.

Duke Response: This question should apply to Information Notice (IEN) 97-21, instead of 97-02 as stated. The alternate AC power source (AAC) at McGuire is the Standby Shutdown Facility (SSF). This facility has sufficient capacity and capability to operate the equipment necessary to maintain the plant in a hot standby condition for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Duke responded internally to IEN 97-21 on May 15, 1997 by means of its Operating Experience Program (OEDB No. 97-013666). It was concluded that the SSF at McGuire was not susceptible to the same kinds of failures described in IEN 97-21. No corrective actions were recommended for McGuire.

IEN 97-21 pertains to the potential unavailability of an AAC power source during a station blackout (SBO) event.

The main concern is the failure of the SBO Diesel Generator to start due to the loss of power to support systems. The SSF Diesel Generator (SSF DG) at McGuire is available within 10 minutes after recognition of an SBO event. The SSF DG at McGuire is designed to handle an SBO event.

Following an SBO, the SSF DG is manually started and connected to the 600 VAC SSF Power System load center bus.

This provides the system with its backup source of power.

The auxiliaries required to assure proper operation of the diesel generator are supplied with power from SSF Power System busses.

McGuire Operations training, procedures, and testing ensure that the SSF would be up and running within 10 minutes after an SBO event is recognized. Though the SSF support systems would be without power for up to 10 minutes, this is not long enough to affect the ability to get the SSF started and running. The plant operators should recognize the event almost immediately. The procedure actions to start the SSF occur right after immediate actions. It would only be a matter of seconds from the event occurrence until action is initiated to start the SSF.

4

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information McGuire utilizes the 250/125 VDC SSF Auxiliary Power System to provide the necessary power to ensure the AAC power sources operate in a SBO event. The 250/125 VDC SSF Auxiliary Power System consists of a 250/125 VDC distribution center, SDSP, 125 VDC batteries, three battery chargers, and two 125 VDC power panelboards. There are three sets of 125 VDC batteries. They are sized to supply emergency loads for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months without AC or loss of its associated battery charger. The battery chargers receive power from the 600 VAC SSF load center, 1SLXG.

When an SBO event occurs, the 600 VAC load center will be lost. The 125 VDC batteries will be used to supply the required DC loads until the SSF DG is manually started.

Once the SSF DG is operating and supplying power, the 600 VAC load center will be available and the battery chargers will be able to assume their normal loads.

In summary, IEN 97-21 does not apply since McGuire demonstrates that the plant operators are capable of starting the SSF DG (the AAC power source) within 10 minutes from recognition of an SBO event. The SSF DG is manually started from the SSF control room. Testing has demonstrated the ability of plant operators to start the SSF DG within 10 minutes from the recognition of an SBO event. Since McGuire's 125 VDC batteries are sized to supply emergency loads for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months without AC power, or the loss of its associated battery charger, the loss of power for 10 minutes would not deplete the batteries. Within a 10-minute timeframe, there would not be a problem with the SSF DG support systems being unavailable as described in IEN 97-21. Station emergency procedures covering the loss of all AC power require dispatching an operator to the SSF as soon as an SBO is recognized.

Duke Response to NRC RAI 6 (Ref. 21)

Statement of RAI 6: Provide the values for emergency diesel generator (EDG) reliability and unavailability used in the PRA calculations including SBO (include alternate AC source if applicable). Discuss these values in relationship to 5

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information the maintenance rule implementation goals and comparison to actual EDG performance and SBO commitments. Discuss the incorporation into WCAP-15622 implementation guidelines.

Duke Response: Section 8.2.1 of WCAP-15622 provides a discussion on how the maintenance unavailability (EDG maintenance outage time) is expected to be impacted with the CT extension. Ref. 23 provided the NRC the EDG data used in the PRA calculations as stated in the response to NRC RAI 8. Specifically, Table RAI 8-4 gives the EDG failure to start value as 3.9E-03/demand. The EDG failure to run value is 2.5E-03/hour. A discussion on how the maintenance unavailability (EDG maintenance outage time) is expected to be impacted by the CT extension is also provided in the RAI 8 response. With the 7-day CT, the yearly unavailability is expected to increase from 91 to 175 hours0.00203 days 0.0486 hours 2.893519e-4 weeks 6.65875e-5 months per year per EDG. This increase (84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months ) represents reaching 1/2 of the Maintenance Rule unavailability limit of 4% per reactor year.

Unavailability data for the EDG used in the PRA were transmitted to the NRC in Ref. 23 as part of the response to NRC RAI 13. These data formed the basis for the base case 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months CT and were based on actual EDG performance data. The maintenance unavailability for the EDG from these data, as used in the PRA, is 1.5E-02/yr.

Determination of the PRA impact of the increased CT on EDG unavailability, due to increased maintenance activities, was conducted in accordance with the implementation guidance of Appendix C of WCAP-15622 (Ref. 1) and is based on the increase of 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months noted above that is expected under the 7-day CT. For the 7-day CT, the maintenance unavailability for the EDG (adjusted by the plant capacity factor) is 2.2E-02/yr. Using the most recent 36-month data, the combined availability of the EDGs has been

99. 09%.

The AAC power source for McGuire is the SSF DG which is part of the Standby Shutdown System (SSS). The SSF DG is tracked for failures in a manner consistent for AAC power sources as defined by NUMARC 87-00, Appendix B (Ref. 24) with a target reliability of 0.95 as has been stated in a 6

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information previous Duke letter to the NRC (Ref. 25). The Maintenance Rule availability limit is 4%/cycle for the entire SSF of which the SSF DG is one part.

The SSF DG generator failure probability values used in the PRA analysis are based on actual plant data and are as follows: SSF DG fails to start 1.4E-02/demand, and SSF DG fails to run 3.lE-03/hour. The maintenance unavailability for the SSF DG is 2.8E-02/yr. Using the most recent data, the SSS has been available greater than 98.5% of the cycle.

Station Blackout (SBO) is defined as the complete loss of AC electric power to the essential and nonessential switchgear busses in a nuclear power plant unit (i.e., loss of offsite electric power system concurrent with turbine trip and unavailability of the onsite emergency AC power system). SBO does not include the loss of available AC power to busses fed by station batteries through inverters or by AAC power sources, nor does it assume a concurrent single failure or design basis accident. For McGuire, the SBO scenario assumes that both units experience a loss of offsite power (LOOP) and that one unit's EDGs completely fail to start. At least one EDG is assumed to start for the non-SBO unit.

As mentioned above, an AAC power source is provided at McGuire. The AAC is the SSF DG, which is the power source for the SSS. The SSF DG is available within 10 minutes from the recognition of an SBO event. The SSF DG is manually started from the SSF control room. Testing has demonstrated the ability of plant operators to start the SSF DG within 10 minutes from the recognition of an SBO event. This LAR will not affect the means to start the SSF DG within the required 10 minutes.

McGuire has been determined to be a 4-hour SBO coping duration plant. The SSF DG has sufficient capacity and capability to operate equipment necessary to maintain a safe shutdown condition for the 4-hour SBO event.

7

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information Following extension of the CT requested in this LAR, McGuire's SSF DG reliability will remain consistent with the requirements of NUMARC 87-00 (Ref. 24).

Duke Response to NRC RAI 7 (Ref. 21)

Statement of RAI 7: For plants that take credit for an alternate AC source, provide a discussion on the vulnerability of the alternate AC source to external events (including weather-related events) that could disable the alternate AC power source, the emergency AC power source, or the normal offsite power sources. Include common cause failure mechanisms between the normal electrical distribution system and the alternate AC source. Discuss the impact of external events on the availability of alternate sources of AC power (SBO diesels for example) with respect to WCAP-15622 and the included implementation guidelines. Provide a discussion as to the assumptions (qualification) and risk impact of the alternate AC source.

Duke Response: McGuire has an AAC power source available to achieve and maintain a hot standby condition following postulated fire and sabotage events. This is the SSF and it consists of a SSF DG and associated equipment which are parts of the SSS. The SSF provides an alternate means to cool the reactor coolant pump seals through the use of a standby makeup pump. It functions independently from onsite or offsite AC power. This equipment is covered under the Maintenance Rule.

The SSF DG is not safety related and consequently does not perform a support function in mitigating the consequences of design basis events. In accordance with 10 CFR 50, Appendix R (Ref. 27), the dedicated portions of the SSS are not designed to mitigate the consequences of design-basis accidents and need not be protected from the effects of floods, tornadoes, tornado missiles, or other environmental phenomena. No single point vulnerability exists whereby a likely weather-related event or single active failure could disable any portion of the onsite emergency AC power sources or the preferred power sources, and simultaneously 8

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information fail the ACC power source as documented in Duke internal design basis documentation applicable to McGuire.

Although the SSF Building is not classified as a Class I structure, it can be shown to be highly tornado resistant, judged to be much more so than the typical masonry block structure seen in residential and commercial buildings.

The original purpose for the SSF was for fire events and security events. To meet the design criteria for those events, the SSF is provided with numerous features as described in a previous Duke letter to the NRC (Ref. 33).

These features make the SSF Building an extremely rugged structure that exceeds typical industrial applications. To have a single incident that would disable all onsite safety related power sources, and simultaneously disable offsite power as well, is not considered a credible design event.

Response to NRC RAI 10 (Ref. 21)

Statement of RAI 10: For alternate AC sources credited in the analysis, confirm that the credited AC source meets the criteria set forth for SBO performance in industry and staff guidance (RG 1.155 and NUMARC 8700).

Duke Response: RG 1.155 (Ref. 28) describes a means acceptable to the NRC for meeting the requirements of 10 CFR 50.63 (Ref. 29). The NRC has determined that NUMARC 87-00 (Ref. 24) also provides guidance that is in large part identical to the RG guidance and is acceptable to the NRC for meeting these requirements. McGuire has been evaluated against the requirements of the SBO rule using guidance from NUMARC 87-00 (Ref. 24) except where RG 1.155 (Ref. 28) takes precedence. McGuire has had a previous SBO evaluation performed by a joint NRC/SAIC team headed by an NRC staff member. The final report of the evaluation was dated December 10, 1991 (Ref. 34) and the NRC's resultant safety evaluation report (SER) was dated February 19, 1992 (Ref. 35). McGuire meets the requirements of the SBO rule and the guidance of RG 1.155 (Ref. 28) with the exception discussed below. This exception was found to be acceptable 9

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information in the NRC/SAIC report (Ref. 34) and the NRC's SER (Ref.

35)-

McGuire takes exception to the NUMARC 87-00 (Ref. 24) guidance in that the AAC source, i.e., SSF DG, cannot be started from the Control Room. However, it has been demonstrated that the plant operators can start the SSF DG within 10 minutes from recognition of an SBO event, which satisfies the intent of NUMARC 87-00.

The NRC's original SER (Ref. 35) contained several recommendations for Duke to address. These recommendations were addressed and closed in a subsequent Duke submittal dated March 27, 1992 (Ref. 36) which was accepted by the NRC in a Supplemental SER dated June 16, 1992 (Ref. 37).

Duke Response to NRC RAI 11 (Ref. 21)

Statement of RAI 11: The proposed completion times are requested in part to facilitate on-line maintenance or at-power preventive maintenance. Although the frequency and duration of the completion time may be estimated with the resulting unavailability calculated, discuss the effects that additional testing at power might have on plant risk due to improper maintenance or additional testing required that would have previously been performed during shutdown and not directly related to the extended completion time itself. Studies have shown that restoration failures have the potential to initiate a second loss of power that is difficult to diagnose and recover when that restoration was not always performed in accordance with established procedures.

Duke Response: Following any EDG system work that requires a retest be performed to re-establish OPERABILITY, the monthly surveillance procedure is performed. This is the same procedure used to satisfy monthly testing required by TS SR 3.8.1.2 and TS SR 3.8.1.3. The tests consist of starting the EDG, synchronizing the generator to the 10

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information electrical grid, operating at 90% to 100% full load for an interval at least equal to 60 minutes, then proceeding through a normal shutdown, and disconnecting from the grid at low power operation. This procedure allows a slow or fast start to be performed, and based on the maintenance done on the engine, the appropriate start type will be chosen. Extending the CT interval will not alter the testing schedule or test method, as described above, for the EDG engines.

Based on the maintenance done to an engine, additional loading tests may be performed. This is typical if the control system is adjusted and it may include load acceptance or load rejection on the engine. This practice exists now, and is not expected to change based on an extension of the CT.

During maintenance on a EDG engine, the applicable administrative controls require tagout of equipment for personnel protection or equipment protection. Tagout and isolation of control power, starting air, and disconnection of the generator from the lE bus are the minimum requirements. Maintenance personnel verify these tags are placed and zero energy exists in the electrical circuits and the starting air system (to prevent inadvertent engine rolls). This practice is used for work on an engine during at-power preventive maintenance or shutdown maintenance.

Since the station's tagout program ensures the generator is disconnected from the electrical distribution system, any maintenance activity transients are isolated from the plant electrical distribution system. Also, since the testing that is performed following maintenance uses the same procedure as the monthly TS surveillance test, there are no additional transients introduced that could impact plant operation following maintenance that are not present during the monthly TS surveillance testing.

11

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information Duke Response to NRC RAI 17 (Ref. 21)

Statement of RAI 17: Discuss considerations to prohibit entry or termination of extended AOTs (maintenance) should external event conditions or warnings exist.

Duke Response: A risk assessment is performed using Oram-Sentinel and PRA modeling on all scheduled maintenance. A nuclear system directive (see the Attachment 3 Section on Tier 2 Assessment) for risk management was specifically written to address maintenance performed when either unit is in MODES 1 through 3. The directive contains administrative controls that apply to the risk considerations for work execution. Emergent conditions are addressed and a re-evaluation required for changes to the schedule, including changing plant configurations and external factors, such as weather and grid stability.

Challenges to the safety functions are identified by the risk assessment tool and other system/components are identified to provide the necessary defense in depth. An example of risk management actions would be, protecting redundant components and/or restoring the inoperable emergency diesel generator to an available status.

Planned diesel generator maintenance activities include mitigation strategies to protect other sources of power.

If planned activities are to exceed 50% of the CT, it will require Plant Operations Review Committee (PORC) approval.

Actions needed to assess configurations for maintenance include review of redundant components/systems and the appropriate means of protecting those when risk may be elevated. A more detailed write-up of the procedures in place to address this issue was provided to the NRC in the response to RAI 2.a in Ref. 32. Note that for McGuire, Duke is not crediting a reduced LOSP initiating frequency due to weather related restrictions.

Activities resulting in the EDG becoming unavailable meet the requirement for developing a complex or critical maintenance plan. A maintenance directive requires the 12

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information plan to clearly define termination criteria and contingency planning to address problems that may arise.

Emergent conditions may invalidate previously conducted risk assessments based on the original schedule. If significant changes occur to the schedule, site personnel will re-analyze the risk using ORAM-SENTINEL. Performance (or re-evaluation) of the assessment should not interfere with, or delay, the plant operators and/or maintenance technicians from taking timely actions to restore the equipment to service or take compensatory actions. If the emergent condition is not of a critical nature, the work shall be routed through the normal work scheduling process.

However, the emergent condition must be evaluated for ORAM-SENTINEL coding, if the component is unavailable.

Prior to the release of work for execution, Operations personnel must consider the effects of severe weather and grid instabilities on plant operations. This qualitative evaluation is inherent of the duties of the Work Control Center (WCC) Senior Reactor Operator. Response to actual plant risk during severe weather or grid instabilities is programmatically incorporated into applicable plant emergency and response procedures. Station procedures may also be credited for implementing additional requirements or compensatory actions when emergent (threatening) conditions for an external event exist (e.g., severe weather).

Internal events and external events are determined by Operations personnel and managed by emergency, abnormal or response procedures. The Response Procedure for Natural Disasters is implemented when certain conditions (tornado watch, tornado warning, high wind speeds) are observed on the site or notification from the National Weather Service, the Duke System Dispatcher, or local radio broadcast has been received that the condition is imminent or occurring.

The actions required by the response procedure include determination of the status of electrical power sources (including the EDGs) and taking any necessary actions to ensure their availability. It also requires notification of the WCC to take actions to expedite the restoration of 13

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information important plant systems and components (such as safety systems and electrical systems) which are out of service for maintenance or testing. Electrical grid stability is addressed by an Operations abnormal procedure for electrical grid disturbances.

Duke Response to NRC EP RAI 3 (Ref. 22)

Statement of EP RAI 3: The first bullet in Section 7.1 conveys that the likelihood of a transient occurring during the increased CT for an ac onsite electric power system has not been impacted and that some new activities may be performed on the diesel generators (DG) while at power.

Explain how and why these new activities will not affect or impact the likelihood of maintenance or test induced transients.

Duke Response: Following any EDG system work that requires a retest be performed to re-establish OPERABILITY, the monthly surveillance procedure is performed. This is the same procedure used to satisfy monthly testing required by TS SR 3.8.1.2 and TS SR 3.8.1.3. The tests consist of starting the EDG, synchronizing the generator to the electrical grid, operating at 90% to 100% full load for an interval at least equal to 60 minutes, then proceeding through a normal shutdown, and disconnecting from the grid at low power operation. This procedure allows a slow or fast start to be performed, and based on the maintenance done on the engine, the appropriate start type will be chosen. Extending the CT interval will not alter the testing schedule or test method, as described above, for the EDG engines.

Based on the maintenance done to the EDG system, additional loading tests may be performed. This is typical if the control system (i.e., governor control or voltage regulator controls) is adjusted, and it may include load acceptance or load rejection on the engine. The load acceptance and/or load rejection test would be performed first and the monthly surveillance would then be performed to declare the 14

Attachment 4 McGuire Specific Responses to NRC Requests for Additional Information EDG OPERABLE. This practice exists now, and is not expected to change based on an extension of the CT.

During maintenance activities on the EDGs, a complex plan is incorporated to assure that the maintenance activities are discussed between all groups involved in the activity.

McGuire has two completely independent trains of essential power. The EDG maintenance is performed on each train during its maintenance work. Therefore, the train that is operating the equipment important to plant operation is not affected. As mentioned above in the Duke response to NRC RAI 11, the EDG breaker is tagged out during maintenance activities to ensure transients could not impact plant operation. The follow-up testing would normally include the monthly surveillance test and load acceptance and load rejection testing which would be used during governor or voltage regulator control replacements or adjustments.

During these tests, all the protective relaying is available to ensure a transient does not affect other equipment. The train in service is protected at all times and maintenance on the opposite train would not affect the train in service. A risk assessment is completed to ensure that scheduled maintenance activities will not affect other equipment important to plant operation.

15

Attachment 5 List of Reference Documents provides a list of industry documents and Duke Energy Corporation (Duke) documents used as references in a license amendment request applicable to McGuire Nuclear Station, Units 1 and 2, Technical Specifications (TS) Nos.

3.8.1 and 3.8.9.

1. Westinghouse Electric Company Topical Report WCAP-15622, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, May 2001, as amended and supplemented by later WOG submittals identified by References 23 and 32.

2. Letter, R. Bryan (WOG), to the NRC Document Control Desk,

SUBJECT:

Transmittal of WCAP-15622, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, OG-01-039, Dated June 15, 2001.

3. Industry/Technical Specifications Task Force (TSTF)

Standard TS (STS) Traveler, TSTF-417, Rev. 0, AC Electrical Power System Completion Times (WCAP-15622).

4. Industry/Technical Specification Task Force (TSTF)

Standard TS (STS) Traveler, TSTF-283-A, Rev. 3, Modify Section 3.8 MODE Restriction Notes.

5. NRC Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis, July 1998.

6. NRC Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, August 1998.

7. Nuclear Safety Analysis Center, McGuire Unit 1 PRA Peer Review, May 27, 1983.

8. McGuire Nuclear Station Unit 1 Probabilistic Risk Assessment, Volumes 1-2, Duke Power Company, July 1984.

9. Generic Letter 88-20, Individual Plant Examination for Severe Accident Vulnerabilities, USNRC, November 1988.

1

Attachment 5 List of Reference Documents

10. Letter, Duke Power Company to Document Control Desk (USNRC),

SUBJECT:

McGuire Nuclear Station, Generic Letter 88-20, Dated November 4, 1991.

11. Letter, USNRC to Duke Power Company,

SUBJECT:

Staff Evaluation of the McGuire Nuclear Station, Units 1 and 2, Individual Plant Examination- Internal Events Only, Dated June 30, 1994.

12. Letter, Duke Power Company to Document Control Desk (USNRC),

SUBJECT:

McGuire Nuclear Station, Units 1 and 2, Individual Plant Examination of External Events (IPEEE) Submittal, Dated June 1, 1994.

13. Letter, USNRC to Duke Power Company,

SUBJECT:

REVIEW OF MCGUIRE NUCLEAR STATION, UNITS 1 AND 2 - INDIVIDUAL PLANT EXAMINATION OF EXTERNAL EVENTS SUBMITTAL, Dated February 16, 1999.

14. Letter, Duke Energy Corporation to Document Control Desk (USNRC),

SUBJECT:

McGuire Nuclear Station, 1997 Update of Probabilistic Risk Assessment, Dated March 19, 1998.

15. NEI-00-02, Probabilistic Risk Assessment (PRA) Peer Review Process Guideline, Nuclear Energy Institute, January 2000.

16. Standard For Probabilistic Risk Assessment For Nuclear Power Plant Applications, ASME RA-Sa-2003 (Addenda to ASME RA-S-2002), December 5, 2003.

17. 10 CFR 50.65(a)(4), Requirements for monitoring the effectiveness of maintenance at nuclear power plants.

18. NRC Regulatory Guide 1.182, Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants, May 2000.

19. NUMARC 93-01, Xndustry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, March 2000.

20. NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management, Dec. 1991.

2

Attachment 5 List of Reference Documents

21. Letter, D. Holland, USNRC to G. Bischoff, WOG,

SUBJECT:

Westinghouse Topical Report, WCAP-15622, Rev.

0, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times - Request for Additional Information (TAC No. MB2257).

22. Letter, D. Holland, USNRC, to G. Bischoff, WOG,

SUBJECT:

Westinghouse Topical Report, WCAP-15622, Rev.

0, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, Dated January 15, 2002.

23. Letter, R. H. Bryan, WOG, to the NRC Document Control Desk,

SUBJECT:

Transmittal of RAI Responses for WCAP-15622, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, (MUHP-3010),

Dated November 27, 2002.

24. NUMARC 87-00, Nuclear Management and Resources Council, Inc., Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors, November 1987.

25. Letter, H. B. Tucker, Duke Power Company, to NRC Document control Desk,

SUBJECT:

McGuire Nuclear Station, Units 1 and 2, Docket Nos. 50-369 and 50-370, 10 CFR 50.63, Requirements for Station Blackout.

26. NSAC-108, Nuclear Safety Analysis Center, The Reliability of Emergency Diesel Generators at U. S.

Nuclear Power Plants, Dated September 1986.

27. 10 CFR 50, Appendix R, Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979.

28. NRC Regulatory Guide 1.155, Station Blackout.

29. 10 CFR 50.63, Loss of all alternating current power.

30. NRC Safety Goal Policy Statement, Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement, Federal Register, Volume 60, p.

42622, August 18, 1995.

3

Attachment 5 List of Reference Documents

31. Letter, D. Holland, USNRC to G. Bischoff, WOG,

SUBJECT:

Request for Additional Information Regarding WCAP-15622, Revision 0, Risk-Informed Evaluation of Extensions to AC Electrical Power System Completion Times, Dated July 22, 2003, (TAC No. MB2257).

32. Letter, F. P. Schiffley, II, WOG, to USNRC, Document Control Desk,

SUBJECT:

Response to Request for Additional Information - WCAP-15622-NP, Rev. 0, Risk-Informed Evaluation of Extension to AC Electrical Power System Completion Times, Dated December 10, 2003.

33. Letter, Duke Power Company to NRC Document Control Desk,

SUBJECT:

McGuire Nuclear Station, Docket Nos.

50-369 and 50-370, Request for Additional Information Individual Plant Examinations for External Events, Dated November 17, 1995.

34. SAIC-91/1265, Technical Evaluation Report, McGuire Nuclear Station, Station Blackout Evaluation, TAC Nos.

68564 and 68565, Final, Dated December 10, 1991.

35. Letter, T. A. Reed, USNRC to T. C. McMeekin, Duke Power Company,

SUBJECT:

Safety Evaluation for Station Blackout (10 CFR 50.63) - McGuire Nuclear Station, Units 1 and 2 (TACS M68564/M68565).

36. Letter, Duke Power Company to NRC Document Control Desk,

SUBJECT:

McGuire Nuclear Station, Docket Nos.

50-369 and 50-370, Station Blackout (SBO) (10CFR 50.63) Response to NRC Recommendations, Dated March 27, 1992 (TACS M8564/M8565).

37. Letter, T. A. Reed, USNRC to T. C. McMeekin, Duke Power Company,

SUBJECT:

Supplemental Safety Evaluation for Station Blackout (10 CFR 50.63) McGuire Nuclear Station 1 and 2 (TACS M68564/M68565).

4

Attachment 6 No Significant Hazards Consideration Determination The following discussion is a summary of the evaluation of the changes contained in this license amendment request against the three standards of 10 CFR 50.92(c). A determination of no significant hazards consideration is concluded if operation of the facility in accordance with this license amendment satisfies the three standards.

First Standard Will implementation of the changes proposed in this .license amendment request involve a significant increase in the probability or consequences of an accident previously evaluated?

No. The changes proposed in this license amendment request increase the Technical Specifications Completion Times for the emergency diesel generators and electrical power and distribution systems. Increasing these Completion Times will not cause a significant increase in the probability or consequences of an accident which has been previously evaluated. This license amendment request is supported by an extensive risk-informed study performed by the nucl ar industry and documented in a topical report and Technical Specifications Task Force travelers that have been submitted for NRC review and approval. Within this study, the risk impacts of increasing the Completion Times were calculated and compared against the acceptability guidelines contained in the applicable regulatory guides and found to be acceptable. The emergency diesel generators and electrical power and distribution systems and equipment affected by this license amendment request will remain highly reliable.

Thus there will be no significant increase in the probability or consequences of an accident which has been previously evaluated.

The proposed changes that modify Surveillance Requirement notes are consistent with an NRC-approved industry initiative. Implementation of these changes will require that the plant's risk be managed. Thus there will be no significant increase in the probability or consequences of an accident which has been previously evaluated.

1

Attachment 6 No Significant Hazards Consideration Determination The proposed change that corrects the non-conservative Surveillance Requirement only increases a Technical Specifications parameter value in the conservative direction. Thus this change will not contribute to any increase in the probability or consequences of an accident which has been previously evaluated.

Second Standard Will implementation of the changes proposed in this license amendment request create the possibility of a new or different kind of accident from any accident previously evaluated?

No. The proposed changes would create no new accidents since no changes are being made that introduce any new accident casual mechanisms. The deterministic evaluation that supports this license amendment request consisted of a review of plant systems and safety functions impacted by entry into the expanded Completion Times, the performance of testing in previously prohibited operating modes, or increasing a Technical Specification mandated parameter in the conservative direction. The emergency diesel generators and electrical power and distribution systems were quantitatively and qualitatively assessed. It was determined that no new accidents or transients would be introduced by the proposed changes.

Third Standard Will implementation of the changes proposed in this license amendment request involve a significant reduction in a margin of safety?

No. The impact of the proposed changes on the safety margins was considered in the deterministic evaluations that support this license amendment request. Extending the Completion Times, performing testing activities to confirm operability, or conservatively increasing a Technical Specification controlled parameter does not adversely impact any assumptions or inputs in the transient analyses contained in the McGuire Updated Final Safety Analysis Report (UFSAR). The proposed changes have no negative impact upon the ability of the fission product barriers 2

Attachment 6 No Significant Hazards Consideration Determination (fuel cladding, the reactor coolant system, and the containment system) to perform their design functions during and following an accident situation. Additionally, the proposed changes have no adverse impact on setpoints or limits established or assumed within the UFSAR.

Conclusion Based upon the preceding discussion, Duke Energy Corporation has concluded that this license amendment request does not involve a significant hazards consideration.

3

Attachment 7 Environmental Assessment/Impact Statement The proposed license amendment request has been reviewed against the criteria of 10CFR51.22 for environmental considerations.

The proposed amendment does not involve a significant hazards consideration (see Attachment 6), nor increase the types and amounts of effluents that may be released offsite, nor increase individual or cumulative occupational radiation exposures.

Therefore, the proposed amendment meets the criteria given in 10 CFR 51.22(c)(9) for a categorical exclusion from the requirement for performing an Environmental Assessment/Impact Statement.

1

ML042930781

Contents

Text

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

Background

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

Navigation menu

ML042930781

Text

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

Background

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

SUBJECT:

Navigation menu

Search