RC-15-0171, License Amendment Request - LAR-15-01424, Implementation of WCAP-15376-P-A, Revision 1 - Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times.


License Amendment Request - LAR-15-01424, Implementation of WCAP-15376-P-A, Revision 1 - Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times.
ML15356A048
Person / Time
Site: Summer South Carolina Electric & Gas Company
Issue date: 12/16/2015
From: Gatlin T
South Carolina Electric & Gas Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LAR-15-01424, RC-15-0171, WCAP-15376-P-A, Rev. 1


Text

Thomas D. Gatlin
Vice President, Nuclear Operations
803.345.4342

A SCANA COMPANY

December 16, 2015

ATTN: Document Control Desk
RC-15-0171
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject:

VIRGIL C. SUMMER NUCLEAR STATION, UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 LICENSE AMENDMENT REQUEST - LAR-15-01424 IMPLEMENTATION OF WCAP-15376-P-A, REVISION 1 - "RISK-INFORMED ASSESSMENT OF THE RTS AND ESFAS SURVEILLANCE TEST INTERVALS AND REACTOR TRIP BREAKER TEST AND COMPLETION TIMES"

Dear Sir / Madam:

Pursuant to 10 CFR 50.90, South Carolina Electric & Gas Company (SCE&G), acting for itself and as agent for South Carolina Public Service Authority, hereby requests an amendment to the Virgil C. Summer Nuclear Station (VCSNS) Technical Specifications (TS).

The proposed changes will revise TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to implement the Allowed Outage Time, Bypass Test Time, and Surveillance Frequency changes approved by the NRC in WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated March 2003. The proposed changes in this license amendment request are consistent with the NRC approved Technical Specification Task Force (TSTF) Improved Standard Technical Specification Change Traveler TSTF-411, Rev. 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)." These changes will also result in a revision to the TS Bases for 3/4.3.1 and 3/4.3.2, "Reactor Trip and Engineered Safety Feature Actuation System Instrumentation."

Information contained herein provides the No Significant Hazards Determination. Attachment 1 provides the TS pages marked up with the proposed changes. Attachment 2 provides the retyped TS pages. Attachment 3 provides a mark-up of the TS Bases while Attachment 4 provides the retyped TS Bases. Attachment 5 provides the analysis of WCAP-15376-P to VCSNS. Attachment 6 contains a commitment for VCSNS to trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A for two years.

The VCSNS Plant Safety Review Committee and the Nuclear Safety Review Committee have reviewed and approved the proposed changes. SCE&G is notifying the State of South Carolina of this LAR by transmitting a copy of this letter and enclosure to the designated State Official in accordance with 10 CFR 50.91(b).

SCE&G requests approval of the proposed amendment within 12 months of submittal in accordance with the NRC goal for review of license amendment requests. Once approved, the amendment shall be implemented within 60 days.

V. C. Summer Nuclear Station • P.O. Box 88 • Jenkinsville, SC 29065 • F (803) 941-9776

Document Control Desk LAR 15-01424 RC-15-0171 Page 2 of 2

There are no other TS changes in process that will affect or be affected by this change request.

There are no significant changes to any FSAR or FPER sections.

If you have any questions or require additional information, please contact Bruce L. Thompson at (803) 931-5042.

I certify under penalty of perjury that the foregoing is correct and true.

12 1 29/5 Executed on Thomas D. Gatlin TS/TDG/wm

Enclosure:

Evaluation of Proposed Changes
Attachment 1: Proposed Technical Specification Changes - Mark-up
Attachment 2: Proposed Technical Specification Changes - Retyped
Attachment 3: Proposed Technical Specification Bases - Mark-up
Attachment 4: Proposed Technical Specification Bases - Retyped
Attachment 5: WCAP-15376-P Applicability Analysis
Attachment 6: List of Regulatory Commitments

c:
K. B. Marsh
S. A. Byrne
J. B. Archie
N. S. Camns
J. H. Hamilton
J. W. Williams
W. M. Cherry
L. D. Werts
S. A. Williams
NRC Resident Inspector
K. M. Sutton
S. E. Jenkins
P. Ledbetter
NSRC
RTS (CR-15-01424)

File (813.20)

PRSF (RC-15-0171)

Document Control Desk Enclosure LAR 15-01424 RC-15-0171 Page 1 of 24

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ENCLOSURE EVALUATION OF PROPOSED CHANGES


Subject:

LICENSE AMENDMENT REQUEST - LAR 15-01424 TECHNICAL SPECIFICATIONS 3/4.3.1 and 3/4.3.2 AND ASSOCIATED BASES

1.0 DESCRIPTION

South Carolina Electric & Gas Company (SCE&G) requests an amendment to revise the Virgil C. Summer Nuclear Station (VCSNS) Technical Specifications (TS) TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to implement the Allowed Outage Time (AOT), Surveillance Frequency, and Bypass Test Time changes approved by the NRC in WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." The proposed changes in this license amendment request (LAR) are based on the NRC approved Technical Specification Task Force (TSTF) Improved Standard Technical Specification Change Traveler TSTF-411, Rev. 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)." Deviations from TSTF-411 are discussed later in this Enclosure. The proposed changes will also result in a revision to the Bases for 3/4.3.1 and 3/4.3.2, "Reactor Trip and Engineered Safety Feature Actuation System Instrumentation." The proposed changes build upon the previous implementation of TSTF-418, Rev. 2, "RPS and ESFAS TEST Times (WCAP-14333)," as approved by NRC on October 24, 2006 (Reference 1 - ML062430684).

The NUREG-0452 (Reference 2) TS AOT acronym (used for the VCSNS TS) and the term "Completion Time," which is utilized in NUREG-1431 (Reference 3), are synonymous. Also note that for the surveillances performed on a Staggered Test Basis, the frequency of performance in the proposed VCSNS TS will be different, but equivalent to those given in TSTF-411 due to the difference in the definition in Staggered Test Basis between the VCSNS TSs and NUREG-1431 Improved TS (ITS). This difference is shown below:

VCSNS TSs -

1.32 A STAGGERED TEST BASIS shall consist of:

a. A test schedule for n systems, subsystems, trains or other designated components obtained by dividing the specified test interval into n equal subintervals,
b. The testing of one system, subsystem, train or other designated component at the beginning of each subinterval.

ITS TSs -

STAGGERED TEST BASIS A STAGGERED TEST BASIS shall consist of the testing of one of the systems, subsystems, channels, or other designated components during the interval specified by the Surveillance Frequency, so that all systems, subsystems, channels, or other designated components are tested during n Surveillance Frequency intervals, where n is the total number of systems, subsystems, channels, or other designated components in the associated function.

The net difference between the two Staggered Test Basis definitions stated above results in the VCSNS TS stating the total time to survey all the systems, subsystems, channels, or other designated components in the associated function and the NUREG-1431 TS using the shorter time that is equivalent to the total time divided by the number of systems, subsystems, channels, or other designated components in the associated function. The different definition of Staggered Test Basis is based on the difference between TSs based on NUREG-0452 and TSs based on NUREG-1431.

2.0 PROPOSED CHANGE

Changes to Technical Specifications 3/4.3.1 and 3/4.3.2 are proposed as justified in WCAP-15376-P-A, Rev. 1. In general, the Reactor Trip Breaker bypass test time is relaxed from 2 hours to 4 hours, the AOT from 1 hour to 24 hours, and the Surveillance Frequency from 2 months to 4 months in Technical Specification 3/4.3.1. The Surveillance Frequencies for the Logic Cabinet are relaxed from 2 months to 6 months; the Master Relays are relaxed from 2 months to 6 months; and the Analog Channels from 3 months to 6 months in both Technical Specifications 3/4.3.1 and 3/4.3.2. Some changes contained in TSTF-411 have not been proposed in this license amendment request as a partial conversion to the ITS would be required to facilitate the changes. The TSTF-411 changes that are not proposed in this license amendment request are discussed below, following the list of proposed changes.

Specifically, the proposed changes would revise the following:

2.1 TS 3/4.3.1, Table 3.3-1 - Action 8 - The proposed change for the AOT is from 1 hour to 24 hours. In addition, the Reactor Trip Breaker bypass test time is relaxed from 2 hours to 4 hours. Also, due to the extension of the 1 hour AOT to 24 hours and the time allowed to bypass one channel being extended from 2 hours to 4 hours, the last provisions of Action 8 allowing additional time for maintenance and an extended bypass time have been deleted.

2.2 TS 3/4.3.1, Table 4.3-1 - Analog Channel Operational Test (ACOT) - The proposed change to the ACOT is from Quarterly (92 days) to Semi-Annually (184 days) for the following functions in Table 4.3-1 of the VCSNS TSs: 2 (High Setpoint only), 3, 7, 8, 9, 10, 11, 12, 13, and 14 (see Attachment 1 TS mark-up for the title of each Function). The ACOT frequency is changed to 184 days for the following functions in Table 4.3-1 of the VCSNS TSs: 2 (Low Setpoint only), 5, and 6 by the addition of Notes 16, 17, and 18. Trip Actuating Device Operational Test (TADOT) - The proposed change to the TADOT is from Quarterly to Semi-Annually for the following functions in Table 4.3-1 of the VCSNS TSs: 15 and 16.

2.3 TS 3/4.3.1, Table 4.3-1 - TADOT - The proposed change to the TADOT for the Reactor Trip Breaker (Function 20) is from Monthly (62 days on a Staggered Test Basis) to every 2 months (124 days on a Staggered Test Basis) as shown in revised Note 7. Note that because of the difference in the Staggered Test Basis definition (discussed above), the number of days used for the VCSNS surveillance frequency is larger than the number used in the TSTF-411 surveillance frequency.

2.4 TS 3/4.3.1, Table 4.3-1 - TADOT - The proposed change to the TADOT for the Reactor Trip Bypass Breaker (Function 22) is from Monthly (62 days on a Staggered Test Basis) to every 2 months (124 days on a Staggered Test Basis) as shown in revised Note 7 (62 days to 124 days), which is being inserted into the TADOT column. Note that this change is different than what is shown in the markups for TSTF-411. This change is necessary because TSTF-411 does not provide a change to the Reactor Trip Bypass Breaker as the Bypass Breaker is treated as a part of the Reactor Trip Breaker function in the standard TS in NUREG-1431 and has the same surveillance frequency assigned. In the VCSNS TS the Reactor Trip Breakers and the Reactor Trip Bypass Breakers are separate Functions consistent with the standard TS in NUREG-0452. In the VCSNS TS, the two separate Functions are assigned the same frequency specified in Note 7 to be consistent with the change for the corresponding NUREG-1431 Reactor Trip Breaker Function in TSTF-411. Thus, both the VCSNS Reactor Trip Breakers and Reactor Trip Bypass Breakers will be tested at the same surveillance frequency consistent with NUREG-1431 and TSTF-411.

2.5 TS 3/4.3.1, Table 4.3-1 - Actuation Logic Test (ALT) - The proposed change to the ALT for the Automatic Trip Logic (Function 21) is from Monthly to Quarterly on a Staggered Test Basis as specified in new Note 15 (184 days).

2.6 TS 3/4.3.2, Table 4.3-2 - ACOT - The proposed change to the ACOT is from Quarterly to Semi-Annually for the following functions in Table 4.3-2 of the VCSNS TSs: 1.c, 1.d, 1.e, 1.f, 2.c, 3.b.2, 4.c, 4.d, 4.e, 5.a, 6.c, 6.h, 8.a, 9.a, and 9.b (see Attachment 1 TS mark-up for the title of each Function).

2.7 TS 3/4.3.2, Table 4.3-2 - ALT - The proposed change to the ALT is from Monthly to Quarterly on a Staggered Test Basis as shown in the revised Note 1 (62 days to 184 days) for the following functions in Table 4.3-2 of the VCSNS TSs: 1.b, 2.b, 3.a.3, 3.b.1, 3.c.1, 4.b, 5.b, 6.b, and 8.b (see Attachment 1 TS mark-up for the title of each function).

2.8 TS 3/4.3.2, Table 4.3-2 - Master Relay Test - The proposed change to the Master Relay Test is from Monthly to Quarterly on a Staggered Test Basis as shown in the revised Note 1 (62 days to 184 days) for the following functions in Table 4.3-2 of the VCSNS TSs: 1.b, 2.b, 3.a.3, 3.b.1, 3.c.1, 4.b, 5.b, 6.b, and 8.b (see Attachment 1 TS mark-up for the title of each function).

TSTF-411 Changes not incorporated into the VCSNS TS

In addition, there are changes to the TSs provided in TSTF-411 that are not in this proposed amendment either because the format and requirements of the VCSNS TSs do not facilitate the change without a partial conversion to the NUREG-1431 ITS format and requirements or the function does not exist in the VCSNS TSs.

Specifically, for the following functions, the Surveillance Frequency was not proposed to be changed due to the significant differences in the current VCSNS licensing basis requirements and TS format which are based on the NUREG-0452 Table style TS surveillances and the newer NUREG-1431 text based surveillance descriptions and requirements:

  • TS 3/4.3.1, Table 4.3-1 - TADOT for the following RTS Function:

Manual Reactor Trip (Function 1). The current VCSNS TSs require this Function to have a TADOT performed once per Refueling. This TADOT is also required to independently verify the undervoltage and shunt trip circuits' Operability. The current licensing basis frequency has proven adequate to ensure this Function performs as designed. Therefore, the TSTF-411 change to a TADOT once every 62 days on a Staggered Test Basis (ITS) is not being incorporated into the VCSNS TSs at this time; and


  • TS 3/4.3.1, Table 4.3-1 - ALT for the following RTS Function:

Reactor Trip System Interlocks - P-7 (Function 19.B). The current VCSNS TSs require this Function to have a Channel Calibration and ACOT performed once per Refueling. The current licensing basis frequency has proven adequate to ensure this Function performs as designed. Therefore, the TSTF-411 change to an ALT once every 92 days on a Staggered Test Basis (ITS) is not being incorporated into the VCSNS TSs at this time.

Surveillance Frequency changes not proposed from TSTF-411 as a result of the function and/or surveillance not being a part of the VCSNS TSs are as follows:

  • ALT and Master Relay Test for the Control Room Emergency Filtration System - ESFAS
  • COT for the Boron Dilution Protection System - ESFAS
  • COT for the Steam Line Isolation on Steam Line Pressure Negative Rate - High ESFAS function
  • COT for the Automatic Switchover to Containment Sump on RWST Level - Low - Low Coincident with Safety Injection and Containment Sump Level - High ESFAS function

3.0 BACKGROUND

WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," provides the justification for the following changes to the Improved Standard Technical Specifications for the Reactor Trip System (RTS) Instrumentation (3.3.1) and Engineered Safety Features Actuation System (ESFAS) Instrumentation (3.3.2):
1. Increase the Completion Time and the bypass test time for the reactor trip breakers.
2. Increase the Surveillance Test Intervals (STI) for the reactor trip breakers, master relays, logic cabinets, and analog channels.

WCAP-15376-P considers both the Solid State Protection System and the Relay Protection System. For VCSNS, the Protection System is Solid State. Also, the actuation logic and master relays associated with the Containment Purge and Exhaust Isolation Instrumentation are processed through the Solid State Protection System. Since the STIs for the actuation logic and master relays of the ESFAS Instrumentation were justified to be relaxed in WCAP-15376-P, these STI relaxations are also applicable to the actuation logic and master relays for all signals processed through the Solid State Protection System.

4.0 TECHNICAL ANALYSIS

WCAP-15376-P-A, Rev. 1, provides the technical justification for extending the STIs for components of the Reactor Protection System. The components specifically included are the analog channels, logic cabinets, master relays, and reactor trip breakers. This WCAP also provides the technical justification for extending the reactor trip breaker (RTB) Completion Time (allowed outage time) for one RTB inoperable to 24 hours and the bypass time for a RTB to 4 hours. The last portion of Action 8 is deleted (similar to the Note on Condition 0 of the ITS mark-up in TSTF-411) based on the 24 hours allowed to restore the train to OPERABLE status, which would allow for maintenance on the undervoltage or shunt trip mechanism. The 24 hours would also apply for parallel testing of the Automatic Trip Logic. This Completion Time and bypass time are consistent with the Completion Time and bypass time for the logic cabinets.

The WCAP-15376-P evaluation considers both the Solid State Protection System and the Relay Protection Systems. Extension of the STIs for slave relays is not included in WCAP-15376-P assessment, since they were previously addressed in other WOG programs. The plant protection system design of the actuation logic and master relays associated with the Containment Purge and Exhaust Isolation Instrumentation ESFAS Technical Specifications are processed through the Solid State Protection System. Since the STIs for the actuation logic and master relays of the ESFAS Instrumentation were justified to be relaxed in WCAP-15376-P, these STI relaxations are also applicable to the actuation logic and master relays for all signals processed through the Solid State Protection System.

The approach used in WCAP-15376-P-A is consistent with the Nuclear Regulatory Commission's (NRC) approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the current licensing basis as presented in Regulatory Guides 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," and 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-making: Technical Specifications." The approach addresses, as documented in WCAP-15376-P, the impact on defense-in-depth and the impact on safety margins, as well as an evaluation of the impact on risk. The risk evaluation considered the three-tiered approach as presented by the NRC in Regulatory Guide 1.177 for the extension to the RTB Completion Time. Tier 1, PRA Capability and Insights, assesses the impact of the proposed Completion Time (AOT) change on core damage frequency (CDF), incremental conditional core damage probability (ICCDP), large early release frequency (LERF), and incremental conditional large early release probability (ICLERP). Tier 2, Avoidance of Risk-Significant Plant Configurations, considers potential risk-significant plant operating configurations. Tier 3, Risk-Informed Plant Configuration Control and Management, is addressed when the Technical Specification Completion Time change is implemented.

The Westinghouse Owners Group (WOG - now called PWROG) evaluated these changes as part of an overall program addressing Technical Specification improvements for the Reactor Protection System (RPS), which includes reactor trip signals and engineered safety features actuation signals. The initial studies (References 3, 4, 5, 6 of WCAP-15376-P) evaluated changes to AOTs, bypass time, and STIs to the analog channels, logic cabinets, master relays, slave relays, and reactor trip breakers of the RPS. The approved changes to these parameters are summarized in Table 1.1 of WCAP-15376-P for the Solid State Protection System.

The changes considered in WCAP-15376-P were evaluated consistent with the three-tiered approach currently defined in Regulatory Guide 1.177. The first tier addresses PRA insights and includes the risk and sensitivity analyses to support the Allowed Outage Time and bypass test time changes. The second tier addresses avoidance of risk-significant plant configurations. The third tier addresses risk-informed plant configuration control and management. In order to model the AOTs, bypass test times, and surveillance frequencies in the fault trees used to determine the impact of the changes on signal unavailability, an understanding of the approach to test and maintenance for these components is necessary. This is discussed in Section 7.2 of WCAP-15376-P-A, Rev. 1.

The following Tier 1, Tier 2, and Tier 3 discussions are associated with WCAP-15376-P-A, Rev. 1:

4.1 Tier 1: PRA Capability and Insights

The risk analysis results for WCAP-15376-P are discussed in Section 8.4 of the WCAP. Comparisons are presented in Tables 8.29 (ΔCDF) and 8.32 (ΔLERF) to a base case, which represents the changes previously approved in WCAP-14333. These values are summarized in Table 1. Note that VCSNS uses predominately 2-out-of-3 (2/3) logic. In response to an NRC request for an additional information letter, RAI Questions 4 and 11 in WOG letter OG-02-002 (Reference 4), the WOG provided the ICCDP and ICLERP for the requested Completion Time change (24 hour Completion Time plus 6 hours to reach MODE 3, for a total of 30 hours) for a RTB in preventive maintenance (PM) or in corrective maintenance (CM), with the associated logic train inoperable, for the bounding 2/3 logic. Since these incremental risk metrics are met for a 30-hour maintenance time, they will also be met for a 4-hour bypass test time.

Table 1: Combined Risk Metric Results

Risk Metric | Acceptance Criterion | Change from WCAP-14333 to WCAP-15376-P
ΔCDF | < 1E-06 per year | 2/4 logic: 8.0E-07; 2/3 logic: 8.5E-07
ICCDP | < 5E-07 | RTB in PM = 3.2E-07*; RTB in CM = 3.2E-07*
ΔLERF | < 1E-07 per year | 2/4 logic: 3.1E-08; 2/3 logic: 5.7E-08
ICLERP | < 5E-08 | RTB in PM = 2.4E-08*; RTB in CM = 2.4E-08*

* - The ICCDP and ICLERP values are provided only for a 2/3 logic, however the results bound a 2/4 logic.

The acceptance criteria defined in Regulatory Guide 1.177 for these incremental risk metrics are satisfied. The ΔCDF and ΔLERF acceptance criteria are satisfied for the changes included in WCAP-15376-P.

The VCSNS CDF for internal and external events is 7.27E-05/year and LERF for internal and external events is 4.96E-07/year. These values are consistent with the guidelines in Regulatory Guide 1.174 that allows small increases in CDF and LERF. Per this Regulatory Guide, for a total CDF of 1E-04/year, changes to CDF of 1E-06/year are acceptable and for a total LERF of 1E-05/year, changes to LERF of 1E-07/year are acceptable. The calculated increase in CDF for the changes in WCAP-15376-P, as provided in Table 1, is 8.0E-07/year for plants with predominately a 2/4 logic and 8.5E-07/year for plants with predominately a 2/3 logic. The calculated increase in LERF due to the changes in WCAP-15376-P, as provided in Table 1, is 3.1E-08/year for plants with predominately a 2/4 logic and 5.7E-08/year for plants with predominately a 2/3 logic. VCSNS uses predominately 2/3 logic.

Therefore, it is concluded that implementing the Technical Specification changes justified in WCAP-15376-P will have an impact on CDF of less than 1.0E-06/year and on LERF of less than 1.0E-07/year, which meets the guidance in Regulatory Guide 1.174.

External Events

This section addresses the impact on CDF and LERF related to the events not included in the WCAP-15376-P-A, Rev. 1 analysis. This includes fire events, seismic events, and other external events.

Seismic Events

The seismic events of interest are those that cause a loss of offsite power (LOOP) and small Loss of Coolant Accident (LOCA) events. Large seismic events will cause larger LOCAs, secondary side breaks, failure of support systems, etc. and also adversely impact the systems required for mitigation, including the reactor protection system. Therefore, small changes to the availability of signals have no impact on seismic plant risk for these larger seismic events.

Reactor trip signals are not important to seismic events since a LOOP occurs, which interrupts power to the motor-generator sets causing the control rod drive mechanisms to release the control rods. ESFAS signals are required for the possible LOOP and small LOCA events. For LOOP events, the signals are required to start emergency feedwater (EFW). For small LOCA events, a safety injection signal is required. These signals are backed-up by operator actions for EFW and SI actuation, and Anticipated Transient Without Scram (ATWS) mitigation system actuation circuitry (AMSAC) for EFW actuation.

The seismic event CDF impact is less than 1E-10/year. If it is conservatively assumed that this results in a large early release, then both the CDF and LERF impacts are very small. More detailed information on the seismic event evaluation is provided in Attachment 5, Section 3.3.1.

Fire Events

The fire assessment is based, in part, on the VCSNS fire PRA and considers ignition frequencies for the various building compartments. These compartment frequencies are summed for each building and binned according to the number of available ESFAS trains; one or two. Fires in some buildings will not impact the RPS or power to the RPS so two trains of signals will be available. It is conservatively assumed that fires in buildings with electrical components or cable routing could impact the RPS, therefore only one train of signals is conservatively assumed to be available.

Fire events result in plant transient events and LOOP events with partial loss of mitigation equipment and a plant shutdown is necessary. These events require a reactor trip and decay heat removal for mitigation. Automatic reactor trip signals and ESFAS, and manual backup signals are available to initiate these protective functions.

The fire event CDF impact is a small reduction in CDF. Given the CDF impact is a small reduction, then LERF impact will also be a small reduction. More detailed information on the fire event evaluation is provided in Attachment 5, Section 3.3.2.

Other External Events

Consideration was given to the impact of the proposed changes on the CDF and LERF from other external events; high winds, external flooding, transportation and nearby facility accidents. It was concluded that the proposed changes have no impact on CDF or LERF from these events.

Therefore, it is concluded that the small increases in the signal unavailability proposed by the Technical Specification changes justified in WCAP-15376-P will have a very small impact on the external event CDF and will not impact the acceptability of the Technical Specification changes.

Reactor Trip Breaker Test Configuration: WCAP-15376-P Model vs. VCSNS Approach

WCAP-15376-P, Section 8.3.2.2 states "Testing of the reactor trip breakers prohibits actuation of the breaker in test. The bypass breaker corresponding to the affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train."

Section 3.1.3 of the NRC's Safety Evaluation for WCAP-15376-P states "The model assumed one RTB was out-of-service with the associated bypass breaker available. The operable RTB and the in-service bypass breaker provide the reactor trip. In this arrangement, both breakers are controlled by the logic cabinet associated with the operable breaker."

This means that when a reactor trip breaker (RTB) train, RTB train A for example, is tested, this test configuration results in actuation logic train B controlling the RTB in train B and the reactor trip bypass breaker (RTBB) in train A, either of which will trip the reactor. This reactor trip breaker test configuration was modeled in the PRA analysis supporting the bypass test time and surveillance frequency changes that were justified in WCAP-15376-P. This approach to RTB testing assumes that the RTB train being tested is removed from service or in the open position during the test.

At VCSNS, the RTB under test can be in the open or closed position during this test. It is necessary to have the RTB closed in order to verify that the RTB opens when testing the RTB actuation devices. This period of time is estimated to be 1.5 hours per surveillance test and is not expected to change with the proposed change in the RTB bypass test time change to 4 hours.

Note that in this configuration, when the RTB being tested is closed, the associated RTBB will open upon receiving a reactor trip signal; however, for the short period of time associated with the RTB in test and closed, the protection train associated with the RTB being tested will not provide a reactor trip. However, the other protection train, that is not being tested, will provide the reactor trip function as required.

In either test configuration, the RTB unavailability associated with the RTB bypass test remains the same as shown in the following:

Prior to implementing the changes in WCAP-15376-P the following applies.

  • RTB bypass test time = 2 hours
  • Surveillance frequency = 2 months
  • Yearly RTB test unavailability = 2 hours x 6 surveillances per year = 12 hours per year.

After implementing the changes in WCAP-15376-P the following applies.

  • RTB bypass test time = 4 hours
  • Surveillance frequency = 4 months
  • Yearly RTB test unavailability = 4 hours x 3 surveillances per year = 12 hours per year.

Furthermore, as stated above, the time the RTB and its associated bypass breaker will both be closed is expected to remain the same. Therefore, with the extended surveillance interval, the time in this particular configuration while completing RTB testing will decrease, providing a risk benefit.

4.2 Tier 2, Avoidance of Risk-Significant Plant Configurations

Tier 2 requires an examination of the need to impose additional restrictions when operating under the proposed Completion Times. The Tier 2 restrictions are necessary in order to avoid risk-significant equipment outage configurations when the proposed Completion Times justified in this LAR are implemented.

WCAP-15376-P

Page 15 in Section 3.3 of the NRC SE for WCAP-15376-P-A, Rev. 1 states:

"The licensee should provide reasonable assurance that risk significant plant equipment outage configurations will not occur when specific plant equipment is out-of-service in accordance with the proposed TS change."

The recommended Tier 2 restrictions for WCAP-15376-P are provided in Section 8.5 of the WCAP. The restrictions are applicable when an RTB train is inoperable when operating under the proposed Completion Times. Entry into the Action for an inoperable RTB train is not a typical, pre-planned evolution during operation in the modes of Applicability for the RTB train, other than when necessary for surveillance testing. Since the Condition may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Action entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures discussed below in the Tier 3 configuration risk management program section require assessment of the emergent condition and appropriate actions are then taken.

Depending on the specific situation, these actions could include restoring the inoperable RTB train and exiting the Technical Specification Action, or fully implementing the Tier 2 restrictions, or performing a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions will be implemented when an RTB train becomes inoperable when operating under the proposed Completion Times:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service; therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

  • Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RPS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable.
  • Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

4.3 Tier 3, Risk-Informed Configuration Risk Management

Tier 3 requires a procedural process to assess the risk associated with both planned and unplanned work activities. The objective of the third tier is to ensure that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity. As stated in Section 2.3 of Regulatory Guide 1.177, "a viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation." The third-tier requirement is an extension of the second-tier requirement, but addresses the limitation of not being able to identify all possible risk-significant plant configurations in the second-tier evaluation. Paragraph (a)(4) of the Maintenance Rule (10 CFR 50.65) requires that the overall effect on safety functions be considered when removing equipment from service for preventive maintenance or monitoring activities. In part, Paragraph (a)(4) states that, "Before performing maintenance activities ... the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities ...." Section 11.0 of NUMARC 93-01 provides guidance for implementing the requirements of Paragraph (a)(4). NRC Regulatory Guide 1.182 endorsed the NUMARC 93-01, Section 11.0 as an acceptable method of implementing Paragraph (a)(4).

The overall VCSNS risk management process is defined in SAP-208, "Integrated Risk Assessment." The process for assessing on-line safety impact before removing a system, structure or component from service is defined in OAP-102.1, "Conduct of Operations Scheduling Unit," and SSP-001, "Planning and Scheduling Maintenance Activities." These procedures provide the process for developing the weekly, on-line work schedule that provides the foundation for on-line risk assessment.

Programs and procedures at VCSNS ensure that configuration risk is assessed using a PRA-based model and managed prior to initiating any maintenance activity consistent with the requirements of 10 CFR 50.65(a)(4). The procedures also ensure that risk is reassessed if an emergent condition results in a plant configuration that has not been previously assessed. Risk thresholds are established to ensure that the average baseline risk is maintained within an acceptable band. When administrative limits are exceeded, increasing levels of management approval are required prior to initiating the work.

4.4 Topical Report Safety Evaluation Conditions

The NRC's approval of WCAP-15376-P was subject to the following conditions requiring plant-specific information:

1. Confirm the applicability of the topical report to the plant and perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes. This includes addressing the applicability of the master relay and safeguards driver card failure probabilities to the plant-specific application.
2. Address the Tier 2 and Tier 3 analyses including risk significant configuration insights and confirm that these insights are incorporated into the plant-specific configuration risk management program.
3. The risk impact of concurrent testing of one logic train and associated reactor trip breaker needs to be evaluated on a plant-specific basis to ensure conformance with the WCAP-15376-P evaluation, and Regulatory Guides 1.174 and 1.177.
4. To ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P should be confirmed to be applicable to the plant-specific configuration.
5. For future digital upgrades with increased scope, integration and architectural differences beyond that of Eagle 21, the staff finds the generic applicability of WCAP-15376-P to future digital systems not clear and should be considered on a plant-specific basis.
6. An additional commitment from the response to NRC RAI Question 18 (OG-01-058 Reference 5) requires each plant to review their setpoint calculation methodology to determine the impact of extending the Channel Operational Test (COT) Surveillance Frequency from 92 days to 184 days.

WCAP-15376-P SE Condition 1

In order to address SE Condition 1, Westinghouse issued implementation guidelines for licensees to confirm that the WCAP analysis is applicable to their plant. A plant specific assessment was performed to confirm the applicability of the WCAP-15376-P analyses to VCSNS. The results of this assessment are provided in Attachment 5. The WCAP-15376-P analysis and determination of LERF is based on a large dry containment. The containment building at VCSNS is considered to be a large dry containment. As concluded in Attachment 5, the WCAP analyses and results are applicable to VCSNS.

Applicability of the master relay and safeguards driver card failure probabilities

It is necessary to indicate that component failure probabilities developed as part of WCAP-15376-P are applicable to VCSNS. For Solid State Protection System (SSPS) plants this includes the master relay and safeguards driver card failure probabilities. The failure probabilities for these components are based on data collected from a number of Westinghouse Nuclear Steam Supplier System (NSSS) plants. The failure probabilities are:

Master Relays: 1.1E-05
Safeguards Driver Cards: 5.9E-04

A summary of the experience for these components at VCSNS from 2009 to 2013 is provided in Table 2.

Table 2: Summary of Actuation and Failure Experience on the Safeguards Driver Cards and Master Relays

Parameter     Safeguards Driver Cards     Master Relays
Actuations    254                         1572
Failures      0                           0

An analysis based on the binomial distribution was used to determine the number of expected failures for the given failure probabilities and actuations. For both components, either 0 or 1 failures would be expected. Based on the data provided in Table 2, it is concluded that the failure probabilities for these components used in the WCAP analysis are applicable to VCSNS.
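The binomial check described above can be reproduced from the quoted failure probabilities and the Table 2 counts. This is an added example, not the licensee's calculation; the 95% coverage level and the zero-failure upper confidence bound are assumptions that go beyond what the text states.

```python
"""Binomial consistency check of generic failure probabilities against
plant demand data (added illustration, not the licensee's calculation)."""
from math import comb

# Per-demand failure probabilities and 2009-2013 counts as quoted on the page.
COMPONENTS = {
    "Master Relays": {"p": 1.1e-05, "demands": 1572, "failures": 0},
    "Safeguards Driver Cards": {"p": 5.9e-04, "demands": 254, "failures": 0},
}


def binom_pmf(k, n, p):
    """P(X = k) for X ~ Binomial(n, p)."""
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(binom_pmf(i, n, p) for i in range(k + 1))


def expected_range(n, p, coverage=0.95):
    """Smallest k_max with P(X <= k_max) >= coverage.

    The coverage level is an assumption; the page only says that
    "either 0 or 1 failures would be expected".
    """
    cumulative = 0.0
    for k in range(n + 1):
        cumulative += binom_pmf(k, n, p)
        if cumulative >= coverage:
            return k
    return n


def upper_bound_zero_failures(n, confidence=0.95):
    """One-sided upper confidence bound on p after n demands, 0 failures.

    Solves (1 - p)^n = 1 - confidence. Valid only when no failure was
    observed, which is the case for both components in Table 2.
    """
    return 1.0 - (1.0 - confidence) ** (1.0 / n)


def assess(name, coverage=0.95):
    """Compare the generic probability with the plant experience."""
    c = COMPONENTS[name]
    n, p, observed = c["demands"], c["p"], c["failures"]
    k_max = expected_range(n, p, coverage)
    # The upper bound is only defined here for the zero-failure case.
    p_upper = upper_bound_zero_failures(n, coverage) if observed == 0 else None
    consistent = observed <= k_max and (p_upper is None or p <= p_upper)
    return {
        "expected_failures": n * p,   # binomial mean
        "p_zero": binom_pmf(0, n, p),
        "k_max": k_max,               # observed count should not exceed this
        "p_upper": p_upper,           # generic p should not exceed this
        "consistent": consistent,
    }


if __name__ == "__main__":
    for component in COMPONENTS:
        r = assess(component)
        print(f"{component}: mean={r['expected_failures']:.4f} "
              f"P(0)={r['p_zero']:.4f} k_max={r['k_max']} "
              f"p_upper={r['p_upper']:.5f} consistent={r['consistent']}")
```

With so few demands the zero-failure bound is far above either generic value, so the plant data cannot confirm the generic probabilities, only fail to contradict them.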

WCAP-15376-P SE Condition 2

The applicability of SE Condition 2 for WCAP-15376-P is addressed in the preceding Tier 2 discussion in Section 4.2 and Tier 3 discussion in Section 4.3.

WCAP-15376-P SE Condition 3

The risk impact of concurrent testing of one logic train and the associated RTB is addressed by demonstrating that the WCAP-15376-P analysis is applicable to VCSNS. The WCAP analysis assumes that if a RTB is out of service its associated logic train is also out of service.

Therefore, concurrent testing is addressed in the WCAP analysis. VCSNS testing is consistent with this approach.

WCAP-15376-P SE Condition 4

A plant specific assessment was performed to confirm the applicability of the WCAP-15376-P analysis, including the model assumptions for human reliability, to VCSNS. The results of this assessment are provided in Attachment 5. It was concluded that the human reliability associated with the relevant operator actions are applicable. The difference in one situation was demonstrated to have no impact.

WCAP-15376-P SE Condition 5

There are presently no plans to implement digital upgrades to the Reactor Protection or Engineered Safety Features Systems at VCSNS.

WCAP-15376-P RAI Question 18 Commitment Condition 6

The response to this RAI in Reference 5 noted that plant-specific RTS and ESFAS setpoint uncertainty calculations and assumptions, including instrument drift, will be reviewed to determine the impact of extending the Surveillance Frequency of the Channel Operational Test (COT) from 92 days to 184 days.

VCSNS personnel reviewed "as found" and "as left" data for the Reactor Trip System and Engineered Safety Features Actuation System setpoints for a 24-month period and concluded that sufficient margin is present to offset the change in drift anticipated as a result of increasing the operational test surveillance frequencies to 184 days (semi-annual). Based on review of this data, the allowable margin present in the setpoints is more than adequate to offset the predicted increase in uncertainty/drift resulting from the increased interval between operational tests.

While SCE&G does not anticipate any impact in going from 92 days to 184 days, VCSNS will trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A (Overtemperature Delta-T, Steam Generator Level, and Pressurizer Pressure) for two years (four operational tests) after implementation of the amendment granting the semi-annual operational tests.

Justification for Additional Plant Specific Surveillance Frequency Extensions

This section addresses the extension of the TADOT Surveillance Frequency for the following RTS Functions:

  • Technical Specification 3/4.3.1, Table 4.3-1, RTS Function 16 - Reactor trip on Reactor Coolant Pump Underfrequency - from Quarterly to Semi-Annually

The RTS Functions listed above were included in the evaluations performed to justify the changes in WCAP-10271, Supplement 1-P-A, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, Supplement 1," May 1986, as identified in Tables 3.2-2 and 3.2-3 of the WCAP. One of the changes justified in WCAP-10271-P-A and its supplements was the extension of the applicable Surveillance Frequency for the Functions listed above from 1 month to 3 months. The affected Surveillance is called a TADOT.

WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," justified extending the bypass test times and Completion Times for the signals included in WCAP-10271-P-A and its supplements, by utilizing a "representative signal approach," in the unavailability analysis that determined the impact of the proposed changes on the signal unavailability. The results of the evaluation of the "representative signals," were representative of all of the signals that were evaluated in WCAP-10271-P-A and its supplements. The bypass test time and Completion Time changes that were justified in WCAP-14333-P-A, Revision 1 are identified in Tables 5.1 and 5.2 of the WCAP. Note that the maintenance time and interval, and test time and interval values listed in these tables for the "Analog Channels" are applicable to both the COT and the TADOT. The analysis did not distinguish between the two types of tests, since they impact comparable components in the same manner. This is stated in Section 11 of WCAP-14333-P-A, Revision 1 as: "These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems" (i.e., all signals evaluated in WCAP-10271-P-A and its supplements).

WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," justified extending the Surveillance Frequencies and reactor trip breaker bypass test time and Completion Times identified in Tables 4.1 and 4.2 of the WCAP. WCAP-15376-P-A, Revision 1 also utilized the "representative signal approach" that was utilized in WCAP-14333-P-A, Revision 1. One of the changes justified in WCAP-15376-P-A, Revision 1 was the extension of the Frequency of the COT from 92 days to 184 days. This change is identified as "Analog Channels" in the "Component Column" of Tables 4.1 and 4.2 of WCAP-15376-P-A, Revision 1. The value of 6 months listed in the "Surveillance Test Intervals," column associated with the "Analog Channel" in Tables 4.1 and 4.2 of WCAP-15376-P-A, Revision 1 is applicable to both the COT and the TADOT. There was no intent to exclude the TADOT from the test interval extension to 6 months. Since the applicable TADOT frequencies were justified to be extended from 1 month to 3 months in WCAP-10271-P-A and its supplements, and the changes justified in WCAP-14333-P-A, Revision 1 and WCAP-15376-P-A, Revision 1 are applicable to all of the signals included in WCAP-10271-P-A and its supplements, the extension of the above listed TADOT Frequencies from 92 days to 184 days was also justified by WCAP-15376-P-A. This is stated in Section 11 of WCAP-15376-P-A, Revision 1 as "These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems ... " (i.e., all signals evaluated in WCAP-10271-P-A and its supplements).

Therefore, the extension of the TADOT Frequencies from 92 days to 184 days justified in WCAP-14333 and WCAP-15376-P are applicable to the RTS Functions listed above.

4.5 Deviations from approved TSTF-411

Design Differences

VCSNS does not have installed bypass test capability for analog channels, with the exception of Reactor Building Pressure High-3, Refueling Water Storage Tank Level Low-Low, and EFW Suction Pressure Low. The bypass test Notes for plants with this design are not used in the VCSNS Technical Specifications. Bypass testing is noted in the appropriate Action Statements in the VCSNS Technical Specifications.

Superseding Changes

The changes in TSTF-418 Revision 2 regarding the Technical Specification 3.3.1 Condition for RTBs are superseded by the changes in TSTF-411 Revision 1. Option 3 of Insert 6 in TSTF-411 Revision 1 is utilized for the proposed changes to Action 8 in TS 3/4.3.1, Table 3.3-1.

Additional Surveillance Frequency Extensions

The proposed changes to the TADOT Surveillance Frequencies for the following RTS and ESFAS Functions were not included in TSTF-411:

  • Technical Specification 3/4.3.1, Table 4.3-1, RTS Function 16 - Reactor trip on Reactor Coolant Pump Underfrequency - from Quarterly to Semi-Annually

4.6 PRA Quality

4.6.1 VCSNS PRA Peer Review

Although consistency of the VCSNS Unit 1 internal events PRA with Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested this information in previous submittals. Unresolved Findings and Observations (F&O) from the most recent PRA model peer review were reviewed and the potential impact on implementation of the proposed changes was assessed below.

The VCSNS Unit 1 Internal Events PRA is based on a detailed model of the plant developed from the Individual Plant Examination for Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities." The model is maintained and updated in accordance with VCSNS procedures and has been updated to meet the ASME PRA Standard and Regulatory Guide 1.200.

The model has been reviewed and assessed on several occasions. In August 2002, the VCSNS Internal Events PRA was peer reviewed in accordance with the guidance in NEI 00-02, Industry PRA Peer Review Process. All A & B level F&Os from WOG Internal Events PRA Peer Review have been addressed. Although all C & D level findings have not been incorporated, all of the items that had the potential to significantly impact model results have been resolved.

Following completion of sufficient work to address the Peer Review comments, a 2005 gap assessment of the model was performed to determine the scope of work required to ensure the VCSNS Internal Events PRA meets Regulatory Guide 1.200, Revision 1. The results of this review indicated that VCSNS had resolved most of the issues identified in the original peer review, but the review identified some F&Os that needed additional work, as well as several new issues. Additionally (in this 2005 review), the VCSNS PRA was found to meet Capability Categories (CC)-II or better for 211 of the 271 Supporting Requirements (SRs) from the ASME PRA Standard, but 45 of the elements were found to either not meet the requirement or to meet the requirements at a CC-I level. Following work at VCSNS to address the findings and to increase the capability category ratings of the elements that needed an upgrade to allow use of the model in risk informed applications, a focused review was performed as required by the ASME RA-S-2002, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications" (and 2007 addenda ASME RA Sc-2007, Appendix A). All SRs were judged to be CC-II or better, with the exception of 13 SRs that were rated at the CC-I based on the VCSNS simplified NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," compliant Large Early Release Frequency (LERF) model. While these 13 SRs specifically define a simplified NUREG/CR-6595 LERF model as CC-I, it was noted that use of the NUREG model is an acceptable means of calculating LERF for applications. The conclusion of the 2007 focused review was that the model is of sufficient quality for use in risk-informed applications.

In November 2011, PRA personnel from SCE&G and Westinghouse Electric Company performed a self-assessment to identify gaps between the VCSNS PRA model and the requirements delineated in Regulatory Guide 1.200, Revision 2, and the ASME/ANS PRA Internal Events Model Standard. This task was a follow up to the 2007 focused scope review which evaluated the model against the requirements in Revision 1 of the Regulatory Guide. In addition to a general assessment of the internal events PRA model, the self-assessment also addressed changes in requirements between the time of the 2007 focused scope review and the implementation date of Revision 2.

Based on the above, it is determined that the VCSNS PRA model is acceptable for use in this WCAP-15376-P Implementation analysis.

4.6.2 Cumulative Risk Considering Previous Risk-Informed Amendments

All risk-informed changes made at VCSNS have been implemented into the PRA model.

4.7 Monitoring Requirements Associated with the Implementation

Regulatory Guide (RG) 1.174, Section 3 and RG 1.177, Section 3, as part of the key principles in implementing risk-informed decision making, establishes the need for an implementation and monitoring program to ensure that extensions to TS AOT or surveillance test intervals do not degrade operational safety over time and that no adverse degradation occurs due to changes in the licensing basis due to unanticipated degradation or common cause mechanisms. An implementation and monitoring program is intended to ensure that the impact of the proposed TS change continues to reflect the reliability and availability of structures, systems and components impacted by the change. The current VCSNS Maintenance Rule Program for the Reactor Protection System includes condition monitoring requirements. In order to address the RG monitoring program requirements discussed above with respect to the proposed change, SCE&G will review applicable VCSNS programs and revise them as necessary to ensure that the intent of the RTS and ESFAS equipment unavailability and component failure modeling assumptions in WCAP-15376-P are met at VCSNS. Attachment 5, Section 3.2 provides additional information on the monitoring program.

4.8 Precedent

The following plants have made submittals proposing changes similar to those being proposed in this LAR:

  • Donald C. Cook, submitted on August 30, 2002, approved on May 23, 2003 as Amendments 277 (Unit 1) and 260 (Unit 2). [ML031320614]
  • Callaway, submitted on December 17, 2003, approved on January 31, 2005 as Amendment 165. [ML050320484]
  • Comanche Peak, submitted on January 21, 2004, approved on January 31, 2005 as Amendments 114 for both units. [ML050460331]
  • Diablo Canyon, submitted on February 13, 2004, approved on January 31, 2005 as Amendments 179 (Unit 1) and 181 (Unit 2). [ML050330315]
  • Vogtle, submitted on January 27, 2005, approved on September 1, 2006 as Amendments 145 (Unit 1) and 125 (Unit 2). [ML062360587]
  • Wolf Creek, submitted on December 15, 2003, approved on January 31, 2005 as Amendment 156. [ML050320254]
  • Beaver Valley, submitted on December 21, 2007, approved on December 29, 2008 as Amendments 282 (Unit 1) and 166 (Unit 2). [ML083380061]

The Wolf Creek, Callaway, Comanche Peak and Diablo Canyon submittals proposed the changes justified by WCAP-14333 and WCAP-15376-P.

The Donald C. Cook and Vogtle submittals proposed the changes justified by WCAP-15376-P.

5.0 REGULATORY SAFETY ANALYSIS

In this License Amendment Request (LAR) the VC Summer Nuclear Station (VCSNS) Technical Specification is being revised to implement the bypass test time, Completion Time, and Surveillance Frequency changes that were approved by the NRC in WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003 and TSTF-411, Revision 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)."

5.1 No Significant Hazards Consideration

South Carolina Electric & Gas Company (SCE&G) has evaluated the proposed changes to the VCSNS TS described above against the significant Hazards Criteria of 10 CFR 50.92 and has determined that the changes do not involve any significant hazard. The following is provided in support of this conclusion:

1. Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The overall protection system performance will remain within the bounds of the previously performed accident analyses since no hardware changes are proposed. The same reactor trip system (RTS) and engineered safety feature actuation system (ESFAS) instrumentation will continue to be used. The protection systems will continue to function in a manner consistent with the plant design basis. These changes to the Technical Specifications do not result in a condition where the design, material, and construction standards that were applicable prior to the change are altered.

The proposed changes will not modify any system interfaces. The proposed changes will not affect the probability of any event initiators. There will be no degradation in the performance of or an increase in the number of challenges imposed on safety-related equipment assumed to function during an accident situation. There will be no change to normal plant operating parameters or accident mitigation performance. The proposed changes will not alter any assumptions or change any mitigation actions in the radiological consequence evaluations in the Final Safety Analysis Report (FSAR).

The determination that the results of the proposed changes are acceptable was established in the NRC Safety Evaluation prepared for WCAP-15376-P-A (issued by letter dated December 20, 2002 [ML023540534]). Implementation of the proposed changes will result in an insignificant risk impact. Applicability of these conclusions has been verified through plant-specific reviews and implementation of the generic analysis results in accordance with the NRC Safety Evaluation conditions.

The proposed changes to the Completion Times, bypass test times, and Surveillance Frequencies reduce the potential for inadvertent reactor trips and spurious engineered safety feature (ESF) actuations, and therefore do not increase the probability of any accident previously evaluated. The proposed changes do not change the response of the plant to any accidents and have an insignificant impact on the reliability of the RTS and ESFAS signals. The RTS and ESFAS instrumentation will remain highly reliable and the proposed changes will not result in a significant increase in the risk of plant operation. This is demonstrated by showing that the impact on plant safety as measured by the increase in core damage frequency (CDF) is less than 1.0E-06 per year and the increase in large early release frequency (LERF) is less than 1.0E-07 per year. In addition, for the Completion Time changes, the incremental conditional core damage probabilities (ICCDP) and incremental conditional large early release probabilities (ICLERP) are less than 5.0E-07 and 5.0E-08, respectively. These changes meet the acceptance criteria in Regulatory Guides 1.174 and 1.177. Therefore, since the RTS and ESFAS instrumentation will continue to perform their functions with high reliability as originally assumed, and the risk impact as measured by the ΔCDF, ΔLERF, ICCDP, and ICLERP risk metrics is within the acceptance criteria of existing regulatory guidance, there will not be a significant increase in the consequences of any accidents.

The proposed changes do not adversely affect accident initiators or precursors nor alter the design assumptions, conditions, or configuration of the facility or the manner in which the plant is operated and maintained. The proposed changes do not alter or prevent the ability of structures, systems, and components (SSCs) from performing their intended function to mitigate the consequences of an initiating event within the assumed acceptance limits. The proposed changes do not affect the source term, containment isolation, or radiological release assumptions used in evaluating the radiological consequences of an accident previously evaluated. The proposed changes are consistent with safety analysis assumptions and resultant consequences.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

There are no hardware changes nor are there any changes in the method by which any safety-related plant system performs its safety function. The proposed changes will not affect the normal method of plant operation. No performance requirements will be affected or eliminated.

The proposed changes will not result in physical alteration to any plant system nor will there be any change in the method by which any safety-related plant system performs its safety function.

The proposed changes do not include any changes to the instrumentation setpoints or changes to the accident analysis assumptions.

No new accident scenarios, transient precursors, failure mechanisms, or limiting single failures are introduced as a result of these changes. There will be no adverse effect or challenges imposed on any safety-related system as a result of these changes.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does this change involve a significant reduction in a margin of safety?

Response: No.

The proposed changes do not affect the acceptance criteria for any analyzed event nor is there a change to any Safety Analysis Limit (SAL). There will be no effect on the manner in which safety limits, limiting safety system settings, or limiting conditions for operation are determined nor will there be any effect on those plant systems necessary to assure the accomplishment of protection functions.

The redundancy of RTS and ESFAS is maintained, and diversity with regard to the signals that provide reactor trip and ESF actuation is also maintained. All signals credited as primary or secondary, and all operator actions credited in the accident analyses will remain the same. The proposed changes will not result in plant operation in a configuration outside the design basis.

The calculated impact on risk is insignificant and meets the acceptance criteria contained in Regulatory Guides 1.174 and 1.177. Although there was no attempt to quantify any positive human factors benefit due to increased Completion Times and bypass test times, it is expected that there would be a net benefit due to a reduced potential for spurious reactor trips and actuations associated with testing.

Implementation of the proposed changes is expected to result in an overall improvement in safety, as follows:

a) Reduced testing should result in fewer inadvertent reactor trips, less frequent actuation of ESFAS components, less frequent distraction of operations personnel without significantly affecting RTS and ESFAS reliability.

b) The Completion Time extensions for the reactor trip breakers should provide additional time to complete test and maintenance activities while at power, potentially reducing the number of forced outages related to compliance with reactor trip breaker Completion Times, and provide consistency with the Completion Times for the logic trains.

Therefore, the proposed changes do not involve a significant reduction in a margin of safety.

Pursuant to 10 CFR 50.91, the preceding analyses provide a determination that the proposed Technical Specification changes pose no significant hazard as delineated by 10 CFR 50.92, and accordingly, a finding of no significant hazards consideration is justified.

5.2 Applicable Regulatory Requirements/Criteria

The regulatory bases and guidance documents associated with the systems discussed in this amendment application include:

A review of 10 CFR 50, Appendix A, "General Design Criteria for Nuclear Power Plants" and the Regulatory Guides was conducted to assess the potential impact associated with the proposed changes. The General Design Criteria (GDC) and the Regulatory Guides (RG) were evaluated as follows:

GDC 2 requires that structures, systems, and components important to safety be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without the loss of the capability to perform their safety functions.

GDC 4 requires that structures, systems, and components important to safety be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with the normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, discharging fluids that may result from equipment failures, and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.

GDC-13 requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.

GDC-20 requires that the protection system(s) shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

GDC-21 requires that the protection system(s) shall be designed for high functional reliability and testability.

GDC-22 through GDC-25 and GDC-29 require various design attributes for the protection system(s), including independence, safe failure modes, separation from control systems, requirements for reactivity control malfunctions, and protection against anticipated operational occurrences.

Regulatory Guide 1.22 discusses an acceptable method of satisfying GDC-20 and GDC-21 regarding the periodic testing of protection system actuation functions. These periodic tests should duplicate, as closely as practicable, the performance that is required of the actuation devices in the event of an accident.

10 CFR 50.55a(h)(2) requires that the protection systems are consistent with their licensing basis or IEEE 603-1991 for plants whose Construction Permit was issued before January 1, 1971, or that the protection systems meet IEEE 279-1971 or IEEE 603-1991 for plants whose Construction Permit was issued after January 1, 1971, but before May 13, 1999. VCSNS FSAR Chapter 7, "Instrumentation and Controls," states that the licensing basis for unit 1 is IEEE 279-1971. Section 4.2 of IEEE 279-1971 discusses the general functional requirement for protection systems to assure they satisfy the single failure criterion.

There will be no changes to the RTS and ESFAS design such that compliance with the regulatory requirements and guidance documents discussed above would come into question.

This review confirms that the plant will continue to comply with these applicable regulatory requirements.

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.2.1 Design Bases (FSAR)

FSAR Sections 7.2, "REACTOR TRIP SYSTEM," and 7.3, "ENGINEERED SAFETY FEATURES ACTUATION SYSTEM"

The VCSNS FSAR is unaffected by the proposed changes.

5.2.2 Approved Methodologies

The proposed changes do not result in a change to any methodologies.

5.2.3 Analysis

The analyses that support the changes contained in WCAP-15376-P-A, Rev. 1, are applicable to VCSNS.

5.2.4 Conclusion

The proposed changes are based on WCAP-15376-P-A, Rev. 1, and TSTF-411, Rev. 1, which are both approved by the NRC.

6.0 ENVIRONMENTAL CONSIDERATION

SCE&G has determined that the proposed amendment would change requirements with respect to the installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. SCE&G has evaluated the proposed changes and has determined that the changes do not involve (i) a significant hazards consideration, (ii) a significant change in the types of or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. As discussed above, the proposed changes do not involve a significant hazards consideration. Accordingly, the proposed changes meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51, specifically 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), an environmental assessment of the proposed changes is not required.


7.0 REFERENCES

1. VCSNS License Amendment No. 177, "Virgil C. Summer Nuclear Station, Unit 1-Issuance of Amendment Regarding WCAP-14333, 'Probabilistic Risk Analysis of the RPS And ESFAS Test Times and Completion Times' (TAC NO. MC8898)," dated October 24, 2006.
2. NUREG-0452, Revision 4, "Standard Technical Specifications (STS) Pressurized Water Reactors," Fall 1981.
3. Standard Technical Specifications - Westinghouse Plants: Specifications (NUREG-1431, Revision 4), April 2012.
4. Westinghouse Owners Group letter OG-02-002, "Transmittal of Response to Request for Additional Information (RAI) Numbers 4 and 11 Regarding WCAP-15376-P, Revision 0, 'Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times' (MUHP-3046)," dated January 8, 2002.
5. Westinghouse Owners Group letter OG-01-058, "Transmittal of Response to Request for Additional Information (RAI) Regarding WCAP-15376-P, Revision 0, 'Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times' (MUHP-3046)," dated September 28, 2001.

[ML012820263]

Document Control Desk LAR 15-01424 RC-15-0171 Page 1 of 12

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ATTACHMENT 1 PROPOSED TECHNICAL SPECIFICATION CHANGES - MARK-UP

TABLE 3.3-1 (Continued)

ACTION STATEMENTS (Continued)

ACTION 8 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within--1-heb? or be in at least HOT STANDBY within 6 hours; however, one channel may be bypassed for up to 2 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE, .... ch..nne m~y be bye& .... r up t....2 hor... *- mint1nan1 *1* n oltag on1*thc undc1 or shunt1 tri mochoi1111a1,* prcvidc th1

ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the reactor trip breakers within the next hour.

ACTION 10 - With the number of OPERABLE Channels less than the Total Number of Channels, operation may continue provided the inoperable channels are placed in the tripped condition within 6 hours.

ACTION 11 - With one of the diverse trip features (undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and apply ACTION 8. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status.

ACTION 12 - With the number of OPERABLE Channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.

SUMMER No. *8~44 17 7 UNIT 13/4 3-8Amendment


TABLE 4.3-1 REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENT TRIP ANALOG ACTUATING CHANNEL DEVICE MODES FOR ACTUATION WHICH C

CHANNEL CHANNEL OPERATIONAL OPERATIONAL LOGIC SURVEILLANCE I-4

-9 CHEC__KK CALIBRATION TEST.+_ TEST TES__T. IS REQUIRED FUNCTIONAL UNIT N.A. N.A. N.A. 1, 2, 3*, 4*, 5*

1. Manual Reactor Trip R(1l) N°A.
2. Power Range, Neutron Flux High Setpoint N.A. N.A. 1,2 N.A. N.A, Low Setpoint gt4 3. P ower Ra.n~ge, Neutron Flux N.A. N.A. 1,2 High Positive Rate
4. Deleted I
5. Intermediate N.A. N.,A Neutron FluxRange,
6. Source Range, Neutron Flux N.A. N.A.

2##, 3,4, 5

7. Overtemperature AT N.A. NA.A 1,2
8. Overpower AT NA. NA, 1,2 0
9. Pressurizer Pressure--Low NA. N.A, 1 0
10. Pressurizer Pressure--High N.A. N.A. 1,2-
11. Pressurizer Water Level--High N.A. NA. I
12. Loss of Flow N.A. NA. 1

TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS TRIP ACTUATING ANALOG MODES C

CHANNEL DEVICE WiIICH FOR

-4 OPERATIONAL OPERATIONAL SURVEI LIANCE CHANNEL CHANNEL ACTUATION CHECK CALIBRATION TEST TEST LOGIC TEST IS REQUIRED FUNCTIONAL UNIT

13. Steam Generator Water Level-- S R N.oA. N. A. 1, 2 Low-Low S N.A. N.A. 1, 2
14. Steam Generator with WaterSteam/

Level -

Low Coincident Feedwater Flow Mismatch

15. Undervoltage - Reactor Coolant NA. R N.A. N.A. 1 Pumps CA 16. Underfrequency - Reactor N. A. N. A.

N.A. 1 R

Coolant Pumps


17. Turbine Trip A. Low Fluid Oil Pressure N.A. s/u~i, 10) NA.

1 N.,A. R B. Turbine Stop Valve N.A. R N.oA.

s/u~i, 10) N.A. 1 Closure

18. Safety Injection Input from N.A. N.A. N.A 1, 2 N.A.

ESF

19. Reactor Trip System Interlocks A. Intermediate Range N. A. R(4) R N. A. N.A.

Neutron Flux, P-S 0 Low Power Reactor B.

Trips Block, P-7 N.A. R(4) R N.A. N.A.

o 1 0* C. Power Range Neutron Flux, P-8 N. A. R(4) R N.A. N.A. 1 N.


TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS TRIP ANALOG ACTUATING MODES FOR CHANNEL DEVICE WHICH

-I CHANNEL CHANNEL OPERATIONAL OPERATIONAL ACTUATION SURVEILLANCE FUNCTIONAL UNIT CHECK CALIBRATION TEST TEST LOGIC TEST IS REQUIRED D. Low Setpoint Power Range Neutron Flux, P-lO N. A. R(4) R N. A. N.A. 1, 2 E. Turbine Impulse Chamber Pressure, P-13 N.A. R R N.A. N.A. 1 F. Low Power Range Neutron Flux, P-9 N.A. R(4) R N.A. N.A. 1

20. Reactor Trip Breaker N.A. N.A. N. A. .,14-7, 12) N.A.

L~) 1, 2, 3", 4*, 5"

21. Automatic Trip Logic N.A. N.A. N.A.

1, 2, 3*, 4*, 5*


CAj 22. Reactor Trip Bypass N.A. N.A. N.A. , R(14) N.A.

Breaker r9~

0

(16) - 12 hours after reducing power below P-10 and 184 days thereafter.

TABLE 4.3-1 (Continued)

TABLE NOTATION

(18) - If not performed in previous 184 days.

* - With the reactor trip system breakers closed and the control rod drive system capable of rod withdrawal.

U4 - Below P-6 (Intermediate Range Neutron Flux Interlock) setpoint.

    1. /- Below P-10 (Low Setpoint Power Range Neutron Flux Interlock) setpoint.

(1) - If not performed in previous 31 days.

(2) - Comparison of calorimetric to excore power indication above 15% of RATED THERMAL POWER. Adjust excore channel gains consistent with calorimetric power if absolute difference is greater than 2 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(3) - Single point comparison of incore to excore AXIAL FLUX DIFFERENCE above 15% of RATED THERMAL POWER. Recalibrate if the absolute difference is greater than or equal to 3 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(4) - Neutron detectors may be excluded from CHANNEL CALIBRATION.

(5) - Detector plateau curves shall be obtained evaluated and compared to manufacturer's data. For the Power Range Neutron Flux Channels the provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(6) - Incore - Excore Calibration, above 75% of RATED THERMAL POWER. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(7) Each train shall be tested at least ever 162 days on a STAGGERED TEST BASIS.

(8) - DELETED I124I

(9) - Surveillance in MODES 3*, 4* and 5* shall also include verification that permissives P-6 and P-10 are in their required state for existing plant conditions by observation of the permissive annunciator window.

(10) - Setpoint verification is not required.

(11) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip circuits for the Manual Reactor Trip Function. The test shall also verify the OPERABILITY of the Bypass Breaker trip circuit(s).

(12) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip attachments of the Reactor Trip Breakers.

(13) - Local manual shunt trip prior to placing breaker in service.

(14) - Automatic undervoltage trip.

(17) - 4 hours after reducing power below P-6 and 4 hours after entering MODE 3 from Mode 2 and 184 days thereafter.

(15) - Each train shall be tested at least every 184 days on a Staggered Test Basis.

SUMMER - UNIT 1 3/4 3-14

TABLE 4.3-2 (n

C ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION m SURVEILLANCE REOUIREMENTS C

z TRIP ANALOG ACTUATING MODES FOR CHANNEL DEVICE ACTUATION MASTER SLAVE WHICH OPERATIONAL OPERATIONAL LOGIC RELAY RELAY SURVEILLANCE CHANNEL CHANNEL TEST ISREgQ.UIRED*0 FUNCTIONAL UNIT CHECKl CALIBRATION TEST TEST TEST

1. SAFETY INJECTION, REACTOR TRIP, FEEDWATER ISOLATION, CONTROL ROOM ISOLATION, START DIESEL GENERATORS, 1

CONTAINMENT COOLING FANS AND ESSENTIAL SERVICE WATER

a. Manual Initiation NJA N.A. NA.a R N.A. N.A.

1,2, 3, 4 NA.

b. Automatic Actuation Logic and Actuation Relays N4.A. N.A. N.A. N.A. M(1) M{1) R(3) 1,2,3,4 1
a. Reactor BuildIng SR a NA. N.A. N.A. 1,2, 3 Preasura-High-1
d. Pressurizer Pressure--Low NA. 1,2,3 3 R a NA. N.A.
e. Differential Pressure . R a N.A N.A. NA.A 1,2,3 Between Steam Llnes--High 3
f. Steam Une Pressure Low R NA,A N.A. N.A, 1,2,3 a

I 2. REACTOR BUILDING SPRAY

a. Manual Initlation NJA. N.A. N.A° R N.A. N.A. 1,2,3,4 z

b, Automatic Actuation Logic and Actuation Relays N~.A. N.A. N.A. N.A.

M(1) M{1) R(3) 1,2,3,4 1

a. Reactor Building S R a N.A, NA,A N.A. N.A. 1,2, 3 I

Pressure-High-3 P

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FE*ATURE ACTUATION SYSTEM INSTRUMENTATION m SURVFEILLANCEJ REQUIREMENTS C

z TRIP ANALOG ACTUATING MODES FOR CHANNEL DEVICE ACTUATION MASTER SLAVE WHICH CHANNEL CHANNEL OPERATIONAL OPERATIONAL LOGIC RELAY RELAY SURVEILLANCE CHC CALIBRATION TES TEST TS IS REQUIRED FUNCTIONAL UNIT

3. CONTAINMENT ISOLATION
a. Phase "A" Isolation
1) Manual N.A. N.A. N.A. R N.A, N.A. N.A. 1,2, 3, 4
2) Safety Injection See 1 above for all Safety Injection Surveillance Requirements.
3) Automatic Actuation NA. NA. N.A. N.A. M(1) M(1) 1,2,3,4 R(3)

Logic and Actuation 4~4 Relays Cf~

b. Phase "B" Isolation
1) Automatic Actuation N.A N.A. N.A, N.A, M{1) R(3) 1, 2,3, 4 Logic and Actuation Relays
2) Reactor Bultding S R N.A, N.A. N.A. 1,2,3 Preseure-High-3
c. Purge and Exhiaust Isolation N.A. N.A. N.A, M{1)
1) Automatic Actuation N.A. R(3) 1, 2,3, 4 Logic and Actuation Relays
2) Containment Radloactivityo M *N.A. N.A. N.A. NA. 1,2,3,4 S R High 0
3) Safety Injection See 1 above for all Safety Injection Surveillance Requirements.

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION m SURVEILLANCE REQUIREMENTS C

z TRIP ANALOG ACTUATING MODES FOR

-4 CHANNEL DEVICE ACTUATION MASTER SLAVE WHICH OPERATIONAL OPERATIONAL LOGIC RELAY RELAY SURVEILLANCE CHANNEL CHANNEL TEST FU*NCTIONAL UNIT CHECK CALIBRATION TEST TEST IS REQUIRED

4. STEAM LUNE ISOLATION
a. Manual N.A.

N,A. NA. N.A. R N.A. N.A. 1, 2, 3

b. Automatic Actuation Logic N.A. N.A. N.A. N.A. M(I) R(3) 1,2, 3 and Actuation Relays N.A.
c. Reactor Building S N.A. 1,2,3 Pressure-High-2 R a N.A.

N.A.


d. Steam Flow in Two Steam S R NA. N.A. 1,2,3 (J) Lines--High Coincident NA.

-'3 with T=*,-Low-Low S R N.A. N.A. 1, 2, 3 N.A,

e. Steam Line Pressure Low S R N.A. N.A. 1,2,3 a
5. TURBINE TRIP AND N.A.

FEEDWATER ISOLATION

a. Steam Generator Water S R a N.A. 1,2 Level--High-HIgh
b. Automatic Actuationi Logic NA. NA.A N.A. M{1) R(3) 1, 2 N.A.

and Actuation Relay a.

B 6. EMERGENCY FEEDWATER CD

a. Manual NA. N.A. N.A. N.A, 1,2,3 N°A. Rl z N.A. N.A. M{1) R(3) 1,2,.3 P b; Automatic Actuation Logic NA. N.A. M(1)

I and Actuation Relays

c. Steam Generator Water S R NA. N.A. 1,2,3 Level--Low-Low a NA, N.A.

TABLE 4.3-2 (Continued)

C E*NGINEERED SA.F.ETY FEATURE ACTUATION SYSTEM INSTRUMENTATION m SURVEILLANCE REQUIREMENTS C

z TRIP ANALOG ACTUATING MODES FOR CHANNEL DEVICE ACTUATION MASTER SLAVE WHICH C:HANNEL CHANNEL OPERATIONAL OPERATIONAL LOGIC RELAY RELAY SURVEILLANCE FUJNCTIONAL UNITC ijECK CAIRTO TES TEST TS TEST IS REQUIRED EMERGENCY FEEDWATER (Continued)

d. Undervohtage
  • Both ESF NA.A R N.A. R NA. NA.A N,A. 1,2,3 Busses
5. Safety Injection See I above for all Safety Injection Surveillance Requirements.
1. Undervoltage -One N.A. R NA., R N.A. N.A, N.A. 1,2, 3 ESF Bus CA) g. Trip of Main Feedwater N.A. R N.A. N.A. 1, 2 N.A. NA. NA.

Pumps

h. SuctIon transfer on S R N.A. N.A. N.A. N.A, 1,2,3 low pressure 7.LOSS OF POWER
a. 7.2 kV Emergency Bus NA. R N.A. NA*. NA. N.A. 1,2,3,4 Undervoltage (Loss of Voltage)

I b0. 7/.2 kV Emergency Bus Undervoltage (Degraded Voltage)

N.A. R N.A. NA. N.A. N.A. 1,2, 3,4 8.AUTOMATIC SWITCHOVER oz TO CONTAINMENT SUMP

a. RWST level low-low S R N.A. N.A. N.A, N.A. 1, 2, 3 0o b. Automatic Actuation Logic N.A. M(1) M(1) R(3) 1, 2, 3 NA. N.A.

and Actuation Relays

-N.

TABLE 4.3-2 (Continued)

C m ENGINEERED SAFETY SURVEILILANCE FEATURE ACTUATION SYSTEM INSTRUMENTATION REQUIREMENTS' C

TRIP

-I ACTUATING MODES FOR ANALOG DEVICE WHICH

'-I CHANNEL OPERATIONAL OPERATIONAL MASTER RELAY SLAVE RELAY SURVEILLANCE CHANNEL CHANNEL ACTUATION CHECK CALIBRATION TEST TEST LOGIC TEST TEST TEST IS REQUIRED FUNCTIONAL UNIT

9. ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INTERLOCKS
a. Pressurizer Pressure, N. A. R. N.,A. N.A. N.A. N.A. 1, 2, 3 P-il
b. Low, Low Tavg'P1 N. A. N.A. N.A. N.A. N.A. 1., 2, 3 R.
c. Reactor Trip, P-4 N. A. N.,A. N.A. N.A. N.A. N.A. 1, 2, 3 qt C-.


INSTRUMENTATION

TABLE 4.3-2 (Continued) Lj84J

TABLE NOTATION

(1) Each train shall be tested at least every 62* days on a STAGGERED TEST BASIS.

(2) The 36 inch containment purge supply and exhaust isolation valves are sealed closed during Modes 1 through 4, as required by TS 3.6.1.7. With these valves sealed closed, their ability to open is defeated; therefore, they are excluded from the quarterly slave relay test.

(3) Slave Relay Testing will be conducted every 18 months for Westinghouse type AR relays and preferably during a refueling outage to preclude the risk of actuation. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval to maintain the established frequency.

  • 43*0 3/43-40Amendment SUMME-UNIT1 No. 428187

Document Control Desk LAR 15-01424 RC-15-0171 Page 1 of 12

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ATTACHMENT 2 PROPOSED TECHNICAL SPECIFICATION CHANGES - RETYPED

Remove Pages          Insert Pages
TS Page 3/4-3-8       TS Page 3/4-3-8
TS Page 3/4-3-11      TS Page 3/4-3-11
TS Page 3/4-3-12      TS Page 3/4-3-12
TS Page 3/4-3-13      TS Page 3/4-3-13
TS Page 3/4-3-14      TS Page 3/4-3-14
TS Page 3/4-3-35      TS Page 3/4-3-35
TS Page 3/4-3-36      TS Page 3/4-3-36
TS Page 3/4-3-37      TS Page 3/4-3-37
TS Page 3/4-3-38      TS Page 3/4-3-38
TS Page 3/4-3-39      TS Page 3/4-3-39
TS Page 3/4-3-40      TS Page 3/4-3-40

TABLE 3.3-1 (Continued)

ACTION STATEMENTS (Continued)

ACTION 8 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.

ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the reactor trip breakers within the next hour.

ACTION 10 - With the number of OPERABLE Channels less than the Total Number of Channels, operation may continue provided the inoperable channels are placed in the tripped condition within 6 hours.

ACTION 11 - With one of the diverse trip features (undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and apply ACTION 8. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status.

ACTION 12 - With the number of OPERABLE Channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.

3/4 3-8 SUME

-UNT 34 -8Amendment No. 78 0,17

0.,

C TABLE 4.3-1 REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS ni C TRIP z ANALOG ACTUATING MODES FOR CHANNEL DEVICE WHICH ACTUATION CHANNEL CHANNEL OPERATIONAL OPERATIONAL LOGIC SURVEILLANCE FUNCTIONAL UNIT CHECK CALIBRATION TEST TEST TEST IS REQUIRED

1. Manual Reactor Trip N.A. N.A N.A. R(11) N.A. 1, 2, 3* ,4", 5*
2. Power Range, Neutron Flux High Setpoint S D(2, 4), SA N.A. NA. 1,2 M(3, 4),

Q(4, 6),

R(4, 5)

CA Low Setpoint S R(4) N.A. 1##, 2 S/U(18), (16) NA.


3. Power Range, Neutron Flux N.A. R(4) SA N.A. N.A. 1,2 High Positive Rate
4. Deleted
5. Intermediate Range, Neutron S R(4) S/U(1 8), (16) 1##, 2 N.A. N.A.

Flux

6. Source Range, Neutron Flux S R(4) S/U(18), (17), (9) N.A. N.A. 2##, 3,4, 5 CD 7. Overtemperature AT S SA R N.A. N.A. 1,2
8. Overpower AT S R SA N.A. N.A. 1,2 CD
9. Pressurizer Pressure--Low S R SA N.A. N.A. 1 z0
10. Pressurizer Pressure--High S R SA N.A. N.A. 1,2
11. Pressurizer Water Level--High S R SA N.A. N.A. 1
12. Loss of Flow S R SA N.A. N.A.

TABLE 4.3-1 (Continued)

C REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS m

TRIP C ANALOG ACTUATING MODES FOR z CHANNEL DEVICE WHICH ACTUATI ON CHANNE CHANNEL OPERATIONAL OPERATIONAL LOGIC SURVEILLANCE FUNCTIONAL UNIT L CHECK CALIBRATION TEST TEST TEST IS REQUIRED

13. Steam Generator Water Level-- S R SA N.A. N.A. 1,2 Low-Low
14. Steam Generator Water Level - S R SA N.A. N.A. 1,2 Low Coincident with Steam!

Feedwater Flow Mismatch

15. Undervoltage - Reactor Coolant N.A. R N.A. SA N.A.

cO) Pumps

16. Underfrequency - Reactor N.A. R N.A. SA N.A.

C,, Coolant Pumps

17. Turbine Trip A. Low Fluid Oil Pressure R 1 N.A. N.A. S/U(1, 10) N.A.

B. Turbine Stop Valve N.A. R N.A. S/U(1, 10) N.A. 1 Closure

19. Reactor Trip System Interlocks C', A. Intermediate Range N.A. R(4) R NA. N.A.

0~ Neutron Flux, P-6 CD B. Low Power Reactor N.A. R(4) R N.A. N.A.

1 Trips Block, P-7 z

a C Power Range Neutron N.A. R(4) R N.A. N.A. 1 Flux, P-8

TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS TRIP ANALOG ACTUATING MODES FOR CHANNEL DEVICE ACTUATION WHICH CHANNEL CHANNEL OPERATIONAL OPERATIONAL LOGIC SURVEILLANCE CHECK CALIBRATION TEST TEST TEST IS REQUIRED FUNCTIONAL UNIT D Low Setpoint Power N.A. R(4) R N.A. N.A. 1,2 Range Neutron Flux, P-1 0 E. Turbine Impulse N.A. R R N.A. N.A. 1 Chamber Pressure, P-i13 F. Low Power Range N.A. R N.A. N.A. 1 R(4)

Neutron Flux, P-9

20. Reactor Trip Breaker N.A. N.A. NA.A (7, 12) N.A. 1, 2, 3,* 4*, 5*
21. Automatic Trip Logic N.A. N.A. N.A. N.A. Q (15) 1, 2, 3*, 4*, 5*
22. Reactor Trip Bypass Breaker N.A. N.A. N.A. (7, 13), R(14) N.A. 1, 2,3*, 4*, 5*j CD 0~


TABLE 4.3-1 (Continued)

TABLE NOTATION

  1. 4# - Below P-6 (Intermediate Range Neutron Flux Interlock) setpoint.
    1. - Below P-10 (Low Setpoint Power Range Neutron Flux Interlock) setpoint.

(1) - If not performed in previous 31 days.

(2) - Comparison of calorimetric to excore power indication above 15% of RATED THERMAL POWER. Adjust excore channel gains consistent with calorimetric power if absolute difference is greater than 2 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(3) - Single point comparison of incore to excore AXIAL FLUX DIFFERENCE above 15% of RATED THERMAL POWER. Recalibrate if the absolute difference is greater than or equal to 3 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(4) - Neutron detectors may be excluded from CHANNEL CALIBRATION.

(5) - Detector plateau curves shall be obtained evaluated and compared to manufacturer's data. For the Power Range Neutron Flux Channels the provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(6) - Incore - Excore Calibration, above 75% of RATED THERMAL POWER. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(7) - Each train shall be tested at least every 124 days on a STAGGERED TEST BASIS.

(8) - DELETED

(9) - Surveillance in MODES 3*, 4* and 5* shall also include verification that permissives P-6 and P-10 are in their required state for existing plant conditions by observation of the permissive annunciator window.

(10) - Setpoint verification is not required.

(11) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip circuits for the Manual Reactor Trip Function. The test shall also verify the OPERABILITY of the Bypass Breaker trip circuit(s).

(12) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip attachments of the Reactor Trip Breakers.

(13) - Local manual shunt trip prior to placing breaker in service.

(14) - Automatic undervoltage trip.

(15) - Each train shall be tested at least every 184 days on a Staggered Test Basis.

(16) 12 hours after reducing power below P-10 and 184 days thereafter.

(17) 4 hours after reducing power below P-6 and 4 hours after entering MODE 3 from MODE 2 and 184 days thereafter.

(18) If not performed in previous 184 days.

SUMMER - UNIT 1    3/4 3-14

TABLE 4.3-2

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

| FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED |
|---|---|---|---|---|---|---|---|---|
| 1. SAFETY INJECTION, REACTOR TRIP, FEEDWATER ISOLATION, CONTROL ROOM ISOLATION, START DIESEL GENERATORS, CONTAINMENT COOLING FANS AND ESSENTIAL SERVICE WATER | | | | | | | | |
| a. Manual Initiation | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4 |
| b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3,4 |
| c. Reactor Building Pressure-High-1 | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| d. Pressurizer Pressure--Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| e. Differential Pressure Between Steam Lines--High | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| f. Steam Line Pressure Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| 2. REACTOR BUILDING SPRAY | | | | | | | | |
| a. Manual Initiation | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4 |
| b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3,4 |
| c. Reactor Building Pressure-High-3 | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| 3. CONTAINMENT ISOLATION | | | | | | | | |
| a. Phase "A" Isolation | | | | | | | | |
| 1) Manual | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4 |
| 2) Safety Injection | See 1 above for all Safety Injection Surveillance Requirements. | | | | | | | |
| 3) Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3,4 |
| b. Phase "B" Isolation | | | | | | | | |
| 1) Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3,4 |
| 2) Reactor Building Pressure-High-3 | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| c. Purge and Exhaust Isolation | | | | | | | | |
| 1) Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(2,3) | 1,2,3,4 |
| 2) Containment Radioactivity-High | S | R | M | N.A. | N.A. | N.A. | N.A. | 1,2,3,4 |
| 3) Safety Injection | See 1 above for all Safety Injection Surveillance Requirements. | | | | | | | |
| 4. STEAM LINE ISOLATION | | | | | | | | |
| a. Manual | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3 |
| b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3 |
| c. Reactor Building Pressure-High-2 | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| d. Steam Flow in Two Steam Lines--High | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| Coincident with Tavg--Low-Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| e. Steam Line Pressure Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| 5. TURBINE TRIP AND FEEDWATER ISOLATION | | | | | | | | |
| a. Steam Generator Water Level-High-High | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2 |
| b. Automatic Actuation Logic and Actuation Relay | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2 |
| 6. EMERGENCY FEEDWATER | | | | | | | | |
| a. Manual | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3 |
| b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3 |
| c. Steam Generator Water Level--Low-Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| d. Undervoltage - Both ESF Busses | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3 |
| e. Safety Injection | See 1 above for all Safety Injection Surveillance Requirements. | | | | | | | |
| f. Undervoltage - One ESF Bus | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3 |
| g. Trip of Main Feedwater Pumps | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2 |
| h. Suction transfer on low pressure | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| 7. LOSS OF POWER | | | | | | | | |
| a. 7.2 kV Emergency Bus Undervoltage (Loss of Voltage) | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4 |
| b. 7.2 kV Emergency Bus Undervoltage (Degraded Voltage) | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4 |
| 8. AUTOMATIC SWITCHOVER TO CONTAINMENT SUMP | | | | | | | | |
| a. RWST level low-low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3 |
| 9. ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INTERLOCKS | | | | | | | | |
| a. Pressurizer Pressure, P-11 | N.A. | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| b. Low, Low Tavg, P-12 | N.A. | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3 |
| c. Reactor Trip, P-4 | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3 |

INSTRUMENTATION

TABLE 4.3-2 (Continued)

TABLE NOTATION

(1) Each train shall be tested at least every 184 days on a STAGGERED TEST BASIS.

(2) The 36 inch containment purge supply and exhaust isolation valves are sealed closed during Modes 1 through 4, as required by TS 3.6.1.7. With these valves sealed closed, their ability to open is defeated; therefore, they are excluded from the quarterly slave relay test.

(3) Slave Relay Testing will be conducted every 18 months for Westinghouse type AR relays and preferably during a refueling outage to preclude the risk of actuation. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval to maintain the established frequency.


Document Control Desk
LAR 15-01424
RC-15-0171
Page 1 of 7

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12

ATTACHMENT 3
PROPOSED TECHNICAL SPECIFICATION BASES - MARK-UP

3/4.3 INSTRUMENTATION

BASES

3/4.3.1 and 3/4.3.2 REACTOR TRIP AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION

The OPERABILITY of the Reactor Protection System and Engineered Safety Feature Actuation System Instrumentation and interlocks ensure that 1) the associated action and/or reactor trip will be initiated when the parameter monitored by each channel or combination thereof reaches its setpoints, 2) the specified coincidence logic and sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance consistent with maintaining an appropriate level of reliability of the Reactor Protection and Engineered Safety Features instrumentation and, 3) sufficient system functions capability is available from diverse parameters.

The OPERABILITY of these systems is required to provide the overall reliability, redundancy, and diversity assumed available in the facility design for the protection and mitigation of accident and transient conditions. The integrated operation of each of these systems is consistent with the assumptions used in the accident analyses. The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards. The periodic surveillance tests performed at the minimum frequencies are sufficient to demonstrate this capability. Specified surveillance intervals have been determined in accordance with WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for Reactor Protection Instrumentation System," and supplements to that report. Specified surveillance and maintenance outage times have been determined in accordance with WCAP-14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and Westinghouse letter CGE-05-48. [Insert 1] Surveillance intervals and out of service times were determined based on maintaining an appropriate level of reliability of the Reactor Protection System and Engineered Safety Features instrumentation. The Slave Relay Test is performed on an 18-month frequency that is specific to Westinghouse AR relays. This test frequency is based on relay reliability assessments presented in WCAP-13877-P-A, "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays," that is dependent on the qualified life and environmental conditions of the AR relays. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval.

Consistent with the requirement in Regulatory Guide 1.177 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note). Entry into Actions 12, 14, 21, or 25 is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Actions 12, 14, 21, or 25 are typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of entry into Actions 12, 14, 21, or 25. If this situation were to occur during the 24-hour AOT of Actions 12, 14, 21, or 25, the configuration risk assessment procedure will assess the emergent condition and direct activities to restore the inoperable logic train and exit Actions 12, 14, 21, or 25, or fully implement these restrictions, or perform a unit shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.


  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

[Insert 2]

The Engineered Safety Feature Actuation System Instrumentation Trip Setpoints specified in Table 3.3-4 are the nominal values at which the bistables are set for each functional unit. A setpoint is considered to be adjusted consistent with the nominal value when the "as measured" setpoint is within the band allowed for calibration accuracy.

To accommodate the instrument drift assumed to occur between operational tests and the accuracy to which setpoints can be measured and calibrated, Allowable Values for the setpoints have been specified in Table 3.3-4. Operation with setpoints less conservative than the Trip Setpoint but within the Allowable Value is acceptable since an allowance has been made in the safety analysis to accommodate this error.

The methodology to derive the trip setpoints is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip setpoints are the magnitudes of these channel uncertainties. Sensor and rack instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes. Rack drift in excess of the Allowable Value exhibits the behavior that the rack has not met its allowance. Being that there is a small statistical chance that this will happen, an infrequent excessive drift is expected. Rack or sensor drift, in excess of the allowance that is more than occasional, may be indicative of more serious problems and should warrant further investigation.

The measurement of response time at the specified frequencies provides assurance that the reactor trip and the engineered safety feature actuation associated with each channel is completed within the time limit assumed in the accident analyses. No credit was taken in the analyses for those channels with response times indicated as not applicable.

Response time may be demonstrated by any series of sequential, overlapping or total channel test measurements provided that such tests demonstrate the total channel response time as defined. Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of allocated sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Response Time Tests," provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component into operational service and re-verified following maintenance or modification that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for the repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing element of a transmitter.

Westinghouse letter CGE-00-018, dated March 28, 2000, provided an evaluation of the Group 05 (11 NLP and 6NSA) 7300 process cards. These cards were revised after the submittal of WCAP-14036, Revision 1. This letter concluded that the failure modes and effects analysis (FMEA) performed for the older versions of these cards and documented in WCAP-14036-P-A, Revision 1, is applicable for these Group 05 cards. The bounding time response values determined by test and evaluation and reported in the WCAP are valid for these redesigned cards.

The Engineered Safety Features response times specified in Table 3.3-5 which include sequential operation of the RWST and VCT valves (Notes 2 and 3) are based on values assumed in the non-LOCA safety analyses. These analyses are for injection of borated water from the RWST. Injection of borated water is assumed not to occur until the VCT charging pump suction isolation valves are closed following opening of the RWST charging pumps suction valves. When the sequential operation of the RWST and VCT valves is not included in the response times (Note 1) the values specified are based on the LOCA analyses. The LOCA analyses take credit for injection flow regardless of the source.

Verification of the response times specified in Table 3.3-5 will assure that the assumptions used for the LOCA and non-LOCA analyses with respect to the operation of the VCT and RWST valves are valid.

The Engineered Safety Features Actuation System senses selected plant parameters and determines whether or not predetermined limits are being exceeded. If they are, the signals are combined into logic matrices sensitive to combinations indicative of various accidents, events, and transients. Once the required logic combination is completed, the system sends actuation signals to those engineered safety features components whose aggregate function best serves the requirements of the condition. As an example, the following actions may be initiated by the Engineered Safety Features Actuation System to mitigate the consequences of a steam line break or loss of coolant accident: 1) safety injection pumps start and automatic valves position, 2) reactor trip, 3) feedwater isolation, 4) startup of the emergency diesel generators, 5) containment spray pumps start and automatic valves position, 6) containment isolation, 7) steam line isolation, 8) turbine trip, 9) auxiliary feedwater pumps start and automatic valves position, 10) containment cooling fans start and automatic valves position, 11) essential service water pumps start and automatic valves position, and 12) control room isolation and ventilation systems start.

Several automatic logic functions included in this specification are not necessary for Engineered Safety Feature System actuation but their functional capability at the specified setpoints enhances the overall reliability of the Engineered Safety Features functions. These automatic actuation systems are purge and exhaust isolation from high containment radioactivity, turbine trip and feedwater isolation from steam generator high-high water level, initiation of emergency feedwater on a trip of the main feedwater pumps, automatic transfer of the suctions of the emergency feedwater pumps to service water on low suction pressure, and automatic opening of the containment recirculation sump suction valves for the RHR and spray pumps on low-low refueling water storage tank level.

The service water response time includes: 1) the start of the service water pumps and, 2) the service water pumps discharge valves (3116A,B,C-SW) stroking to the fully opened position. This condition of the valves assures that flow will become established through the component cooling water heat exchanger, diesel generator coolers, HVAC chiller, and to the suction of the service water booster pumps when these components are placed in-service. Prior to this time, the flow is rapidly approaching required flow and sufficient pressure is developed as valves finish their stroke. Each of the above-listed components will be starting to perform their accident mitigation function, either directly or indirectly depending upon the use of the component, and will be operational within the service water response time of 71.5/81.5 seconds 1/. Only the service water booster pumps have a direct impact on the accident analysis via the RBCUs' heat removal capability as discussed below.

1/ Total time is 1.5 second instrument response after setpoint is reached, plus 10 seconds diesel generator start, plus 10 seconds to reach service water pump start and begin 3116-SW opening via Engineered Safety Features Loading Sequencer, plus 60 seconds stroke time for 3116-SW. During this total time, the service water pumps start and the service water pump discharge valve begins to open at 11.5 seconds and the pump discharge valve is fully open at 71.5 seconds without a diesel generator start required and 21.5 seconds and 81.5 seconds including a diesel generator start.


The RBCU response time includes: 1) the start of the RBCU fan and the service water booster pumps and, 2) all the service water valves which must be driven to the fully opened or fully closed position. This condition of the valves allows the flow to become fully established through the RBCU. Prior to this time, the flow is rapidly approaching required flow as the valves finish their stroke. Although the RBCU would be removing heat throughout the Engineered Safety Features response time, the accident analysis does not assume heat removal capability from 0 to 71.5 seconds 1/ because the industrial cooling water system is not completely isolated until 71.5 seconds. A linear ramp increase from 95% full heat removal capability to 100% full heat removal capability is assumed by the accident analysis to start at 71.5 seconds and end at 86.5 seconds 2/. Full heat removal capability is assumed at 86.5 seconds based on the position of the valve 3107-SW.

1/ Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel start plus 60 seconds* for valves to isolate industrial cooling water system.

2/ Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel generator start plus 75 seconds to stroke valves 3107A, B-SW.

* During this time period, the Engineered Safety Features Loading Sequencer starts the RBCU fans at 25 seconds and service water booster pumps at 30 seconds after the valves begin to stroke.


Insert 1:

Specified surveillance intervals and RTB outage times have been determined in accordance with WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated March 2003.

Insert 2:

Consistent with the NRC Safety Evaluation (SE) requirements in WCAP-15376-P-A, Rev. 1, Tier 2 insights must be included in the decision making process before removing an RTB train from service and implementing the extended (risk-informed) Completion Time for an RTB train. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTB train is inoperable.

Entry into Action 8 for an inoperable RTB train is not a typical, preplanned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Action 8 may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Action 8 entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable RTB train and exit the Action, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Action 8 when an RTB train is inoperable:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available.

RCS pressure relief (pressurizer PORVs and safety valves), emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

  • Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.

  • Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

Document Control Desk
LAR 15-01424
RC-15-0171
Page 1 of 7

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12

ATTACHMENT 4
PROPOSED TECHNICAL SPECIFICATION BASES - RETYPED

| Remove Pages | Insert Pages |
|---|---|
| TS Bases Page 3/4-3-1 | TS Bases Page 3/4-3-1 |
| TS Bases Page 3/4-3-1a | TS Bases Page 3/4-3-1a |
| TS Bases Page 3/4-3-1b | TS Bases Page 3/4-3-1b |
| TS Bases Page 3/4-3-1c | TS Bases Page 3/4-3-1c |
| TS Bases Page 3/4-3-1d | TS Bases Page 3/4-3-1d |
| ______ | TS Bases Page 3/4-3-1e |

3/4.3 INSTRUMENTATION

BASES

3/4.3.1 and 3/4.3.2 REACTOR TRIP AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION

The OPERABILITY of the Reactor Protection System and Engineered Safety Feature Actuation System Instrumentation and interlocks ensure that 1) the associated action and/or reactor trip will be initiated when the parameter monitored by each channel or combination thereof reaches its setpoints, 2) the specified coincidence logic and sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance consistent with maintaining an appropriate level of reliability of the Reactor Protection and Engineered Safety Features instrumentation and, 3) sufficient system functions capability is available from diverse parameters.

The OPERABILITY of these systems is required to provide the overall reliability, redundancy, and diversity assumed available in the facility design for the protection and mitigation of accident and transient conditions. The integrated operation of each of these systems is consistent with the assumptions used in the accident analyses. The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards. The periodic surveillance tests performed at the minimum frequencies are sufficient to demonstrate this capability. Specified surveillance intervals have been determined in accordance with WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for Reactor Protection Instrumentation System," and supplements to that report. Specified surveillance and maintenance outage times have been determined in accordance with WCAP-14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and Westinghouse letter CGE-05-46. Specified surveillance intervals and RTB outage times have been determined in accordance with WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated March 2003. Surveillance intervals and out of service times were determined based on maintaining an appropriate level of reliability of the Reactor Protection System and Engineered Safety Features instrumentation. The Slave Relay Test is performed on an 18-month frequency that is specific to Westinghouse AR relays. This test frequency is based on relay reliability assessments presented in WCAP-13877-P-A, "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays," that is dependent on the qualified life and environmental conditions of the AR relays. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval.

Consistent with the requirement in Regulatory Guide 1.177 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note). Entry into Actions 12, 14, 21, or 25 is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Actions 12, 14, 21, or 25 are typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of entry into Actions 12, 14, 21, or 25. If this situation were to occur during the 24-hour AOT of Actions 12, 14, 21, or 25, the configuration risk assessment procedure will assess the emergent condition and direct activities to restore the inoperable logic train and exit Actions 12, 14, 21, or 25, or fully implement these restrictions, or perform a unit shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • To preserve ATWS mitigation capability, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable for maintenance.


  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.
  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

Consistent with the NRC Safety Evaluation (SE) requirements in WCAP-15376-P-A, Rev. 1, Tier 2 insights must be included in the decision making process before removing an RTB train from service and implementing the extended (risk-informed) Completion Time for an RTB train. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTB train is inoperable.

Entry into Action 8 for an inoperable RTB train is not a typical, preplanned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Action 8 may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Action 8 entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable RTB train and exit the Action, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Action 8 when an RTB train is inoperable:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

  • Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.
  • Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

The Engineered Safety Feature Actuation System Instrumentation Trip Setpoints specified in Table 3.3-4 are the nominal values at which the bistables are set for each functional unit. A setpoint is considered to be adjusted consistent with the nominal value when the "as measured" setpoint is within the band allowed for calibration accuracy.

To accommodate the instrument drift assumed to occur between operational tests and the accuracy to which setpoints can be measured and calibrated, Allowable Values for the setpoints have been specified in Table 3.3-4. Operation with setpoints less conservative than the Trip Setpoint but within the Allowable Value is acceptable since an allowance has been made in the safety analysis to accommodate this error.

The methodology to derive the trip setpoints is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip setpoints are the magnitudes of these channel uncertainties. Sensor and rack instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes. Rack drift in excess of the Allowable Value exhibits the behavior that the rack has not met its allowance. Being that there is a small statistical chance that this will happen, an infrequent excessive drift is expected. Rack or sensor drift, in excess of the allowance that is more than occasional, may be indicative of more serious problems and should warrant further investigation.

The measurement of response time at the specified frequencies provides assurance that the reactor trip and the engineered safety feature actuation associated with each channel is completed within the time limit assumed in the accident analyses. No credit was taken in the analyses for those channels with response times indicated as not applicable.

Response time may be demonstrated by any series of sequential, overlapping or total channel test measurements provided that such tests demonstrate the total channel response time as defined. Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of allocated sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Response Time Tests," provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component into operational service and re-verified following maintenance or modification that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for the repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing element of a transmitter.

Westinghouse letter CGE-00-018, dated March 28, 2000, provided an evaluation of the Group 05 (11 NLP and 6NSA) 7300 process cards. These cards were revised after the submittal of WCAP-14036, Revision 1. This letter concluded that the failure modes and effects analysis (FMEA) performed for the older versions of these cards and documented in WCAP-14036-P-A, Revision 1, is applicable for these Group 05 cards. The bounding time response values determined by test and evaluation and reported in the WCAP are valid for these redesigned cards.

The Engineered Safety Features response times specified in Table 3.3-5 which include sequential operation of the RWST and VCT valves (Notes 2 and 3) are based on values assumed in the non-LOCA safety analyses. These analyses are for injection of borated water from the RWST. Injection of borated water is assumed not to occur until the VCT charging pump suction isolation valves are closed following opening of the RWST charging pumps suction valves. When the sequential operation of the RWST and VCT valves is not included in the response times (Note 1) the values specified are based on the LOCA analyses. The LOCA analyses take credit for injection flow regardless of the source.

Verification of the response times specified in Table 3.3-5 will assure that the assumptions used for the LOCA and non-LOCA analyses with respect to the operation of the VCT and RWST valves are valid.

The Engineered Safety Features Actuation System senses selected plant parameters and determines whether or not predetermined limits are being exceeded. If they are, the signals are combined into logic matrices sensitive to combinations indicative of various accidents, events, and transients. Once the required logic combination is completed, the system sends actuation signals to those engineered safety features components whose aggregate function best serves the requirements of the condition. As an example, the following actions may be initiated by the Engineered Safety Features Actuation System to mitigate the consequences of a steam line break or loss of coolant accident: 1) safety injection pumps start and automatic valves position, 2) reactor trip, 3) feedwater isolation, 4) startup of the emergency diesel generators, 5) containment spray pumps start and automatic valves position, 6) containment isolation, 7) steam line isolation, 8) turbine trip, 9) auxiliary feedwater pumps start and automatic valves position, 10) containment cooling fans start and automatic valves position, 11) essential service water pumps start and automatic valves position, and 12) control room isolation and ventilation systems start.

Several automatic logic functions included in this specification are not necessary for Engineered Safety Feature System actuation but their functional capability at the specified setpoints enhances the overall reliability of the Engineered Safety Features functions. These automatic actuation systems are purge and exhaust isolation from high containment radioactivity, turbine trip and feedwater isolation from steam generator high-high water level, initiation of emergency feedwater on a trip of the main feedwater pumps, automatic transfer of the suctions of the emergency feedwater pumps to service water on low suction pressure, and automatic opening of the containment recirculation sump suction valves for the RHR and spray pumps on low-low refueling water storage tank level.

The service water response time includes: 1) the start of the service water pumps and, 2) the service water pumps discharge valves (3116A, B, C-SW) stroking to the fully opened position. This condition of the valves assures that flow will become established through the component cooling water heat exchanger, diesel generator coolers, HVAC chiller, and to the suction of the service water booster pumps when these components are placed in-service. Prior to this time, the flow is rapidly approaching required flow and sufficient pressure is developed as valves finish their stroke. Each of the above-listed components will be starting to perform their accident mitigation function, either directly or indirectly depending upon the use of the component, and will be operational within the service water response time of 71.5/81.5 seconds(1). Only the service water booster pumps have a direct impact on the accident analysis via the RBCUs' heat removal capability as discussed below.

(1) Total time is 1.5 second instrument response after setpoint is reached, plus 10 seconds diesel generator start, plus 10 seconds to reach service water pump start and begin 3116-SW opening via Engineered Safety Features Loading Sequencer, plus 60 seconds stroke time for 3116-SW. During this total time, the service water pumps start and the service water pump discharge valve begins to open at 11.5 seconds and the pump discharge valve is fully open at 71.5 seconds without a diesel generator start required and 21.5 seconds and 81.5 seconds including a diesel generator start.

The RBCU response time includes: 1) the start of the RBCU fan and the service water booster pumps and, 2) all the service water valves which must be driven to the fully opened or fully closed position. This condition of the valves allows the flow to become fully established through the RBCU. Prior to this time, the flow is rapidly approaching required flow as the valves finish their stroke. Although the RBCU would be removing heat throughout the Engineered Safety Features response time, the accident analysis does not assume heat removal capability from 0 to 71.5 seconds(2) because the industrial cooling water system is not completely isolated until 71.5 seconds. A linear ramp increase from 95% full heat removal capability to 100% full heat removal capability is assumed by the accident analysis to start at 71.5 seconds and end at 86.5 seconds(3). Full heat removal capability is assumed at 86.5 seconds based on the position of the valve 3107-SW.

(2) Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel start plus 60 seconds* for valves to isolate industrial cooling water system.

(3) Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel generator start plus 75 seconds to stroke valves 3107A, B-SW.

* During this time period, the Engineered Safety Features Loading Sequencer starts the RBCU fans at 25 seconds and service water booster pumps at 30 seconds after the valves begin to stroke.

Document Control Desk LAR 15-01424 RC-15-0171 Page 1 of 21

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12

ATTACHMENT 5
WCAP-15376-P APPLICABILITY ANALYSIS

1.0 Purpose

The purpose of this Attachment is to provide a summary of the technical justification for implementation of the completion time (CT), bypass test time, and surveillance test interval (STI) changes justified in WCAP-15376-P-A, Revision 1 (Reference 1) for V.C. Summer Nuclear Station (VCSNS) Unit 1.

2.0 Background

The Nuclear Regulatory Commission (NRC) approved the following TS changes justified in WCAP-15376-P-A, Revision 1 (Reference 1) regarding STIs, CTs, and bypass test times for the Reactor Protection System (RPS).

Analog channels
  • STI from 3 months to 6 months

Logic cabinets
  • STI from 2 months to 6 months

Master relays
  • CT from 1 hour to 24 hours
  • Bypass test time from 2 hours to 4 hours
  • STI from 2 months to 4 months

Implementation of these changes requires the licensee to address the Conditions and Limitations in the NRC's Safety Evaluation. For WCAP-15376-P-A, this requires:

1. Confirm the applicability of the WCAP-15376-P-A, Revision 1 analysis to the plant
2. Address Tier 2 and 3 requirements
3. Address concurrent testing of one logic cabinet and associated reactor trip breaker
4. Confirm the modeling assumptions for the human reliability assessment are applicable

Implementation Guidelines for WCAP-15376-P-A have been previously developed and were followed in this program.

Tier 2 requirements provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when equipment is out of service. These requirements place limitations on additional equipment that can be removed from service during one of the risk-informed extended CTs. Tier 3 ensures that risk significant out-of-service equipment is evaluated prior to performing any maintenance activities. Tier 3 evaluations are addressed by the plant's Configuration Risk Management Program used to comply with 10 CFR 50.65(a)(4).

An additional commitment included in the Implementation Guidelines for WCAP-15376-P-A, Revision 1 addresses setpoint uncertainty calculations and assumptions, including instrument drift.

In addition, monitoring requirements for the changes implemented were developed and an assessment of the impact of the proposed changes on external event risk was addressed. These are not Conditions or Limitations in the Safety Evaluations, but the NRC has requested this information for plants that have recently requested the changes in WCAP-15376-P-A.

3.0 Summary of Results

The following sections provide a summary of the results. Inputs included the VCSNS Unit 1 PRA model, Final Safety Analysis Report (FSAR), and TS.

3.1 Task 1: Demonstrate Applicability of WCAP-15376-P-A, Revision 1

The following demonstrates the applicability of the WCAP-15376-P-A, Revision 1 analysis and results to VCSNS Unit 1 and addresses the Conditions and Limitations in the Safety Evaluation. This includes:

  • Demonstrate the applicability of the analysis and results to VCSNS Unit 1 (Condition and Limitation 1)
  • Demonstrate the applicability of the component failure probabilities for the safeguards driver cards and master relays (Condition and Limitation 1)
  • Address containment failure assessment (Condition and Limitation 1)
  • Develop Tier 2 limitations (Condition and Limitation 2)
  • Address concurrent testing of one logic cabinet and associated reactor trip breaker (Condition and Limitation 3)
  • Confirm modeling assumptions for human reliability assessment (Condition and Limitation 4)

3.1.1 Applicability of WCAP-15376-P-A, Revision 1

Tables 1, 2, and 3 demonstrate that the WCAP-15376-P-A, Revision 1 analysis and results are applicable to VCSNS Unit 1.

Table 1: WCAP-15376-P-A Implementation Guidelines: Applicability of the Analysis General Parameters

| Parameter | WCAP-15376-P-A Analysis Assumption | VCSNS Unit 1 Specific Parameter |
|---|---|---|
| Logic Cabinet Type (1) | SSPS or Relay | SSPS (Solid State Protection System) |
| Component Bypass Test Time (2) | | |
| • Analog channels | 12 hours | 12 hours |
| • Logic cabinets (SSPS or Relay Protection System) | 4 hours for SSPS or 8 hours for Relay Protection System | 4 hours |
| • Master Relay (SSPS or Relay Protection System) | 4 hours for SSPS or 8 hours for Relay Protection System | 4 hours |
| • Reactor trip breakers | 2 hours | 2 hours |
| Component Test Interval (3) | | |
| • Reactor trip breakers | 2 months | 2 months |
| Typical At-Power Maintenance Intervals (4) | | |
| • Reactor trip breakers | 12 months | Equal to or greater than |
| Plant procedures are in place for the following operator actions (5) | | |
| • Insertion of the control rods via the rod control system | Credited | Yes |
| • Safety injection actuation from the main control board switches | Credited | Yes |
| • Safety injection by actuation of | Credited | Yes |
| • Emergency feedwater (EFW) pump start | Credited | Yes |
| ATWS Mitigation System Actuation Circuitry (AMSAC) (6) | Credited for EFW pump start | Yes |
| Total Transient Event Frequency (7) | 3.6/year | 4.41E-01/year |
| ATWS Contribution to CDF (current PRA model) (8) | 1.06E-06/year | 4.83E-08/year |
| Total CDF from Internal Events (current PRA model) (9) | -- | 5.67E-06/year |
| Total LERF from Internal Events (current PRA model) (9) | | 1-I.06E-07/year |

Notes:

1. Indicate type of logic cabinet; SSPS or Relay (both are included in WCAP-15376-P-A).
2. Fill in the current Tech Spec bypass test times. If the current Tech Spec bypass test times are equal to or less than those used in WCAP-15376-P-A, the analysis is applicable to your plant.
3. Fill in the current Tech Spec test interval. If the current Tech Spec test interval is equal to or greater than that used in WCAP-15376-P, the analysis is applicable to your plant.
4. Fill in the typical maintenance intervals or fill in "equal to or greater than" or "less than." If the maintenance intervals are equal to or greater than those used in WCAP-15376-P-A, the analysis is applicable to your plant.
5. Indicate if plant procedures are in place to perform these actions. If plant procedures are in place, the WCAP-15376-P-A analysis is applicable to your plant.
6. Indicate if AMSAC will initiate EFW pump start. If AMSAC will initiate EFW pump start, then the WCAP-15376-P-A analysis is applicable to your plant.
7. Include the total frequency for initiators requiring a reactor trip signal to be generated for event mitigation. This is required to assess the importance of ATWS events to CDF. Do not include events initiated by a reactor trip. If the plant specific value is less than the WCAP-15376-P-A value, then this analysis is applicable to your plant.
8. Fill in the ATWS contribution to core damage frequency (from at-power, internal events). This is required to determine if the ATWS event is a large contributor to CDF.
9. Fill in the total CDF and LERF from internal events (including internal flooding) for the most recent PRA model update. This is required for comparison to the NRC's risk-informed CDF and LERF acceptance guidelines in RG 1.174.

Table 2: WCAP-15376-P-A Implementation Guidelines: Applicability of Analysis Reactor Trip Actuation Signals

| Event | WCAP-15376-P-A Analysis Assumption | VCSNS Unit 1 Specific Parameter (1) |
|---|---|---|
| Large LOCA | Not Required | Agree |
| Medium LOCA | Not Required | Agree |
| Small LOCA | Non-diverse (2) w/OA (3) | Agree |
| Steam Generator Tube Rupture | Non-diverse w/OA | Agree |
| Interfacing System LOCA | Not Required | Agree |
| Reactor Vessel Rupture | Not Required | Agree |
| Secondary Side Breaks | Non-diverse w/OA | Agree |
| Transient Events, such as: Positive Reactivity Insertion; Loss of Reactor Coolant Flow; Total or Partial Loss of Main Feedwater; Loss of Condenser; Turbine Trip; Loss of DC Bus; Loss of Vital AC Bus; Loss of Instrument Air; Spurious Safety Injection; Inadvertent Opening of a Steam Valve | Diverse (4) w/OA | Agree |
| Reactor Trip | Generated by RPS | Agree |
| Loss of Offsite Power | Not Required by RPS | Agree |
| Station Blackout | Not Required by RPS | Agree |
| Loss of Service Water or Component Cooling Water | Non-diverse w/OA | Agree |

Notes:
1. Fill in "agree" if your plant design and operation is consistent with this analysis, that is, the noted reactor trip signals at a minimum, are available. If not, explain the difference. If "agree" is listed for each event, then the WCAP-15376-P-A analysis is applicable to your plant.
2. Non-diverse means that (at least) one signal will be generated to initiate a reactor trip for the event.
3. OA indicates that an operator could take action to initiate a reactor trip for the event. In the event automatic reactor trip does not occur, operator action can be taken that results in a success path (reactor trip) prior to the action becoming ineffective to mitigate the event. Procedures are in place that will instruct the operator to take action.
4. Diverse means that (at least) two signals will be generated to initiate a reactor trip for the event.

Table 3: WCAP-15376-P-A Implementation Guidelines: Applicability of Analysis ESFAS

| Safety Function | Event | WCAP-15376-P-A Analysis Assumption | VCSNS Unit 1 Specific Parameter (1) |
|---|---|---|---|
| Safety Injection | Large LOCA | Non-diverse (2) | Agree |
| Safety Injection | Medium LOCA | Non-diverse, OA (3) by SI switch on main control board | Agree |
| Safety Injection | Small LOCA | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Safety Injection | Interfacing Systems LOCA | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Safety Injection | Steam Generator Tube Rupture | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Safety Injection | Secondary Side Breaks | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Emergency Feedwater Pump Start | Events generating SI signal; Transient events | Pump actuation on SI signal (events generating SI signal); Non-diverse, AMSAC, operator action (transient events) | Agree |
| Main Feedwater Isolation | Secondary Side Breaks | Non-diverse | Agree |
| Steamline Isolation | Secondary Side Breaks | Non-diverse | Agree |
| Containment Spray Actuation | All events | Non-diverse | Agree |
| Containment Isolation | All events | From SI signal | Agree |
| Containment Cooling | All events | From SI signal | Agree |

Notes:

1. Fill in "agree" if your plant design and operation is consistent with this analysis, that is, the noted ESFAS at a minimum, are available. If not, explain the difference. If "agree" is listed for each event, then the WCAP-15376-P-A analysis is applicable to your plant.
2. Non-diverse means that (at least) one signal will be generated to initiate the safety function noted for the event.
3. OA indicates that an operator could take action to initiate ESF for the event. In the event automatic ESF does not occur, operator action can be taken that results in a success path (ESF actuation) prior to the action becoming ineffective to mitigate the event. Procedures are in place that will instruct the operator to take action.

Since the WCAP-15376-P-A analysis and results are applicable to VCSNS Unit 1, the following is concluded:

  • The signals available to actuate reactor trip for the various events are consistent with those credited in the WCAP analysis.
  • The signals available to actuate safeguards equipment for the various events are consistent with those credited in the WCAP analysis.
  • The current applicable analog channel, logic cabinet, and reactor trip breaker test intervals, bypass test times, and completion times are consistent with the WCAP analysis.
  • Plant procedures are in place for the relevant operator actions credited in the analysis.

The calculated increase in CDF for all the changes specified in WCAP-15376-P-A, Revision 1, as provided in Table 8.29 of the WCAP is 8.0E-07/year for plants with predominately 2-of-4 logic requirements and 8.5E-07/year for plants with predominately 2-of-3 logic. The calculated increase in LERF due to all the changes in WCAP-15376-P-A, Revision 1 as provided in Table 8.32 of the WCAP is 3.1E-08/year for plants with predominately 2-of-4 logic requirements and 5.7E-08/year for plants with predominately 2-of-3 logic. Per RG 1.174 (Reference 2), for a total CDF of 1.0E-04/year changes to CDF of 1.0E-06/year are acceptable; and for a total LERF of 1.0E-05/year, changes to LERF of 1.0E-07/year are acceptable. The VCSNS Unit 1 CDF for internal and external events is 7.27E-05/year and LERF including internal events and external events is 4.96E-07/year. Therefore, this is consistent with the guidelines in RG 1.174, Revision 2 that allows small increases in CDF and LERF.

It is concluded that implementing the changes in the WCAP will have an impact on CDF of less than 1.0E-06/year and on LERF of less than 1.0E-07/year, which meets the guidance in RG 1.174.

3.1.2 Applicability of the Safeguards Driver Card and Master Relay Failure Probabilities

It is necessary to indicate that component failure probabilities developed as part of WCAP-15376-P-A are applicable to VCSNS Unit 1. This includes the master relay and safeguards driver card failure probabilities. The failure probabilities for these components are based on data collected from a number of Westinghouse NSSS plants. The failure probabilities for these components provided in Table 8.6 of WCAP-15376-P are 1.10E-05 for SSPS master relays and 5.90E-04 for SSPS safeguards driver cards.

A summary of the experience for these components at VCSNS Unit 1 from 2009 to 2013 is provided in Table 4.

Table 4: Component Failure Probabilities for VCSNS Unit 1

| Parameter | Safeguards Driver Cards | Master Relays |
|---|---|---|
| Actuations | 254 | 1572 |
| Failures | 0 | 0 |

An analysis based on the binomial distribution was used to determine the number of expected failures for the given failure probabilities and actuations. For both components, zero or one failure would be expected. Since the experience at VCSNS Unit 1 resulted in no failures, it is concluded that the failure probabilities for these components used in the WCAP analysis are applicable to VCSNS Unit 1.
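The binomial check described above can be reproduced from the Table 4 counts and the Table 8.6 probabilities quoted in Section 3.1.2. The following is an added example, not the licensee's calculation: the function names, the 95% coverage level and the 5% significance level are assumptions, and the final upper-bound step goes beyond what the attachment states, to show how much zero failures in this few demands can actually confirm.

```python
from math import comb

# Generic per-demand failure probabilities (Table 8.6 of WCAP-15376-P) and
# plant experience for 2009-2013 (Table 4), both as quoted in this attachment.
COMPONENTS = {
    "SSPS safeguards driver cards": {"p": 5.90e-04, "demands": 254, "failures": 0},
    "SSPS master relays": {"p": 1.10e-05, "demands": 1572, "failures": 0},
}


def binom_pmf(k, n, p):
    """P(X = k) for X ~ Binomial(n, p)."""
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def binom_cdf(k, n, p):
    """P(X <= k); evaluates to 0 for k < 0."""
    return sum(binom_pmf(i, n, p) for i in range(k + 1))


def max_expected_failures(n, p, coverage=0.95):
    """Smallest k with P(X <= k) >= coverage (the coverage level is an assumption)."""
    k = 0
    while binom_cdf(k, n, p) < coverage:
        k += 1
    return k


def exceedance_probability(observed, n, p):
    """P(X >= observed): a small value means the data contradict the assumed p."""
    return 1.0 - binom_cdf(observed - 1, n, p)


def upper_bound(failures, n, alpha=0.05):
    """One-sided Clopper-Pearson upper limit on p: solves P(X <= failures) = alpha."""
    lo, hi = 0.0, 1.0
    for _ in range(200):  # bisection; the CDF decreases monotonically in p
        mid = (lo + hi) / 2.0
        if binom_cdf(failures, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def assess(name):
    """Compare plant experience for one component with its generic failure probability."""
    c = COMPONENTS[name]
    n, p, observed = c["demands"], c["p"], c["failures"]
    k_max = max_expected_failures(n, p)
    return {
        "expected": n * p,                         # mean number of failures
        "p_zero": binom_pmf(0, n, p),              # chance of seeing no failures
        "p_at_most_one": binom_cdf(1, n, p),       # chance of zero or one failure
        "max_expected": k_max,                     # upper end of the expected range
        "exceedance": exceedance_probability(observed, n, p),
        "upper_bound": upper_bound(observed, n),   # largest p the data still allow
        "consistent": observed <= k_max,
    }


if __name__ == "__main__":
    for component in COMPONENTS:
        result = assess(component)
        print(component)
        for key, value in result.items():
            print(f"  {key:>14}: {value}")
```

With zero observed failures the data cannot contradict either generic value; the upper bounds show that the plant record alone only limits the per-demand probability to roughly 1.2E-02 for the driver cards and 1.9E-03 for the master relays.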

3.1.3 Address Containment Failure Assessment

The WCAP analysis and determination of LERF is based on a large dry containment. VCSNS Unit 1 is a large dry containment; therefore, the results are applicable.

3.1.4 Develop Tier 2 Limitations

Recommended Tier 2 requirements, or restrictions, are provided in Section 8.5 of the WCAP. These are:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief, emergency feedwater flow (for RCS heat removal), ATWS Mitigating System Actuation Circuitry (AMSAC) and turbine trip are important to alternate ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC or turbine trip should not be scheduled when a RTB is out of service.
  • Due to the increased dependence on the available reactor trip train when one logic cabinet is removed from service, activities that degrade other components of the RPS, including master relays or slave relays and activities that cause analog channels to be unavailable should not be scheduled when a logic train is unavailable.
  • Activities on electrical systems that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is unavailable.

3.1.5 Develop Tier 3 Limitations

Tier 3 analysis is addressed through the VCSNS Maintenance Rule Program. Refer to the evaluation provided in Section 4.3 of the Enclosure of this submittal.

3.1.6 Address Concurrent Testing of One Logic Cabinet and Associated RTB

The risk impact of concurrent testing of one logic cabinet and the associated RTB is addressed by demonstrating that the WCAP-15376-P analysis is applicable to VCSNS Unit 1. The WCAP analysis assumes that if a RTB is out of service its associated logic cabinet is also out of service. Therefore, concurrent testing is addressed in the WCAP analysis.

3.1.7 Confirm Modeling Assumptions for Human Reliability Assessment

Table 5 provides a summary of the operator actions credited in the WCAP analysis and the ability of these actions to be successful at VCSNS Unit 1. All actions are credited with plant procedures in place and all actions are effective.

Table 5: WCAP-15376-P-A Implementation Guidelines: Applicability of the Human Reliability Analysis

| Operator Action | Procedures in Place for the Action? (1) | Operator Action that results in a success path (backup to the automatic function) prior to the action becoming ineffective to mitigate the event? (1) |
|---|---|---|
| Reactor trip from the main control board switches | Yes | Yes |
| Reactor trip by interrupting power to the motor-generator sets | Yes | No (see Table 5 Explanation #1 below) |
| Insertion of the control rods via the rod control system | Yes | Yes |
| Safety injection actuation from the main control board switches | Yes | Yes |
| Safety injection by actuation of individual components | Yes | Yes |
| Emergency Feedwater pump start | Yes | Yes |

Note:

1. Fill in "yes" or "no". If "yes" is filled in for both questions, then the analysis is applicable to your plant with respect to that operator action.

Table 5 Explanation #1

The analysis supporting the reactor trip instrumentation Technical Specification changes in WCAP-15376-P-A, Revision 1 credits the ability of the operators to trip the reactor by interrupting power to the motor-generator (MG) sets. When power is interrupted to the MG sets, the MG sets coast down and control rod drive mechanisms release the control rods which drop into the core. The failure probability for this operator action is set to 0.5.

VCSNS Unit 1 Emergency Operation Procedures (EOPs) include steps to trip the reactor via interrupting power to the MG sets if the reactor fails to trip. This action will occur after the operator action to trip the reactor from the main control board. Due to the short time available for operator actions during an ATWS event, the action to trip the reactor by interrupting power to the MG sets may not always be effective. The time for the reactor coolant system (RCS) to attain 3,200 psi is dependent on a number of parameters, including core time in life, availability of RCS pressure relief, and availability of emergency feedwater. Thus, there may be plant operating conditions when the time available is insufficient for a trip via the MG sets to be effective in mitigating the event.

As seen in WCAP-15376-P, failure of reactor trip signals for transient events is dominated by common cause failure of the RTBs. The reason for this is the defense-in-depth designed into the development of reactor trip signals. For transient events, reactor trip signals will be initiated by at least two sets of analog channels (transmitters or sensors monitoring different reactor parameters) and there is an operator action to trip the reactor from the control board. This operator action is a backup to failures in the analog channels and logic cabinets, but not the RTBs. Therefore, common cause failure of the RTBs is the dominant contributor to failure of reactor trip signals for transient events.

The probability for getting to an ATWS condition based on the model in WCAP-15376-P is:

CCF RTBs x failure probability of operators to trip reactor by interrupting power to MGs
= RTB random failure probability x Beta Factor RTB x failure probability of operators to trip reactor by interrupting power to MGs
= 3.70E-05/year x 0.043 x 0.5 = 8.0E-07/year

The probability for getting to an ATWS situation for VCSNS is:

CCF RTBs = RTB random failure probability x Beta Factor RTB = 1.54E-05/year x 0.043 = 6.6E-07/year

Note that the RTB random failure probability is from NUREG/CR-6928, "Industry Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants," 2008. This is an updated value over WCAP-15376-P.

As indicated, the probability of ATWS conditions is nearly equal between the WCAP-15376-P analysis and an updated analysis that does not credit tripping the reactor by interrupting power to the MG sets. Therefore, it is concluded that the results in WCAP-15376-P remain applicable given that no credit is taken for tripping the reactor by interrupting power to the MG sets.

All Operator Actions (OAs) listed in Table 5 (above) have a "Yes" answer for both questions or are further justified; therefore the WCAP-15376-P analysis is applicable to VCSNS Unit 1.

3.2 Task 2: Demonstrate Monitoring Requirements for WCAP-15376-P-A, Revision 1 Implementation

The monitoring program needs to be directed at the following components as noted:

  • Analog channels (which includes the sensors to the bistables) - STI extension
  • Logic cabinets - STI extension
  • Master relays - STI extension
  • RTB - STI extension
  • RTB - Completion time and bypass test time changes

The analog channels are typically associated with m-of-n logic. This means that if there are n channels only m of those channels are required to trip to initiate a safety function, such as reactor trip or emergency core cooling. Therefore, redundancy is built into the design. In addition, the safety equipment for event mitigation for the majority of the events that are postulated to occur can be actuated by more than one set of analog channels. This is referred to as analog channel diversity and this provides diversity in the design. Furthermore, the safety equipment can be actuated by operator action for most events which provides a backup to the automatic actuation signals. This redundancy and diversity for analog channels reduces the safety importance of the channels and changes in channel reliability have only a very small impact on plant risk. As stated in RG 1.174 (Reference 2), "SSCs are monitored commensurate with their safety importance." Based on this discussion, it is concluded that the analog channels can be eliminated from the monitoring program.

3.2.1 Monitoring Requirements - Component Failure Probabilities

Monitoring requirements are required on the components with an extended STI to ensure the component failure probabilities for the extended STIs used in the analysis remain applicable.

The failure probabilities of the components used in the analysis to justify the changes to the STIs are provided in Table 6.

Table 6: Component Failure Probabilities

| Component | Failure Probability (for the extended STI) |
|---|---|
| Universal logic cards | 1.15E-03 |
| Undervoltage driver cards | 1.01E-03 |
| Safeguards driver cards | 1.77E-03 |
| Master relays | 3.30E-05 |
| Reactor trip breakers | 7.40E-05 |

The approach used to develop monitoring requirements involved the use of a binomial distribution to calculate an acceptable number of failures that support the failure probability used in the analysis. Then the actual failures and actuations can be compared to this and assessed if the failure probability used in the analysis is supported by the plant experience.

Based on this assessment, for components with a failure probability of approximately 2.0E-03 (such as the undervoltage driver cards, safeguards driver cards, and universal logic cards), zero, one, or two failures would be expected depending on the number of actuations. For components with a failure probability of approximately 1.0E-04 (such as the master relays or reactor trip breakers), zero or one failure would be expected, again depending on the number of actuations.
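The binomial comparison described above can be sketched as follows. This is an added example, not the licensee's or Westinghouse's calculation: the 95% confidence level, the function names, and the actuation and failure counts are assumptions chosen for illustration, while the failure probabilities are the Table 6 values.

```python
"""Binomial check of observed failures against an analysis failure probability.

Added illustration. The 95% confidence level and the actuation counts in
MONITORING_LOG are assumptions, not values from the submittal.
"""

# Failure probabilities for the extended STI, copied from Table 6.
TABLE_6 = {
    "Universal logic cards": 1.15e-03,
    "Undervoltage driver cards": 1.01e-03,
    "Safeguards driver cards": 1.77e-03,
    "Master relays": 3.30e-05,
    "Reactor trip breakers": 7.40e-05,
}

# Constructed sample data: (component, actuations, observed failures).
MONITORING_LOG = [
    ("Universal logic cards", 250, 1),
    ("Safeguards driver cards", 250, 3),
    ("Master relays", 600, 0),
    ("Reactor trip breakers", 1000, 2),
]


def binomial_cdf(k, n, p):
    """Return P(X <= k) for X ~ Binomial(n, p).

    Terms come from the recurrence P(i+1) = P(i) * (n-i)/(i+1) * p/(1-p),
    which avoids large binomial coefficients.
    """
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    if n < 0:
        raise ValueError("n must be non-negative")
    if k < 0:
        return 0.0
    if k >= n:
        return 1.0
    term = (1.0 - p) ** n          # P(X = 0)
    total = term
    ratio = p / (1.0 - p)
    for i in range(k):
        term *= (n - i) / (i + 1) * ratio
        total += term
    return min(total, 1.0)


def acceptable_failures(n, p, confidence=0.95):
    """Smallest failure count k with P(X <= k) >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be in (0, 1)")
    k = 0
    while binomial_cdf(k, n, p) < confidence:
        k += 1
    return k


def assess(n, observed, p, confidence=0.95):
    """Compare plant experience with the failure probability used in the analysis."""
    limit = acceptable_failures(n, p, confidence)
    # Chance of seeing at least `observed` failures if p is correct.
    tail = 1.0 - binomial_cdf(observed - 1, n, p)
    return {"limit": limit, "tail_probability": tail, "supported": observed <= limit}


def review(log=MONITORING_LOG, confidence=0.95):
    """Assess every entry of a monitoring log; returns {component: result}."""
    return {name: assess(n, failures, TABLE_6[name], confidence)
            for name, n, failures in log}


if __name__ == "__main__":
    for name, result in review().items():
        status = "supported" if result["supported"] else "NOT supported"
        print(f"{name}: limit={result['limit']} "
              f"tail={result['tail_probability']:.4f} -> {status}")
```

With these assumptions the acceptable count for a probability near 2.0E-03 moves from zero to one to two as the number of actuations grows, and stays at zero or one for a probability near 1.0E-04, which matches the pattern described in the text.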

3.2.2 Monitoring Requirements - Component Unavailability

Component unavailability monitoring requirements are required for the reactor trip breakers, master relays, and logic cabinets since these are the components in the WCAP-15376-P-A, Revision 1 analysis that resulted in an extended test interval, completion time, and/or bypass time that could impact component availability.

The following 18 month unavailability times are assumed in the WCAP (from Table 8.7 of WCAP-15376-P-A, Revision 1):

Reactor trip breakers (unavailability due to test and maintenance)

  • Test unavailability = 4 hours x 3 tests/year = 12 hours/year per RTB or 18 hours/18 months per RTB
  • Maintenance unavailability = 30 hours x 1 maintenance event/year = 30 hours/year or 45 hours/18 months per RTB
  • Total unavailability = 45 hours/18 months + 18 hours/18 months = 63 hours/18 months per RTB

Master relays (unavailability due to test and maintenance)

  • Test unavailability = 4 hours x 3 tests/18 months = 12 hours/18 months
  • Maintenance unavailability = very small due to the low failure probability of the relays
  • Total unavailability = 12 hours/18 months (for each master relay)

Logic cabinets (unavailability due to test and maintenance)

  • Test unavailability = 4 hours x 3 tests/18 months = 12 hours/18 months
  • Maintenance unavailability = 30 hours/18 months
  • Total unavailability = (12 hours + 30 hours)/18 months = 42 hours/18 months (for each logic cabinet)

The suggested monitoring requirements are provided in Table 7.

Table 7: Summary of Monitoring Requirements on an Individual Component Basis

| Component | Unavailability Time | Interval |
|---|---|---|
| Reactor Trip Breakers | 63 hours | 18 months |
| Master Relays | 12 hours | 18 months |
| Logic Cabinets | 42 hours | 18 months |

3.3 Task 3: Assessment of Impact from External Events for WCAP-15376-P-A, Revision 1

The analysis supporting the changes in WCAP-15376-P-A, Revision 1 does not include external events. Although this is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested information on the external event impact from plants recently requesting these changes.

The risk impact from seismic, fire, high winds, external flooding, and transportation and nearby facility accident events due to the implementation of the TS changes justified in WCAP-15376-P-A, Revision 1 was assessed and the acceptability of the changes was determined.

3.3.1 Seismic Assessment

The following provides the discussion of the impact of seismic events on the risk assessment as related to the signal unavailability changes for the proposed TS changes. The steps that were followed to determine the impact of seismic events on the risk for the proposed CT changes are:

Step 1: Identify the Systems of Interest
Step 2: Identify the Accidents that can Result from a Seismic Event
Step 3: Identify How the System of Interest is Used to Mitigate the Seismically Induced Events
Step 4: Assess the Impact of the Signal Unavailability Increase on CDF and LERF

The seismic events that need to be considered are those that cause a loss of offsite power (LOOP) or a small break LOCA. Each of these events is discussed in the following with respect to the proposed Technical Specification changes. Note that larger seismic events will cause larger LOCAs, secondary side breaks, failure of support systems, etc., and also adversely impact the systems required for mitigation including the RPS. Therefore, small changes to the availability of the signals have no impact on seismic plant risk for these larger seismic events.

LOOP Events

For a LOOP event, the Diesel Generators (DGs) are required to start and run, EFW is required to start and run, and the seal injection system or component cooling water to the thermal barrier heat exchanger need to continue (actually, load shed and then load back on the DG). The only signal required for this that is impacted by the proposed Tech Spec changes is the EFW pump start signal. If this signal fails, the EFW pumps can also be started by the ATWS mitigation system actuation circuitry (AMSAC). In addition, operators can start EFW pumps manually.

Therefore, the impact on seismic CDF from the increased signal unavailability can be determined by:

ΔCDF = Seismic LOOP Initiating Event (IE) Frequency x ΔUnavailability of ESFAS signal x Operator Action (OA) failure probability x AMSAC failure

where:

  • Seismic LOOP IE frequency = 5.20E-04/year (based on the ceramic insulators being the limiting component which leads to a loss of offsite power)
  • Operator action to initiate EFW failure probability = 1.90E-03 (from the VCSNS PRA model)

ΔCDF = 5.20E-04/year x 2.73E-04 x 1.90E-03 x 1.00E-02 = 2.70E-12/year

This results in a CDF increase of 2.70E-12/year, which is an extremely small impact on CDF. If it is very conservatively assumed that the total CDF increase results in a large early release, then the LERF impact is also very small. Therefore, it is concluded that the ΔCDF and ΔLERF changes meet the acceptance criteria in RG 1.174.

Note that reactor trip signals are not important to LOOP events. Given a LOOP event, the motor-generator sets will coast down and eliminate power to the control rod drive mechanisms, which will open and release the control rods to insert into the core. Therefore, no reactor trip signal is required.

Small Break LOCA Events

With a small break LOCA, the Emergency Core Cooling System (ECCS) is required to provide inventory control via coolant injection, and then recirculation. Since the ceramic insulators are the seismically limiting component, if a seismically induced small LOCA occurs, then offsite power will also be lost. That is, a higher level seismic event is required to cause a small LOCA than a LOOP. The level of the seismic event would also need to be low enough not to fail any mitigating equipment. If the level of the seismic event is high enough such that all trains of mitigating systems fail, such as the ECCS or DGs, then the event is assumed to proceed to core damage. Under this higher seismic level scenario, implementing the proposed changes does not result in an increase in risk since the mitigation systems fail whether or not they are available. But for the scenario in which a seismic event causes a small break LOCA and LOOP, but does not fail any mitigation equipment, the availability of the Safety Injection (SI) signal needs to be considered and the proposed Tech Spec changes can result in a change in plant risk from seismically initiated small LOCAs. This risk change, in terms of CDF, can be calculated as follows:

ΔCDF = Seismic Induced Small LOCA Initiating Event (IE) Frequency x ΔUnavailability of SI signal w/OA x OA failure probability (via individual components)

The value for the "ΔUnavailability of SI signal w/OA" parameter improves as the unavailability decreases with the proposed changes. This is based on the signal unavailabilities provided in WCAP-15376-P-A, Rev. 1. Therefore, the CDF assessment will show a CDF reduction. It is not necessary to determine the other parameters in the ΔCDF equation since this provides a benefit. Since the CDF is reduced, the LERF impact will also be very small.

From this it is concluded that the ΔCDF and ΔLERF changes are small and meet the acceptance criteria in RG 1.174.

Reactor Trip Signals

Note that reactor trip signals are not important to LOOP events. Given a LOOP event, the motor-generator sets will coast down and eliminate power to the control rod drive mechanisms, which will open and release the control rods which will insert into the core. Therefore, no reactor trip signal is required.

3.3.2 Fire Assessment

The following provides the discussion of the impact of fire events on the risk assessment as related to the signal unavailability changes for the proposed TS changes. The steps that were followed to determine the impact of seismic events on the risk for the proposed CT changes are:

Step 1: Determine the Fire IE Frequency
Step 2: Determine the Actuation Signals Required for Event Mitigation
Step 3: Determine the Increase in Signal Unavailability for those Signals Identified in Step 2 and Determine CDF and LERF Impact

The fire ignition frequencies were previously determined for each fire compartment via the guidance provided in NUREG/CR-6850 for VCSNS Unit 1. These frequencies were then summed by building to determine a building fire ignition frequency. The following buildings were included in the assessment:

  • Auxiliary Building
  • Control Building
  • Circulating Water Pump House
  • Diesel Generator Building
  • Fuel Handling Building
  • Intermediate Building
  • Reactor Building
  • Turbine Building

Each building was assessed to determine if one or two ESFAS trains will be available to start EFW. Fires in the Circulating Water Pump House, Diesel Generator Building, Fuel Handling Building, and Service Water Pump House would not impact ESFAS signals; therefore, both trains will be available. In the other buildings it was assumed that the fire could impact one ESFAS train; therefore, only one train of ESFAS signals will be available.

Mitigation of the fire event typically requires decay heat removal. This can be performed by the main feedwater system, EFW, and feed and bleed. Main feedwater is not credited following a fire event since there is a relatively large amount of equipment required which could be lost due to the fire, so conservatively it is not credited. EFW and feed and bleed are credited. Since this assessment is directed at the increased signal unavailabilities related to the proposed TS changes, the following discusses alternate methods to start EFW and the backup to EFW in case the signals for EFW fail.

For a transient event in which main feedwater is lost (most transient events), EFW will be started on steam generator level low-low. If this signal fails and the event degrades, then other signals may be available to actuate EFW, such as an SI signal. EFW can also be started by operator action from the control room and by AMSAC. If EFW fails to start due to failure of the above signals or due to failure of the EFW system itself, then operators can initiate feed and bleed for decay heat removal.

Based on this, the CDF impact related to the change in signal unavailability can be calculated as:

ΔCDF = Fire IE frequency x Change in signal unavailability x OA to initiate EFW failure probability x AMSAC/Feed and Bleed (F&B) failure

where:

  • Fire IE frequency from the areas crediting 1 ESFAS train = 9.54E-02/year
  • Fire IE frequency from the areas crediting 2 ESFAS trains = 1.69E-02/year
  • Change in signal unavailability - one train = -9.0E-04 (from WCAP-15376-P-A, Rev. 1)
  • Change in signal unavailability - two trains = 2.73E-04 (from WCAP-15376-P-A, Rev. 1)
  • Operator action to initiate EFW failure probability = 1.90E-03 (from the VCSNS PRA model)
  • AMSAC and Feed and Bleed failure probability = 0.10 (conservative value)

ΔCDF (EFW Pump Start - 1 Train) = 9.54E-02/year x -9.00E-04 x 1.90E-03 x 0.10 = -1.63E-08/year

ΔCDF (EFW Pump Start - 2 Trains) = 1.69E-02/year x 2.73E-04 x 1.90E-03 x 0.10 = 8.77E-10/year

Therefore, the total increase in CDF due to the increased signal unavailability to start EFW related to fire events = -1.63E-08/year + 8.77E-10/year = -1.54E-08/year. This is a risk benefit.

The CDF reduction is due to the signal unavailability reduction (availability improvement) for the single train emergency feedwater pump start signal. As the test intervals are extended, the probability of a component being in an undetected failed state increases, but the component unavailability related to the test is reduced since fewer tests are being completed. This tradeoff for high reliability components often results in a reliability improvement, especially for single trains where common cause failures do not dominate. Since the CDF is reduced, the LERF impact will also be very small and the ΔCDF and ΔLERF changes meet the acceptance criteria in RG 1.174.

Reactor Trip Signals

For the most part, reactor trip signals are not important to mitigation of fire events. Fire events, like many other external events, require the hazard (fire) to cause a reactor trip and adversely impact mitigation equipment. If a fire event only adversely impacts a mitigation system, then the plant continues to operate and the applicable Technical Specification Action for the Condition is followed. If a fire event causes a reactor trip and doesn't impact mitigation equipment, then this is addressed as a transient event. Since fire events cause a reactor trip, then reactor trip signals are not required to mitigate fire events and the proposed changes which impact the reactor trip signals have no impact on plant risk.

3.3.3 Other External Events

The VCSNS Unit 1 IPEEE was reviewed to identify vulnerabilities from external events including high winds, external flooding, and transportation and nearby facility accidents. Other external events were eliminated from further consideration. For the high winds, external flooding, and transportation and nearby facility accidents external events, the importance of reactor trip and engineered safety features actuation signals was assessed. These are discussed in the following sections.

High Winds Assessment

High winds were screened out as a significant contributor to plant risk in the IPEEE. Since the high wind event can cause a loss of offsite power, the plant could be in a station blackout situation for a significant length of time. Reactor trip and ESF actuation signals play no role in this core damage scenario because the control rods will insert on loss of power and the EFW turbine driven pump will start and run during a station blackout. Therefore, it is concluded that the small increases in signal unavailabilities have no impact on plant risk due to high wind events. High wind events that do not cause loss of offsite power would be considered transient events, which are addressed in the internal events evaluation.

External Flooding Assessment

An evaluation of external flooding was performed in the IPEEE assessment. As noted in the FSAR, VCSNS Unit 1 is considered a "dry site" which means the site is not subject to stream or river flooding due to topographic conditions. It was concluded that the plant was designed to provide adequate protection for safety-related structures, components, and systems from external flood hazards. Therefore, external flooding was screened from further consideration. It is concluded that the small increases in reactor trip and ESF actuation signal unavailabilities have no significant impact on plant risk in protecting the plant during external flood events.

Transportation and Nearby Facility Accidents Assessment

An evaluation of transportation and nearby facility hazards was performed in the IPEEE assessment and it was concluded that these events are not significant risks to the plant. Therefore, it is concluded that the small increases in reactor trip or ESF actuation signal unavailabilities have no impact on plant risk since there are no credible hazards posed to the plant from transportation or nearby facility accidents.

Conclusion

Based on this assessment, it was concluded that the impact of the proposed changes on plant risk from external events was small and meets the acceptance criteria in RG 1.174.

3.3.4 Total Plant CDF and LERF

The VCSNS Unit 1 CDF including internal and external events is 7.27E-05/year and LERF including internal and external events is 4.96E-07/year (see Table 8). These values are consistent with the guidelines in Regulatory Guide 1.174 that allows small increases in CDF and LERF. Per this Regulatory Guide, for a total CDF of 1.0E-04/year, changes to CDF of 1.0E-06/year are acceptable and for a total LERF of 1.0E-05/year, changes to LERF of 1.0E-07/year are acceptable.

Table 8: CDF and LERF Assessment

| Hazard Group | CDF (per year) | LERF (per year) |
|---|---|---|
| Internal Events (including Internal Flooding) | 5.67E-06 | 1.06E-07 |
| Seismic | 1.50E-05 | 1.50E-07 |
| Fire | 5.20E-05 | 2.40E-07 |
| Total | 7.27E-05 | 4.96E-07 |

3.4 Task 4: Assessment of PRA Model Consistency and RG 1.200

Although consistency of the VCSNS Unit 1 internal events PRA with Regulatory Guide 1.200 is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested this information in previous submittals. Unresolved Findings and Observations (F&O) from the most recent PRA model peer review were reviewed and the potential impact on implementation of the proposed changes was assessed below.

The VCSNS Unit 1 Internal Events PRA is based on a detailed model of the plant developed from the Individual Plant Examination for Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities." The model is maintained and updated in accordance with VCSNS procedures and has been updated to meet the ASME PRA Standard and Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities."

The model has been reviewed and assessed on multiple occasions. In August 2002, the VCSNS Internal Events PRA was peer reviewed in accordance with the guidance in NEI 00-02, "Probabilistic Risk Assessment (PRA) Peer Review Process Guidance." All A & B level F&Os from WOG Internal Events PRA Peer Review have been addressed. Although all C & D level findings have not been incorporated, all of the items that had the potential to significantly impact model results have been resolved.

Following completion of sufficient work to address the Peer Review comments, a 2005 gap assessment of the model was performed to determine the scope of work required to ensure the VCSNS Internal Events PRA meets Regulatory Guide 1.200, Revision 1. The results of this review indicated that VCSNS had resolved most of the issues identified in the original peer review, but the review identified some F&Os that needed additional work, as well as several new issues. Additionally (in this 2005 review), the VCSNS PRA was found to meet Capability Categories (CC)-II or better for 211 of the 271 Supporting Requirements (SRs) from the ASME PRA Standard, but 45 of the elements were found to either not meet the requirement or to meet the requirements at a CC-I level. Following work at VCSNS to address the findings and to increase the capability category ratings of the elements that needed an upgrade to allow use of the model in risk informed applications, a focused review was performed as required by the ASME RA-S-2002, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications" (and 2007 addenda ASME RA-Sc-2007, Appendix A). All SRs were judged to be CC-II or better, with the exception of thirteen SRs that were rated at the CC-I based on the VCSNS simplified NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," compliant Large Early Release Frequency (LERF) model. While these 13 SRs specifically define a simplified NUREG/CR-6595 LERF model as CC-I, it was noted that use of the NUREG model is an acceptable means of calculating LERF for risk-informed applications. The conclusion of the 2007 focused review was that the model is of sufficient quality for use in risk-informed applications.

In November 2011, PRA personnel from SCE&G and Westinghouse Electric Company performed a self-assessment to identify gaps between the VCSNS PRA model and the requirements delineated in Regulatory Guide 1.200, Revision 2, and the ASME/ANS PRA Internal Events Model Standard. This task was a follow up to the 2007 focused scope review which evaluated the model against the requirements in Revision 1 of the Regulatory Guide. In addition to a general assessment of the internal events PRA model, the self-assessment also addressed changes in requirements between the time of the 2007 focused scope review and the implementation date of Revision 2.

Based on the above, it is determined that the VCSNS PRA model is acceptable for use in this WCAP-15376-P Implementation analysis.

4.0 Conclusions

The following provides a summary of the conclusions of this program:

  • The changes proposed in WCAP-15376-P-A, Revision 1 are applicable to VCSNS Unit 1.
  • Tier 2 limitations are only required when a logic cabinet, master relay, or a RTB is out of service.
  • Monitoring requirements related to unavailability were identified for the RTBs, master relays, and logic cabinets.
  • Monitoring requirements related to component reliability were identified for the undervoltage driver cards, safeguards driver cards, universal logic cards, master relays, and reactor trip breakers.
  • No monitoring requirements were identified for the analog channels.
  • The impact of the proposed changes on risk from external events is very small and will not impact the acceptability of the changes proposed in WCAP-15376-P-A, Revision 1.
  • The VCSNS PRA model is consistent with RG 1.200 and is acceptable for use in the WCAP-15376-P-A analysis.

5.0 References

1. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.

2. US NRC Regulatory Guide 1.174, Revision 2, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," May 2011.

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12

ATTACHMENT 6
LIST OF REGULATORY COMMITMENTS

The following table identifies those actions committed to by the Virgil C. Summer Nuclear Station (VCSNS) in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments. Please direct questions regarding these commitments to Mr. Bruce L. Thompson at (803) 931-5042.

VCSNS will trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A (Over temperature Delta-T, Steam Generator Level, and Pressurizer Pressure) for two years (four operational tests).

Two years and six months after implementation.

~Thomas D. Gatlin Vice President,Nuclear Operations 803.345.4342 A SCANA COMPANY December 16, 2015 ATTN: Document Control Desk RC-1 5-01 71 U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

VIRGIL C. SUMMER NUCLEAR STATION, UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 LICENSE AMENDMENT REQUEST - LAR-15-01424 IMPLEMENTATION OF WCAP-1 5376-P-A, REVISION 1 - "RISK-INFORMED ASSESSMENT OF THE RTS AND ESFAS SURVEILLANCE TEST INTERVALS AND REACTOR TRIP BREAKER TEST AND COMPLETION TIMES"

Dear Sir / Madam:

Pursuant to 10 CFR 50.90, South Carolina Electric & Gas Company (SCE&G), acting for itself and as agent for South Carolina Public Service Authority, hereby requests an amendment to the Virgil C. Summer Nuclear Station (VCSNS) Technical Specifications (TS).

The proposed changes will revise TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to implement the Allowed Outage Time, Bypass Test Time, and Surveillance Frequency changes approved by the NRC in WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated March 2003. The proposed changes in this license amendment request are consistent with the NRC approved Technical Specification Task Force (TSTF) Improved Standard Technical Specification Change Traveler TSTF-411, Rev. 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)." These changes will also result in a revision to the TS Bases for 3/4.3.1 and 3/4.3.2, "Reactor Trip and Engineered Safety Feature Actuation System Instrumentation."

Information contained herein provides the No Significant Hazards Determination. Attachment 1 provides the TS pages marked up with the proposed changes. Attachment 2 provides the retyped TS pages. Attachment 3 provides a mark-up of the TS Bases while Attachment 4 provides the retyped TS Bases. Attachment 5 provides the analysis of WCAP-15376-P to VCSNS. Attachment 6 contains a commitment for VCSNS to trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A for two years.

The VCSNS Plant Safety Review Committee and the Nuclear Safety Review Committee have reviewed and approved the proposed changes. SCE&G is notifying the State of South Carolina of this LAR by transmitting a copy of this letter and enclosure to the designated State Official in accordance with 10 CFR 50.91(b).

SCE&G requests approval of the proposed amendment within 12 months of submittal in accordance with the NRC goal for review of license amendment requests. Once approved, the amendment shall be implemented within 60 days.

V. C. Summer Nuclear Station • P.O. Box 88 • Jenkinsville, SC • 29065 • F (803) 941-9776

There are no other TS changes in process that will affect or be affected by this change request.

There are no significant changes to any FSAR or FPER sections.

If you have any questions or require additional information, please contact Bruce L. Thompson at (803) 931-5042.

I certify under penalty of perjury that the foregoing is correct and true.

12 1 29/5 Executed on Thomas D. Gatlin TS/TDG/wm

Enclosure:

Evaluation of Proposed Changes
Attachment 1: Proposed Technical Specification Changes - Mark-up
Attachment 2: Proposed Technical Specification Changes - Retyped
Attachment 3: Proposed Technical Specification Bases - Mark-up
Attachment 4: Proposed Technical Specification Bases - Retyped
Attachment 5: WCAP-15376-P Applicability Analysis
Attachment 6: List of Regulatory Commitments

c: K. B. Marsh, S. A. Byrne, J. B. Archie, N. S. Camns, J. H. Hamilton, J. W. Williams, W. M. Cherry, L. D. Werts, S. A. Williams, NRC Resident Inspector, K. M. Sutton, S. E. Jenkins, P. Ledbetter, NSRC

RTS (CR-I15-01424)

File (813.20)

PRSF (RC-15-0171)

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12
ENCLOSURE
EVALUATION OF PROPOSED CHANGES

Subject:

LICENSE AMENDMENT REQUEST - LAR 15-01424 TECHNICAL SPECIFICATIONS 3/4.3.1 and 3/4.3.2 AND ASSOCIATED BASES

1.0 DESCRIPTION

South Carolina Electric & Gas Company (SCE&G) requests an amendment to revise the Virgil C. Summer Nuclear Station (VCSNS) Technical Specifications (TS) TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to implement the Allowed Outage Time (AOT), Surveillance Frequency, and Bypass Test Time changes approved by the NRC in WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." The proposed changes in this license amendment request (LAR) are based on the NRC approved Technical Specification Task Force (TSTF) Improved Standard Technical Specification Change Traveler TSTF-411, Rev. 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)." Deviations from TSTF-411 are discussed later in this Enclosure. The proposed changes will also result in a revision to the Bases for 3/4.3.1 and 3/4.3.2, "Reactor Trip and Engineered Safety Feature Actuation System Instrumentation." The proposed changes build upon the previous implementation of TSTF-418, Rev. 2, "RPS and ESFAS TEST Times (WCAP-14333)," as approved by NRC on October 24, 2006 (Reference 1 - ML062430684).

The NUREG-0452 (Reference 2) TS AOT acronym (used for the VCSNS TS) and the term "Completion Time," which is utilized in NUREG-1431 (Reference 3), are synonymous. Also note that for the surveillances performed on a Staggered Test Basis, the frequency of performance in the proposed VCSNS TS will be different from, but equivalent to, those given in TSTF-411 due to the difference in the definition of Staggered Test Basis between the VCSNS TSs and NUREG-1431 Improved TS (ITS). This difference is shown below:

VCSNS TSs -

1.32 A STAGGERED TEST BASIS shall consist of:

a. A test schedule for n systems, subsystems, trains or other designated components obtained by dividing the specified test interval into n equal subintervals,
b. The testing of one system, subsystem, train or other designated component at the beginning of each subinterval.

ITS TSs -

STAGGERED TEST BASIS A STAGGERED TEST BASIS shall consist of the testing of one of the systems, subsystems, channels, or other designated components during the interval specified by the Surveillance Frequency, so that all systems, subsystems, channels, or other designated components are tested during n Surveillance Frequency intervals, where n is the total number of systems, subsystems, channels, or other designated components in the associated function.

The net difference between the two Staggered Test Basis definitions stated above results in the VCSNS TS stating the total time to survey all the systems, subsystems, channels, or other designated components in the associated function and the NUREG-1431 TS using the shorter time that is equivalent to the total time divided by the number of systems, subsystems, channels, or other designated components in the associated function. The different definition of Staggered Test Basis is based on the difference between TSs based on NUREG-0452 and TSs based on NUREG-1431.

2.0 PROPOSED CHANGE

Changes to Technical Specifications 3/4.3.1 and 3/4.3.2 are proposed as justified in WCAP-15376-P-A, Rev. 1. In general, the Reactor Trip Breaker bypass test time is relaxed from 2 hours to 4 hours, the AOT from 1 hour to 24 hours, and the Surveillance Frequency from 2 months to 4 months in Technical Specification 3/4.3.1. The Surveillance Frequencies for the Logic Cabinet are relaxed from 2 months to 6 months; the Master Relays are relaxed from 2 months to 6 months; and the Analog Channels from 3 months to 6 months in both Technical Specifications 3/4.3.1 and 3/4.3.2. Some changes contained in TSTF-411 have not been proposed in this license amendment request as a partial conversion to the ITS would be required to facilitate the changes. The TSTF-411 changes that are not proposed in this license amendment request are discussed below, following the list of proposed changes.

Specifically, the proposed changes would revise the following:

2.1 TS 3/4.3.1, Table 3.3-1 - Action 8 - The proposed change for the AOT is from 1 hour to 24 hours. In addition, the Reactor Trip Breaker bypass test time is relaxed from 2 hours to 4 hours. Also, due to the extension of the 1 hour AOT to 24 hours and the time allowed to bypass one channel being extended from 2 hours to 4 hours, the last provisions of Action 8 allowing additional time for maintenance and an extended bypass time have been deleted.

2.2 TS 3/4.3.1, Table 4.3-1 - Analog Channel Operational Test (ACOT) - The proposed change to the ACOT is from Quarterly (92 days) to Semi-Annually (184 days) for the following functions in Table 4.3-1 of the VCSNS TSs: 2 (High Setpoint only), 3, 7, 8, 9, 10, 11, 12, 13, and 14 (see Attachment 1 TS mark-up for the title of each Function). The ACOT frequency is changed to 184 days for the following functions in Table 4.3-1 of the VCSNS TSs: 2 (Low Setpoint only), 5, and 6 by the addition of Notes 16, 17, and 18. Trip Actuating Device Operational Test (TADOT) - The proposed change to the TADOT is from Quarterly to Semi-Annually for the following functions in Table 4.3-1 of the VCSNS TSs: 15 and 16.

2.3 TS 3/4.3.1, Table 4.3-1 - TADOT - The proposed change to the TADOT for the Reactor Trip Breaker (Function 20) is from Monthly (62 days on a Staggered Test Basis) to every 2 months (124 days on a Staggered Test Basis) as shown in revised Note 7. Note that because of the difference in the Staggered Test Basis definition (discussed above), the number of days used for the VCSNS surveillance frequency is larger than the number used in the TSTF-411 surveillance frequency.

2.4 TS 3/4.3.1, Table 4.3-1 - TADOT - The proposed change to the TADOT for the Reactor Trip Bypass Breaker (Function 22) is from Monthly (62 days on a Staggered Test Basis) to every 2 months (124 days on a Staggered Test Basis) as shown in revised Note 7 (62 days to 124 days), which is being inserted into the TADOT column. Note that this change is different than what is shown in the markups for TSTF-411. This change is necessary because TSTF-411 does not provide a change to the Reactor Trip Bypass Breaker as the Bypass Breaker is treated as a part of the Reactor Trip Breaker function in the standard TS in NUREG-1431 and has the same surveillance frequency assigned. In the VCSNS TS the Reactor Trip Breakers and the Reactor Trip Bypass Breakers are separate Functions consistent with the standard TS in NUREG-0452. In the VCSNS TS, the two separate Functions are assigned the same frequency specified in Note 7 to be consistent with the change for the corresponding NUREG-1431 Reactor Trip Breaker Function in TSTF-411. Thus, both the VCSNS Reactor Trip Breakers and Reactor Trip Bypass Breakers will be tested at the same surveillance frequency consistent with NUREG-1431 and TSTF-411.

2.5 TS 3/4.3.1, Table 4.3-1 - Actuation Logic Test (ALT) - The proposed change to the ALT for the Automatic Trip Logic (Function 21) is from Monthly to Quarterly on a Staggered Test Basis as specified in new Note 15 (184 days).

2.6 TS 3/4.3.2, Table 4.3-2 - ACOT - The proposed change to the ACOT is from Quarterly to Semi-Annually for the following functions in Table 4.3-2 of the VCSNS TSs: 1.c, 1.d, 1.e, 1.f, 2.c, 3.b.2, 4.c, 4.d, 4.e, 5.a, 6.c, 6.h, 8.a, 9.a, and 9.b (see Attachment 1 TS mark-up for the title of each Function).

2.7 TS 3/4.3.2, Table 4.3-2 - ALT - The proposed change to the ALT is from Monthly to Quarterly on a Staggered Test Basis as shown in the revised Note 1 (62 days to 184 days) for the following functions in Table 4.3-2 of the VCSNS TSs: 1.b, 2.b, 3.a.3, 3.b.1, 3.c.1, 4.b, 5.b, 6.b, and 8.b (see Attachment 1 TS mark-up for the title of each function).

2.8 TS 3/4.3.2, Table 4.3-2 - Master Relay Test - The proposed change to the Master Relay Test is from Monthly to Quarterly on a Staggered Test Basis as shown in the revised Note 1 (62 days to 184 days) for the following functions in Table 4.3-2 of the VCSNS TSs: 1.b, 2.b, 3.a.3, 3.b.1, 3.c.1, 4.b, 5.b, 6.b, and 8.b (see Attachment 1 TS mark-up for the title of each function).

TSTF-411 Changes not incorporated into the VCSNS TS

In addition, there are changes to the TSs provided in TSTF-411 that are not in this proposed amendment, either because the format and requirements of the VCSNS TSs do not facilitate the change without a partial conversion to the NUREG-1431 ITS format and requirements or because the function does not exist in the VCSNS TSs.

Specifically, for the following functions, the Surveillance Frequency was not proposed to be changed due to the significant differences in the current VCSNS licensing basis requirements and TS format which are based on the NUREG-0452 Table style TS surveillances and the newer NUREG-1431 text based surveillance descriptions and requirements:

  • TS 3/4.3.1, Table 4.3-1 - TADOT for the following RTS Function:

Manual Reactor Trip (Function 1). The current VCSNS TSs require this Function to have a TADOT performed once per Refueling. This TADOT is also required to independently verify the undervoltage and shunt trip circuits' Operability. The current licensing basis frequency has proven adequate to ensure this Function performs as designed. Therefore, the TSTF-411 change to a TADOT once every 62 days on a Staggered Test Basis (ITS) is not being incorporated into the VCSNS TSs at this time; and

  • TS 3/4.3.1, Table 4.3-1 - ALT for the following RTS Function:

Reactor Trip System Interlocks - P-7 (Function 19.B). The current VCSNS TSs require this Function to have a Channel Calibration and ACOT performed once per Refueling. The current licensing basis frequency has proven adequate to ensure this Function performs as designed. Therefore, the TSTF-411 change to an ALT once every 92 days on a Staggered Test Basis (ITS) is not being incorporated into the VCSNS TSs at this time.

Surveillance Frequency changes not proposed from TSTF-411 as a result of the function and/or surveillance not being a part of the VCSNS TSs are as follows:

  • ALT and Master Relay Test for the Control Room Emergency Filtration System - ESFAS

  • COT for the Boron Dilution Protection System - ESFAS
  • COT for the Steam Line Isolation on Steam Line Pressure Negative Rate - High ESFAS function
  • COT for the Automatic Switchover to Containment Sump on RWST Level - Low - Low Coincident with Safety Injection and Containment Sump Level - High ESFAS function

3.0 BACKGROUND

WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," provides the justification for the following changes to the Improved Standard Technical Specifications for the Reactor Trip System (RTS) Instrumentation (3.3.1) and Engineered Safety Features Actuation System (ESFAS) Instrumentation (3.3.2):

1. Increase the Completion Time and the bypass test time for the reactor trip breakers.
2. Increase the Surveillance Test Intervals (STI) for the reactor trip breakers, master relays, logic cabinets, and analog channels.

WCAP-15376-P considers both the Solid State Protection System and the Relay Protection System. For VCSNS, the Protection System is Solid State. Also, the actuation logic and master relays associated with the Containment Purge and Exhaust Isolation Instrumentation are processed through the Solid State Protection System. Since the STIs for the actuation logic and master relays of the ESFAS Instrumentation were justified to be relaxed in WCAP-15376-P, these STI relaxations are also applicable to the actuation logic and master relays for all signals processed through the Solid State Protection System.

4.0 TECHNICAL ANALYSIS

WCAP-15376-P-A, Rev. 1, provides the technical justification for extending the STIs for components of the Reactor Protection System. The components specifically included are the analog channels, logic cabinets, master relays, and reactor trip breakers. This WCAP also provides the technical justification for extending the reactor trip breaker (RTB) Completion Time (allowed outage time) for one RTB inoperable to 24 hours and the bypass time for a RTB to 4 hours. The last portion of Action 8 is deleted (similar to the Note on Condition 0 of the ITS mark-up in TSTF-411) based on the 24 hours allowed to restore the train to OPERABLE status, which would allow for maintenance on the undervoltage or shunt trip mechanism. The 24 hours would also apply for parallel testing of the Automatic Trip Logic. This Completion Time and bypass time are consistent with the Completion Time and bypass time for the logic cabinets.

The WCAP-15376-P evaluation considers both the Solid State Protection System and the Relay Protection Systems. Extension of the STIs for slave relays is not included in the WCAP-15376-P assessment, since they were previously addressed in other WOG programs. The plant protection system design of the actuation logic and master relays associated with the Containment Purge and Exhaust Isolation Instrumentation ESFAS Technical Specifications are processed through the Solid State Protection System. Since the STIs for the actuation logic and master relays of the ESFAS Instrumentation were justified to be relaxed in WCAP-15376-P, these STI relaxations are also applicable to the actuation logic and master relays for all signals processed through the Solid State Protection System.

The approach used in WCAP-15376-P-A is consistent with the Nuclear Regulatory Commission's (NRC) approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the current licensing basis as presented in Regulatory Guides 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," and 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-making: Technical Specifications." The approach addresses, as documented in WCAP-15376-P, the impact on defense-in-depth and the impact on safety margins, as well as an evaluation of the impact on risk. The risk evaluation considered the three-tiered approach as presented by the NRC in Regulatory Guide 1.177 for the extension to the RTB Completion Time. Tier 1, PRA Capability and Insights, assesses the impact of the proposed Completion Time (AOT) change on core damage frequency (CDF), incremental conditional core damage probability (ICCDP), large early release frequency (LERF), and incremental conditional large early release probability (ICLERP). Tier 2, Avoidance of Risk-Significant Plant Configurations, considers potential risk-significant plant operating configurations. Tier 3, Risk-Informed Plant Configuration Control and Management, is addressed when the Technical Specification Completion Time change is implemented.

The Westinghouse Owners Group (WOG - Now called PWROG) evaluated these changes as part of an overall program addressing Technical Specification improvements for the Reactor Protection System (RPS), which includes reactor trip signals and engineered safety features actuation signals. The initial studies (References 3, 4, 5, 6 of WCAP-15376-P) evaluated changes to AOTs, bypass time, and STIs to the analog channels, logic cabinets, master relays, slave relays, and reactor trip breakers of the RPS. The approved changes to these parameters are summarized in Table 1.1 of WCAP-15376-P for the Solid State Protection System.

The changes considered in WCAP-15376-P were evaluated consistent with the three-tiered approach currently defined in Regulatory Guide 1.177. The first tier addresses PRA insights and includes the risk and sensitivity analyses to support the Allowed Outage Time and bypass test time changes. The second tier addresses avoidance of risk-significant plant configurations. The third tier addresses risk-informed plant configuration control and management. In order to model the AOTs, bypass test times, and surveillance frequencies in the fault trees used to determine the impact of the changes on signal unavailability, an understanding of the approach to test and maintenance for these components is necessary. This is discussed in Section 7.2 of WCAP-15376-P-A, Rev. 1.

The following Tier 1, Tier 2, and Tier 3 discussions are associated with WCAP-15376-P-A, Rev. 1:

4.1 Tier 1: PRA Capability and Insights

The risk analysis results for WCAP-15376-P are discussed in Section 8.4 of the WCAP. Comparisons are presented in Tables 8.29 (ΔCDF) and 8.32 (ΔLERF) to a base case, which represents the changes previously approved in WCAP-14333. These values are summarized in Table 1. Note that VCSNS uses predominately 2-out-of-3 (2/3) logic. In response to an NRC request for additional information letter, RAI Questions 4 and 11 in WOG letter OG-02-002 (Reference 4), the WOG provided the ICCDP and ICLERP for the requested Completion Time change (24 hour Completion Time plus 6 hours to reach MODE 3, for a total of 30 hours) for a RTB in preventive maintenance (PM) or in corrective maintenance (CM), with the associated logic train inoperable, for the bounding 2/3 logic. Since these incremental risk metrics are met for a 30-hour maintenance time, they will also be met for a 4-hour bypass test time.

Table 1: Combined Risk Metric Results

| Risk Metric | Acceptance Criterion | Change from WCAP-14333 to WCAP-15376-P |
|---|---|---|
| ΔCDF per year | < 1E-06 | 2/4 logic: 8.0E-07; 2/3 logic: 8.5E-07 |
| ICCDP | < 5E-07 | RTB in PM = 3.2E-07*; RTB in CM = 3.2E-07* |
| ΔLERF per year | < 1E-07 | 2/4 logic: 3.1E-08; 2/3 logic: 5.7E-08 |
| ICLERP | < 5E-08 | RTB in PM = 2.4E-08*; RTB in CM = 2.4E-08* |

* - The ICCDP and ICLERP values are provided only for a 2/3 logic, however the results bound a 2/4 logic.

The acceptance criteria defined in Regulatory Guide 1.177 for these incremental risk metrics are satisfied. The ΔCDF and ΔLERF acceptance criteria are satisfied for the changes included in WCAP-15376-P.

The VCSNS CDF for internal and external events is 7.27E-05/year and LERF for internal and external events is 4.96E-07/year. These values are consistent with the guidelines in Regulatory Guide 1.174 that allows small increases in CDF and LERF. Per this Regulatory Guide, for a total CDF of 1E-04/year, changes to CDF of 1E-06/year are acceptable and for a total LERF of 1E-05/year, changes to LERF of 1E-07/year are acceptable. The calculated increase in CDF for the changes in WCAP-15376-P, as provided in Table 1, is 8.0E-07/year for plants with predominately a 2/4 logic and 8.5E-07/year for plants with predominately a 2/3 logic. The calculated increase in LERF due to the changes in WCAP-15376-P, as provided in Table 1, is 3.1E-08/year for plants with predominately a 2/4 logic and 5.7E-08/year for plants with predominately a 2/3 logic. VCSNS uses predominately 2/3 logic.

Therefore, it is concluded that implementing the Technical Specification changes justified in WCAP-15376-P will have an impact on CDF of less than 1.0E-06/year and on LERF of less than 1.0E-07/year, which meets the guidance in Regulatory Guide 1.174.

External Events

This section addresses the impact on CDF and LERF related to the events not included in the WCAP-15376-P-A, Rev. 1 analysis. This includes fire events, seismic events, and other external events.

Seismic Events

The seismic events of interest are those that cause a loss of offsite power (LOOP) and small Loss of Coolant Accident (LOCA) events. Large seismic events will cause larger LOCAs, secondary side breaks, failure of support systems, etc. and also adversely impact the systems required for mitigation, including the reactor protection system. Therefore, small changes to the availability of signals have no impact on seismic plant risk for these larger seismic events.

Reactor trip signals are not important to seismic events since a LOOP occurs, which interrupts power to the motor-generator sets causing the control rod drive mechanisms to release the control rods. ESFAS signals are required for the possible LOOP and small LOCA events. For LOOP events, the signals are required to start emergency feedwater (EFW). For small LOCA events, a safety injection signal is required. These signals are backed-up by operator actions for EFW and SI actuation, and Anticipated Transient Without Scram (ATWS) mitigation system actuation circuitry (AMSAC) for EFW actuation.

The seismic event CDF impact is less than 1E-10/year. If it is conservatively assumed that this results in a large early release, then both the CDF and LERF impacts are very small. More detailed information on the seismic event evaluation is provided in Attachment 5, Section 3.3.1.

Fire Events

The fire assessment is based, in part, on the VCSNS fire PRA and considers ignition frequencies for the various building compartments. These compartment frequencies are summed for each building and binned according to the number of available ESFAS trains; one or two. Fires in some buildings will not impact the RPS or power to the RPS so two trains of signals will be available. It is conservatively assumed that fires in buildings with electrical components or cable routing could impact the RPS, therefore only one train of signals is conservatively assumed to be available.

Fire events result in plant transient events and LOOP events with partial loss of mitigation equipment and a plant shutdown is necessary. These events require a reactor trip and decay heat removal for mitigation. Automatic reactor trip signals and ESFAS, and manual backup signals are available to initiate these protective functions.

The fire event CDF impact is a small reduction in CDF. Given the CDF impact is a small reduction, then LERF impact will also be a small reduction. More detailed information on the fire event evaluation is provided in Attachment 5, Section 3.3.2.

Other External Events

Consideration was given to the impact of the proposed changes on the CDF and LERF from other external events: high winds, external flooding, transportation and nearby facility accidents. It was concluded that the proposed changes have no impact on CDF or LERF from these events.

Therefore, it is concluded that the small increases in the signal unavailability proposed by the Technical Specification changes justified in WCAP-15376-P will have a very small impact on the external event CDF and will not impact the acceptability of the Technical Specification changes.

Reactor Trip Breaker Test Configuration: WCAP-15376-P Model vs. VCSNS Approach

WCAP-15376-P, Section 8.3.2.2 states "Testing of the reactor trip breakers prohibits actuation of the breaker in test. The bypass breaker corresponding to the affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train."

Section 3.1.3 of the NRC's Safety Evaluation for WCAP-15376-P states "The model assumed one RTB was out-of-service with the associated bypass breaker available. The operable RTB and the in-service bypass breaker provide the reactor trip. In this arrangement, both breakers are controlled by the logic cabinet associated with the operable breaker."

This means that when a reactor trip breaker (RTB) train, RTB train A for example, is tested, this test configuration results in actuation logic train B controlling the RTB in train B and the reactor trip bypass breaker (RTBB) in train A, either of which will trip the reactor. This reactor trip breaker test configuration was modeled in the PRA analysis supporting the bypass test time and surveillance frequency changes that were justified in WCAP-15376-P. This approach to RTB testing assumes that the RTB train being tested is removed from service or in the open position during the test.

At VCSNS, the RTB under test can be in the open or closed position during this test. It is necessary to have the RTB closed in order to verify that the RTB opens when testing the RTB actuation devices. This period of time is estimated to be 1.5 hours per surveillance test and is not expected to change with the proposed change in the RTB bypass test time to 4 hours.

Note that in this configuration, when the RTB being tested is closed, the associated RTBB will open upon receiving a reactor trip signal; however, for the short period of time associated with the RTB in test and closed, the protection train associated with the RTB being tested will not provide a reactor trip. However, the other protection train, that is not being tested, will provide the reactor trip function as required.

In either test configuration, the RTB unavailability associated with the RTB bypass test remains the same as shown in the following:

Prior to implementing the changes in WCAP-15376-P the following applies.

  • RTB bypass test time = 2 hours
  • Surveillance frequency = 2 months
  • Yearly RTB test unavailability = 2 hours x 6 surveillances per year = 12 hours per year.

After implementing the changes in WCAP-15376-P the following applies.

  • RTB bypass test time = 4 hours
  • Surveillance frequency = 4 months
  • Yearly RTB test unavailability = 4 hours x 3 surveillances per year = 12 hours per year.

Furthermore, as stated above, the time the RTB and its associated bypass breaker will both be closed is expected to remain the same. Therefore, with the extended surveillance interval, the time in this particular configuration while completing RTB testing will decrease, providing a risk benefit.

4.2 Tier 2, Avoidance of Risk-Significant Plant Configurations

Tier 2 requires an examination of the need to impose additional restrictions when operating under the proposed Completion Times. The Tier 2 restrictions are necessary in order to avoid risk-significant equipment outage configurations when the proposed Completion Times justified in this LAR are implemented.

WCAP-15376-P Page 15 in Section 3.3 of the NRC SE for WCAP-15376-P-A, Rev. 1 states:

"The licensee should provide reasonable assurance that risk significant plant equipment outage configurations will not occur when specific plant equipment is out-of-service in accordance with the proposed TS change."

The recommended Tier 2 restrictions for WCAP-15376-P are provided in Section 8.5 of the WCAP. The restrictions are applicable when an RTB train is inoperable when operating under the proposed Completion Times. Entry into the Action for an inoperable RTB train is not a typical, pre-planned evolution during operation in the modes of Applicability for the RTB train, other than when necessary for surveillance testing. Since the Condition may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Action entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures discussed below in the Tier 3 configuration risk management program section require assessment of the emergent condition and appropriate actions are then taken.

Depending on the specific situation, these actions could include restoring the inoperable RTB train and exiting the Technical Specification Action, or fully implementing the Tier 2 restrictions, or performing a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions will be implemented when an RTB train becomes inoperable when operating under the proposed Completion Times:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service; therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

  • Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RPS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable.
  • Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

4.3 Tier 3, Risk-Informed Configuration Risk Management

Tier 3 requires a procedural process to assess the risk associated with both planned and unplanned work activities. The objective of the third tier is to ensure that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity. As stated in Section 2.3 of Regulatory Guide 1.177, "a viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation." The third-tier requirement is an extension of the second-tier requirement, but addresses the limitation of not being able to identify all possible risk-significant plant configurations in the second-tier evaluation. Paragraph (a)(4) of the Maintenance Rule (10 CFR 50.65) requires that the overall effect on safety functions be considered when removing equipment from service for preventive maintenance or monitoring activities. In part, Paragraph (a)(4) states that, "Before performing maintenance activities ... the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities ...." Section 11.0 of NUMARC 93-01 provides guidance for implementing the requirements of Paragraph (a)(4). NRC Regulatory Guide 1.182 endorsed the NUMARC 93-01, Section 11.0 as an acceptable method of implementing Paragraph (a)(4).

The overall VCSNS risk management process is defined in SAP-208, "Integrated Risk Assessment." The process for assessing on-line safety impact before removing a system, structure or component from service is defined in OAP-102.1, "Conduct of Operations Scheduling Unit," and SSP-001, "Planning and Scheduling Maintenance Activities." These procedures provide the process for developing the weekly, on-line work schedule that provides the foundation for on-line risk assessment.

Programs and procedures at VCSNS ensure that configuration risk is assessed using a PRA-based model and managed prior to initiating any maintenance activity consistent with the requirements of 10 CFR 50.65(a)(4). The procedures also ensure that risk is reassessed if an emergent condition results in a plant configuration that has not been previously assessed. Risk thresholds are established to ensure that the average baseline risk is maintained within an acceptable band. When administrative limits are exceeded, increasing levels of management approval are required prior to initiating the work.

4.4 Topical Report Safety Evaluation Conditions

The NRC's approval of WCAP-15376-P was subject to the following conditions requiring plant-specific information:

1. Confirm the applicability of the topical report to the plant and perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes. This includes addressing the applicability of the master relay and safeguards driver card failure probabilities to the plant-specific application.
2. Address the Tier 2 and Tier 3 analyses including risk significant configuration insights and confirm that these insights are incorporated into the plant-specific configuration risk management program.
3. The risk impact of concurrent testing of one logic train and associated reactor trip breaker needs to be evaluated on a plant-specific basis to ensure conformance with the WCAP-15376-P evaluation, and Regulatory Guides 1.174 and 1.177.
4. To ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P should be confirmed to be applicable to the plant-specific configuration.
5. For future digital upgrades with increased scope, integration and architectural differences beyond that of Eagle 21, the staff finds the generic applicability of WCAP-15376-P to future digital systems not clear and should be considered on a plant-specific basis.
6. An additional commitment from the response to NRC RAI Question 18 (OG-01-058 Reference 5) requires each plant to review their setpoint calculation methodology to determine the impact of extending the Channel Operational Test (COT) Surveillance Frequency from 92 days to 184 days.

WCAP-15376-P SE Condition 1

In order to address SE Condition 1, Westinghouse issued implementation guidelines for licensees to confirm that the WCAP analysis is applicable to their plant. A plant specific assessment was performed to confirm the applicability of the WCAP-15376-P analyses to VCSNS. The results of this assessment are provided in Attachment 5. The WCAP-15376-P analysis and determination of LERF is based on a large dry containment. The containment building at VCSNS is considered to be a large dry containment. As concluded in Attachment 5, the WCAP analyses and results are applicable to VCSNS.

Applicability of the master relay and safeguards driver card failure probabilities

It is necessary to indicate that component failure probabilities developed as part of WCAP-15376-P are applicable to VCSNS. For Solid State Protection System (SSPS) plants this includes the master relay and safeguards driver card failure probabilities. The failure probabilities for these components are based on data collected from a number of Westinghouse Nuclear Steam Supplier System (NSSS) plants. The failure probabilities are:

Master Relays: 1.1E-05
Safeguards Driver Cards: 5.9E-04

A summary of the experience for these components at VCSNS from 2009 to 2013 is provided in Table 2.

Table 2: Summary of Actuation and Failure Experience on the Safeguards Driver Cards and Master Relays

Parameter     Safeguards Driver Cards     Master Relays
Actuations    254                         1572
Failures      0                           0

An analysis based on the binomial distribution was used to determine the number of expected failures for the given failure probabilities and actuations. For both components, either 0 or 1 failures would be expected. Based on the data provided in Table 2, it is concluded that the failure probabilities for these components used in the WCAP analysis are applicable to VCSNS.
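The binomial check described above can be reproduced from the Table 2 counts and the quoted failure probabilities. The following is an added example, not part of the licensee's submittal; it takes the master relay probability as 1.1E-05, its function names are illustrative, and the zero-failure upper bound it computes goes beyond the analysis the letter describes.

```python
"""Binomial consistency check of generic failure probabilities against plant data.

Added illustration. Inputs are the values quoted in the letter (generic failure
probabilities and the Table 2 counts); function names are hypothetical.
"""
from math import comb

# Generic failure probability per demand and VCSNS experience, 2009 to 2013.
# The master relay probability is taken as 1.1E-05 (assumption on the printed value).
COMPONENTS = {
    "Safeguards Driver Cards": {"p": 5.9e-04, "actuations": 254, "failures": 0},
    "Master Relays": {"p": 1.1e-05, "actuations": 1572, "failures": 0},
}


def binom_pmf(k: int, n: int, p: float) -> float:
    """P(exactly k failures in n independent demands, each failing with probability p)."""
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(at most k failures in n demands)."""
    return sum(binom_pmf(i, n, p) for i in range(k + 1))


def smallest_count_covering(n: int, p: float, coverage: float = 0.95) -> int:
    """Smallest k such that P(failures <= k) reaches the requested coverage."""
    k = 0
    while binom_cdf(k, n, p) < coverage:
        k += 1
    return k


def upper_bound_zero_failures(n: int, confidence: float = 0.95) -> float:
    """One-sided upper bound on p when 0 failures were observed in n demands.

    Solves (1 - p)^n = 1 - confidence for p. This shows how tightly the plant
    data alone could constrain p, independent of the generic value.
    """
    return 1.0 - (1.0 - confidence) ** (1.0 / n)


def assess(name: str) -> dict:
    """Compare the observed failure count with what the generic p predicts."""
    c = COMPONENTS[name]
    n, p, observed = c["actuations"], c["p"], c["failures"]
    k95 = smallest_count_covering(n, p)
    return {
        "expected_failures": n * p,
        "p_zero": binom_pmf(0, n, p),
        "p_zero_or_one": binom_cdf(1, n, p),
        "k95": k95,
        "observed_within_k95": observed <= k95,
        "p_upper_95_from_data": (
            upper_bound_zero_failures(n) if observed == 0 else None
        ),
    }


if __name__ == "__main__":
    for component in COMPONENTS:
        r = assess(component)
        print(
            f"{component}: expected={r['expected_failures']:.4f}, "
            f"P(0)={r['p_zero']:.4f}, P(0 or 1)={r['p_zero_or_one']:.4f}, "
            f"k95={r['k95']}, data-only upper bound on p="
            f"{r['p_upper_95_from_data']:.2e}"
        )
```

With these inputs, zero or one failure accounts for roughly 99% of the probability for the driver cards and more than 99.9% for the master relays, which matches the statement that either 0 or 1 failures would be expected.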

WCAP-15376-P SE Condition 2

The applicability of SE Condition 2 for WCAP-15376-P is addressed in the preceding Tier 2 discussion in Section 4.2 and Tier 3 discussion in Section 4.3.

WCAP-15376-P SE Condition 3

The risk impact of concurrent testing of one logic train and the associated RTB is addressed by demonstrating that the WCAP-15376-P analysis is applicable to VCSNS. The WCAP analysis assumes that if a RTB is out of service its associated logic train is also out of service.

Therefore, concurrent testing is addressed in the WCAP analysis. VCSNS testing is consistent with this approach.

WCAP-15376-P SE Condition 4

A plant specific assessment was performed to confirm the applicability of the WCAP-15376-P analysis, including the model assumptions for human reliability, to VCSNS. The results of this assessment are provided in Attachment 5. It was concluded that the human reliability associated with the relevant operator actions is applicable. The difference in one situation was demonstrated to have no impact.

WCAP-15376-P SE Condition 5

There are presently no plans to implement digital upgrades to the Reactor Protection or Engineered Safety Features Systems at VCSNS.

WCAP-15376-P RAI Question 18 Commitment Condition 6

The response to this RAI in Reference 5 noted that plant-specific RTS and ESFAS setpoint uncertainty calculations and assumptions, including instrument drift, will be reviewed to determine the impact of extending the Surveillance Frequency of the Channel Operational Test (COT) from 92 days to 184 days.

VCSNS personnel reviewed "as found" and "as left" data for the Reactor Trip System and Engineered Safety Features Actuation System setpoints for a 24-month period and concluded that sufficient margin is present to offset the change in drift anticipated as a result of increasing the operational test surveillance frequencies to 184 days (semi-annual). Based on review of this data, the allowable margin present in the setpoints is more than adequate to offset the predicted increase in uncertainty/drift resulting from the increased interval between operational tests.

While SCE&G does not anticipate any impact in going from 92 days to 184 days, VCSNS will trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A (Overtemperature Delta-T, Steam Generator Level, and Pressurizer Pressure) for two years (four operational tests) after implementation of the amendment granting the semi-annual operational tests.

Justification for Additional Plant Specific Surveillance Frequency Extensions

This section addresses the extension of the TADOT Surveillance Frequency for the following RTS Functions:

  • Technical Specification 3/4.3.1, Table 4.3-1, RTS Function 16 - Reactor trip on Reactor Coolant Pump Underfrequency - from Quarterly to Semi-Annually

The RTS Functions listed above were included in the evaluations performed to justify the changes in WCAP-10271, Supplement 1-P-A, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, Supplement 1," May 1986, as identified in Tables 3.2-2 and 3.2-3 of the WCAP. One of the changes justified in WCAP-10271-P-A and its supplements was the extension of the applicable Surveillance Frequency for the Functions listed above from 1 month to 3 months. The affected Surveillance is called a TADOT.

WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," justified extending the bypass test times and Completion Times for the signals included in WCAP-10271-P-A and its supplements, by utilizing a "representative signal approach," in the unavailability analysis that determined the impact of the proposed changes on the signal unavailability. The results of the evaluation of the "representative signals," were representative of all of the signals that were evaluated in WCAP-10271-P-A and its supplements. The bypass test time and Completion Time changes that were justified in WCAP-14333-P-A, Revision 1 are identified in Tables 5.1 and 5.2 of the WCAP. Note that the maintenance time and interval, and test time and interval values listed in these tables for the "Analog Channels" are applicable to both the COT and the TADOT. The analysis did not distinguish between the two types of tests, since they impact comparable components in the same manner. This is stated in Section 11 of WCAP-14333-P-A, Revision 1 as: "These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems" (i.e., all signals evaluated in WCAP-10271-P-A and its supplements).

WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," justified extending the Surveillance Frequencies and reactor trip breaker bypass test time and Completion Times identified in Tables 4.1 and 4.2 of the WCAP. WCAP-15376-P-A, Revision 1 also utilized the "representative signal approach" that was utilized in WCAP-14333-P-A, Revision 1. One of the changes justified in WCAP-15376-P-A, Revision 1 was the extension of the Frequency of the COT from 92 days to 184 days. This change is identified as "Analog Channels" in the "Component Column" of Tables 4.1 and 4.2 of WCAP-15376-P-A, Revision 1. The value of 6 months listed in the "Surveillance Test Intervals," column associated with the "Analog Channel" in Tables 4.1 and 4.2 of WCAP-15376-P-A, Revision 1 is applicable to both the COT and the TADOT. There was no intent to exclude the TADOT from the test interval extension to 6 months. Since the applicable TADOT frequencies were justified to be extended from 1 month to 3 months in WCAP-10271-P-A and its supplements, and the changes justified in WCAP-14333-P-A, Revision 1 and WCAP-15376-P-A, Revision 1 are applicable to all of the signals included in WCAP-10271-P-A and its supplements, the extension of the above listed TADOT Frequencies from 92 days to 184 days was also justified by WCAP-15376-P-A. This is stated in Section 11 of WCAP-15376-P-A, Revision 1 as "These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems ... " (i.e., all signals evaluated in WCAP-10271-P-A and its supplements).

Therefore, the extension of the TADOT Frequencies from 92 days to 184 days justified in WCAP-14333 and WCAP-15376-P are applicable to the RTS Functions listed above.

4.5 Deviations from approved TSTF-411

Design Differences

VCSNS does not have installed bypass test capability for analog channels, with the exception of Reactor Building Pressure High-3, Refueling Water Storage Tank Level Low-Low, and EFW Suction Pressure Low. The bypass test Notes for plants with this design are not used in the VCSNS Technical Specifications. Bypass testing is noted in the appropriate Action Statements in the VCSNS Technical Specifications.

Superseding Changes

The changes in TSTF-418 Revision 2 regarding the Technical Specification 3.3.1 Condition for RTBs are superseded by the changes in TSTF-411 Revision 1. Option 3 of Insert 6 in TSTF-411 Revision 1 is utilized for the proposed changes to Action 8 in TS 3/4.3.1, Table 3.3-1.

Additional Surveillance Frequency Extensions

The proposed changes to the TADOT Surveillance Frequencies for the following RTS and ESFAS Functions were not included in TSTF-411:

  • Technical Specification 3/4.3.1, Table 4.3-1, RTS Function 16 - Reactor trip on Reactor Coolant Pump Underfrequency - from Quarterly to Semi-Annually

4.6 PRA Quality

4.6.1 VCSNS PRA Peer Review

Although consistency of the VCSNS Unit 1 internal events PRA with Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested this information in previous submittals. Unresolved Findings and Observations (F&O) from the most recent PRA model peer review were reviewed and the potential impact on implementation of the proposed changes was assessed below.

The VCSNS Unit 1 Internal Events PRA is based on a detailed model of the plant developed from the Individual Plant Examination for Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities." The model is maintained and updated in accordance with VCSNS procedures and has been updated to meet the ASME PRA Standard and Regulatory Guide 1.200.

The model has been reviewed and assessed on several occasions. In August 2002, the VCSNS Internal Events PRA was peer reviewed in accordance with the guidance in NEI 00-02, Industry PRA Peer Review Process. All A & B level F&Os from WOG Internal Events PRA Peer Review have been addressed. Although all C & D level findings have not been incorporated, all of the items that had the potential to significantly impact model results have been resolved.

Following completion of sufficient work to address the Peer Review comments, a 2005 gap assessment of the model was performed to determine the scope of work required to ensure the VCSNS Internal Events PRA meets Regulatory Guide 1.200, Revision 1. The results of this review indicated that VCSNS had resolved most of the issues identified in the original peer review, but the review identified some F&Os that needed additional work, as well as several new issues. Additionally (in this 2005 review), the VCSNS PRA was found to meet Capability Categories (CC)-II or better for 211 of the 271 Supporting Requirements (SRs) from the ASME PRA Standard, but 45 of the elements were found to either not meet the requirement or to meet the requirements at a CC-I level. Following work at VCSNS to address the findings and to increase the capability category ratings of the elements that needed an upgrade to allow use of the model in risk informed applications, a focused review was performed as required by the ASME RA-S-2002, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications" (and 2007 addenda ASME RA Sc-2007, Appendix A). All SRs were judged to be CC-II or better, with the exception of 13 SRs that were rated at the CC-I based on the VCSNS simplified NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," compliant Large Early Release Frequency (LERF) model. While these 13 SRs specifically define a simplified NUREG/CR-6595 LERF model as CC-I, it was noted that use of the NUREG model is an acceptable means of calculating LERF for applications. The conclusion of the 2007 focused review was that the model is of sufficient quality for use in risk-informed applications.

In November 2011, PRA personnel from SCE&G and Westinghouse Electric Company performed a self-assessment to identify gaps between the VCSNS PRA model and the requirements delineated in Regulatory Guide 1.200, Revision 2, and the ASME/ANS PRA Internal Events Model Standard. This task was a follow up to the 2007 focused scope review which evaluated the model against the requirements in Revision 1 of the Regulatory Guide. In addition to a general assessment of the internal events PRA model, the self-assessment also addressed changes in requirements between the time of the 2007 focused scope review and the implementation date of Revision 2.

Based on the above, it is determined that the VCSNS PRA model is acceptable for use in this WCAP-15376-P Implementation analysis.

4.6.2 Cumulative Risk Considering Previous Risk-Informed Amendments

All risk-informed changes made at VCSNS have been implemented into the PRA model.

4.7 Monitoring Requirements Associated with the Implementation

Regulatory Guide (RG) 1.174, Section 3 and RG 1.177, Section 3, as part of the key principles in implementing risk-informed decision making, establishes the need for an implementation and monitoring program to ensure that extensions to TS AOT or surveillance test intervals do not degrade operational safety over time and that no adverse degradation occurs due to changes in the licensing basis due to unanticipated degradation or common cause mechanisms. An implementation and monitoring program is intended to ensure that the impact of the proposed TS change continues to reflect the reliability and availability of structures, systems and components impacted by the change. The current VCSNS Maintenance Rule Program for the Reactor Protection System includes condition monitoring requirements. In order to address the RG monitoring program requirements discussed above with respect to the proposed change, SCE&G will review applicable VCSNS programs and revise them as necessary to ensure that the intent of the RTS and ESFAS equipment unavailability and component failure modeling assumptions in WCAP-15376-P are met at VCSNS. Attachment 5, Section 3.2 provides additional information on the monitoring program.

4.8 Precedent

The following plants have made submittals proposing changes similar to those being proposed in this LAR:

  • Donald C. Cook, submitted on August 30, 2002, approved on May 23, 2003 as Amendments 277 (Unit 1) and 260 (Unit 2). [ML031320614]
  • Callaway, submitted on December 17, 2003, approved on January 31, 2005 as Amendment 165. [ML050320484]
  • Comanche Peak, submitted on January 21, 2004, approved on January 31, 2005 as Amendments 114 for both units. [ML050460331]
  • Diablo Canyon, submitted on February 13, 2004, approved on January 31, 2005 as Amendments 179 (Unit 1) and 181 (Unit 2). [ML050330315]
  • Vogtle, submitted on January 27, 2005, approved on September 1, 2006 as Amendments 145 (Unit 1) and 125 (Unit 2). [ML062360587]
  • Wolf Creek, submitted on December 15, 2003, approved on January 31, 2005 as Amendment 156. [ML050320254]
  • Beaver Valley, submitted on December 21, 2007, approved on December 29, 2008 as Amendments 282 (Unit 1) and 166 (Unit 2). [ML083380061]

The Wolf Creek, Callaway, Comanche Peak and Diablo Canyon submittals proposed the changes justified by WCAP-14333 and WCAP-15376-P.

The Donald C. Cook and Vogtle submittals proposed the changes justified by WCAP-15376-P.

5.0 REGULATORY SAFETY ANALYSIS

In this License Amendment Request (LAR) the VC Summer Nuclear Station (VCSNS) Technical Specification is being revised to implement the bypass test time, Completion Time, and Surveillance Frequency changes that were approved by the NRC in WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003 and TSTF-411, Revision 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)."

5.1 No Significant Hazards Consideration

South Carolina Electric & Gas Company (SCE&G) has evaluated the proposed changes to the VCSNS TS described above against the significant Hazards Criteria of 10 CFR 50.92 and has determined that the changes do not involve any significant hazard. The following is provided in support of this conclusion:

1. Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The overall protection system performance will remain within the bounds of the previously performed accident analyses since no hardware changes are proposed. The same reactor trip system (RTS) and engineered safety feature actuation system (ESFAS) instrumentation will continue to be used. The protection systems will continue to function in a manner consistent with the plant design basis. These changes to the Technical Specifications do not result in a condition where the design, material, and construction standards that were applicable prior to the change are altered.

The proposed changes will not modify any system interfaces. The proposed changes will not affect the probability of any event initiators. There will be no degradation in the performance of or an increase in the number of challenges imposed on safety-related equipment assumed to function during an accident situation. There will be no change to normal plant operating parameters or accident mitigation performance. The proposed changes will not alter any assumptions or change any mitigation actions in the radiological consequence evaluations in the Final Safety Analysis Report (FSAR).

The determination that the results of the proposed changes are acceptable was established in the NRC Safety Evaluation prepared for WCAP-15376-P-A (issued by letter dated December 20, 2002 [ML023540534]). Implementation of the proposed changes will result in an insignificant risk impact. Applicability of these conclusions has been verified through plant-specific reviews and implementation of the generic analysis results in accordance with the NRC Safety Evaluation conditions.

The proposed changes to the Completion Times, bypass test times, and Surveillance Frequencies reduce the potential for inadvertent reactor trips and spurious engineered safety feature (ESF) actuations, and therefore do not increase the probability of any accident previously evaluated. The proposed changes do not change the response of the plant to any accidents and have an insignificant impact on the reliability of the RTS and ESFAS signals. The RTS and ESFAS instrumentation will remain highly reliable and the proposed changes will not result in a significant increase in the risk of plant operation. This is demonstrated by showing that the impact on plant safety as measured by the increase in core damage frequency (CDF) is less than 1.0E-06 per year and the increase in large early release frequency (LERF) is less than 1.0E-07 per year. In addition, for the Completion Time changes, the incremental conditional core damage probabilities (ICCDP) and incremental conditional large early release probabilities (ICLERP) are less than 5.0E-07 and 5.0E-08, respectively. These changes meet the acceptance criteria in Regulatory Guides 1.174 and 1.177. Therefore, since the RTS and ESFAS instrumentation will continue to perform their functions with high reliability as originally assumed, and the risk impact as measured by the ΔCDF, ΔLERF, ICCDP, and ICLERP risk metrics is within the acceptance criteria of existing regulatory guidance, there will not be a significant increase in the consequences of any accidents.

The proposed changes do not adversely affect accident initiators or precursors nor alter the design assumptions, conditions, or configuration of the facility or the manner in which the plant is operated and maintained. The proposed changes do not alter or prevent the ability of structures, systems, and components (SSCs) from performing their intended function to mitigate the consequences of an initiating event within the assumed acceptance limits. The proposed changes do not affect the source term, containment isolation, or radiological release assumptions used in evaluating the radiological consequences of an accident previously evaluated. The proposed changes are consistent with safety analysis assumptions and resultant consequences.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

There are no hardware changes nor are there any changes in the method by which any safety-related plant system performs its safety function. The proposed changes will not affect the normal method of plant operation. No performance requirements will be affected or eliminated.

The proposed changes will not result in physical alteration to any plant system nor will there be any change in the method by which any safety-related plant system performs its safety function.

The proposed changes do not include any changes to the instrumentation setpoints or changes to the accident analysis assumptions.

No new accident scenarios, transient precursors, failure mechanisms, or limiting single failures are introduced as a result of these changes. There will be no adverse effect or challenges imposed on any safety-related system as a result of these changes.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does this change involve a significant reduction in a margin of safety?

Response: No.

The proposed changes do not affect the acceptance criteria for any analyzed event nor is there a change to any Safety Analysis Limit (SAL). There will be no effect on the manner in which safety limits, limiting safety system settings, or limiting conditions for operation are determined nor will there be any effect on those plant systems necessary to assure the accomplishment of protection functions.

The redundancy of RTS and ESFAS is maintained, and diversity with regard to the signals that provide reactor trip and ESF actuation is also maintained. All signals credited as primary or secondary, and all operator actions credited in the accident analyses will remain the same. The proposed changes will not result in plant operation in a configuration outside the design basis.

The calculated impact on risk is insignificant and meets the acceptance criteria contained in Regulatory Guides 1.174 and 1.177. Although there was no attempt to quantify any positive human factors benefit due to increased Completion Times and bypass test times, it is expected that there would be a net benefit due to a reduced potential for spurious reactor trips and actuations associated with testing.

Implementation of the proposed changes is expected to result in an overall improvement in safety, as follows:

a) Reduced testing should result in fewer inadvertent reactor trips, less frequent actuation of ESFAS components, and less frequent distraction of operations personnel, without significantly affecting RTS and ESFAS reliability.

b) The Completion Time extensions for the reactor trip breakers should provide additional time to complete test and maintenance activities while at power, potentially reducing the number of forced outages related to compliance with reactor trip breaker Completion Times, and provide consistency with the Completion Times for the logic trains.

Therefore, the proposed changes do not involve a significant reduction in a margin of safety.

Pursuant to 10 CFR 50.91, the preceding analyses provide a determination that the proposed Technical Specification changes pose no significant hazard as delineated by 10 CFR 50.92, and accordingly, a finding of no significant hazards consideration is justified.

5.2 Applicable Regulatory Requirements/Criteria

The regulatory bases and guidance documents associated with the systems discussed in this amendment application include:

A review of 10 CFR 50, Appendix A, "General Design Criteria for Nuclear Power Plants" and the Regulatory Guides was conducted to assess the potential impact associated with the proposed changes. The General Design Criteria (GDC) and the Regulatory Guides (RG) were evaluated as follows:

GDC 2 requires that structures, systems, and components important to safety be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without the loss of the capability to perform their safety functions.

GDC 4 requires that structures, systems, and components important to safety be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with the normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, discharging fluids that may result from equipment failures, and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.

GDC-13 requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.

GDC-20 requires that the protection system(s) shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

GDC-21 requires that the protection system(s) shall be designed for high functional reliability and testability.

GDC-22 through GDC-25 and GDC-29 require various design attributes for the protection system(s), including independence, safe failure modes, separation from control systems, requirements for reactivity control malfunctions, and protection against anticipated operational occurrences.

Regulatory Guide 1.22 discusses an acceptable method of satisfying GDC-20 and GDC-21 regarding the periodic testing of protection system actuation functions. These periodic tests should duplicate, as closely as practicable, the performance that is required of the actuation devices in the event of an accident.

10 CFR 50.55a(h)(2) requires that the protection systems are consistent with their licensing basis or IEEE 603-1991 for plants whose Construction Permit was issued before January 1, 1971, or that the protection systems meet IEEE 279-1971 or IEEE 603-1991 for plants whose Construction Permit was issued after January 1, 1971, but before May 13, 1999. VCSNS FSAR Chapter 7, "Instrumentation and Controls," states that the licensing basis for Unit 1 is IEEE 279-1971. Section 4.2 of IEEE 279-1971 discusses the general functional requirement for protection systems to assure they satisfy the single failure criterion.

There will be no changes to the RTS and ESFAS design such that compliance with the regulatory requirements and guidance documents discussed above would come into question.

This review confirms that the plant will continue to comply with these applicable regulatory requirements.

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.2.1 Design Bases (FSAR)

FSAR Sections 7.2, "REACTOR TRIP SYSTEM," and 7.3, "ENGINEERED SAFETY FEATURES ACTUATION SYSTEM"

The VCSNS FSAR is unaffected by the proposed changes.

5.2.2 Approved Methodologies

The proposed changes do not result in a change to any methodologies.

5.2.3 Analysis

The analyses that support the changes contained in WCAP-15376-P-A, Rev. 1, are applicable to VCSNS.

5.2.4 Conclusion

The proposed changes are based on WCAP-15376-P-A, Rev. 1, and TSTF-411, Rev. 1, which are both approved by the NRC.

6.0 ENVIRONMENTAL CONSIDERATION

SCE&G has determined that the proposed amendment would change requirements with respect to the installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. SCE&G has evaluated the proposed changes and has determined that the changes do not involve (i) a significant hazards consideration, (ii) a significant change in the types of or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. As discussed above, the proposed changes do not involve a significant hazards consideration. Accordingly, the proposed changes meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51, specifically 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), an environmental assessment of the proposed changes is not required.


7.0 REFERENCES

1. VCSNS License Amendment No. 177, "Virgil C. Summer Nuclear Station, Unit 1-Issuance of Amendment Regarding WCAP-14333, 'Probabilistic Risk Analysis of the RPS And ESFAS Test Times and Completion Times' (TAC NO. MC8898)," dated October 24, 2006.
2. NUREG-0452, Revision 4, "Standard Technical Specifications (STS) Pressurized Water Reactors," Fall 1981.
3. Standard Technical Specifications - Westinghouse Plants: Specifications (NUREG-1431, Revision 4), April 2012.
4. Westinghouse Owners Group letter OG-02-002, "Transmittal of Response to Request for Additional Information (RAI) Numbers 4 and 11 Regarding WCAP-15376-P, Revision 0, 'Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times' (MUHP-3046)," dated January 8, 2002.
5. Westinghouse Owners Group letter OG-01-058, "Transmittal of Response to Request for Additional Information (RAI) Regarding WCAP-15376-P, Revision 0, 'Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times' (MUHP-3046)," dated September 28, 2001. [ML012820263]

Document Control Desk LAR 15-01424 RC-15-0171 Page 1 of 12

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ATTACHMENT 1 PROPOSED TECHNICAL SPECIFICATION CHANGES - MARK-UP

TABLE 3.3-1 (Continued)

ACTION STATEMENTS (Continued)

ACTION 8 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within [illegible] or be in at least HOT STANDBY within 6 hours; however, one channel may be bypassed for up to 2 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE. [struck-through text illegible]

ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the reactor trip breakers within the next hour.

ACTION 10 - With the number of OPERABLE Channels less than the Total Number of Channels, operation may continue provided the inoperable channels are placed in the tripped condition within 6 hours.

ACTION 11 - With one of the diverse trip features (undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and apply ACTION 8. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status.

ACTION 12 - With the number of OPERABLE Channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.

SUMMER No. *8~44 17 7 UNIT 13/4 3-8Amendment

TABLE 4.3-1

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

1. Manual Reactor Trip N.A. N.A. N.A. R(11) N.A. 1, 2, 3*, 4*, 5*
2. Power Range, Neutron Flux High Setpoint N.A. N.A. 1,2 N.A. N.A. Low Setpoint
3. Power Range, Neutron Flux N.A. N.A. 1,2 High Positive Rate
4. Deleted
5. Intermediate Range, Neutron Flux N.A. N.A.
6. Source Range, Neutron Flux N.A. N.A. 2##, 3, 4, 5
7. Overtemperature ΔT N.A. N.A. 1,2
8. Overpower ΔT N.A. N.A. 1,2
9. Pressurizer Pressure--Low N.A. N.A. 1
10. Pressurizer Pressure--High N.A. N.A. 1,2
11. Pressurizer Water Level--High N.A. N.A. 1
12. Loss of Flow N.A. N.A. 1

TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

13. Steam Generator Water Level-- S R N.oA. N. A. 1, 2 Low-Low S N.A. N.A. 1, 2
14. Steam Generator with WaterSteam/

Level -

Low Coincident Feedwater Flow Mismatch

15. Undervoltage - Reactor Coolant NA. R N.A. N.A. 1 Pumps CA 16. Underfrequency - Reactor N. A. N. A.

N.A. 1 R

Coolant Pumps

'-A

17. Turbine Trip A. Low Fluid Oil Pressure N.A. s/u~i, 10) NA.

1 N.,A. R B. Turbine Stop Valve N.A. R N.oA.

s/u~i, 10) N.A. 1 Closure

18. Safety Injection Input from N.A. N.A. N.A 1, 2 N.A.

ESF

19. Reactor Trip System Interlocks A. Intermediate Range N. A. R(4) R N. A. N.A.

Neutron Flux, P-S 0 Low Power Reactor B.

Trips Block, P-7 N.A. R(4) R N.A. N.A.

o 1 0* C. Power Range Neutron Flux, P-8 N. A. R(4) R N.A. N.A. 1 N.

TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

D. Low Setpoint Power Range Neutron Flux, P-10 N.A. R(4) R N.A. N.A. 1, 2
E. Turbine Impulse Chamber Pressure, P-13 N.A. R R N.A. N.A. 1
F. Low Power Range Neutron Flux, P-9 N.A. R(4) R N.A. N.A. 1

20. Reactor Trip Breaker N.A. N.A. N. A. .,14-7, 12) N.A.

L~) 1, 2, 3", 4*, 5"

21. Automatic Trip Logic N.A. N.A. N.A.

1, 2, 3*, 4*, 5*

I-,

CAj 22. Reactor Trip Bypass N.A. N.A. N.A. , R(14) N.A.

Breaker r9~

0

(16) - 12 hours after reducing power below P-10 and 184 days thereafter.

TABLE 4.3-1 (Continued)

TABLE NOTATION

(18) - If not performed in previous 184 days.

* - With the reactor trip system breakers closed and the control rod drive system capable of rod withdrawal.

U4 - Below P-6 (Intermediate Range Neutron Flux Interlock) setpoint.

    1. /- Below P-10 (Low Setpoint Power Range Neutron Flux Interlock) setpoint.

(1) - If not performed in previous 31 days.

(2) - Comparison of calorimetric to excore power indication above 15% of RATED THERMAL POWER. Adjust excore channel gains consistent with calorimetric power if absolute difference is greater than 2 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(3) - Single point comparison of incore to excore AXIAL FLUX DIFFERENCE above 15% of RATED THERMAL POWER. Recalibrate if the absolute difference is greater than or equal to 3 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(4) - Neutron detectors may be excluded from CHANNEL CALIBRATION.

(5) - Detector plateau curves shall be obtained evaluated and compared to manufacturer's data. For the Power Range Neutron Flux Channels the provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(6) - Incore - Excore Calibration, above 75% of RATED THERMAL POWER. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(7) - Each train shall be tested at least every 62 days on a STAGGERED TEST BASIS. [marked-up insert: 124]

(8) - DELETED

(9) - Surveillance in MODES 3*, 4* and 5* shall also include verification that permissives P-6 and P-10 are in their required state for existing plant conditions by observation of the permissive annunciator window.

(10) - Setpoint verification is not required.

(11) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip circuits for the Manual Reactor Trip Function. The test shall also verify the OPERABILITY of the Bypass Breaker trip circuit(s).

(12) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip attachments of the Reactor Trip Breakers.

(13) - Local manual shunt trip prior to placing breaker in service.

(14) - Automatic undervoltage trip.

(17) - 4 hours after reducing power below P-6 and 4 hours after entering MODE 3 from Mode 2 and 184 days thereafter.

(15) - Each train shall be tested at least every 184 days on a Staggered Test Basis.

SUMMER - UNIT 1 3/4 3-14

TABLE 4.3-2

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

1. SAFETY INJECTION, REACTOR TRIP, FEEDWATER ISOLATION, CONTROL ROOM ISOLATION, START DIESEL GENERATORS, 1

CONTAINMENT COOLING FANS AND ESSENTIAL SERVICE WATER

a. Manual Initiation NJA N.A. NA.a R N.A. N.A.

1,2, 3, 4 NA.

b. Automatic Actuation Logic and Actuation Relays N4.A. N.A. N.A. N.A. M(1) M{1) R(3) 1,2,3,4 1
a. Reactor BuildIng SR a NA. N.A. N.A. 1,2, 3 Preasura-High-1
d. Pressurizer Pressure--Low NA. 1,2,3 3 R a NA. N.A.
e. Differential Pressure . R a N.A N.A. NA.A 1,2,3 Between Steam Llnes--High 3
f. Steam Une Pressure Low R NA,A N.A. N.A, 1,2,3 a

I 2. REACTOR BUILDING SPRAY

a. Manual Initlation NJA. N.A. N.A° R N.A. N.A. 1,2,3,4 z

b, Automatic Actuation Logic and Actuation Relays N~.A. N.A. N.A. N.A.

M(1) M{1) R(3) 1,2,3,4 1

a. Reactor Building S R a N.A, NA,A N.A. N.A. 1,2, 3 I

Pressure-High-3 P

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

3. CONTAINMENT ISOLATION
a. Phase "A" Isolation
1) Manual N.A. N.A. N.A. R N.A, N.A. N.A. 1,2, 3, 4
2) Safety Injection See 1 above for all Safety Injection Surveillance Requirements.
3) Automatic Actuation NA. NA. N.A. N.A. M(1) M(1) 1,2,3,4 R(3)

Logic and Actuation 4~4 Relays Cf~

b. Phase "B" Isolation
1) Automatic Actuation N.A N.A. N.A, N.A, M{1) R(3) 1, 2,3, 4 Logic and Actuation Relays
2) Reactor Bultding S R N.A, N.A. N.A. 1,2,3 Preseure-High-3
c. Purge and Exhiaust Isolation N.A. N.A. N.A, M{1)
1) Automatic Actuation N.A. R(3) 1, 2,3, 4 Logic and Actuation Relays
2) Containment Radloactivityo M *N.A. N.A. N.A. NA. 1,2,3,4 S R High 0
3) Safety Injection See 1 above for all Safety Injection Surveillance Requirements.

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

4. STEAM LUNE ISOLATION
a. Manual N.A.

N,A. NA. N.A. R N.A. N.A. 1, 2, 3

b. Automatic Actuation Logic N.A. N.A. N.A. N.A. M(I) R(3) 1,2, 3 and Actuation Relays N.A.
c. Reactor Building S N.A. 1,2,3 Pressure-High-2 R a N.A.

N.A.

'4

d. Steam Flow in Two Steam S R NA. N.A. 1,2,3 (J) Lines--High Coincident NA.

-'3 with T=*,-Low-Low S R N.A. N.A. 1, 2, 3 N.A,

e. Steam Line Pressure Low S R N.A. N.A. 1,2,3 a
5. TURBINE TRIP AND N.A.

FEEDWATER ISOLATION

a. Steam Generator Water S R a N.A. 1,2 Level--High-HIgh
b. Automatic Actuationi Logic NA. NA.A N.A. M{1) R(3) 1, 2 N.A.

and Actuation Relay a.

B 6. EMERGENCY FEEDWATER CD

a. Manual NA. N.A. N.A. N.A, 1,2,3 N°A. Rl z N.A. N.A. M{1) R(3) 1,2,.3 P b; Automatic Actuation Logic NA. N.A. M(1)

I and Actuation Relays

c. Steam Generator Water S R NA. N.A. 1,2,3 Level--Low-Low a NA, N.A.

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

EMERGENCY FEEDWATER (Continued)

d. Undervohtage
  • Both ESF NA.A R N.A. R NA. NA.A N,A. 1,2,3 Busses
5. Safety Injection See I above for all Safety Injection Surveillance Requirements.
1. Undervoltage -One N.A. R NA., R N.A. N.A, N.A. 1,2, 3 ESF Bus CA) g. Trip of Main Feedwater N.A. R N.A. N.A. 1, 2 N.A. NA. NA.

Pumps

h. SuctIon transfer on S R N.A. N.A. N.A. N.A, 1,2,3 low pressure 7.LOSS OF POWER
a. 7.2 kV Emergency Bus NA. R N.A. NA*. NA. N.A. 1,2,3,4 Undervoltage (Loss of Voltage)

I b0. 7/.2 kV Emergency Bus Undervoltage (Degraded Voltage)

N.A. R N.A. NA. N.A. N.A. 1,2, 3,4 8.AUTOMATIC SWITCHOVER oz TO CONTAINMENT SUMP

a. RWST level low-low S R N.A. N.A. N.A, N.A. 1, 2, 3 0o b. Automatic Actuation Logic N.A. M(1) M(1) R(3) 1, 2, 3 NA. N.A.

and Actuation Relays

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

9. ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INTERLOCKS
a. Pressurizer Pressure, N. A. R. N.,A. N.A. N.A. N.A. 1, 2, 3 P-il
b. Low, Low Tavg'P1 N. A. N.A. N.A. N.A. N.A. 1., 2, 3 R.
c. Reactor Trip, P-4 N. A. N.,A. N.A. N.A. N.A. N.A. 1, 2, 3 qt C-.


INSTRUMENTATION

TABLE 4.3-2 (Continued)

Lj84J

TABLE NOTATION

(1) Each train shall be tested at least every 62* days on a STAGGERED TEST BASIS.

(2) The 36 inch containment purge supply and exhaust isolation valves are sealed closed during Modes 1 through 4, as required by TS 3.6.1.7. With these valves sealed closed, their ability to open is defeated; therefore, they are excluded from the quarterly slave relay test.

(3) Slave Relay Testing will be conducted every 18 months for Westinghouse type AR relays and preferably during a refueling outage to preclude the risk of actuation. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval to maintain the established frequency.

  • 43*0 3/43-40Amendment SUMME-UNIT1 No. 428187

Document Control Desk LAR 15-01424 RC-15-0171 Page 1 of 12

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ATTACHMENT 2 PROPOSED TECHNICAL SPECIFICATION CHANGES - RETYPED

Remove Pages | Insert Pages
TS Page 3/4-3-8 | TS Page 3/4-3-8
TS Page 3/4-3-11 | TS Page 3/4-3-11
TS Page 3/4-3-12 | TS Page 3/4-3-12
TS Page 3/4-3-13 | TS Page 3/4-3-13
TS Page 3/4-3-14 | TS Page 3/4-3-14
TS Page 3/4-3-35 | TS Page 3/4-3-35
TS Page 3/4-3-36 | TS Page 3/4-3-36
TS Page 3/4-3-37 | TS Page 3/4-3-37
TS Page 3/4-3-38 | TS Page 3/4-3-38
TS Page 3/4-3-39 | TS Page 3/4-3-39
TS Page 3/4-3-40 | TS Page 3/4-3-40

TABLE 3.3-1 (Continued)

ACTION STATEMENTS (Continued)

ACTION 8 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.

ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the reactor trip breakers within the next hour.

ACTION 10 - With the number of OPERABLE Channels less than the Total Number of Channels, operation may continue provided the inoperable channels are placed in the tripped condition within 6 hours.

ACTION 11 - With one of the diverse trip features (undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and apply ACTION 8. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status.

ACTION 12 - With the number of OPERABLE Channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.

3/4 3-8 SUME

-UNT 34 -8Amendment No. 78 0,17

TABLE 4.3-1

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

1. Manual Reactor Trip N.A. N.A. N.A. R(11) N.A. 1, 2, 3*, 4*, 5*
2. Power Range, Neutron Flux
High Setpoint S D(2, 4), M(3, 4), Q(4, 6), R(4, 5) SA N.A. N.A. 1, 2
Low Setpoint S R(4) S/U(18), (16) N.A. N.A. 1##, 2
3. Power Range, Neutron Flux High Positive Rate N.A. R(4) SA N.A. N.A. 1, 2
4. Deleted
5. Intermediate Range, Neutron Flux S R(4) S/U(18), (16) N.A. N.A. 1##, 2
6. Source Range, Neutron Flux S R(4) S/U(18), (17), (9) N.A. N.A. 2##, 3, 4, 5
7. Overtemperature ΔT S SA R N.A. N.A. 1, 2
8. Overpower ΔT S R SA N.A. N.A. 1, 2
9. Pressurizer Pressure--Low S R SA N.A. N.A. 1
10. Pressurizer Pressure--High S R SA N.A. N.A. 1, 2
11. Pressurizer Water Level--High S R SA N.A. N.A. 1
12. Loss of Flow S R SA N.A. N.A.

TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

13. Steam Generator Water Level--Low-Low S R SA N.A. N.A. 1, 2
14. Steam Generator Water Level - Low Coincident with Steam/Feedwater Flow Mismatch S R SA N.A. N.A. 1, 2
15. Undervoltage - Reactor Coolant Pumps N.A. R N.A. SA N.A.
16. Underfrequency - Reactor Coolant Pumps N.A. R N.A. SA N.A.
17. Turbine Trip
A. Low Fluid Oil Pressure N.A. R N.A. S/U(1, 10) N.A. 1
B. Turbine Stop Valve Closure N.A. R N.A. S/U(1, 10) N.A. 1
19. Reactor Trip System Interlocks
A. Intermediate Range Neutron Flux, P-6 N.A. R(4) R N.A. N.A.
B. Low Power Reactor Trips Block, P-7 N.A. R(4) R N.A. N.A. 1
C. Power Range Neutron Flux, P-8 N.A. R(4) R N.A. N.A. 1

TABLE 4.3-1 (Continued)

REACTOR TRIP SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

D. Low Setpoint Power Range Neutron Flux, P-10 N.A. R(4) R N.A. N.A. 1, 2
E. Turbine Impulse Chamber Pressure, P-13 N.A. R R N.A. N.A. 1
F. Low Power Range Neutron Flux, P-9 N.A. R(4) R N.A. N.A. 1
20. Reactor Trip Breaker N.A. N.A. N.A. (7, 12) N.A. 1, 2, 3*, 4*, 5*
21. Automatic Trip Logic N.A. N.A. N.A. N.A. Q(15) 1, 2, 3*, 4*, 5*
22. Reactor Trip Bypass Breaker N.A. N.A. N.A. (7, 13), R(14) N.A. 1, 2, 3*, 4*, 5*

TABLE 4.3-1 (Continued)

TABLE NOTATION

  1. 4# - Below P-6 (Intermediate Range Neutron Flux Interlock) setpoint.
    1. - Below P-10 (Low Setpoint Power Range Neutron Flux Interlock) setpoint.

(1) - If not performed in previous 31 days.

(2) - Comparison of calorimetric to excore power indication above 15% of RATED THERMAL POWER. Adjust excore channel gains consistent with calorimetric power if absolute difference is greater than 2 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(3) - Single point comparison of incore to excore AXIAL FLUX DIFFERENCE above 15% of RATED THERMAL POWER. Recalibrate if the absolute difference is greater than or equal to 3 percent. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(4) - Neutron detectors may be excluded from CHANNEL CALIBRATION.

(5) - Detector plateau curves shall be obtained evaluated and compared to manufacturer's data. For the Power Range Neutron Flux Channels the provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(6) - Incore - Excore Calibration, above 75% of RATED THERMAL POWER. The provisions of Specification 4.0.4 are not applicable for entry into MODE 2 or 1.

(7) - Each train shall be tested at least every 124 days on a STAGGERED TEST BASIS.

(8) - DELETED

(9) - Surveillance in MODES 3*, 4* and 5* shall also include verification that permissives P-6 and P-10 are in their required state for existing plant conditions by observation of the permissive annunciator window.

(10) - Setpoint verification is not required.

(11) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip circuits for the Manual Reactor Trip Function. The test shall also verify the OPERABILITY of the Bypass Breaker trip circuit(s).

(12) - The TRIP ACTUATING DEVICE OPERATIONAL TEST shall independently verify the OPERABILITY of the undervoltage and shunt trip attachments of the Reactor Trip Breakers.

(13) - Local manual shunt trip prior to placing breaker in service.

(14) - Automatic undervoltage trip.

(15) - Each train shall be tested at least every 184 days on a Staggered Test Basis.

(16) - 12 hours after reducing power below P-10 and 184 days thereafter.

(17) - 4 hours after reducing power below P-6 and 4 hours after entering MODE 3 from MODE 2 and 184 days thereafter.

(18) - If not performed in previous 184 days.

3/4 3-14 SUMMR

-UNI No. 73 8 , !0 !,T I /4-14Amendment 4

TABLE 4.3-2

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

1. SAFETY INJECTION, REACTOR TRIP, FEEDWATER ISOLATION, CONTROL ROOM ISOLATION, START DIESEL GENERATORS, CONTAINMENT COOLING FANS AND ESSENTIAL SERVICE WATER 1,2,3,4 CA,
a. Manual Initiation NJ.A. N.A. N.A. R N.A. N.A. N A.

N.A. N.A. N.A. N.A. Q(1) Q(1) R(3) 1,2,3,4 CA)

b. Automatic Actuation Logic CA) and Actuation Relays 01 SA N.A. N.A NA. N.A. 1,2,3
c. Reactor Building S R Pressure-High-1 R SA N.A. N.A. NA. N.A. 1,2,3
d. Pressurizer Pressure--Low S R SA N.A. N.A. N.A. N.A. 1,2,3
e. Differential Pressure S Between Steam Lines--High R SA N.A. N .A. N.A. N .A. 1,2,3
f. Steam Line Pressure Low S
2. REACTOR BUILDING SPRAY CD N.A. R N.A. N.A. N.A. 1,2,3,4 c~. a. Manual Initiation N.A. N.A.

CD N.A. N.A. N.A. Q(1) Q(1) R(3) 1,2,3,4

b. Automatic Actuation Logic N.A.

and Actuation Relays z N.A. N.A. 1,2,3 0

c. Reactor Building N.A. N.A.

S R SA Pressure-High-3

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

3. CONTAINMENT ISOLATION
a. Phase "A" Isolation
1) Manual | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4
2) Safety Injection | See 1 above for all Safety Injection Surveillance Requirements.
3) Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3,4
b. Phase "B" Isolation
1) Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3,4
2) Reactor Building Pressure-High-3 | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
c. Purge and Exhaust Isolation
1) Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(2,3) | 1,2,3,4
2) Containment Radioactivity-High | S | R | M | N.A. | N.A. | N.A. | N.A. | 1,2,3,4
3) Safety Injection | See 1 above for all Safety Injection Surveillance Requirements.

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

4. STEAM LINE ISOLATION
a. Manual | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3
b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3
c. Reactor Building Pressure-High-2 | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
d. Steam Flow in Two Steam Lines--High | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
   Coincident with Tavg--Low-Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
e. Steam Line Pressure Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3

5. TURBINE TRIP AND FEEDWATER ISOLATION
a. Steam Generator Water Level-High-High | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2
b. Automatic Actuation Logic and Actuation Relay | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2

6. EMERGENCY FEEDWATER
a. Manual | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3
b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3
c. Steam Generator Water Level--Low-Low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

EMERGENCY FEEDWATER (Continued)
d. Undervoltage - Both ESF Busses | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3
e. Safety Injection | See 1 above for all Safety Injection Surveillance Requirements.
f. Undervoltage - One ESF Bus | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3
g. Trip of Main Feedwater Pumps | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2
h. Suction transfer on low pressure | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3

7. LOSS OF POWER
a. 7.2 kV Emergency Bus Undervoltage (Loss of Voltage) | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4
b. 7.2 kV Emergency Bus Undervoltage (Degraded Voltage) | N.A. | R | N.A. | R | N.A. | N.A. | N.A. | 1,2,3,4

8. AUTOMATIC SWITCHOVER TO CONTAINMENT SUMP
a. RWST level low-low | S | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
b. Automatic Actuation Logic and Actuation Relays | N.A. | N.A. | N.A. | N.A. | Q(1) | Q(1) | R(3) | 1,2,3

TABLE 4.3-2 (Continued)

ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK | CHANNEL CALIBRATION | ANALOG CHANNEL OPERATIONAL TEST | TRIP ACTUATING DEVICE OPERATIONAL TEST | ACTUATION LOGIC TEST | MASTER RELAY TEST | SLAVE RELAY TEST | MODES FOR WHICH SURVEILLANCE IS REQUIRED

9. ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INTERLOCKS
a. Pressurizer Pressure, P-11 | N.A. | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
b. Low, Low Tavg, P-12 | N.A. | R | SA | N.A. | N.A. | N.A. | N.A. | 1,2,3
c. Reactor Trip, P-4 | N.A. | N.A. | N.A. | R | N.A. | N.A. | N.A. | 1,2,3

INSTRUMENTATION TABLE 4.3-2 (Continued)

TABLE NOTATION

(1) Each train shall be tested at least every 184 days on a STAGGERED TEST BASIS.

(2) The 36 inch containment purge supply and exhaust isolation valves are sealed closed during Modes 1 through 4, as required by TS 3.6.1.7. With these valves sealed closed, their ability to open is defeated; therefore, they are excluded from the quarterly slave relay test.

(3) Slave Relay Testing will be conducted every 18 months for Westinghouse type AR relays and preferably during a refueling outage to preclude the risk of actuation. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval to maintain the established frequency.


Document Control Desk
LAR 15-01424
RC-15-0171
Page 1 of 7

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12

ATTACHMENT 3
PROPOSED TECHNICAL SPECIFICATION BASES - MARK-UP

3/4.3 INSTRUMENTATION

BASES

3/4.3.1 and 3/4.3.2 REACTOR TRIP AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION

The OPERABILITY of the Reactor Protection System and Engineered Safety Feature Actuation System Instrumentation and interlocks ensure that 1) the associated action and/or reactor trip will be initiated when the parameter monitored by each channel or combination thereof reaches its setpoints, 2) the specified coincidence logic and sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance consistent with maintaining an appropriate level of reliability of the Reactor Protection and Engineered Safety Features instrumentation and, 3) sufficient system functions capability is available from diverse parameters.

The OPERABILITY of these systems is required to provide the overall reliability, redundancy, and diversity assumed available in the facility design for the protection and mitigation of accident and transient conditions. The integrated operation of each of these systems is consistent with the assumptions used in the accident analyses. The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards. The periodic surveillance tests performed at the minimum frequencies are sufficient to demonstrate this capability. Specified surveillance intervals have been determined in accordance with WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for Reactor Protection Instrumentation System," and supplements to that report. Specified surveillance and maintenance outage times have been determined in accordance with WCAP-14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and Westinghouse letter CGE-05-48. [Insert 1] Surveillance intervals and out of service times were determined based on maintaining an appropriate level of reliability of the Reactor Protection System and Engineered Safety Features instrumentation. The Slave Relay Test is performed on an 18-month frequency that is specific to Westinghouse AR relays. This test frequency is based on relay reliability assessments presented in WCAP-13877-P-A, "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays," that is dependent on the qualified life and environmental conditions of the AR relays. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval.

Consistent with the requirement in Regulatory Guide 1.177 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note). Entry into Actions 12, 14, 21, or 25 is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Actions 12, 14, 21, or 25 are typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of entry into Actions 12, 14, 21, or 25. If this situation were to occur during the 24-hour AOT of Actions 12, 14, 21, or 25, the configuration risk assessment procedure will assess the emergent condition and direct activities to restore the inoperable logic train and exit Actions 12, 14, 21, or 25, or fully implement these restrictions, or perform a unit shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.


  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

[Insert 2]

The Engineered Safety Feature Actuation System Instrumentation Trip Setpoints specified in Table 3.3-4 are the nominal values at which the bistables are set for each functional unit. A setpoint is considered to be adjusted consistent with the nominal value when the "as measured" setpoint is within the band allowed for calibration accuracy.

To accommodate the instrument drift assumed to occur between operational tests and the accuracy to which setpoints can be measured and calibrated, Allowable Values for the setpoints have been specified in Table 3.3-4. Operation with setpoints less conservative than the Trip Setpoint but within the Allowable Value is acceptable since an allowance has been made in the safety analysis to accommodate this error.

The methodology to derive the trip setpoints is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip setpoints are the magnitudes of these channel uncertainties. Sensor and rack instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes. Rack drift in excess of the Allowable Value exhibits the behavior that the rack has not met its allowance. Being that there is a small statistical chance that this will happen, an infrequent excessive drift is expected. Rack or sensor drift, in excess of the allowance that is more than occasional, may be indicative of more serious problems and should warrant further investigation.

The measurement of response time at the specified frequencies provides assurance that the reactor trip and the engineered safety feature actuation associated with each channel is completed within the time limit assumed in the accident analyses. No credit was taken in the analyses for those channels with response times indicated as not applicable.

Response time may be demonstrated by any series of sequential, overlapping or total channel test measurements provided that such tests demonstrate the total channel response time as defined. Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of allocated sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Response Time Tests," provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component into operational service and re-verified following maintenance or modification that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for the repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing element of a transmitter.

Westinghouse letter CGE-00-018, dated March 28, 2000, provided an evaluation of the Group 05 (11 NLP and 6NSA) 7300 process cards. These cards were revised after the submittal of WCAP-14036, Revision 1. This letter concluded that the failure modes and effects analysis (FMEA) performed for the older versions of these cards and documented in WCAP-14036-P-A, Revision 1, is applicable for these Group 05 cards. The bounding time response values determined by test and evaluation and reported in the WCAP are valid for these redesigned cards.

The Engineered Safety Features response times specified in Table 3.3-5 which include sequential operation of the RWST and VCT valves (Notes 2 and 3) are based on values assumed in the non-LOCA safety analyses. These analyses are for injection of borated water from the RWST. Injection of borated water is assumed not to occur until the VCT charging pump suction isolation valves are closed following opening of the RWST charging pumps suction valves. When the sequential operation of the RWST and VCT valves is not included in the response times (Note 1) the values specified are based on the LOCA analyses. The LOCA analyses take credit for injection flow regardless of the source.

Verification of the response times specified in Table 3.3-5 will assure that the assumptions used for the LOCA and non-LOCA analyses with respect to the operation of the VCT and RWST valves are valid.

The Engineered Safety Features Actuation System senses selected plant parameters and determines whether or not predetermined limits are being exceeded. If they are, the signals are combined into logic matrices sensitive to combinations indicative of various accidents, events, and transients. Once the required logic combination is completed, the system sends actuation signals to those engineered safety features components whose aggregate function best serves the requirements of the condition. As an example, the following actions may be initiated by the Engineered Safety Features Actuation System to mitigate the consequences of a steam line break or loss of coolant accident: 1) safety injection pumps start and automatic valves position, 2) reactor trip, 3) feedwater isolation, 4) startup of the emergency diesel generators, 5) containment spray pumps start and automatic valves position, 6) containment isolation, 7) steam line isolation, 8) turbine trip, 9) auxiliary feedwater pumps start and automatic valves position, 10) containment cooling fans start and automatic valves position, 11) essential service water pumps start and automatic valves position, and 12) control room isolation and ventilation systems start.

Several automatic logic functions included in this specification are not necessary for Engineered Safety Feature System actuation but their functional capability at the specified setpoints enhances the overall reliability of the Engineered Safety Features functions. These automatic actuation systems are purge and exhaust isolation from high containment radioactivity, turbine trip and feedwater isolation from steam generator high-high water level, initiation of emergency feedwater on a trip of the main feedwater pumps, automatic transfer of the suctions of the emergency feedwater pumps to service water on low suction pressure, and automatic opening of the containment recirculation sump suction valves for the RHR and spray pumps on low-low refueling water storage tank level.

The service water response time includes: 1) the start of the service water pumps and, 2) the service water pumps discharge valves (3116A,B,C-SW) stroking to the fully opened position. This condition of the valves assures that flow will become established through the component cooling water heat exchanger, diesel generator coolers, HVAC chiller, and to the suction of the service water booster pumps when these components are placed in-service. Prior to this time, the flow is rapidly approaching required flow and sufficient pressure is developed as valves finish their stroke. Each of the above-listed components will be starting to perform their accident mitigation function, either directly or indirectly depending upon the use of the component, and will be operational within the service water response time of 71.5/81.5 seconds 1/. Only the service water booster pumps have a direct impact on the accident analysis via the RBCUs' heat removal capability as discussed below.

1/ Total time is 1.5 second instrument response after setpoint is reached, plus 10 seconds diesel generator start, plus 10 seconds to reach service water pump start and begin 3116-SW opening via Engineered Safety Features Loading Sequencer, plus 60 seconds stroke time for 3116-SW. During this total time, the service water pumps start and the service water pump discharge valve begins to open at 11.5 seconds and the pump discharge valve is fully open at 71.5 seconds without a diesel generator start required and 21.5 seconds and 81.5 seconds including a diesel generator start.


The RBCU response time includes: 1) the start of the RBCU fan and the service water booster pumps and, 2) all the service water valves which must be driven to the fully opened or fully closed position. This condition of the valves allows the flow to become fully established through the RBCU. Prior to this time, the flow is rapidly approaching required flow as the valves finish their stroke. Although the RBCU would be removing heat throughout the Engineered Safety Features response time, the accident analysis does not assume heat removal capability from 0 to 71.5 seconds 1/ because the industrial cooling water system is not completely isolated until 71.5 seconds. A linear ramp increase from 95% full heat removal capability to 100% full heat removal capability is assumed by the accident analysis to start at 71.5 seconds and end at 86.5 seconds 2/. Full heat removal capability is assumed at 86.5 seconds based on the position of the valve 3107-SW.

1/ Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel start plus 60 seconds* for valves to isolate industrial cooling water system.

2/ Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel generator start plus 75 seconds to stroke valves 3107A, B-SW.

* During this time period, the Engineered Safety Features Loading Sequencer starts the RBCU fans at 25 seconds and service water booster pumps at 30 seconds after the valves begin to stroke.


Insert 1:

Specified surveillance intervals and RTB outage times have been determined in accordance with WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated March 2003.

Insert 2:

Consistent with the NRC Safety Evaluation (SE) requirements in WCAP-15376-P-A, Rev. 1, Tier 2 insights must be included in the decision making process before removing an RTB train from service and implementing the extended (risk-informed) Completion Time for an RTB train. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTB train is inoperable.

Entry into Action 8 for an inoperable RTB train is not a typical, preplanned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Action 8 may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Action 8 entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable RTB train and exit the Action, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Action 8 when an RTB train is inoperable:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available.

RCS pressure relief (pressurizer PORVs and safety valves), emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

  • Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.

  • Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

Document Control Desk
LAR 15-01424
RC-15-0171
Page 1 of 7

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12

ATTACHMENT 4
PROPOSED TECHNICAL SPECIFICATION BASES - RETYPED

Remove Pages | Insert Pages
TS Bases Page 3/4-3-1 | TS Bases Page 3/4-3-1
TS Bases Page 3/4-3-1a | TS Bases Page 3/4-3-1a
TS Bases Page 3/4-3-1b | TS Bases Page 3/4-3-1b
TS Bases Page 3/4-3-1c | TS Bases Page 3/4-3-1c
TS Bases Page 3/4-3-1d | TS Bases Page 3/4-3-1d
-- | TS Bases Page 3/4-3-1e

3/4.3 INSTRUMENTATION

BASES

3/4.3.1 and 3/4.3.2 REACTOR TRIP AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION

The OPERABILITY of the Reactor Protection System and Engineered Safety Feature Actuation System Instrumentation and interlocks ensure that 1) the associated action and/or reactor trip will be initiated when the parameter monitored by each channel or combination thereof reaches its setpoints, 2) the specified coincidence logic and sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance consistent with maintaining an appropriate level of reliability of the Reactor Protection and Engineered Safety Features instrumentation and, 3) sufficient system functions capability is available from diverse parameters.

The OPERABILITY of these systems is required to provide the overall reliability, redundancy, and diversity assumed available in the facility design for the protection and mitigation of accident and transient conditions. The integrated operation of each of these systems is consistent with the assumptions used in the accident analyses. The surveillance requirements specified for these systems ensure that the overall system functional capability is maintained comparable to the original design standards. The periodic surveillance tests performed at the minimum frequencies are sufficient to demonstrate this capability. Specified surveillance intervals have been determined in accordance with WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for Reactor Protection Instrumentation System," and supplements to that report. Specified surveillance and maintenance outage times have been determined in accordance with WCAP-14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and Westinghouse letter CGE-05-46. Specified surveillance intervals and RTB outage times have been determined in accordance with WCAP-15376-P-A, Rev. 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated March 2003. Surveillance intervals and out of service times were determined based on maintaining an appropriate level of reliability of the Reactor Protection System and Engineered Safety Features instrumentation. The Slave Relay Test is performed on an 18-month frequency that is specific to Westinghouse AR relays. This test frequency is based on relay reliability assessments presented in WCAP-13877-P-A, "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays," that is dependent on the qualified life and environmental conditions of the AR relays. Replacement relays other than Westinghouse type AR or reconciled Cutler-Hammer relays will require further analysis and NRC approval.

Consistent with the requirement in Regulatory Guide 1.177 to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic train is inoperable for maintenance are included (note that these restrictions do not apply when a logic train is being tested under the 4-hour bypass Note). Entry into Actions 12, 14, 21, or 25 is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since Actions 12, 14, 21, or 25 are typically entered due to equipment failure, it follows that some of the following restrictions may not be met at the time of entry into Actions 12, 14, 21, or 25. If this situation were to occur during the 24-hour AOT of Actions 12, 14, 21, or 25, the configuration risk assessment procedure will assess the emergent condition and direct activities to restore the inoperable logic train and exit Actions 12, 14, 21, or 25, or fully implement these restrictions, or perform a unit shutdown, as appropriate from a risk management perspective. The following restrictions will be observed:

  • To preserve ATWS mitigation capability, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable for maintenance.


  • To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained when a logic train is inoperable for maintenance.
  • To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable for maintenance.
  • Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable for maintenance. That is, one complete train of a function that supports a complete train of a function noted above must be available.

Consistent with the NRC Safety Evaluation (SE) requirements in WCAP-15376-P-A, Rev. 1, Tier 2 insights must be included in the decision making process before removing an RTB train from service and implementing the extended (risk-informed) Completion Time for an RTB train. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTB train is inoperable.

Entry into Action 8 for an inoperable RTB train is not a typical, preplanned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Action 8 may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Action 8 entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable RTB train and exit the Action, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.

The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering Action 8 when an RTB train is inoperable:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

  • Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.
  • Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

The Engineered Safety Feature Actuation System Instrumentation Trip Setpoints specified in Table 3.3-4 are the nominal values at which the bistables are set for each functional unit. A setpoint is considered to be adjusted consistent with the nominal value when the "as measured" setpoint is within the band allowed for calibration accuracy.

To accommodate the instrument drift assumed to occur between operational tests and the accuracy to which setpoints can be measured and calibrated, Allowable Values for the setpoints have been specified in Table 3.3-4. Operation with setpoints less conservative than the Trip Setpoint but within the Allowable Value is acceptable since an allowance has been made in the safety analysis to accommodate this error.

The methodology to derive the trip setpoints is based upon combining all of the uncertainties in the channels. Inherent to the determination of the trip setpoints are the magnitudes of these channel uncertainties. Sensor and rack instrumentation utilized in these channels are expected to be capable of operating within the allowances of these uncertainty magnitudes. Rack drift in excess of the Allowable Value exhibits the behavior that the rack has not met its allowance. Being that there is a small statistical chance that this will happen, an infrequent excessive drift is expected. Rack or sensor drift, in excess of the allowance that is more than occasional, may be indicative of more serious problems and should warrant further investigation.

The measurement of response time at the specified frequencies provides assurance that the reactor trip and the engineered safety feature actuation associated with each channel is completed within the time limit assumed in the accident analyses. No credit was taken in the analyses for those channels with response times indicated as not applicable.

Response time may be demonstrated by any series of sequential, overlapping or total channel test measurements provided that such tests demonstrate the total channel response time as defined. Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of allocated sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Response Time Tests," provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component into operational service and re-verified following maintenance or modification that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for the repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing element of a transmitter.

Westinghouse letter CGE-00-018, dated March 28, 2000, provided an evaluation of the Group 05 (11 NLP and 6NSA) 7300 process cards. These cards were revised after the submittal of WCAP-14036, Revision 1. This letter concluded that the failure modes and effects analysis (FMEA) performed for the older versions of these cards and documented in WCAP-14036-P-A, Revision 1, is applicable for these Group 05 cards. The bounding time response values determined by test and evaluation and reported in the WCAP are valid for these redesigned cards.

The Engineered Safety Features response times specified in Table 3.3-5 which include sequential operation of the RWST and VCT valves (Notes 2 and 3) are based on values assumed in the non-LOCA safety analyses. These analyses are for injection of borated water from the RWST. Injection of borated water is assumed not to occur until the VCT charging pump suction isolation valves are closed following opening of the RWST charging pumps suction valves. When the sequential operation of the RWST and VCT valves is not included in the response times (Note 1) the values specified are based on the LOCA analyses. The LOCA analyses take credit for injection flow regardless of the source.

Verification of the response times specified in Table 3.3-5 will assure that the assumptions used for the LOCA and non-LOCA analyses with respect to the operation of the VCT and RWST valves are valid.

The Engineered Safety Features Actuation System senses selected plant parameters and determines whether or not predetermined limits are being exceeded. If they are, the signals are combined into logic matrices sensitive to combinations indicative of various accidents, events, and transients. Once the required logic combination is completed, the system sends actuation signals to those engineered safety features components whose aggregate function best serves the requirements of the condition. As an example, the following actions may be initiated by the Engineered Safety Features Actuation System to mitigate the consequences of a steam line break or loss of coolant accident: 1) safety injection pumps start and automatic valves position, 2) reactor trip, 3) feedwater isolation, 4) startup of the emergency diesel generators, 5) containment spray pumps start and automatic valves position, 6) containment isolation, 7) steam line isolation, 8) turbine trip, 9) auxiliary feedwater pumps start and automatic valves position, 10) containment cooling fans start and automatic valves position, 11) essential service water pumps start and automatic valves position, and 12) control room isolation and ventilation systems start.

Several automatic logic functions included in this specification are not necessary for Engineered Safety Feature System actuation but their functional capability at the specified setpoints enhances the overall reliability of the Engineered Safety Features functions. These automatic actuation systems are purge and exhaust isolation from high containment radioactivity, turbine trip and feedwater isolation from steam generator high-high water level, initiation of emergency feedwater on a trip of the main feedwater pumps, automatic transfer of the suctions of the emergency feedwater pumps to service water on low suction pressure, and automatic opening of the containment recirculation sump suction valves for the RHR and spray pumps on low-low refueling water storage tank level.

The service water response time includes: 1) the start of the service water pumps and, 2) the service water pumps discharge valves (3116A, B, C-SW) stroking to the fully opened position. This condition of the valves assures that flow will become established through the component cooling water heat exchanger, diesel generator coolers, HVAC chiller, and to the suction of the service water booster pumps when these components are placed in-service. Prior to this time, the flow is rapidly approaching required flow and sufficient pressure is developed as valves finish their stroke. Each of the above-listed components will be starting to perform their accident mitigation function, either directly or indirectly depending upon the use of the component, and will be operational within the service water response time of 71.5/81.5 seconds [1]. Only the service water booster pumps have a direct impact on the accident analysis via the RBCUs' heat removal capability as discussed below.

[1] Total time is 1.5 second instrument response after setpoint is reached, plus 10 seconds diesel generator start, plus 10 seconds to reach service water pump start and begin 3116-SW opening via Engineered Safety Features Loading Sequencer, plus 60 seconds stroke time for 3116-SW. During this total time, the service water pumps start and the service water pump discharge valve begins to open at 11.5 seconds and the pump discharge valve is fully open at 71.5 seconds without a diesel generator start required and 21.5 seconds and 81.5 seconds including a diesel generator start.

The RBCU response time includes: 1) the start of the RBCU fan and the service water booster pumps and, 2) all the service water valves which must be driven to the fully opened or fully closed position. This condition of the valves allows the flow to become fully established through the RBCU. Prior to this time, the flow is rapidly approaching required flow as the valves finish their stroke. Although the RBCU would be removing heat throughout the Engineered Safety Features response time, the accident analysis does not assume heat removal capability from 0 to 71.5 seconds [2] because the industrial cooling water system is not completely isolated until 71.5 seconds. A linear ramp increase from 95% full heat removal capability to 100% full heat removal capability is assumed by the accident analysis to start at 71.5 seconds and end at 86.5 seconds [3]. Full heat removal capability is assumed at 86.5 seconds based on the position of the valve 3107-SW.

[2] Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel start plus 60 seconds* for valves to isolate industrial cooling water system.

[3] Total time is 1.5 second instrument response after setpoint is reached, plus 10 second diesel generator start plus 75 seconds to stroke valves 3107A, B-SW.

* During this time period, the Engineered Safety Features Loading Sequencer starts the RBCU fans at 25 seconds and service water booster pumps at 30 seconds after the valves begin to stroke.

Document Control Desk LAR 15-01424 RC-15-0171 Page 1 of 21

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12
ATTACHMENT 5
WCAP-15376-P APPLICABILITY ANALYSIS

1.0 Purpose

The purpose of this Attachment is to provide a summary of the technical justification for implementation of the completion time (CT), bypass test time, and surveillance test interval (STI) changes justified in WCAP-15376-P-A, Revision 1 (Reference 1) for V.C. Summer Nuclear Station (VCSNS) Unit 1.

2.0 Background

The Nuclear Regulatory Commission (NRC) approved the following TS changes justified in WCAP-15376-P-A, Revision 1 (Reference 1) regarding STIs, CTs, and bypass test times for the Reactor Protection System (RPS).

Analog channels

  • STI from 3 months to 6 months

Logic cabinets

  • STI from 2 months to 6 months

Master relays

  • CT from 1 hour to 24 hours
  • Bypass test time from 2 hours to 4 hours
  • STI from 2 months to 4 months

Implementation of these changes requires the licensee to address the Conditions and Limitations in the NRC's Safety Evaluation. For WCAP-15376-P-A, this requires:

1. Confirm the applicability of the WCAP-15376-P-A, Revision 1 analysis to the plant
2. Address Tier 2 and 3 requirements
3. Address concurrent testing of one logic cabinet and associated reactor trip breaker
4. Confirm the modeling assumptions for the human reliability assessment are applicable

Implementation Guidelines for WCAP-15376-P-A have been previously developed and were followed in this program.

Tier 2 requirements provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when equipment is out of service. These requirements place limitations on additional equipment that can be removed from service during one of the risk-informed extended CTs. Tier 3 ensures that risk significant out-of-service equipment is evaluated prior to performing any maintenance activities. Tier 3 evaluations are addressed by the plant's Configuration Risk Management Program used to comply with 10 CFR 50.65(a)(4).

An additional commitment included in the Implementation Guidelines for WCAP-15376-P-A, Revision 1 addresses setpoint uncertainty calculations and assumptions, including instrument drift.

In addition, monitoring requirements for the changes implemented were developed and an assessment of the impact of the proposed changes on external event risk was addressed.

These are not Conditions or Limitations in the Safety Evaluations, but the NRC has requested this information for plants that have recently requested the changes in WCAP-15376-P-A.

3.0 Summary of Results

The following sections provide a summary of the results. Inputs included the VCSNS Unit 1 PRA model, Final Safety Analysis Report (FSAR), and TS.

3.1 Task 1: Demonstrate Applicability of WCAP-15376-P-A, Revision 1

The following demonstrates the applicability of the WCAP-15376-P-A, Revision 1 analysis and results to VCSNS Unit 1 and addresses the Conditions and Limitations in the Safety Evaluation.

This includes:

  • Demonstrate the applicability of the analysis and results to VCSNS Unit 1 (Condition and Limitation 1)
  • Demonstrate the applicability of the component failure probabilities for the safeguards driver cards and master relays (Condition and Limitation 1)
  • Address containment failure assessment (Condition and Limitation 1)
  • Develop Tier 2 limitations (Condition and Limitation 2)
  • Address concurrent testing of one logic cabinet and associated reactor trip breaker (Condition and Limitation 3)
  • Confirm modeling assumptions for human reliability assessment (Condition and Limitation 4)

3.1.1 Applicability of WCAP-15376-P-A, Revision 1

Tables 1, 2, and 3 demonstrate that the WCAP-15376-P-A, Revision 1 analysis and results are applicable to VCSNS Unit 1.

Table 1: WCAP-15376-P-A Implementation Guidelines: Applicability of the Analysis General Parameters

| Parameter | WCAP-15376-P-A Analysis Assumption | VCSNS Unit 1 Specific Parameter |
|---|---|---|
| Logic Cabinet Type (Note 1) | SSPS or Relay | SSPS (Solid State Protection System) |
| Component Bypass Test Time (Note 2) | | |
| • Analog channels | 12 hours | 12 hours |
| • Logic cabinets (SSPS or Relay Protection System) | 4 hours for SSPS or 8 hours for Relay Protection System | 4 hours |
| • Master Relay (SSPS or Relay Protection System) | 4 hours for SSPS or 8 hours for Relay Protection System | 4 hours |
| • Reactor trip breakers | 2 hours | 2 hours |
| Component Test Interval (Note 3) | | |
| • Reactor trip breakers | 2 months | 2 months |
| Typical At-Power Maintenance Intervals (Note 4) | | |
| • Reactor trip breakers | 12 months | Equal to or greater than |
| Plant procedures are in place for the following operator actions (Note 5) | | |
| • Insertion of the control rods via the rod control system | Credited | Yes |
| • Safety injection actuation from the main control board switches | Credited | Yes |
| • Safety injection by actuation of | Credited | Yes |
| • Emergency feedwater (EFW) pump start | Credited | Yes |
| ATWS Mitigation System Actuation Circuitry (AMSAC) (Note 6) | Credited for EFW pump start | Yes |
| Total Transient Event Frequency (Note 7) | 3.6/year | 4.41E-01/year |
| ATWS Contribution to CDF (current PRA model) (Note 8) | 1.06E-06/year | 4.83E-08/year |
| Total CDF from Internal Events (current PRA model) (Note 9) | -- | 5.67E-06/year |
| Total LERF from Internal Events (current PRA model) (Note 9) | -- | 1.06E-07/year |

Notes:

1. Indicate type of logic cabinet; SSPS or Relay (both are included in WCAP-15376-P-A).
2. Fill in the current Tech Spec bypass test times. If the current Tech Spec bypass test times are equal to or less than those used in WCAP-15376-P-A, the analysis is applicable to your plant.
3. Fill in the current Tech Spec test interval. If the current Tech Spec test interval is equal to or greater than that used in WCAP-15376-P, the analysis is applicable to your plant.
4. Fill in the typical maintenance intervals or fill in "equal to or greater than" or "less than." If the maintenance intervals are equal to or greater than those used in WCAP-15376-P-A, the analysis is applicable to your plant.
5. Indicate if plant procedures are in place to perform these actions. If plant procedures are in place, the WCAP-15376-P-A analysis is applicable to your plant.
6. Indicate if AMSAC will initiate EFW pump start. If AMSAC will initiate EFW pump start, then the WCAP-15376-P-A analysis is applicable to your plant.
7. Include the total frequency for initiators requiring a reactor trip signal to be generated for event mitigation. This is required to assess the importance of ATWS events to CDF. Do not include events initiated by a reactor trip. If the plant specific value is less than the WCAP-15376-P-A value, then this analysis is applicable to your plant.
8. Fill in the ATWS contribution to core damage frequency (from at-power, internal events). This is required to determine if the ATWS event is a large contributor to CDF.
9. Fill in the total CDF and LERF from internal events (including internal flooding) for the most recent PRA model update. This is required for comparison to the NRC's risk-informed CDF and LERF acceptance guidelines in RG 1.174.

Table 2: WCAP-15376-P-A Implementation Guidelines: Applicability of Analysis Reactor Trip Actuation Signals

| Event | WCAP-15376-P-A Analysis Assumption | VCSNS Unit 1 Specific Parameter (Note 1) |
|---|---|---|
| Large LOCA | Not Required | Agree |
| Medium LOCA | Not Required | Agree |
| Small LOCA | Non-diverse (Note 2) w/OA (Note 3) | Agree |
| Steam Generator Tube Rupture | Non-diverse w/OA | Agree |
| Interfacing System LOCA | Not Required | Agree |
| Reactor Vessel Rupture | Not Required | Agree |
| Secondary Side Breaks | Non-diverse w/OA | Agree |
| Transient Events, such as: Positive Reactivity Insertion; Loss of Reactor Coolant Flow; Total or Partial Loss of Main Feedwater; Loss of Condenser; Turbine Trip; Loss of DC Bus; Loss of Vital AC Bus; Loss of Instrument Air; Spurious Safety Injection; Inadvertent Opening of a Steam Valve | Diverse (Note 4) w/OA | Agree |
| Reactor Trip | Generated by RPS | Agree |
| Loss of Offsite Power | Not Required by RPS | Agree |
| Station Blackout | Not Required by RPS | Agree |
| Loss of Service Water or Component Cooling Water | Non-diverse w/OA | Agree |

Notes:
1. Fill in "agree" if your plant design and operation is consistent with this analysis, that is, the noted reactor trip signals at a minimum, are available. If not, explain the difference. If "agree" is listed for each event, then the WCAP-15376-P-A analysis is applicable to your plant.
2. Non-diverse means that (at least) one signal will be generated to initiate a reactor trip for the event.
3. OA indicates that an operator could take action to initiate a reactor trip for the event. In the event automatic reactor trip does not occur, operator action can be taken that results in a success path (reactor trip) prior to the action becoming ineffective to mitigate the event. Procedures are in place that will instruct the operator to take action.
4. Diverse means that (at least) two signals will be generated to initiate a reactor trip for the event.

Table 3: WCAP-15376-P-A Implementation Guidelines: Applicability of Analysis ESFAS

| Safety Function | Event | WCAP-15376-P-A Analysis Assumption | VCSNS Unit 1 Specific Parameter (Note 1) |
|---|---|---|---|
| Safety Injection | Large LOCA | Non-diverse (Note 2) | Agree |
| Safety Injection | Medium LOCA | Non-diverse, OA (Note 3) by SI switch on main control board | Agree |
| Safety Injection | Small LOCA | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Safety Injection | Interfacing Systems LOCA | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Safety Injection | Steam Generator Tube Rupture | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Safety Injection | Secondary Side Breaks | Non-diverse, OA by SI switch on main control board, OA of individual components | Agree |
| Emergency Feedwater Pump Start | Events generating SI signal / Transient events | Pump actuation on SI signal / Non-diverse, AMSAC, operator action | Agree |
| Main Feedwater Isolation | Secondary Side Breaks | Non-diverse | Agree |
| Steamline Isolation | Secondary Side Breaks | Non-diverse | Agree |
| Containment Spray Actuation | All events | Non-diverse | Agree |
| Containment Isolation | All events | From SI signal | Agree |
| Containment Cooling | All events | From SI signal | Agree |

Notes:

1. Fill in "agree" if your plant design and operation is consistent with this analysis, that is, the noted ESFAS at a minimum, are available. If not, explain the difference. If "agree" is listed for each event, then the WCAP-15376-P-A analysis is applicable to your plant.
2. Non-diverse means that (at least) one signal will be generated to initiate the safety function noted for the event.
3. OA indicates that an operator could take action to initiate ESF for the event. In the event automatic ESF does not occur, operator action can be taken that results in a success path (ESF actuation) prior to the action becoming ineffective to mitigate the event. Procedures are in place that will instruct the operator to take action.

Since the WCAP-15376-P-A analysis and results are applicable to VCSNS Unit 1, the following is concluded:

  • The signals available to actuate reactor trip for the various events are consistent with those credited in the WCAP analysis.
  • The signals available to actuate safeguards equipment for the various events are consistent with those credited in the WCAP analysis.
  • The current applicable analog channel, logic cabinet, and reactor trip breaker test intervals, bypass test times, and completion times are consistent with the WCAP analysis.
  • Plant procedures are in place for the relevant operator actions credited in the analysis.

The calculated increase in CDF for all the changes specified in WCAP-15376-P-A, Revision 1, as provided in Table 8.29 of the WCAP is 8.0E-07/year for plants with predominately 2-of-4 logic requirements and 8.5E-07/year for plants with predominately 2-of-3 logic. The calculated increase in LERF due to all the changes in WCAP-15376-P-A, Revision 1 as provided in Table 8.32 of the WCAP is 3.1E-08/year for plants with predominately 2-of-4 logic requirements and 5.7E-08/year for plants with predominately 2-of-3 logic. Per RG 1.174 (Reference 2), for a total CDF of 1.0E-04/year changes to CDF of 1.0E-06/year are acceptable; and for a total LERF of 1.0E-05/year, changes to LERF of 1.0E-07/year are acceptable. The VCSNS Unit 1 CDF for internal and external events is 7.27E-05/year and LERF including internal events and external events is 4.96E-07/year. Therefore, this is consistent with the guidelines in RG 1.174, Revision 2 that allows small increases in CDF and LERF.

It is concluded that implementing the changes in the WCAP will have an impact on CDF of less than 1.0E-06/year and on LERF of less than 1.0E-07/year, which meets the guidance in RG 1.174.

3.1.2 Applicability of the Safeguards Driver Card and Master Relay Failure Probabilities

It is necessary to indicate that component failure probabilities developed as part of WCAP-15376-P-A are applicable to VCSNS Unit 1. This includes the master relay and safeguards driver card failure probabilities. The failure probabilities for these components are based on data collected from a number of Westinghouse NSSS plants. The failure probabilities for these components provided in Table 8.6 of WCAP-15376-P are 1.10E-05 for SSPS master relays and 5.90E-04 for SSPS safeguards driver cards.

A summary of the experience for these components at VCSNS Unit 1 from 2009 to 2013 is provided in Table 4.

Table 4: Component Failure Probabilities for VCSNS Unit 1

| Parameter | Safeguards Driver Cards | Master Relays |
|---|---|---|
| Actuations | 254 | 1572 |
| Failures | 0 | 0 |

An analysis based on the binomial distribution was used to determine the number of expected failures for the given failure probabilities and actuations. For both components, zero or one failure would be expected. Since the experience at VCSNS Unit 1 resulted in no failures, it is concluded that the failure probabilities for these components used in the WCAP analysis are applicable to VCSNS Unit 1.
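The binomial check described above, as an added Python example (not part of the submittal or the WCAP): it uses the Table 8.6 failure probabilities and Table 4 actuation counts quoted on this page, while the 95% coverage level and all function names are assumptions. It goes one step beyond the text by also computing the one-sided upper bound on failure probability that a zero-failure record supports.

```python
from math import comb

# Inputs quoted on this page: failure probability per demand (WCAP Table 8.6)
# and actuations/failures observed at VCSNS Unit 1, 2009-2013 (Table 4).
COMPONENTS = {
    "SSPS safeguards driver cards": {"p": 5.90e-04, "n": 254, "observed": 0},
    "SSPS master relays": {"p": 1.10e-05, "n": 1572, "observed": 0},
}


def binom_pmf(k, n, p):
    """Probability of exactly k failures in n independent demands."""
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def prob_at_most(k, n, p):
    """Cumulative probability of k or fewer failures in n demands."""
    return sum(binom_pmf(i, n, p) for i in range(k + 1))


def expected_failures(n, p):
    """Mean of the binomial distribution."""
    return n * p


def smallest_covering_count(n, p, coverage=0.95):
    """Smallest k with P(X <= k) >= coverage.

    The coverage level is an assumption of this example; the page only
    states that zero or one failure would be expected.
    """
    k = 0
    while prob_at_most(k, n, p) < coverage:
        k += 1
    return k


def zero_failure_upper_bound(n, confidence=0.95):
    """One-sided upper bound on p after 0 failures in n demands.

    Solves (1 - p)**n = 1 - confidence for p (exact binomial bound).
    """
    return 1.0 - (1.0 - confidence) ** (1.0 / n)


def assess(name):
    """Compare the observed failure count with what the generic p predicts."""
    c = COMPONENTS[name]
    n, p, observed = c["n"], c["p"], c["observed"]
    k_max = smallest_covering_count(n, p)
    return {
        "expected": expected_failures(n, p),
        "p_zero": binom_pmf(0, n, p),
        "p_at_most_one": prob_at_most(1, n, p),
        "max_expected_count": k_max,
        # Consistent when the plant record does not exceed the covered count.
        "consistent": observed <= k_max,
        # What the plant record alone can demonstrate about p.
        "upper_bound_from_record": zero_failure_upper_bound(n)
        if observed == 0 else None,
    }


if __name__ == "__main__":
    for name in COMPONENTS:
        r = assess(name)
        print(name)
        print(f"  expected failures      : {r['expected']:.4f}")
        print(f"  P(0 failures)          : {r['p_zero']:.4f}")
        print(f"  P(<= 1 failure)        : {r['p_at_most_one']:.5f}")
        print(f"  count covering 95%     : {r['max_expected_count']}")
        print(f"  consistent with record : {r['consistent']}")
        print(f"  95% upper bound on p   : {r['upper_bound_from_record']:.2e}")
```

The upper bound from the plant record is much larger than the generic value in both cases, so the record shows consistency with the WCAP probabilities rather than an independent estimate of them.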

3.1.3 Address Containment Failure Assessment

The WCAP analysis and determination of LERF is based on a large dry containment. VCSNS Unit 1 is a large dry containment; therefore, the results are applicable.

3.1.4 Develop Tier 2 Limitations

Recommended Tier 2 requirements, or restrictions, are provided in Section 8.5 of the WCAP. These are:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief, emergency feedwater flow (for RCS heat removal), ATWS Mitigating System Actuation Circuitry (AMSAC) and turbine trip are important to alternate ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC or turbine trip should not be scheduled when a RTB is out of service.
  • Due to the increased dependence on the available reactor trip train when one logic cabinet is removed from service, activities that degrade other components of the RPS, including master relays or slave relays and activities that cause analog channels to be unavailable should not be scheduled when a logic train is unavailable.

  • Activities on electrical systems that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is unavailable.

3.1.5 Develop Tier 3 Limitations

Tier 3 analysis is addressed through the VCSNS Maintenance Rule Program. Refer to the evaluation provided in Section 4.3 of the Enclosure of this submittal.

3.1.6 Address Concurrent Testing of One Logic Cabinet and Associated RTB

The risk impact of concurrent testing of one logic cabinet and the associated RTB is addressed by demonstrating that the WCAP-15376-P analysis is applicable to VCSNS Unit 1. The WCAP analysis assumes that if a RTB is out of service its associated logic cabinet is also out of service. Therefore, concurrent testing is addressed in the WCAP analysis.

3.1.7 Confirm Modeling Assumptions for Human Reliability Assessment

Table 5 provides a summary of the operator actions credited in the WCAP analysis and the ability of these actions to be successful at VCSNS Unit 1. All actions are credited with plant procedures in place and all actions are effective.

Table 5: WCAP-15376-P-A Implementation Guidelines: Applicability of the Human Reliability Analysis

| Operator Action | Operator Action that results in a success path (backup to the automatic function) prior to the action becoming ineffective to mitigate the event? (Note 1) | Are Plant Procedures in Place for the Action? (Note 1) |
|---|---|---|
| Reactor trip from the main control board switches | Yes | Yes |
| Reactor trip by interrupting power to the motor-generator sets | No (see Table 5 Explanation #1 below) | Yes |
| Insertion of the control rods via the rod control system | Yes | Yes |
| Safety injection actuation from the main control board switches | Yes | Yes |
| Safety injection by actuation of individual components | Yes | Yes |
| Emergency Feedwater pump start | Yes | Yes |

Note:

1. Fill in "yes" or "no". If "yes" is filled in for both questions, then the analysis is applicable to your plant with respect to that operator action.

Table 5 Explanation #1

The analysis supporting the reactor trip instrumentation Technical Specification changes in WCAP-15376-P-A, Revision 1 credits the ability of the operators to trip the reactor by interrupting power to the motor-generator (MG) sets. When power is interrupted to the MG sets, the MG sets coast down and control rod drive mechanisms release the control rods which drop into the core. The failure probability for this operator action is set to 0.5.

VCSNS Unit 1 Emergency Operation Procedures (EOPs) include steps to trip the reactor via interrupting power to the MG sets if the reactor fails to trip. This action will occur after the operator action to trip the reactor from the main control board. Due to the short time available for operator actions during an ATWS event, the action to trip the reactor by interrupting power to the MG sets may not always be effective. The time for the reactor coolant system (RCS) to attain 3,200 psi is dependent on a number of parameters, including core time in life, availability of RCS pressure relief, and availability of emergency feedwater. Thus, there may be plant operating conditions when the time available is insufficient for a trip via the MG sets to be effective in mitigating the event.

As seen in WCAP-15376-P, failure of reactor trip signals for transient events is dominated by common cause failure of the RTBs. The reason for this is the defense-in-depth designed into the development of reactor trip signals. For transient events, reactor trip signals will be initiated by at least two sets of analog channels (transmitters or sensors monitoring different reactor parameters) and there is an operator action to trip the reactor from the control board. This operator action is a backup to failures in the analog channels and logic cabinets, but not the RTBs. Therefore, common cause failure of the RTBs is the dominant contributor to failure of reactor trip signals for transient events.

The probability for getting to an ATWS condition based on the model in WCAP-15376-P is:

CCF RTBs x failure probability of operators to trip reactor by interrupting power to MGs
= RTB random failure probability x Beta Factor RTB x failure probability of operators to trip reactor by interrupting power to MGs
= 3.70E-05/year x 0.043 x 0.5 = 8.0E-07/year

The probability for getting to an ATWS situation for VCSNS is:

CCF RTBs = RTB random failure probability x Beta Factor RTB = 1.54E-05/year x 0.043 = 6.6E-07/year

Note that the RTB random failure probability is from NUREG/CR-6928, "Industry Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants," 2008. This is an updated value over WCAP-15376-P.

As indicated, the probability of ATWS conditions is nearly equal between the WCAP-15376-P analysis and an updated analysis that does not credit tripping the reactor by interrupting power to the MG sets. Therefore, it is concluded that the results in WCAP-15376-P remain applicable given that no credit is taken for tripping the reactor by interrupting power to the MG sets.

All Operator Actions (OAs) listed in Table 5 (above) have a "Yes" answer for both questions or are further justified; therefore the WCAP-15376-P analysis is applicable to VCSNS Unit 1.

3.2 Task 2: Demonstrate Monitoring Requirements for WCAP-15376-P-A, Revision 1 Implementation

The monitoring program needs to be directed at the following components as noted:

  • Analog channels (which includes the sensors to the bistables) - STI extension
  • Logic cabinets - STI extension
  • Master relays - STI extension
  • RTB - STI extension
  • RTB - Completion time and bypass test time changes

The analog channels are typically associated with m-of-n logic. This means that if there are n channels only m of those channels are required to trip to initiate a safety function, such as reactor trip or emergency core cooling. Therefore, redundancy is built into the design. In addition, the safety equipment for event mitigation for the majority of the events that are postulated to occur can be actuated by more than one set of analog channels. This is referred to as analog channel diversity and this provides diversity in the design. Furthermore, the safety equipment can be actuated by operator action for most events which provides a backup to the automatic actuation signals. This redundancy and diversity for analog channels reduces the safety importance of the channels and changes in channel reliability have only a very small impact on plant risk. As stated in RG 1.174 (Reference 2), "SSCs are monitored commensurate with their safety importance." Based on this discussion, it is concluded that the analog channels can be eliminated from the monitoring program.

3.2.1 Monitoring Requirements - Component Failure Probabilities

Monitoring requirements are required on the components with an extended STI to ensure the component failure probabilities for the extended STIs used in the analysis remain applicable.

The failure probabilities of the components used in the analysis to justify the changes to the STIs are provided in Table 6.

Table 6: Component Failure Probabilities

| Component | Failure Probability (for the extended STI) |
|---|---|
| Universal logic cards | 1.15E-03 |
| Undervoltage driver cards | 1.01E-03 |
| Safeguards driver cards | 1.77E-03 |
| Master relays | 3.30E-05 |
| Reactor trip breakers | 7.40E-05 |

The approach used to develop monitoring requirements involved the use of a binomial distribution to calculate an acceptable number of failures that support the failure probability used in the analysis. Then the actual failures and actuations can be compared to this and assessed to determine whether the failure probability used in the analysis is supported by the plant experience.

Based on this assessment, for components with a failure probability of approximately 2.0E-03 (such as the undervoltage driver cards, safeguards driver cards, and universal logic cards), zero, one, or two failures would be expected depending on the number of actuations. For components with a failure probability of approximately 1.0E-04 (such as the master relays or reactor trip breakers), zero or one failure would be expected, again depending on the number of actuations.
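The binomial comparison described above can be sketched as follows. This is an added illustration, not code or a criterion taken from this submittal or from WCAP-15376-P-A: the 95% one-sided confidence level and the actuation counts are assumptions, and only the failure probabilities come from Table 6.

```python
from math import comb

# Failure probabilities for the extended STI, copied from Table 6 above.
TABLE_6 = {
    "Universal logic cards": 1.15e-03,
    "Undervoltage driver cards": 1.01e-03,
    "Safeguards driver cards": 1.77e-03,
    "Master relays": 3.30e-05,
    "Reactor trip breakers": 7.40e-05,
}


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): n actuations, failure probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def acceptable_failures(p, n, confidence=0.95):
    """Smallest failure count k such that P(X <= k) >= confidence.

    The confidence level is an assumption of this example; the page does not
    state the criterion used in the WCAP analysis.
    """
    if not (0.0 <= p <= 1.0) or n < 0 or not (0.0 < confidence < 1.0):
        raise ValueError("need 0 <= p <= 1, n >= 0 and 0 < confidence < 1")
    k = 0
    while binom_cdf(k, n, p) < confidence:
        k += 1
    return k


def assess(p, n, observed, confidence=0.95):
    """Compare observed failures in n actuations with the acceptable number."""
    if observed < 0 or observed > n:
        raise ValueError("observed failures must lie between 0 and n")
    limit = acceptable_failures(p, n, confidence)
    # Probability of seeing at least `observed` failures if p is correct.
    tail = 1.0 if observed == 0 else 1.0 - binom_cdf(observed - 1, n, p)
    return {"limit": limit, "supported": observed <= limit, "p_value": tail}


if __name__ == "__main__":
    # Actuation counts below are constructed sample values, not plant data.
    for name, p in TABLE_6.items():
        limits = {n: acceptable_failures(p, n) for n in (50, 200, 1000)}
        print(f"{name:28s} p={p:.2e} acceptable failures by actuations: {limits}")
    print(assess(2.0e-03, 100, observed=3))
```

With the assumed 95% level, a failure probability of about 2.0E-03 gives an acceptable count that moves from zero to one to two as actuations accumulate, and a probability of about 1.0E-04 gives zero or one, which matches the pattern described in the paragraph above.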

3.2.2 Monitoring Requirements - Component Unavailability

Component unavailability monitoring requirements are required for the reactor trip breakers, master relays, and logic cabinets since these are the components in the WCAP-15376-P-A, Revision 1 analysis that resulted in an extended test interval, completion time, and/or bypass time that could impact component availability.

The following 18 month unavailability times are assumed in the WCAP (from Table 8.7 of WCAP-15376-P-A, Revision 1):

Reactor trip breakers (unavailability due to test and maintenance)

  • Test unavailability = 4 hours x 3 tests/year = 12 hours/year per RTB or 18 hours/18 months per RTB
  • Maintenance unavailability = 30 hours x 1 maintenance event/year = 30 hours/year or 45 hours/18 months per RTB
  • Total unavailability = 45 hours/18 months + 18 hours/18 months = 63 hours/18 months per RTB

Master relays (unavailability due to test and maintenance)

  • Test unavailability = 4 hours x 3 tests/18 months = 12 hours/18 months
  • Maintenance unavailability = very small due to the low failure probability of the relays
  • Total unavailability = 12 hours/18 months (for each master relay)

Logic cabinets (unavailability due to test and maintenance)

  • Test unavailability = 4 hours x 3 tests/18 months = 12 hours/18 months
  • Maintenance unavailability = 30 hours/18 months
  • Total unavailability = (12 hours + 30 hours)/18 months = 42 hours/18 months (for each logic cabinet)

The suggested monitoring requirements are provided in Table 7.

Table 7: Summary of Monitoring Requirements on an Individual Component Basis

| Component | Unavailability Time | Interval |
|---|---|---|
| Reactor Trip Breakers | 63 hours | 18 months |
| Master Relays | 12 hours | 18 months |
| Logic Cabinets | 42 hours | 18 months |

3.3 Task 3: Assessment of impact from External Events for WCAP-15376-P-A, Revision 1

The analysis supporting the changes in WCAP-15376-P-A, Revision 1 does not include external events. Although this is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested information on the external event impact from plants recently requesting these changes.

The risk impact from seismic, fire, high winds, external flooding, and transportation and nearby facility accident events due to the implementation of the TS changes justified in WCAP-15376-P-A, Revision 1 was assessed and the acceptability of the changes was determined.

3.3.1 Seismic Assessment

The following provides the discussion of the impact of seismic events on the risk assessment as related to the signal unavailability changes for the proposed TS changes. The steps that were followed to determine the impact of seismic events on the risk for the proposed CT changes are:

Step 1: Identify the Systems of Interest
Step 2: Identify the Accidents that can Result from a Seismic Event
Step 3: Identify How the System of Interest is Used to Mitigate the Seismically Induced Events
Step 4: Assess the Impact of the Signal Unavailability Increase on CDF and LERF

The seismic events that need to be considered are those that cause a loss of offsite power (LOOP) or a small break LOCA. Each of these events is discussed in the following with respect to the proposed Technical Specification changes. Note that larger seismic events will cause larger LOCAs, secondary side breaks, failure of support systems, etc., and also adversely impact the systems required for mitigation including the RPS. Therefore, small changes to the availability of the signals have no impact on seismic plant risk for these larger seismic events.

LOOP Events

For a LOOP event, the Diesel Generators (DGs) are required to start and run, EFW is required to start and run, and the seal injection system or component cooling water to the thermal barrier heat exchanger need to continue (actually, load shed and then load back on the DG). The only signal required for this that is impacted by the proposed Tech Spec changes is the EFW pump start signal. If this signal fails, the EFW pumps can also be started by the ATWS mitigation system actuation circuitry (AMSAC). In addition, operators can start EFW pumps manually.

Therefore, the impact on seismic CDF from the increased signal unavailability can be determined by:

ΔCDF = Seismic LOOP Initiating Event (IE) Frequency x ΔUnavailability of ESFAS signal x Operator Action (OA) failure probability x AMSAC failure

where:

  • Seismic LOOP IE frequency = 5.20E-04/year (based on the ceramic insulators being the limiting component which leads to a loss of offsite power)
  • Operator action to initiate EFW failure probability = 1.90E-03 (from the VCSNS PRA model)

ΔCDF = 5.20E-04/year x 2.73E-04 x 1.90E-03 x 1.00E-02 = 2.70E-12/year

This results in a CDF increase of 2.70E-12/year, which is an extremely small impact on CDF. If it is very conservatively assumed that the total CDF increase results in a large early release, then the LERF impact is also very small. Therefore, it is concluded that the ΔCDF and ΔLERF changes meet the acceptance criteria in RG 1.174.

Note that reactor trip signals are not important to LOOP events. Given a LOOP event, the motor-generator sets will coast down and eliminate power to the control rod drive mechanisms, which will open and release the control rods to insert into the core. Therefore, no reactor trip signal is required.

Small Break LOCA Events

With a small break LOCA, the Emergency Core Cooling System (ECCS) is required to provide inventory control via coolant injection, and then recirculation. Since the ceramic insulators are the seismically limiting component, if a seismically induced small LOCA occurs, then offsite power will also be lost. That is, a higher level seismic event is required to cause a small LOCA than a LOOP. The level of the seismic event would also need to be low enough not to fail any mitigating equipment. If the level of the seismic event is high enough such that all trains of mitigating systems fail, such as the ECCS or DGs, then the event is assumed to proceed to core damage. Under this higher seismic level scenario, implementing the proposed changes does not result in an increase in risk since the mitigation systems fail whether or not they are available. But for the scenario in which a seismic event causes a small break LOCA and LOOP, but does not fail any mitigation equipment, the availability of the Safety Injection (SI) signal needs to be considered and the proposed Tech Spec changes can result in a change in plant risk from seismically initiated small LOCAs. This risk change, in terms of CDF, can be calculated as follows:

ΔCDF = Seismic Induced Small LOCA Initiating Event (IE) Frequency x ΔUnavailability of SI signal w/OA x OA failure probability (via individual components)

The value for the "ΔUnavailability of SI signal w/OA" parameter improves as the unavailability decreases with the proposed changes. This is based on the signal unavailabilities provided in WCAP-15376-P-A, Rev. 1. Therefore, the CDF assessment will show a CDF reduction. It is not necessary to determine the other parameters in the ΔCDF equation since this provides a benefit. Since the CDF is reduced, the LERF impact will also be very small.

From this it is concluded that the ΔCDF and ΔLERF changes are small and meet the acceptance criteria in RG 1.174.

Reactor Trip Signals

Note that reactor trip signals are not important to LOOP events. Given a LOOP event, the motor-generator sets will coast down and eliminate power to the control rod drive mechanisms, which will open and release the control rods which will insert into the core. Therefore, no reactor trip signal is required.

3.3.2 Fire Assessment

The following provides the discussion of the impact of fire events on the risk assessment as related to the signal unavailability changes for the proposed TS changes. The steps that were followed to determine the impact of seismic events on the risk for the proposed CT changes are:

Step 1: Determine the Fire IE Frequency
Step 2: Determine the Actuation Signals Required for Event Mitigation
Step 3: Determine the Increase in Signal Unavailability for those Signals Identified in Step 2 and Determine CDF and LERF Impact

The fire ignition frequencies were previously determined for each fire compartment via the guidance provided in NUREG/CR-6850 for VCSNS Unit 1. These frequencies were then summed by building to determine a building fire ignition frequency. The following buildings were included in the assessment:

  • Auxiliary Building
  • Control Building
  • Circulating Water Pump House
  • Diesel Generator Building
  • Fuel Handling Building
  • Intermediate Building
  • Reactor Building
  • Turbine Building

Each building was assessed to determine if one or two ESFAS trains will be available to start EFW. Fires in the Circulating Water Pump House, Diesel Generator Building, Fuel Handling Building, and Service Water Pump House would not impact ESFAS signals; therefore, both trains will be available. In the other buildings it was assumed that the fire could impact one ESFAS train; therefore, only one train of ESFAS signals will be available.

Mitigation of the fire event typically requires decay heat removal. This can be performed by the main feedwater system, EFW, and feed and bleed. Main feedwater is not credited following a fire event since there is a relatively large amount of equipment required which could be lost due to the fire, so conservatively it is not credited. EFW and feed and bleed are credited. Since this assessment is directed at the increased signal unavailabilities related to the proposed TS changes, the following discusses alternate methods to start EFW and the backup to EFW in case the signals for EFW fail.

For a transient event in which main feedwater is lost, most transient events, EFW will be started on steam generator level low-low. If this signal fails and the event degrades, then other signals may be available to actuate EFW, such as an SI signal. EFW can also be started by operator action from the control room and by AMSAC. If EFW fails to start due to failure of the above signals or due to failure of the EFW system itself, then operators can initiate feed and bleed for decay heat removal.

Based on this the CDF impact related to the change in signal unavailability can be calculated as:

ΔCDF = Fire IE frequency x Change in signal unavailability x OA to initiate EFW failure probability x AMSAC/Feed and Bleed (F&B) failure

Where:

  • Fire IE frequency from the areas crediting 1 ESFAS train = 9.54E-02/year
  • Fire IE frequency from the areas crediting 2 ESFAS trains = 1.69E-02/year
  • Change in signal unavailability - one train = -9.0E-04 (from WCAP-15376-P-A, Rev. 1)
  • Change in signal unavailability - two trains = 2.73E-04 (from WCAP-15376-P-A, Rev. 1)
  • Operator action to initiate EFW failure probability = 1.90E-03 (from the VCSNS PRA model)
  • AMSAC and Feed and Bleed failure probability = 0.10 (conservative value)

ΔCDF (EFW Pump Start - 1 Train) = 9.54E-02/year x -9.00E-04 x 1.90E-03 x 0.10 = -1.63E-08/year

ΔCDF (EFW Pump Start - 2 Trains) = 1.69E-02/year x 2.73E-04 x 1.90E-03 x 0.10 = 8.77E-10/year

Therefore, the total increase in CDF due to the increased signal unavailability to start EFW related to fire events = -1.63E-08/year + 8.77E-10/year = -1.54E-08/year. This is a risk benefit.

The CDF reduction is due to the signal unavailability reduction (availability improvement) for the single train emergency feed water pump start signal. As the test intervals are extended, the probability of a component being in an undetected failed state increases, but the component unavailability related to the test is reduced since fewer tests are being completed. This tradeoff for high reliability components often results in a reliability improvement, especially for single trains where common cause failures do not dominate. Since the CDF is reduced, the LERF impact will also be very small and the ΔCDF and ΔLERF changes meet the acceptance criteria in RG 1.174.

Reactor Trip Signals

For the most part, reactor trip signals are not important to mitigation of fire events. Fire events, like many other external events, require the hazard (fire) to cause a reactor trip and adversely impact mitigation equipment. If a fire event only adversely impacts a mitigation system, then the plant continues to operate and the applicable Technical Specification Action for the Condition is followed. If a fire event causes a reactor trip and doesn't impact mitigation equipment, then this is addressed as a transient event. Since fire events cause a reactor trip, reactor trip signals are not required to mitigate fire events and the proposed changes which impact the reactor trip signals have no impact on plant risk.

3.3.3 Other External Events

The VCSNS Unit 1 IPEEE was reviewed to identify vulnerabilities from external events including high winds, external flooding, and transportation and nearby facility accidents. Other external events were eliminated from further consideration. For the high winds, external flooding, and transportation and nearby facility accidents external events, the importance of reactor trip and engineered safety features actuation signals was assessed. These are discussed in the following sections.

High Winds Assessment

High winds were screened out as a significant contributor to plant risk in the IPEEE. Since the high wind event can cause a loss of offsite power, the plant could be in a station blackout situation for a significant length of time. Reactor trip and ESF actuation signals play no role in this core damage scenario because the control rods will insert on loss of power and the EFW turbine driven pump will start and run during a station blackout. Therefore, it is concluded that the small increases in signal unavailabilities have no impact on plant risk due to high wind events. High wind events that do not cause loss of offsite power would be considered transient events, which are addressed in the internal events evaluation.

External Flooding Assessment

An evaluation of external flooding was performed in the IPEEE assessment. As noted in the FSAR, VCSNS Unit 1 is considered a "dry site" which means the site is not subject to stream or river flooding due to topographic conditions. It was concluded that the plant was designed to provide adequate protection for safety-related structures, components, and systems from external flood hazards. Therefore, external flooding was screened from further consideration. It is concluded that the small increases in reactor trip and ESF actuation signal unavailabilities have no significant impact on plant risk in protecting the plant during external flood events.

Transportation and Nearby Facility Accidents Assessment

An evaluation of transportation and nearby facility hazards was performed in the IPEEE assessment and it was concluded that these events are not significant risks to the plant. Therefore, it is concluded that the small increases in reactor trip or ESF actuation signal unavailabilities have no impact on plant risk since there are no credible hazards posed to the plant from transportation or nearby facility accidents.

Conclusion

Based on this assessment, it was concluded that the impact of the proposed changes on plant risk from external events was small and meets the acceptance criteria in RG 1.174.

3.3.4 Total Plant CDF and LERF

The VCSNS Unit 1 CDF including internal and external events is 7.27E-05/year and LERF including internal and external events is 4.96E-07/year (see Table 8). These values are consistent with the guidelines in Regulatory Guide 1.174, which allow small increases in CDF and LERF. Per this Regulatory Guide, for a total CDF of 1.0E-04/year, changes to CDF of 1.0E-06/year are acceptable and for a total LERF of 1.0E-05/year, changes to LERF of 1.0E-07/year are acceptable.

Table 8: CDF and LERF Assessment

| Hazard Group | CDF (per year) | LERF (per year) |
|---|---|---|
| Internal Events (including Internal Flooding) | 5.67E-06 | 1.06E-07 |
| Seismic | 1.50E-05 | 1.50E-07 |
| Fire | 5.20E-05 | 2.40E-07 |
| Total | 7.27E-05 | 4.96E-07 |

3.4 Task 4: Assessment of PRA Model Consistency and RG 1.200

Although consistency of the VCSNS Unit 1 internal events PRA with Regulatory Guide 1.200 is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested this information in previous submittals. Unresolved Findings and Observations (F&O) from the most recent PRA model peer review were reviewed and the potential impact on implementation of the proposed changes is assessed below.

The VCSNS Unit 1 Internal Events PRA is based on a detailed model of the plant developed from the Individual Plant Examination for Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities." The model is maintained and updated in accordance with VCSNS procedures and has been updated to meet the ASME PRA Standard and Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities."

The model has been reviewed and assessed on multiple occasions. In August 2002, the VCSNS Internal Events PRA was peer reviewed in accordance with the guidance in NEI 00-02, "Probabilistic Risk Assessment (PRA) Peer Review Process Guidance." All A & B level F&Os from WOG Internal Events PRA Peer Review have been addressed. Although all C & D level findings have not been incorporated, all of the items that had the potential to significantly impact model results have been resolved.

Following completion of sufficient work to address the Peer Review comments, a 2005 gap assessment of the model was performed to determine the scope of work required to ensure the VCSNS Internal Events PRA meets Regulatory Guide 1.200, Revision 1. The results of this review indicated that VCSNS had resolved most of the issues identified in the original peer review, but the review identified some F&Os that needed additional work, as well as several new issues. Additionally (in this 2005 review), the VCSNS PRA was found to meet Capability Categories (CC)-II or better for 211 of the 271 Supporting Requirements (SRs) from the ASME PRA Standard, but 45 of the elements were found to either not meet the requirement or to meet the requirements at a CC-I level. Following work at VCSNS to address the findings and to increase the capability category ratings of the elements that needed an upgrade to allow use of the model in risk informed applications, a focused review was performed as required by the ASME RA-S-2002, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications" (and 2007 addenda ASME RA-Sc-2007, Appendix A). All SRs were judged to be CC-II or better, with the exception of thirteen SRs that were rated at the CC-I based on the VCSNS simplified NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," compliant Large Early Release Frequency (LERF) model. While these 13 SRs specifically define a simplified NUREG/CR-6595 LERF model as CC-I, it was noted that use of the NUREG model is an acceptable means of calculating LERF for risk-informed applications. The conclusion of the 2007 focused review was that the model is of sufficient quality for use in risk-informed applications.

In November 2011, PRA personnel from SCE&G and Westinghouse Electric Company performed a self-assessment to identify gaps between the VCSNS PRA model and the requirements delineated in Regulatory Guide 1.200, Revision 2, and the ASME/ANS PRA Internal Events Model Standard. This task was a follow up to the 2007 focused scope review which evaluated the model against the requirements in Revision 1 of the Regulatory Guide. In addition to a general assessment of the internal events PRA model, the self-assessment also addressed changes in requirements between the time of the 2007 focused scope review and the implementation date of Revision 2.

Based on the above, it is determined that the VCSNS PRA model is acceptable for use in this WCAP-15376-P Implementation analysis.

4.0 Conclusions

The following provides a summary of the conclusions of this program:

  • The changes proposed in WCAP-15376-P-A, Revision 1 are applicable to VCSNS Unit
  • Tier 2 limitations are only required when a logic cabinet, master relay, or a RTB is out of service.
  • Monitoring requirements related to unavailability were identified for the RTBs, master relays, and logic cabinets.
  • Monitoring requirements related to component reliability were identified for the undervoltage driver cards, safeguards driver cards, universal logic cards, master relays, and reactor trip breakers.
  • No monitoring requirements were identified for the analog channels.
  • The impact of the proposed changes on risk from external events is very small and will not impact the acceptability of the changes proposed in WCAP-15376-P-A, Revision 1.
  • The VCSNS PRA model is consistent with RG 1.200 and is acceptable for use in the WCAP-15376-P-A analysis.

5.0 References

1. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.

2. US NRC Regulatory Guide 1.174, Revision 2, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," May 2011.

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1
DOCKET NO. 50-395
OPERATING LICENSE NO. NPF-12
ATTACHMENT 6
LIST OF REGULATORY COMMITMENTS

The following table identifies those actions committed to by the Virgil C. Summer Nuclear Station (VCSNS) in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments. Please direct questions regarding these commitments to Mr. Bruce L. Thompson at (803) 931-5042.

VCSNS will trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A (Over temperature Delta-T, Steam Generator Level, and Pressurizer Pressure) for two years (four operational tests).

Two years and six months after implementation