Text

R. E. Ginna, License Amendment Request to Revise Technical Specifications for Selected Reactor Trip System and Engineered Safety Feature Actuation System Instrumentation Channels to Incorporate Bypass Test Capability
	ML17321A107
Person / Time
Site:	Ginna
Issue date:	11/16/2017
From:	Jim Barstow; Exelon Generation Co
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML17321A106	List: ML17321A107;
References
	Download: ML17321A107 (73)
	v • d • e

PROPRIETARY INFORMATION-WITHHOLD UNDER 10 CFR 2.390 Exelon Generation ~,

200 Exelon Way Kennett Square. PA 19348 www.exeloncorp.com 10 CFR 50.90 November 16, 2017 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 R. E. Ginna Nuclear Power Plant Renewed Facility Operating License No. DPR-18 NRG Docket No. 50-244

Subject:

License Amendment Request to Revise Technical Specifications for Selected Reactor Trip System and Engineered Safety Feature Actuation System Instrumentation Channels to Incorporate Bypass Test Capability In accordance with 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," Exelon Generation Company, LLC (EGG) requests changes to the Technical Specifications (TS) of the R. E. Ginna Nuclear Power Plant (Ginna).

The proposed amendment revises TS for selected Reactor Trip System (ATS) and Engineered Safety Feature Actuation System (ESFAS) instrumentation channels. This change will allow selected RTS (Table 3.3.1*1) and ESFAS instrumentation channels (Table 3.3.2-1) to be bypassed during surveillance testing. Additionally, this change will allow ATS and ESFAS input relays to be excluded from the Channel Operational Test (COT). This change will allow testing of Nuclear Instrumentation System power range functions, which are part of the RTS, with a permanently installed bypass capability, while other ATS and ESFAS system functions will be capable of being bypassed utilizing permanent connections in the racks to connect a portable test box.

The proposed change has been reviewed by the Ginna Plant Operations Review Committee in accordance with the requirements of the EGC Quality Assurance Program.

Attachment 4 contains information proprietary to Westinghouse Electric Company LLC (Westinghouse). Westinghouse requests that the document be withheld from public disclosure in accordance with 10 CFR 2.390(b)(4). Attachment 5 contains a non-proprietary version of the Westinghouse document. An affidavit supporting this request is contained in Attachment 6.

EGC requests approval of the proposed license amendment by November 16, 2018. Once approved, the amendment shall be implemented within 60 days of receipt. There are no regulatory commitments contained within this letter.

Attachment 4 transmitted herewith contains Proprietary Information.

When separated from attachments, this document is decontrolled.

License Amendment Request to Revise TS for Selected Reactor Trip System and Engineered Safety Feature Actuation System Instrumentation November 16, 2017 Page2 In accordance with 10 CFR 50.91, "Notice for public comment; State consultation,"

paragraph (b), EGC is notifying the State New York of this application for license amendment by transmitting a copy of this letter and its attachments to a designated State Official.

Should you have any questions concerning this letter, please contact Tom Loomis at (610) 765-5510.

I declare under penalty of perjury that the foregoing is true and correct. This statement was executed on the 161h day of November 2017.

Respectfully,

~~~

James Barstow Director - Licensing and Regulatory Affairs Exelon Generation Company, LLC Attachments: 1. Evaluation of Proposed Change

2. Markup of Proposed Technical Specifications Pages

3. Revised Technical Specifications Bases Pages

4. "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R.E. Ginna," WCAP-18298-P, September 2017 (Proprietary Version)

5. "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna," WCAP-18298-NP, September 2017 (Non-Proprietary Version)

6. Affidavit cc: NRC Regional Administrator, Region I NRC Senior Resident Inspector, Ginna NRC Project Manager, Ginna A. L. Peterson, NYSERDA

Attachment 1 Evaluation of Proposed Change 1.0

SUMMARY

DESCRIPTION 2.0 DETAILED DESCRIPTION

3.0 TECHNICAL EVALUATION

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements/Criteria 4.2 Precedent 4.3 No Significant Hazards Consideration 4.4 Conclusions

5.0 ENVIRONMENTAL CONSIDERATION

Attachment 1 Evaluation of Proposed Change 1.0

SUMMARY

DESCRIPTION In accordance with 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," Exelon Generation Company, LLC (EGC) requests changes to the Technical Specifications (TS) of the R. E. Ginna Nuclear Power Plant (Ginna).

EGC proposes to revise the TS for selected Reactor Trip System {RTS} and Engineered Safety Feature Actuation System (ESFAS) instrumentation channels. This change will allow selected RTS (Table 3.3.1-1) and ESFAS (Table 3.3.2-1) instrumentation channels to be bypassed during surveillance testing (Channel Operational Test (COT) and channel calibration).

Additionally, this change will allow RTS and ESFAS input relays to be excluded from the COT.

This change will allow testing of Nuclear Instrumentation System (NIS) power range functions, which are part of the RTS, with permanently installed bypass capability while other RTS and ESFAS system functions will be capable of being bypassed utilizing permanent connections in the racks to connect a portable test box.

This change to the NIS power range functions is supported by Westinghouse Electric Company LLC (Westinghouse) report WCAP-18298-P, "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna" (Attachment 4) and the nonproprietary version (Attachment 5). Changes associated with the bypass testing of the RTS and ESFAS system functions utilizing permanent connections in the racks to connect a portable test box are discussed below.

2.0 DETAILED DESCRIPTION The proposed change will allow certain functions in the RTS and ESFAS instrumentation to be tested in bypass following implementation of the bypass test instrumentation modifications, including a permanent modification for NIS power range functions, and a permanent connection in the reactor protection racks to connect the portable test box. The proposed change is needed to support utilization of bypass testing capability, which will reduce the potential for an inadvertent reactor trip or safeguards actuation due to a failure or spurious transient in a redundant channel.

The following functions in the RTS and ESFAS instrumentation will be capable of being bypassed for testing:

TS Table 3.3.1-1 Function 2a - Power Range Neutron Flux - High (Nuclear Instrumentation System)

Function 2b - Power Range Neutron Flux - Low (Nuclear Instrumentation System)

Function 5 - Overtemperature /1 T Function 6 - Overpower /1T Function 7a - Pressurizer Pressure - Low Function 7b - Pressurizer Pressure - High Function 8 - Pressurizer Water Level - High Function 9a - Reactor Coolant Flow - Low - Single Loop Function 9b - Reactor Coolant Flow - Low - Two Loops Function 13 - Steam Generator Water Level - Low Low Function 16c - Reactor Trip System Interlocks - Power Range Neutron Flux, P-8 Function 16d - Reactor Trip System Interlocks - Power Range Neutron Flux, P-9 Page 1

Attachment 1 Evaluation of Proposed Change Function 16e - Reactor Trip System Interlocks - Power Range Neutron Flux, P-10 TS Table 3.3.2-1 Function 1c - Safety Injection - Containment Pressure - High Function 1d - Safety Injection - Pressurizer Pressure - Low Function 1e - Safety Injection - Steam Line Pressure - Low Function 4c - Steam Line Isolation - Containment Pressure - High High Function Sb - Feedwater Isolation - SG Water Level - High In addition to allowing the listed RTS and ESFAS instrumentation functions to be tested in bypass, the proposed change would revise certain Required Actions Notes in TS 3.3.1, Conditions D, K, M, and S and Surveillance Requirements 3.3.1. 7, 3.3.1.8, and 3.3.1.13. This change also revised TS 3.3.2, Conditions F, J, and L, and Surveillance Requirement 3.3.2.2 to reflect wording for plants with installed bypass capability. The Notes are being revised to allow testing a channel in bypass, and the Surveillance Requirements are being revised to exclude the RTS and ESFAS input relays during the performance of a COT. contains mark-ups of the affected TS pages, respectively, for the proposed change. contains the proposed mark-ups of the affected TS Bases pages for information only.

3.0 TECHNICAL EVALUATION

Operating plants have experienced many inadvertent reactor trips and safeguards actuations during the performance of instrumentation surveillances, causing unnecessary transients and challenges to safety systems. In the early 1980s, in response to growing concern regarding the impact of TS surveillance testing and maintenance activities on plant operations, particularly as related to instrumentation systems, the Pressurized Water Reactor Owners Group (PWROG)

(formerly the Westinghouse Owners Group) initiated a program to justify extending the RTS and ESFAS bypass test times, completion times, and surveillance frequencies, to provide additional time to perform surveillance and maintenance activities. WCAP-10271-P-A and its supplements justified extending the RTS and ESFAS bypass test times, Completion Times, and Surveillance Frequencies. One of the provisions discussed was to allow routine surveillance testing of the RTS and ESFAS channels in a bypassed condition rather than a tripped condition. The NRG Safety Evaluation Reports (SERs) for WCAP-10271-P-A and its supplements conclude that using temporary jumpers or lifting leads was not an acceptable method of performing a channel bypass during routine surveillance testing.

This change will allow selected RTS (Table 3.3.1-1) and ESFAS instrumentation channels (Table 3.3.2-1) to be bypassed during surveillance testing. Additionally, this change will allow RTS and ESFAS input relays to be excluded from the COT. However, the RTS and ESFAS input relays will continue to be tested (i.e., tripped) during the channel calibration (SRs 3.3.1.1 o (RTS relays) and SR 3.3.2.5 (ESFAS relays)) in accordance with the frequencies specified in the surveillance frequency control program.

Page2

Attachment 1 Evaluation of Proposed Change The proposed change to the Ginna TS will allow testing of the NIS power range functions of the RTS by installing permanent test panels located within the rear of the NIS cabinets. The NIS power range functions are contained in TS Table 3.3.1-1. This permanently installed test panel will allow performance of the COT by placing the channel in bypass instead of placing the channel in a tripped condition. The test panel LEDs provide positive indication of channels placed in bypass. This change does not make use of temporary jumpers. Details of the NIS power range bypass test capability are contained in Attachment 4.

For the RTS functions in Table 3.3.1-1, which do not contain a permanently installed test panel, and the ESFAS functions in Table 3.3.2-1, a simple design consisting of permanently installed quick disconnect connectors wired to RTS and ESFAS input relays will allow the use of a temporary test box without the use of temporary jumpers during the performance of the COT. A temporary test box is connected to the reactor protection input relays during testing via a quick disconnect connector which receives 120 VAC instrument bus power from the channel in test and outputs the same 120 VAC to relays in that channel. The test box has switching circuits which provide bypass capability. It is not possible to inadvertently bypass a channel when the test box power is secured or the test box is disconnected. The test box LEDs provide positive indication of channels placed in bypass.

During the performance of the COT, the Main Control Board (MCB) "Channel in Test

annunciator will alarm when the test box is connected and powered up. The MCB annunciator will clear when power is secured to the test box. This will provide an indication to the operators when the channel is in bypass and when the bypass is removed. Additionally, administrative controls (procedures, control key access for locked cabinets) are currently in place for work in the reactor protection channels.

The proposed changes discussed above do not modify trip setpoints or the RTS and ESFAS functions assumed in the safety analyses. Hardware modifications will be made so that testing in bypass can be accomplished without lifting leads or installing temporary jumpers. This meets the conditions specified by the NRC in SERs issued during the review of WCAP-10271-P-A and its supplements. The impact of testing in bypass upon reactor safety was previously evaluated by the NRC during their review of WCAP-10271-P-A and determined to be acceptable.

Hardware changes necessary to facilitate testing in bypass will be implemented in accordance with 1o CFR 50.59. This License Amendment Request addresses the need for the TS changes to support this modification.

The current TS allow an inoperable channel to be placed in bypass for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to allow testing of other channels; however, the channel is currently placed in the tripped state during channel testing. The ability to place a channel in trip will still exist with the new hardware; therefore, this function is not affected. With the proposed TS change, the plant would be able to perform routine testing with a channel in bypass instead of placing the channel that is tested in a tripped condition.

Utilizing the permanently installed equipment and the use of a portable test box will reduce the potential for an inadvertent reactor trip or safeguards actuation due to a failure or spurious transient in a redundant channel.

Page 3

Attachment 1 Evaluation of Proposed Change With a channel in bypass, as an example, the two-out-of-four logic becomes a two-out-of-three logic, and the two-out-of-three logic becomes a two-out-of-two logic; therefore, the Function will still provide the necessary protection. With implementation of this TS change, a spurious reactor trip or safeguards actuation will be avoided, since the partial trip conditions that would have been present are eliminated by placing the channel in bypass, and the coincident logic is maintained by requiring signals from two channels to actuate the protective function.

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements/Criteria The proposed changes to the Ginna TS that will allow testing of the NIS power range functions of the RTS by utilizing permanent test panels are contained in TS Table 3.3.1-1. Westinghouse Report WCAP-18298-P, "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna," (Attachment 4) provides the plant specific basis for testing the NIS channels in bypass.

For the RTS functions contained in TS Table 3.3.1-1, which do not contain a permanently installed test panel, and ESFAS functions contained in Table 3.3.2-1, the following regulatory requirements/criteria apply:

1) General Design Criteria 20 - Protection system functions This Criterion is applicable to the installation of the changes to allow bypass testing with a test box at Ginna because the protection system must still be able to perform its function.

During normal operations, the bypass test box is not connected to the protection system circuitry, i.e., no protection system signals interface with the test box. The passive internal rack test connectors and wiring will have no effect on the reactor protection system because the test box is not normally connected. All Class 1E and non-Class 1E circuits remain isolated from each other.

2) General Design Criteria 21 - Protection system reliability and testability This Criterion is applicable to the use of the bypass testing with a test box, because the bypass testing instrumentation design must show sufficient reliability to ensure that a single failure will not cause the protection system to be unable to perform its function. All postulated failures in the bypass systems that would inadvertently cause the channel in bypass to trip are failures in a safe direction. There is no credible single failure of the bypass test instrumentation that could result in the protection system being degraded to the point of being unable to perform its intended safety function.

3) General Design Criteria 22 - Protection system independence This Criterion is applicable to the use of bypass testing with a test box, because the ability exists, without the proper administrative controls, for the simultaneous bypassing of more than one protection channel at a time. Administrative controls only allow for one reactor protection channel to be tested at a time. Administrative controls are utilized to prevent the bypassing of more than one protection channel at a time and thus conform to this criterion.

Page4

Attachment 1 Evaluation of Proposed Change

4) General Design Criteria 23 - Protection system failure modes This Criterion is applicable to the use of the bypass testing with a test box, because a failure mode of the bypass testing instrumentation will result in a loss of power to the Reactor Protection System channel for a short circuit condition of the permanently installed system connectors or cables. Although highly unlikely, if this condition did occur, the associated reactor protection channel circuit breaker would open and all associated reactor protection circuits would fail to their designed fail-safe condition.

5) General Design Criteria 24 - Separation of protection and control systems Use of the test box will conform with IEEE Standard 279-1971 regarding separation and isolation requirements.

The following Regulatory Guides are applicable:

1) Regulatory Guide 1.47 - Bypass and Inoperable Status Indication for Nuclear Power Plant Sat ety Systems Regulatory Guide 1.47 describes an acceptable method of complying with the requirements of IEEE Standard 279-1971 and states that automatic indication should be provided in the control room for each bypass or deliberately induced inoperable status that meets the following conditions:

a. Renders inoperable any redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the system it actuates to perform their safety-related functions.

b. Is expected to occur more frequently than once per year.

c. Is expected to occur when the affected system is normally required to be operable.

Bypass testing with a test box meets these conditions. By placing a protection system channel in the bypass mode, that channel of the protection system is rendered inoperable.

For any channel that is placed in the bypass mode, an automatic annunciation is initiated in the main control room.

2) Regulatory Guide 1.53 - Application of Single-Failure Criterion to Nuclear Power Plant Protection Systems IEEE Standard 379-1972 addresses the single failure criterion in nuclear power plant protection systems. All postulated failures in the bypass systems that would inadvertently cause the channel in bypass to trip are failures in a safe direction. There is no credible single failure of the bypass test instrumentation that could result in the protection system being degraded to the point of being unable to perform its intended safety function.

Page 5

Attachment 1 Evaluation of Proposed Change

3) Regulatory Guide 1.75, Revision 3 - Physical Independence of Electrical Systems Regulatory Guide 1.75 endorses and prescribes acceptable methods for complying with the requirements of IEEE Standard 279-1971 with respect to the physical independence of electrical systems.

The bypass test instrumentation connection panels and associated wiring are safety related.

The reactor protection cabinets in which the connection panels and wiring is installed are safety related. The bypass test connection panel relays that interface with the annunciator system are also safety related. These relays will be actuated by safety-related instrument bus power during testing only when the test box is connected and powered up. The non-safety annunciator system will remain electrically isolated from the safety-related power via relay contacts.

4) Regulatory Guide 1.89, Revision 1 - Environmental Qualification of Certain Electrical Equipment Important to Safety for Nuclear Power Plants Regulatory Guide 1.89 endorses IEEE Standard 323-1974. The bypass test instrumentation connection panels and associated wiring are located in a mild environment (control room) and are qualified to IEEE Standard 323-1974/1983.

5) Regulatory Guide 1.100, Revision 3 - Seismic Qualification of Electric and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants Regulatory Guide 1.100 endorses IEEE Standard 344-2004 and previous revisions of the standard. The connection panel, annunciator relay, and wiring are qualified to IEEE Standard 344-1975/1987.

The differences between the IEEE Standard 344-1987 and IEEE Standard 344-2004 standards are addressed below:

a. A review of plant SQUG (Seismic Qualification Utility Group) SEWS (Screening Evaluation Worksheets) shows that the addition of the connection panels, relay, and wiring is bounded by the existing evaluation which is based on experience data.

b. High frequency ground motion for hard-rock based plants is not applicable because Ginna is not a hard-rock based plant.

6) Regulatory Guide 1.118, Revision 3 - Periodic Testing of Electric Power and Protection Systems This Regulatory Guide endorses IEEE Standard 388-1987 for periodic testing of protection systems subject to providing a method of preventing the expansion of any bypass condition to redundant channels. This is accomplished by administrative control of access to bypass capability. The latest version of Regulatory Guide 1.118 was compared to the previous version and the following changes were noted:

a. Ginna will have administrative controls in place to perform periodic surveillance testing (COT and channel calibration) when using the bypass test instrumentation.

Page 6

Attachment 1 Evaluation of Proposed Change

b. The sensors (transmitters and Resistance Temperature Detectors (RTDs)) are not directly connected to the bypass test instrumentation hardware. The bypass test instrumentation bypass test connection panel wiring is connected to the associated input relays and channel-in-test annunciator circuit; therefore, sensor testing does not apply to the bypass test instrumentation hardware. The bypass test instrumentation hardware does not interfere with required testing of any instrument channel components. The instrumentation bypass test connection panel only provides the capability to test the instrument channel components in the bypass mode and only when the test box is connected. The description for a logic system functional test, as noted in Section 6.3.5 of IEEE Standard 338-1987, implies that the sensor is included. A logic system functional test is to be a test of all logic components (i.e., relays and contacts, trip units, logic elements, etc.) of a logic circuit, from as close to the sensor as practicable up to but not including the actuated device, to verify operability.

7) Regulatory Guide 1.22, Revision O - Periodic Testing of Protection System Actuation Functions The bypass test instrumentation bypass test connection panel with the use of the test box provides a preferred means for periodic testing because it allows testing a channel in bypass instead of trip and reduces the potential for a spurious reactor trip during testing. When an entire reactor protection channel is being tested (i.e., periodic logic testing where the input relay is cycled), the trip signal is unaffected as the test box is not connected. A channel cannot be bypassed unless the test box is connected to the bypass connection panel.

The instrumentation bypass test connection panel (when using the test box) provides a means of supplying 120 VAC power to the ATS and ESFAS input relays. The instrumentation bypass test connection panel wiring is permanently connected to terminal block connections for the associated input relay. The instrumentation bypass test connection panel will not interfere with the testing of the actuation devices as long as the test box is not connected and powered up.

This is administratively controlled. The test box is connected only during that testing that does not include the actuation device. A main control board annunciator alerts the operators when the test box is connected and powered up.

Channels are isolated from each other; therefore, placing one channel in bypass cannot result in placing any other channel in bypass. The bypass test instrumentation channels, with the test box connected, provides automatic annunciation when the capability to bypass is present.

The bypass test instrumentation bypass test connection panel is a passive connection when the test box is not connected. The instrumentation bypass test connection panel will not interfere with testing of the actuation devices and the required testing of the actuation devices will not be affected by the bypass test instrumentation connection panel.

8) Regulatory Guide 1.30, Revision O - Quality Assurance Requirements for the Installation, Inspection and Testing of Instrumentation and Electric Equipment Ginna will comply with Regulatory Guide 1.30 for installation, inspection, and maintenance testing.

Page 7

Attachment 1 Evaluation of Proposed Change 4.2 Precedent The NRC has approved similar submittals as indicated below:

1) Letter from B. L. Mozafari (U.S. Nuclear Regulatory Commission) to M. J. Pacilio (Exelon Generation Company, LLC), "Braidwood Station, Units 1 and 2 and Byron Station, Unit Nos. 1 and 2 - Issuance of Amendments RE: Revision of Technical Specifications (TS) 3.3.1, 'Reactor Trip System Instrumentation,' and TS 3.3.2,

'Engineered Safety Feature Actuation System Instrumentation' (TAC Nos. ME5836, ME5837, ME5838, and ME5839)," dated March 30, 2012.

2) Letter from J. Wiebe (U.S. Nuclear Regulatory Commission) to M. J. Pacilio (Exelon Generation Company, LLC), "Braidwood Station, Units 1 and 2, and Byron Station, Unit Nos. 1 and 2 - Issuance of Amendments to Clarify Technical Specifications 3.3.1,

'Reactor Trip System Instrumentation,' and TS 3.3.2, 'Engineered Safety Feature Actuation System Instrumentation' (TAC Nos. MF4023, MF4024, MF4025, and MF4026)," dated December 7, 2014.

3) Letter from T. Wengert (U.S. Nuclear Regulatory Commission) to R. Braun (PSEG Nuclear LLC), "Salem Nuclear Generating Station, Unit Nos. 1 and 2 - Issuance of Amendments RE: Revision to Reactor Trip System Instrumentation Technical Specifications (CAC Nos. MF6067 and MF6068)," dated March 28, 2016.

4.3 No Significant Hazards Consideration Exelon Generation Company, LLC (EGC) has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The Reactor Trip System (ATS) and Engineered Safety Feature Actuation System (ESFAS) provide plant protection and are part of the accident mitigation response. The ATS and ESFAS functions do not themselves act as a precursor or an initiator for any transient or design basis accident; therefore, the proposed change does not significantly increase the probability of any accident previously evaluated.

The structural and functional integrity of the ATS and ESFAS, or any other plant system, is unaffected. The proposed change does not alter or prevent the ability of structures, systems, and components to perform their intended function to mitigate the consequences of an initiating event within the assumed acceptance limits. Surveillance testing in the bypass condition will not cause any design or analysis acceptance criteria to be exceeded.

Under the proposed change, the channel being tested may be bypassed. The number of available channels with one channel in bypass for testing will remain the same as the number of channels available when testing in trip. The number of channels to trip will be unchanged when testing in bypass while the number of channels to trip is reduced to one Page 8

Attachment 1 Evaluation of Proposed Change when testing in trip. Although there may be a slight increase in the possibility that the failure of a channel could prevent the actuation of a function (because testing in bypass could result in two-out-of-two logic while testing in trip would have resulted in one-out-of-two logic),

testing in bypass will reduce the vulnerability to inadvertent actuation of a function while maintaining the required number of channels to trip. The impact of using bypass test capability upon nuclear safety has been previously evaluated by the NRG and determined to be acceptable in WCAP-10271-P-A and its supplements. Thus, testing in bypass when all channels are operable does not involve a significant increase in the probability or consequences of an accident previously evaluated.

Under the proposed change, the channel being tested may be bypassed when another channel is concurrently inoperable and in a tripped condition. As a result, one channel in bypass and another in trip leaves one-out-of-two operable channels to initiate the protective function (if the initial logic is two-out-of-four) or one-out-of-one operable channels to initiate the protective function (if the initial logic was two-out-of-three). Thus, testing in bypass with one channel inoperable does not involve a significant increase in the probability or consequences of an accident previously evaluated.

Implementation of the bypass testing capability does not affect the integrity of the fission product barriers utilized for mitigation of radiological dose consequences as a result of an accident. Plant response as modeled in the safety analyses is unaffected. Hence, the releases used as input to the dose calculations are unchanged from those previously assumed.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

Surveillance testing in bypass does not affect accident initiation sequences or response scenarios as modeled in the safety analyses. No new operating configuration is being imposed by the surveillance testing in bypass that would create a new failure scenario. The ATS and ESFAS will continue to have the same setpoints after the proposed change is implemented. In addition, no new failure modes are being created for any plant equipment.

The bypass test instrumentation has been designed to applicable regulatory and industry standards. Fault conditions, failure detection, reliability and equipment qualification have been considered. The modifications do not result in any new or different accident scenarios.

The types of accidents defined in the UFSAR continue to represent the credible spectrum of events to be analyzed which determine safe plant operation.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

Page 9

Attachment 1 Evaluation of Proposed Change

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

No safety analyses were changed or modified as a result of the proposed TS change to reflect installed bypass test capability. The proposed change does not alter the manner in which safety limits, limiting safety system settings, or limiting conditions for operation are determined. Margins associated with the current safety analyses acceptance criteria are unaffected. The current safety analyses remain bounding since their conclusions are not affected by performing surveillance testing in bypass. The safety systems credited in the safety analyses will continue to be available to perform their mitigation functions.

Implementation of testing in bypass results in an overall improvement in safety because the capability to test the channels in bypass will reduce the potential for an inadvertent reactor trip or safeguards actuation due to a failure or spurious transient in a redundant channel.

Therefore, the proposed change does not result in a significant reduction in a margin of safety.

4.4 Conclusions In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

Page 10

Attachment 2 Markup of Proposed Technical Specifications Pages REVISED TECHNICAL SPECIFICATIONS PAGES 3.3.1-2 3.3.1-4 3.3.1-5 3.3.1-6 3.3.1-9 3.3.1-10 3.3.2-2 3.3.2-3 Inserts 1 - 11

RTS Instrumentation 3.3.1 CONDITION REQUIRED ACTION COMPLETION TIME D. As required by Required 0.1 Action A. 1 and referenced by Table 3.3.1-1. ~ *-----------------

-NOTE-

- 'the inoperable channel

!INSERT *1 l?* may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing of other channels.

Place channel in trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months E. As required by Required E.1 Reduce THERMAL POV\ER 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Action A. 1 and referenced to < 5E-11 amps.

by Table 3.3.1-1.

OR E.2

- NOTE-Required Action E.2 is not applicable when:

a. Two channels are inoperable, or

b. THERMAL POWER is

< SE-11 amps.

Increase THERMAL 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months POWER to,;:: 8% RTP.

F. As required by Required F.1 Open RTBs and RT8Bs Immediately upon Action A.1 and referenced upon discovery of two discovery of two by Table 3.3.1-1. inoperable channels. inoperable channels AMO R.E. Ginna Nuclear Power Plant 3.3.1-2 Amendment 112

RTS Instrumentation 3.3.1 CONDITION REQUIRED ACTION COMPLETION TIME H.3 Restore channel to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months OPERABLE status.

I. Required Action and 1.1 Initiate action to fully insert Immediately associated Completion all rods.

Time of Condition H not met. AND 1.2 Place the Control Rod Drive 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months System in a condition incapable of rod withdrawal.

J. As required by Required J.1 Immediately Action A. 1 and referenced -----~NOTE:------*

by Table 3.3.1-1.

Plant temperature changes are allowed provided the temperature change is accounted for in the calculated SOM.

Suspend operations involving positive reactivity additions.

AND J.2 Perform SR 3.1.1.1. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND Once per *12 hours thereafter K. As required by Required K.1 Action A. 1 and referenced

?f *-------------~---

-NOTE-by Table 3.3.1-1.

_ ,.,,,'.The inoperable channel

[l~ISERT 4 1---- / may be bypassed for up to 4

/

/ hours for surveillance

)

"-* testing of other channels.

Place channel in trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months R.E. Ginna Nuclear Power Plant 3.3.1-4 Amendment 112

RTS Instrumentation 3.3,1 CONDITION REQUIRED ACTION COMPLETION TIME L. Required Action and Reduce THERMAL PO\JIJER 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion to< B.5% RTP.

Time of Condition K not met.

M. As required by Required M.1 Action A. 1 and referenced *- - - - - - - - - - - - - - - -

byTable3.3.1-1 . ~/: -NOTE-lNSERT _ _ ___ 1 -fhe inoperable channel

l. 5 1 . / may be bypassed for up to 4

~ / hours for surveillance

~ testing of other channels.

Place channel in trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months N. As required by Required N.1 Restore channel to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action A.1 and referenced OPERABLE status.

by Table 3.3.1-1.

0. Required Action and 0 .I Reduce THERMAL POV\iER 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion ta< 30% RTP.

Time of Condition M or N not met.

P. As ~equired by Required P.1 Action A.1 and referenced by Table 3.3.1-1.

- NOTE-The inoperable channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for swveillance testing of other channels.

Place channel in trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months

a. Required Action and Q.1 Reduce THERMAL POV'vER 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Associated Completion to< 50% RTP .

Time of Condition P not met.

R.E. Ginna Nuclear Power Plant 3.3.1-5 Amendment 112

RTS Instrumentation 3.3.1 CONDITION REQUIRED ACTION COMPLETION TIME Q.2.1 Verify Steam Dump System 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months is OPERABLE.

QB Q.2.2 Reduce THERMAL POV\ER 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months to< 8% RTP.

R. As required by Required R.1 Action A.1 and referenced by Table 3.3.1*1.

----:NorE:------*

One train may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing provided the other train is OPERABLE.

Restore train to OPERABLE 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months status.

s. As required by Required ~ Verify interlock is in~ed 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Action A.1 and referenced , state for existing pl ,

_ '"></

by Table 3.3.1-1. ' ' .conditions. _,/

6R 1------

r1NSERT 11 S.2 ~are ass'O'o4'1ted RTS 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months

/ . Function channetfs.(

/ inoperable. ....._

R.E. Ginna Nuclear Power Plant 3.3.1-6 Amendment 112

RTS Instrumentation 3.3.1 SURVEILLANCE FREQUENCY SR 3.3.1.4 Perform TADOT. In accordance with the Surveillance Frequency Control Program SR 3.3.1.5 Perform ACTUATION LOGIC TEST. In accordance with I SR 3.3.1.6 -NOTE-the Surveillance Frequency Control Program Not required to be performed until 7 days after THERMAL POWER is~ 50% RTP, but prior to exceeding 90% RTP following each refueling.

l Calibrate excore channels to agree with incore In accordance with detector measurements. the Surveillance Frequency Control Program SR 3.3.1.7 - NOTE -

?! Not required to be performed for source range

[]-/I instrumentation prior to entering MODE 3 from MODE 2 until 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after entering MODE 3.

Perform COT. In accordance with the Surveillance Frequency Control Program SR 3.3.1.8 -NOTE-

1. Not required for power range and intermediate range instrumentation until 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reducing power < 6% RTP.

2. Not required for source range instrumentation until 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reducing power < SE-11 amps.

Perform COT. In accordance with the Surveillance Frequency Control Program R.E. Ginna Nuclear Power Plant 3.3.1-9 Amendment No. 122

RTS Instrumentation 3.3.1 SURVEILLANCE FREQUENCY SR 3.3.1.9 -NOTE-Setpolnt verification is not required.

I Perform TADOT. In accordance with the Surveillance Frequency Control Program SR 3.3.1 .10 - NOTE-Neutron detectors are excluded.

I Perform CHANNEL CALIBRATION. In accordance with the Surveillance Frequency Control Program SR 3.3.1.11 Perform TADOT. In accordance with I SR3.3.1.12 - NOTE-the Surveillance Frequency Control Program Setpoint verification is not required.

jlNSERT10~ F Prior to reactor startup if not

~.erform TADOT. pertormed within previous 31 days SR 3.3.1.13 Perform COT.

l In accordance with the Surveillance Frequency Control Program R.E. Ginna Nuclear Power Plant 3.3.1-10 Amendment No. *122

ESFAS Instrumentation 3.3.2 CONDITION REQUIRED ACTION COMPLETION TIME F. As required by Required F: 1 Action A. 1 and referenced *- - - - - - - - - - - - - - - -

by Table 3.3.2-1. ____-7-. - NOTE -

!I NSERT 6 1---

/

l1 ~a~ ~~~~::~:~:~~rn~~

1 hours1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for surveillance to 4

2. testing of the other channels.

Place channel in trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months G. Required Action and G.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion Time of Condition D, E, or AND F not met.

Bein MODE4. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months G.2 H. As required by Required H.1 Restore channel to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Action A. 1 and referenced OPERABLE status.

by Table 3.3.2-1.

1. As required by Required 1.1 Restore train to OPERABLE 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action A.1 and referenced status.

by Table 3.3.2-1.

J. As required by Required J.1 Action A.1 and referenced * - - - - - - - - - - - - ____ _

by Table 3.3.2-1. )'. - NOTE*

INSERT ~l----;4 Theinoperablechannel

[ 7 / *may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance

2. testing of the other channels.

Place channel In trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months K. Required Action and K.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion Time of Condition H, I, or AND J not met.

K.2 BeinMODE5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months R.E. Ginna Nuclear Power Plant 3.3.2-2 Amendment 109

ESFAS Instrumentation 3.3.2 CONDITION REQUIRED ACTION COMPLETION TIME L. As required by Required L.1 Action A. 1 and referenced *,- - - - -: NOTE--- - - - - - -

by Table 3.3.2-1.

~~he inoperable channel I

!INSERT 8 r - ) may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance

[2 testing of the other channels.

Place channel in trip. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months M. Required Action and M.1 Bein MODE3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion Time of Condition L not AND met M.2 Reduce pressurizer 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months pressure to < 2000 psig.

N. As required by Required N.1 Declare associated Auxiliary Immediately Action A.1 and referenced Feedwater pump inoperable by Table 3.3.2-1. and enter applicable condition(s) of LCO 3.7.5, "Auxiliary Feedwater (AFW)

System."

SURVEILLANCE REQUIREMENTS

- NOTE-Refer to Table 3.3.2-1 to determine which SRs apply for each ESFAS Function.

SURVEILLANCE FREQUENCY I SR 3.3.2.1 Perform CHANNEL CHECK. In accordance with the Surveillance Frequency Control Program SR3.3.2.2 Perform COT. In accordance with the Surveillance Frequency Control INSERT 9 Program R.E. Ginna Nuclear Power Plant 3.3.2*3 Amendment No. 122

INSERT 1

1. For Functions 2a, 2b, 5, 6, 7b, 8, and 13, one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

INSERT 2

2. The RTS input relays are excluded from this surveillance for Functions 2a, 5, 6, 7a, 7b, 8, 9a, 9b, and 13.

INSERT 3

3. The RTS input relay is excluded from this surveillance for Function 2b.

INSERT 4

1. For Functions 7a and 9b, one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

INSERT 5

1. For Function 9a, one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

INSERTS

1. For Functions 4c and 5b, one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

INSERT 7

1. For Functions 1c, one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

INSERT 8

1. For Functions 1d and 1e, one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

INSERT 9

-NOTE-The ESFAS input relays are excluded from this surveillance for Functions 1c, 1d, 1e, 4c, and Sb.

INSERT 10

-NOTE-The RTS permissive input relays are excluded from this surveillance for Functions 16c, 16d, and 16e.

INSERT 11 S.1

-NOTE-For Functions 16c, 16d, and 16e.

one channel may be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing.

Verify interlock is in required state for existing plant conditions.

S.2 Declare associated RTS Function channel(s) inoperable.

Attachment 3 Revised Technical Specifications Bases Pages REVISED TECHNICAL SPECIFICATIONS BASES PAGES B 3.3.1-43 B 3.3.1-46 B 3.3.1-47 B 3.3.2-32 B 3.3.2-35 Inserts A- D

RTS Instrumentation 83.3.1 Pressurizer Pressurizer-High; Pressurizer Water Level-High; Reactor Coolant Flow-Low (Single Loop);

Reactor Coolant Flow-Low (Two Loops); and SG Water Level-Low Low A COT is performed on each required channel to ensure the channel will perform the intended Function. The as-found setpoints must be within the COT Acceptance Criteria specified within plant procedures. The as-left values must be consistent with the setting tolerance used in the setpoint methodology (Ref. 8). two Notes. Note 1 This SR is modified by a Mote that$rovides a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months delay in the requirement to perform this sul'\leillance for source range instrumentation when entering MODE 3 from MODE 2. This Nate allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1. 7 is no longer required to be performed. If the plant is in MODE 3 with the RTBs closed far greater than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , this SR must be perfamed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after entry into MODE 3.

_ _ _ _ ___.tI~ S l'-*lNSERTA *n F . lied The urvet ance requency 1s contro under the Surveillance I Frequency Control Program.

.--------------------~---.

three Notes. Notes 1 and 2 SR 3.3.1.8 This SR is the performance of a COT as described in R 3.3.1. 7 for the Power Range Neutron Flux-Low, Intermediate Rang Neutron Flux, and Source Range Neutron Flux (MOOE 2), except that t is test also Includes verification that the P-6 and P-1 Ointerlocks are in t ir required state for the existing plant condition. This SR is modified by two Notes that provide a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months delay in the requirement to perform this surveillance.

These Notes allow a normal shutdown to be completed and the plant removed from the MODE of Applicabil\ty for this sul'\leillance without a delay to perform the testing required by this surveillance. The Frequency I is in accordance with the Sul'\leillance Frequency Control Program if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reducing power below P-1 O or P-6.

p..._N_S_E_RT_B_ ___.~

R.E. Ginna Nuclear Power Plant 8 3.3.1-43 Revision 77

RTS Instrumentation B 3.3.1 SR 3.3.1.11 This SR is the performance of a TADOT of the Manual Reactor Trip, RCP 1 Breaker Position, and the SI Input from ESFAS trip Functions. This test Independently verifies the OPERABILITY of the undervoltage and shunt trip mechanisms far the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.12 This SR is the performance of a TADOT for Turbine Trip Functions which is performed prior to reactor startup if it has not been pertormed within the last 31 days. This test shall verify OPERABILITY by actuation of the end devices.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

This SR Is modified by a Note stating that verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to taking the reactor critical because portions of this test cannot be pertorrned with the reactor at power.

_ _ _ _ ____.' -~SR 3.3.1.13 jlNSERTC ~

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

R.E. Ginna Nuclear Power Plant B 3.3.1-46 Revision 77

ATS Instrumentation 83.

3.1 REFERENCES

1. Atomic Industry Forum {AIF) GDC 14, Issued for comment July 10, 1967.

2. 10 CFR 50.67.

3. American National Standard, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," N18.2-1973.

4. UFSAR, Chapter7.

5. UFSAR, Chapter 6.

6. UFSAR, Chapter 15.

7. IEEE-279-1971.

8. EP-3-S-0505, "Instrument Setpoint/Loop Accuracy Calculation Methodology".

9. Deleted .

.1

10. "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna," WCAP-18298-P, September 2017.

)

R.E. Ginna Nuclear Power Plant B 3.3.1-47 Revision 77

ES FAS Instrumentation 83.3.2 CHANNEL CHECK acceptance criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, Including indication and readability. If a channel is outside the criteria, 1t may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR3.3.2.2

!INSERT D >

This SR is the performance of a COT every 92 days for the following ESFAS functions:

SI-Containment Pressure-High:

SI-Pressurizer Pressure-Low; SI-Steam Line Pressure-Low; CS-Containment Pressure-High High; Steam Line lsolation-Conta111ment Pressure-High High; Steam Line Isolation-High Steam Flow Coincident with SI and Tavg- Low; Steam Line Isolation-High-High Steam Flow Coincident with SI; Feedwater lsolation-SG Water Level-High; and AFW-SG Water Level-Low Low.

A COT is periormed on each required channel to ensure the channel will perform the intended Function. Setpoints must be found to be within the COT Acceptance Criteria specified in plant procedures. The as-left values must be consistent with the drift allowance used in the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance l Frequency Control Program.

R.E. Ginna Nuclear Power Plant B 3.3.2~32 Revision T1

ESFAS Instrumentation B 3.

3.2 REFERENCES

1. Atomic Industrial Forum (AIF) GDC 15, Issued for Comment July 10, 1967.

2. UFSAR, Chapter 7.

3. UFSAR, Chapter 6.

4. UFSAR, Chapter 15.

5. IEEE-279-1971.

6. EP-3-S-0505, "Instrument Setpoint/Loop Accuracy Calculation Methodology".

7. WCAP-10271-P-A, Supplement2. Rev. 1, June 1990.

8. "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna," WCAP-18298-P, September 2017 .

__)'

R.E. Ginna Nuclear Power Plant B 3.3.2-35 Revision42

INSERT A Note 2 states that the RTS input relays are excluded from this surveillance for these Functions. These Functions have installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

INSERT B Note 3 states that the RTS input relays are excluded from this surveillance for this Function. This Function has installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

INSERTC SR 3.3.1.13 is modified by a Note. The Note states that the RTS permissive input relays are excluded from this surveillance for the Functions specified. These Functions have installed bypass test capability.

For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

INSERT D SR 3.3.2.2 is modified by a Note. The Note states that the ESFAS input relays are excluded from this surveillance for the Functions specified. These Functions have installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

Attachment 5 "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna,"

WCAP-18298-NP, September 2017 (Non-Proprietary Version)

Westinghouse Non-Proprietary Class 3 WCAP-18298-NP September 2017 Revision 0 Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna

Westinghouse Non-Proprietary Class 3 WCAP-18298-NP Revision 0 Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna Frank P. Ferri*

Plant Licensing and Engineering September 2017 Reviewer: James D. Andrachek*

Plant Licensing and Engineering Frederick W. Hantz*

Nuclear Instrumentation System Approved: Cameron C. Martin*, Manager Plant Licensing and Engineering Robert E. Single*, Manager Nuclear Instrumentation System

Electronically approved records are authenticated in the electronic document management system.

Westinghouse Electric Company LLC 1000 Westinghouse Drive Cranberry Township, PA 16066, USA

i ABSTRACT In order to reduce the potential for spurious reactor trips, which reduces the potential transient associated with a trip, a modification can be implemented that allows testing of the Reactor Trip System (RTS) channels in a bypassed condition, as opposed to the tripped condition. If a channel is in the tripped condition, and a second comparator trips in a redundant channel, which can be caused by a human error, spurious transient, or channel failure, this will result in a reactor trip. With the Bypass Test Instrumentation (BTI), a spurious reactor trip will be avoided, which reduces the potential transient associated with a reactor trip. Routine bypass testing capability is being provided for the Power Range Nuclear Instrumentation System (NIS) reactor trip functions.

Various aspects of the BTI installation are addressed in this topical report (TR). These aspects include a demonstration of the functionality of the BTI hardware, the BTI design features which comply with the applicable U.S. Nuclear Regulatory Commission (NRC) regulations, regulatory guidance, and industry standards associated with testing in bypass. The administrative controls that will be implemented are also identified.

WCAP-18298-NP September 2017 Revision 0

ii TABLE OF CONTENTS ABSTRACT................................................................................................................................................... i LIST OF TABLES ....................................................................................................................................... iv LIST OF FIGURES ...................................................................................................................................... v ACRONYMS ............................................................................................................................................... vi 1 INTRODUCTION ........................................................................................................................ 1-1 2 BACKGROUND .......................................................................................................................... 2-1 3 DETAILED DESIGN DESCRIPTION......................................................................................... 3-1 3.1 NIS BYPASS PANEL ...................................................................................................... 3-1 3.2 FAULT CONDITIONS .................................................................................................... 3-2 3.3 FAILURE DETECTION ................................................................................................. 3-2 3.4 HUMAN FACTORS/ADMINISTRATIVE CONTROL ................................................. 3-3 3.5 RELIABILITY................................................................................................................. 3-4 3.6 INDICATION AND ANNUNCIATION .......................................................................... 3-4 3.7 OPERATOR ACTIONS ................................................................................................... 3-4 3.8 EQUIPMENT QUALIFICATION ................................................................................... 3-5 3.9 ELECTROMAGNETIC COMPATIBILITY ................................................................... 3-5 3.10 DISCUSSION OF BTI PANEL ....................................................................................... 3-5 4 COMPLIANCE WITH THE APPLICABLE REGULATIONS, REGULATORY GUIDES, AND INDUSTRY STANDARDS .......................................................................................................... 4-1 4.1 GDCs ............................................................................................................................... 4-1 4.1.1 GDC 2 - Design Bases for Protection from Natural Phenomena .................... 4-1 4.1.2 GDC 19 - Control Room ................................................................................. 4-1 4.1.3 GDC 20 - Protection System Functions .......................................................... 4-2 4.1.4 GDC 21 - Protection System Reliability and Testability ................................ 4-2 4.1.5 GDC 22 - Protection System Independence ................................................... 4-2 4.1.6 GDC 23 - Protection System Failure Modes .................................................. 4-2 4.1.7 GDC 24 - Separation of Protection and Control Systems ............................... 4-2 4.2 RGs .................................................................................................................................. 4-3 4.2.1 RG 1.47, Rev. 1 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems ............................................................................ 4-3 4.2.2 RG 1.53, Rev. 2 - Application of Single Failure Criterion to Nuclear Power Plant Protection Systems ................................................................................. 4-5 4.2.3 RG 1.75, Rev. 3 - Physical Independence of Electric Systems ....................... 4-6 4.2.4 RG 1.89, Rev. 1 - Qualification of Class 1E Equipment for Nuclear Power Plants ............................................................................................................... 4-6 WCAP-18298-NP September 2017 Revision 0

iii 4.2.5 RG 1.100, Rev. 3 - Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants .............................................................. 4-9 4.2.6 RG 1.118, Rev. 3 - Periodic Testing of Electric Power and Protection Systems

......................................................................................................................... 4-9 4.2.7 RG 1.22, Rev. 0 - Periodic Testing Of Protection System Actuation Functions

....................................................................................................................... 4-10 4.2.8 RG 1.30, Rev. 0 - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment ............. 4-11 4.3 IEEE STANDARDS ...................................................................................................... 4-11 4.3.2 IEEE Standard 379-2000 ............................................................................... 4-14 4.3.3 IEEE Standard 384-1974 ............................................................................... 4-15 4.3.4 IEEE Standard 344-2004 ............................................................................... 4-15 4.3.5 IEEE Standard 338-1987 ............................................................................... 4-15 4.3.6 IEEE Standard 323-1974 ............................................................................... 4-15 5 CONCLUSION ............................................................................................................................. 5-1 6 REFERENCES ............................................................................................................................. 6-1 WCAP-18298-NP September 2017 Revision 0

iv LIST OF TABLES Table 5-1. NIS Comparators to by Bypassed ............................................................................................ 5-1 Table 5-2. NIS BTI Panel Part Numbers................................................................................................... 5-1 WCAP-18298-NP September 2017 Revision 0

v LIST OF FIGURES Figure 5-1. NIS Bypass Panel Diagram .................................................................................................... 5-2 WCAP-18298-NP September 2017 Revision 0

vi ACRONYMS AOT Allowed Outage Time BTI Bypass Test Instrumentation ESF Engineered Safety Feature ESFAS Engineered Safety Feature Actuation System FAT Factory Acceptance Test GDC General Design Criteria IEEE Institute of Electrical and Electronics Engineers LED Light Emitting Diode LOCA Loss-of-Coolant Accident MCB Main Control Board MSLB Main Steam Line Break NIS Nuclear Instrumentation System NRC U.S. Nuclear Regulatory Commission OBE Operating Basis Earthquake PC Printed Circuit PR Power Range PWROG Pressurized Water Reactor Owners Group RG Regulatory Guide RPS Relay Protection System RTS Reactor Trip System SER Safety Evaluation Report SSE Safe Shutdown Earthquake SSPS Solid State Protection System TR Topical Report TS Technical Specifications VAC Voltage Alternating Current WOG Westinghouse Owners Group WCAP-18298-NP September 2017 Revision 0

1-1 1 INTRODUCTION The Reactor Trip System (RTS) Nuclear Instrumentation System (NIS) Power Range (PR) functions utilize a two-out-of-four coincidence logic from redundant channels to initiate protective actions. In the current design, the RTS NIS PR analog channel comparators are placed in the tripped condition during channel testing or if a channel is inoperable. In the current design of testing a channel in the tripped condition, a redundant channel cannot be tested without bypassing an inoperable channel that is in the tripped condition. Additionally, routine testing of a channel in the tripped condition can result in the potential for an unnecessary reactor trip if a second comparator trips in a redundant channel, which can be caused by a human error, spurious transient, or channel failure.

The benefits associated with the installation of the Bypass Test Instrumentation (BTI) at the R. E. Ginna Nuclear Power Plant (Ginna) are:

Analog channel online surveillance testing can be performed with the comparator outputs bypassed, rather than tripped, thus reducing the potential for unnecessary reactor trips due to a failure or transient in a redundant channel.

Surveillance testing can be performed on an operable channel in bypass, if a redundant channel is inoperable and in the tripped condition, reducing the potential for a spurious reactor trip by testing in bypass.

One channel of the PR reactor trip function can be bypassed for maintenance, as opposed to being in the tripped condition.

The BTI is integral to the existing racks, thus eliminating the need for portable test equipment, lifting leads, or using jumpers to bypass the channel, which is prohibited on a routine basis.

This Topical Report (TR) provides the licensing basis for the BTI for Ginna. It is structured into five sections, as follows:

1. An introduction of the concept of the BTI and its purpose.

2. A brief background of the issue of bypass testing and prior regulatory positions on this subject.

3. A detailed description of the design of the bypass systems with figures to illustrate the operation.

([XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]a,c)

4. A discussion of how the BTI design complies with the applicable General Design Criteria (GDC),

Regulatory Guides (RGs), and Institute of Electrical and Electronics Engineers (IEEE) Standards.

5. A conclusion supporting the implementation of the BTI.

WCAP-18298-NP September 2017 Revision 0

2-1 2 BACKGROUND In response to a concern regarding the impact of RTS and Engineered Safety Features Actuation System (ESFAS) Technical Specification (TS) instrumentation surveillance testing and maintenance activities on plant operations, i.e., inadvertent reactor trips and ESF actuations, the Pressurized Water Reactor Owners Group (PWROG) (formerly the Westinghouse Owners Group [WOG]) initiated a program to justify extending the RTS and ESFAS instrumentation bypass test times, Completion Times, Allowed Outage Times (AOTs) and Surveillance Frequencies to provide additional time to perform surveillance and maintenance activities. WCAP-10271-P-A and Supplements 1 and 2, Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System (References 1-3) (and WCAP-14333-P-A, Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times [Reference 4]) justified extending the RTS and ESFAS instrumentation bypass test times, Completion Times, AOTs and Surveillance Frequencies. One of the provisions for surveillance testing discussed in References 1-3 was to allow routine testing of the RTS and ESFAS instrumentation channels in a bypassed condition instead of a tripped condition.

The NRC Safety Evaluation Reports (SERs) for WCAP-10271-P-A and Supplements 1 and 2 that were issued in February 1985 (RTS instrumentation) and in February 1989 (ESFAS instrumentation) state that the use of temporary jumpers or the lifting of leads is unacceptable for bypassing a channel for routine surveillance testing.

The installation of the BTI at Ginna will allow testing of the RTS NIS PR channels in a bypassed condition using installed instrumentation, and does not utilize temporary jumpers or the lifting of leads as discussed above.

The use of the installed BTI for the RTS NIS PR channels will result in a reduction in the potential number of inadvertent reactor trips that could potentially occur during testing in a tripped condition.

Testing in bypass eliminates the partial trip condition that is associated with testing in the tripped condition for the affected RTS NIS PR functions.

WCAP-18298-NP September 2017 Revision 0

3-1 3 DETAILED DESIGN DESCRIPTION The bypass system allows the channel to be tested without tripping the channel. The bypass system accomplishes this by imposing a signal in parallel, thus maintaining the Relay Protection System (RPS) in an untripped condition.

3.1 NIS BYPASS PANEL

[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXn XXXXXXXXXXXXXXXXXXX]a,c WCAP-18298-NP September 2017 Revision 0

3-2 The potential for failure of the NIS PR bypass panel is low based on the following characteristics. All components are purely mechanical or electro-mechanical and will perform at least 50,000 operations (based on manufacturers reports) under normal conditions without failure. Over the 40-year life of the plant, it is expected that these components will be exercised less than 200 times. The keylock switch, toggle switch, and relay were cycled 300 times for testing purposes. This constitutes one cycle per quarter for 60 years with an added 25 percent margin.

3.2 FAULT CONDITIONS Each NIS PR bypass panel is separated by a protection set; therefore, a single fault in a bypass panel would not prevent the other three channels from performing the specified safety function. The portions of the BTI panels that are non-Class 1E are isolated from the Class 1E circuits by the K1 relay coil to contact as shown in Figure 5-1. Therefore, there is no possibility that a control system fault could propagate to all of the bypass panels and simultaneously adversely affect all protection sets. Subsection 4.2.3 discusses the isolation and separation of the Class 1E and non-Class 1E equipment in the bypass panels.

The NIS PR bypass panel is protected by a circuit breaker to prevent damage to the panel. The breaker status is monitored by the same LED that indicates that the bypass panel is enabled. This LED will not light if the breaker is tripped. Since this LED is also the indication that the panel is enabled, if this LED is not lit, due to a lack of power to the bypass panel, the bypass panel will not allow any function to go into bypass. This will prevent a channel from being placed into bypass with no bypass signal available.

3.3 FAILURE DETECTION The different types of potential credible failure modes in the NIS PR bypass panel are as follows:

1. Power unavailable to the bypass panel

2. Breaker in the bypass panel tripped

3. An LED failure

4. A contact failure With power unavailable to the bypass panel, the panel is unable to put a channel in bypass. This is easily detected by the absence of a lit LED when the keylock switch is turned from NORMAL to BYPASS ENABLE. Additionally, there is no control room annunciation of the attempt to place a channel in bypass.

The circuit breaker status is monitored by the same LED that indicates that the bypass panel is enabled, i.e., that a channel is bypassed. This LED will not light if the breaker is tripped. Since this LED also provides the indication that the panel is enabled, if this LED is not lit, due to a lack of power, the bypass panel will not allow any channel to go into bypass. This will prevent a channel from being placed into bypass with no bypass signal available (see Figure 5-1).

WCAP-18298-NP September 2017 Revision 0

3-3 3.4 HUMAN FACTORS/ADMINISTRATIVE CONTROL Human Factors and Administrative Controls have been designed into the BTI for Ginna. The design features incorporated that address the Human Factors and Administrative Controls are:

A keylock switch (NIS PR bypass panel)

LEDs on the bypass panels Control board annunciation of the bypass condition Permanently installed bypass test capability The bypass system is located in the cabinets where the protection channels are located. Therefore, the test technician will be aware of the channel that is in bypass and the channels that are not in bypass, without having to depend on a non-local indication.

[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXX]a,c WCAP-18298-NP September 2017 Revision 0

3-4 3.5 RELIABILITY Steps have been taken to ensure the operation of the BTI. The key to ensuring proper BTI operation is associated with the BTI reliability. The BTI is designed with the reliability characteristics necessary to preserve the total integrity of the RPS. The BTI is designed to reduce the frequency of failures through the utilization of highly reliable components.

IEEE Standard 603-1991 delineates certain functional performance requirements regarding the aspects of system reliability for the protection systems. Because the BTI will be implemented to support the RPS, it has been evaluated against those criteria that are applicable to its design.

All of the components of the BTI are mechanical or electro-mechanical and will be reliable for at least 50,000 operations under normal environmental conditions.

3.6 INDICATION AND ANNUNCIATION The BTI is provided with the capability to provide timely and accurate information to the control room operator, as well as the test technician performing the bypass testing. In accordance with IEEE Standard 603-1991 and RG 1.47, control room annunciation must be provided for the status of any NIS PR channel that is put into a bypassed condition. Main control room alarm/status light indicators are provided to ensure that the operator knows which BTI panel has a protection set channel instrumentation loop in the bypass condition.

The BTI has the capability to provide local indication of the status of the channels and the bypass panel.

It can be determined from the position of the keylock switch on the NIS PR bypass panel that the technician has attempted to put the channel in test, and the lighting of the LED on the bypass panel will indicate that power is available to the bypass panel. The LEDs that are associated with the locking toggle switches will identify to the technician that an individual channel has been placed in the bypass condition.

3.7 OPERATOR ACTIONS

[XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX]a,c WCAP-18298-NP September 2017 Revision 0

3-5 3.8 EQUIPMENT QUALIFICATION Equipment qualification for the BTI must address several issues. Since the NIS PR bypass panels are installed in the Class 1E instrumentation racks, it must be shown that: (1) the installation of this bypass system in these instrumentation racks will not adversely affect the seismic qualification of the Class 1E racks, and (2) the panels are able to withstand the required seismic levels associated with Ginna and still continue to show structural integrity and electrical isolation. All components used in the cards and bypass panels are acceptable for the environment expected in the cabinets. The BTI equipment to be installed in the Class 1E instrumentation cabinets was subjected to multi-axis, multi-frequency inputs in accordance with RG 1.100. The equipment was subjected to Westinghouse generic operating basis earthquake (OBE) and safe shutdown earthquake (SSE) testing. The BTI generic seismic qualification and environmental evaluation bounds the Ginna current licensing basis and was performed in accordance with WCAP-8587 (Reference 6).

3.9 ELECTROMAGNETIC COMPATIBILITY The NIS PR bypass panels and associated wiring are completely contained inside a metal cabinet; therefore, the dominant entry of electromagnetic interference would be expected to be conducted through the field cabling. Additionally, the NIS PR bypass panels employ high level signals (118 VAC) that are not susceptible to radiated or conducted interference. The ability of the BTI panel to affect other equipment within the same cabinet is minimal due to the panel metal assembly and, more importantly, the very low duty cycle of the bypass relays. In the event that the BTI panel is required to be placed in bypass, the relays are manually actuated only twice. Additionally, the relays have been provided with arc suppression circuits in order to minimize any interference issues.

3.10 DISCUSSION OF BTI PANEL The comparators that Ginna selected to be bypassed affect the NIS PR Functions as identified in Table 5-1.

Each NIS BTI panel is operated by unit-specific keylock switches. The bypass panel assemblies are part numbers 10154D47G01 through G04, and will use the 3A98714G02 keylock switch. The use of specific keylock switches provides an administrative control to prevent two channels from being placed in bypass at one time. The base panel part number is 4D04921G02.

Finally, the NIS PR panels are individually numbered per channel per unit, as shown in Table 5-2.

WCAP-18298-NP September 2017 Revision 0

4-1 4 COMPLIANCE WITH THE APPLICABLE REGULATIONS, REGULATORY GUIDES, AND INDUSTRY STANDARDS As with any modifications to the RTS, compliance with the applicable regulations, Regulatory Guidance and Industry Standards must be addressed. This section addresses the design of the BTI to the current applicable:

GDCs RGs IEEE Standards 4.1 GDCs The following GDCs are applicable to the BTI and are discussed in Subsections 4.1.1 through 4.1.7:

GDC 2 - Design Bases for Protection Against Natural Phenomena GDC 19 - Control Room GDC 20 - Protection System Functions GDC 21 - Protection System Reliability and Testability GDC 22 - Protection System Independence GDC 23 - Protection System Failure Modes GDC 24 - Separation of Protection and Control Systems 4.1.1 GDC 2 - Design Bases for Protection from Natural Phenomena GDC 2 states that Systems and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. This criterion is applicable to the installation of the BTI at Ginna because the BTI is being added to the Class 1E NIS cabinets. The BTI cannot adversely affect the existing seismic qualification of the cabinets, nor can the BTI become a missile in a seismic event and thus adversely affect any safety-related equipment.

The BTI must also be shown to maintain its required functionality during and after a seismic event.

Equipment qualification reports have been prepared to address all seismic qualification concerns.

Section 3.8 discusses the equipment qualification and seismic concerns related to the BTI at Ginna.

4.1.2 GDC 19 - Control Room GDC 19 states that A control room shall be provided from which actions can be taken to operate the nuclear power plant safely under normal conditions and to maintain it in a safe condition under accident conditions. This criterion is applicable to the installation of the BTI at Ginna because adequate indication and annunciation of the status of the protection system channels (i.e., normal, bypasses, or tripped) must be available to the operators. The BTI has been designed to meet this criterion by providing the operator as well as the test technician with accurate information concerning the status of the channels being tested.

Section 3.6 describes the indication and annunciation design features of the BTI at Ginna and its conformance to this criterion.

WCAP-18298-NP September 2017 Revision 0

4-2 4.1.3 GDC 20 - Protection System Functions GDC 20 states, The protection system shall be designed to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded... This criterion is applicable to the installation of the BTI at Ginna because the protection system must still be able to perform its function after the installation of the BTI.

When the NIS PR BTI is not powered, it is not within the protection system circuitry (i.e., no protection system signals pass through the BTI). Isolation devices are being used as isolators between Class 1E and non-Class 1E circuits. A complete discussion of the administrative control and operator actions to ensure conformance to this criterion are discussed in Sections 3.4 and 3.7, respectively.

4.1.4 GDC 21 - Protection System Reliability and Testability GDC 21 states, The protection system shall be designed for high functional reliability and in service testability commensurate with the safety function to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that no single failure results in loss of the protection function... This criterion is applicable to the installation of the BTI at Ginna because the BTI design must show sufficient reliability to ensure that a single failure will not cause the protection system to be unable to perform its function. A complete discussion of the conformance of the installation of the BTI to the single failure criterion is contained in Subsection 4.2.2.

4.1.5 GDC 22 - Protection System Independence GDC 22 states, The protection system shall be designed to assure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in the loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. This criterion is applicable to the installation of the BTI because the ability exists, without the proper administrative controls, for the simultaneous bypassing of more than one protection set at a time. Section 3.4 discusses the administrative controls that prevent the bypassing of more than one protection set at a time and thus conformance to this criterion.

4.1.6 GDC 23 - Protection System Failure Modes GDC states, The protection system shall be designed to fail into a safe state... if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air) or postulated adverse environments are experienced. This criterion is applicable to the installation of the BTI at Ginna because a failure mode of the BTI is the loss of power to the bypass system. Loss of power, due to either a circuit breaker opening or loss of power to the cabinet, will cause the bypass system to terminate any bypassing that was being performed. The bypass systems will return to their normal operating mode. These results demonstrate conformance to this criterion.

4.1.7 GDC 24 - Separation of Protection and Control Systems GDC 24 states, The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection system leaves WCAP-18298-NP September 2017 Revision 0

4-3 intact a system satisfying all the reliability, redundancy, and independence requirements of the protection system. This criterion is applicable to the installation of the BTI at Ginna because the indication and annunciation of the status of the channels in bypass are part of the control system. Subsection 4.2.3 and Section 5.6 (within Subsection 4.3.1) discuss the BTI conformance to RG 1.75 and IEEE Standard 603-1991, respectively, as pertinent to separation and isolation requirements.

4.2 RGs The following RGs are applicable to the installation of the BTI:

RG 1.47, Rev. 1 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems RG 1.53, Rev. 2 - Application of Single Failure Criterion to Nuclear Power Plant Protection Systems RG 1.75, Rev. 3 - Physical Independence of Electric Systems RG 1.89, Rev. 1 - Qualification of Class 1E Equipment for Nuclear Power Plants RG 1.100, Rev. 3 - Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants RG 1.118, Rev. 3 - Periodic Testing of Electric Power and Protection Systems RG 1.22, Rev. 0 - Periodic Testing Of Protection System Actuation Functions RG 1.30, Rev. 0 - Quality Assurance Requirements for the Installation Inspection, and Testing Instrumentation and Electric Equipment 4.2.1 RG 1.47, Rev. 1 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems RG 1.47 describes an acceptable method of complying with the requirements of IEEE Standard 279-1971and IEEE Standard 603-1991, and states that automatic indication should be provided in the control room for each bypass or deliberately induced inoperable status that meets all of the following conditions:

a. Renders inoperable any redundant portion of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the system it actuates to perform their safety-related functions.

b. Expected to occur more frequently than once per year.

c. Expected to occur when the affected system is normally required to be operable.

WCAP-18298-NP September 2017 Revision 0

4-4 The BTI meets all of these conditions. By placing a protection system channel in the bypass mode, that channel of the protection system is rendered inoperable. For any channel that is placed in the bypass mode, an automatic annunciation is initiated in the main control room. Section 3.6 discussed how the BTI conforms to this RG along with the detailed responses to each of the regulatory positions listed below.

Regulatory positions:

1. Administrative procedures should be supplemented by an indication system that automatically indicates, for each affected safety system or subsystem, the bypass or deliberately induced inoperability of a safety function and the systems actuated or controlled by the safety function.

Provisions should also be made to allow the operations staff to confirm that a bypassed safety function has been properly returned to service.

The BTI hardware automatically indicates through the annunciator signals that the channel has been placed in bypass. In addition, Exelon Generation Company, LLC (Exelon) will have administrative procedures in place to alert the operator when a channel is in bypass.

2. The indicating system of Position 1 above should also be activated automatically by the bypassing or the deliberately induced inoperability of any auxiliary or supporting system that effectively bypasses or renders inoperable a safety function and the systems actuated or controlled by the safety function.

Annunciator signals are provided by the BTI panel. As part of the installation, the site will connect the annunciator signal wires to the main control board (MCB) annunciator panel. These annunciator signals are provided automatically once the BTI panel is switched to bypass mode.

3. Annunciating functions for system failure and automatic actions based on the self-test or self-diagnostic capabilities of digital computer-based I&C safety systems should be consistent with Positions 1 and 2 above.

The BTI panel does not contain any self-test or self-diagnostic capabilities. Furthermore, the BTI panel does not contain any digital computer-based components.

4. The bypass and inoperable status indication system should include a capability for ensuring its operable status during normal plant operation to the extent that the indicating and annunciating functions can be verified.

Status indication is provided locally on the front panel by LEDs and through the MCB annunciator panel.

WCAP-18298-NP September 2017 Revision 0

4-5

5. Bypass and inoperable status indicators should be arranged such that the operator can determine whether continued reactor operation is permissible. The control room of all affected units should receive an indication of the bypass of shared system safety functions.

Bypass status visible through the MCB annunciator panel provides the operator clear and unambiguous indication of the status of particular channel. Exelon will position the panel such that it is visible and unobstructed to the operator. Also see the discussions to regulatory positions 2 and 4 above.

6. Bypass and inoperable status indicators should be designed and installed in a manner that precludes the possibility of adverse effects on plant safety systems. The indication system should not be used to perform functions that are essential to safety, unless it is designed in conformance with criteria established for safety systems.

The BTI front panel indication and MCB annunciator panel are only designed and used for indication purposes. They do not perform any other function.

4.2.2 RG 1.53, Rev. 2 - Application of Single Failure Criterion to Nuclear Power Plant Protection Systems RG 1.53 endorses IEEE Standard 379-2000 with some clarification. IEEE Standard 379-2000 addresses the single failure criterion in nuclear power plant protection systems. A discussion of the BTI adherence to IEEE Standard 379-2000, this RG and the single failure criterion in general is contained in Section 4.3.

A single hardware failure of the BTI hardware cannot cause a channel to inadvertently go into bypass.

The BTI design only includes analog and passive components. The BTI design does not include any microprocessors or digital hardware.

Channel bypass through the BTI panel is accomplished by following these four steps:

1. Main breaker is switched on.

2. Appropriate key is provided to the technician.

3. Key is inserted and turned on the BTI front panel.

4. BTI front panel switch is enabled.

For a channel to inadvertently stay in the bypass mode, the main breaker, the key switch and the toggle switch would all have to fail at the same time. In addition the MCB annunciator panel and the local BTI panel, a LED must also fail for the operators not to identify that a failure has occurred.

WCAP-18298-NP September 2017 Revision 0

4-6 4.2.3 RG 1.75, Rev. 3 - Physical Independence of Electric Systems RG 1.75 endorses and delineates acceptable methods for complying with the requirements of IEEE Standard 279-1971 with respect to physical independence of electric systems.

RG 1.75 discusses requirements for physical separation between Class 1E and non-Class 1E circuits, electrical isolation between Class 1E and non-Class 1E circuits, and requirements for associated circuits.

The BTI is a safety-related assembly. Furthermore, the cabinet that contains the BTI panel and the NIS drawers is considered a safety-related cabinet with only safety-related power applied to the panels and drawers. It should be noted that there are non-safety-related signals (MCB annunciator) exiting the BTI panel, which are isolated from the safety-related signals and hardware by safety-related hardware such as the K1 relays. Section 5.6 (within Subsection 4.3.1) discusses the BTI conformance to IEEE Standard 603-1991, as pertinent to separation and isolation requirements.

4.2.4 RG 1.89, Rev. 1 - Qualification of Class 1E Equipment for Nuclear Power Plants RG 1.89 endorses IEEE Standard 323-1974. A discussion of the BTI conformance to the requirements of IEEE Standard 323-1974 and this RG is contained in Section 4.3.

Regulatory positions:

1. Section 50.49, Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants, of 10 CFR Part 50 requires that safety related electric equipment (Class lE) as defined in paragraph 50.49(b)(1) be qualified to perform its intended safety functions.

The BTI generic seismic qualification and environmental evaluation was performed in accordance with WCAP-8587 (Reference 6).

2. Paragraph 50.49(d) and Section 6.2 of IEEE Std 323-1974 require equipment specifications to include performance and environmental conditions. For the requirements called for in item (7) of Section 6.2 of IEEE 323-1974 and paragraph 50.49(d)(3), the following should be included:

a. Temperature and Pressure Conditions Inside Containment for Loss-of-Coolant Accident (LOCA) and Main Steam Line Break (MSLB).

b. Effects of Sprays and Chemicals.

c. Radiation Conditions Inside and Outside Containment.

d. Environmental Conditions for Equipment Outside Containment.

Items 2a, 2b and 2c are not applicable to Exelon BTI equipment due the location of the hardware.

Item 2d is addressed because the BTI panels are located in the control room environment, which is considered to be a mild environment as described in Reference 5.

WCAP-18298-NP September 2017 Revision 0

4-7

3. Section 6.3, Type Test Procedures, of IEEE Std. 323-1974 should be supplemented with the following:

a. Electric equipment that could be submerged should be identified and qualified by testing in a submerged condition to demonstrate operability for the duration required.

b. Electric equipment located in an area where rapid pressure changes are postulated simultaneously with the most adverse relative humidity should be qualified to demonstrate that the equipment seals and vapor barriers will prevent moisture from penetrating into the equipment to the degree necessary to maintain equipment functionability.

c. The parameters to which electric equipment is being qualified (e.g., temperature, pressure, radiation) by exposure to a simulated environment in a test chamber should be measured sufficiently close to the equipment to ensure that actual test conditions accurately represent the environment characterized by the test.

d. Performance characteristics that demonstrate the operability of equipment should be verified before, after, and periodically during testing throughout its range of required operability.

e. Chemical spray or demineralized water spray that is representative of service conditions should be incorporated during simulated event testing at pressure and temperature conditions that would occur when the spray systems actuate.

f. Cobalt-60 or cesium-137 would be acceptable gamma radiation sources for environmental qualification.

These regulatory positions are not applicable because the BTI panel is located in the control room environment, which is considered to be a mild environment as discussed in Reference 5. The BTI panel does not have any requirements related to a harsh environment as listed in position 3.

4. The suggested values in Section 6.3.1.5, Margin, of IEEE Std. 323-1974, except time margins, are acceptable for meeting the requirements of paragraph 50.49(e)(8). Alternatively, quantified margins should be applied to the environmental parameters discussed in Regulatory Position C.2 to ensure that the postulated accident conditions have been enveloped during testing.

The BTI generic seismic qualification and environmental evaluation bounds the Exelon current licensing basis, and was performed in accordance with WCAP-8587 (Reference 6).

WCAP-18298-NP September 2017 Revision 0

4-8

5. Section 6.3.3, Aging, of IEEE Std 323-1974 and paragraph 50.49(e)(5) should be supplemented with the following:

a. If synergistic effects have been identified prior to the initiation of qualification, they should be accounted for in the qualification program. Synergistic effects known at this time are dose rate effects and effects resulting from the different sequence of applying radiation and (elevated) temperature.

b. The expected operating temperature of the equipment under service conditions should be accounted for in thermal aging. The Arrhenius methodology is considered an acceptable method of addressing accelerated thermal aging within the limitation of state-of-the-art technology. Other aging methods will be evaluated on a case-by-case basis.

c. The aging acceleration rate and activation energies used during qualification testing and the basis upon which the rate and activation energy were established should be defined, justified, and documented.

d. Periodic surveillance and testing programs are acceptable to account for uncertainties regarding age related degradation that could affect the functional capability of equipment.

Results of such programs will be acceptable as ongoing qualification to modify designated life (or qualified life) of equipment and should be incorporated into the maintenance and refurbishment/ replacement schedules.

Aging testing was not performed for the BTI panel because the BTI hardware is not part of the reactor trip system; the BTI is only used for the testing of a channel in bypass. During normal system operation, the BTI hardware is de-energized. Additionally, a failure of the BTI panel will not prevent a reactor trip from occurring.

6. Replacement electric equipment installed subsequent to February 22, 1983, must be qualified in accordance with the provisions of § 50.49 unless there are sound reasons to the contrary.

Future replacement components for the BTI panel will be commercially dedicated in accordance with the original qualification requirements. The commercial dedications will address the critical characteristics required to maintain the qualification of the equipment.

7. In addition to the requirements of paragraph 50.49(j) of 10 CFR Part 50 and Section 8, Documentation, of IEEE Std. 323-1974, documentation should address the information identified in Appendix E to this guide. A record of the qualification should be maintained in an auditable file to permit verification that each item of electric equipment is qualified to perform its safety function under its postulated environmental conditions throughout its installed life.

This equipment has been qualified in accordance with WCAP-8587 (Reference 6), and the test results are documented in WCAP-8687 (Reference 5) which have been approved by the NRC (Reference 6).

WCAP-18298-NP September 2017 Revision 0

4-9 4.2.5 RG 1.100, Rev. 3 - Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants RG 1.100 endorses IEEE Standard 344-2004 and previous revisions of the Standard. A discussion of the BTI conformance to the IEEE Standard 344-1975 and this RG are discussed in Section 4.3. The BTI panel was seismically qualified per IEEE Standard 344-1975; therefore the differences with the current IEEE Standard 344-2004 were evaluated for compliance. The two differences between IEEE Standard 344-1975 and IEEE Standard 344-2004 listed below do not invalidate the previous seismic qualification.

1. Use of experience data - This is not applicable because experience data was not used since the BTI panel was seismically tested.

2. High frequency ground motion for hard-rock-based plants - Ginna is not considered a hard-rock-based plant.

4.2.6 RG 1.118, Rev. 3 - Periodic Testing of Electric Power and Protection Systems RG 1.118 endorses IEEE Standard 338-1987 for periodic testing of protection systems subject to providing a method of preventing the expansion of any bypass condition to redundant channels. This is accomplished by administrative control of access to the bypass capability. The latest version of the RG 1.118 was compared to the previous version and the following changes were evaluated.

Position on 2.3 and 3 2.3 Test procedures or administrative controls shall provide for verifying the open circuit or verifying that temporary connections are restored after testing.

Exelon will have administrative controls in place to perform periodic surveillance testing when using the BTI Panel at Ginna.

3. The description for a logic system functional test, as noted in Section 6.3.5 of IEEE Std. 338-1987, implies that the sensor is included. A logic system functional test is to be a test of all logic components (i.e., all relays and contacts, trip units, solid state logic elements, etc.) of a logic circuit, from as close to the sensor as practicable up to but not including the actuated device, to verify operability.

The in-containment sensors (PR ex-core detectors) are not directly connected to the BTI panel.

Within a protection channel, the BTI panel is located between the NIS drawers and Solid State Protection System (SSPS); therefore, sensor testing is not applicable to the BTI panel. The BTI panel does not interfere with the required testing of any instrument channel components. The BTI panel only provides a method of testing the instrument channel components in bypass mode.

WCAP-18298-NP September 2017 Revision 0

4-10 4.2.7 RG 1.22, Rev. 0 - Periodic Testing Of Protection System Actuation Functions The following section discusses in detail how the BTI panel complies with RG 1.22.

1. The protection system should be designed to permit periodic testing to extend to and include the actuation devices and actuated equipment.

a. The periodic tests should duplicate, as closely as practicable, the performance that is required of the actuation devices in the event of an accident.

The BTI panel provides a preferred means for periodic testing because it allows testing a channel in bypass versus trip, and reduces the potential for a spurious reactor trip during testing. When the entire protection channel is being tested, the trip signal simply passes through the BTI panel.

b. The protection system and the systems whose operation it initiates should be designed to permit testing of the actuation devices during reactor operation.

The BTI panel provides a means of verifying that the 120V signal on the terminal blocks, which are located in the same cabinet. If the 120V signal is not present in the terminal blocks, the SSPS would alarm depending on the BTI state. Within a protection channel, the BTI panel is located between the NIS drawers and SSPS; therefore, the BTI panels do not directly interface with the actuation device. The BTI panel does not interfere with the testing of the actuation devices, and the required testing of the actuation devices will not be affected by the BTI panel.

2. Acceptable methods of including the actuation devices in the periodic tests of the protection system.

This is not applicable to the BTI panel since the actuation device (such as the reactor trip breaker) is not connected to the BTI panel directly. The BTI panel is connected directly to the SSPS. The BTI panel does not interfere with the testing of the actuation devices, and the required testing of the actuation devices will not be affected by the BTI panel.

3. Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation:

a. Positive means should be provided to prevent expansion of the bypass condition to redundant or diverse systems, and

b. Each bypass condition should be individually and automatically indicated to the reactor operator in the main control room.

Each channel is isolated from each other; therefore placing one channel in bypass cannot result in placing any other channel in bypass. The BTI panels have individual and automatic annunciation.

Refer to Section 3.4 for details.

WCAP-18298-NP September 2017 Revision 0

4-11

4. Where actuated equipment is not tested during reactor operation, it should be shown that:

a. There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant;

b. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation, and

c. The actuated equipment can be routinely tested when the reactor is shut down.

This is not applicable to the BTI panel because the actuated equipment is not directly connected to it. The BTI panel does not interfere with the testing of the actuation devices and the required testing of the actuation devices will not be affected by the BTI panel.

4.2.8 RG 1.30, Rev. 0 - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment Exelon will comply with RG 1.30 for the installation, inspection or maintenance testing. The factory acceptance test (FAT) will be performed at a 10CFR Part 21, Appendix B facility before shipping the hardware to the site.

4.3 IEEE STANDARDS The following IEEE Standards are applicable to the BTI panel at Ginna and are discussed in Subsections 4.3.1 through 4.3.6:

IEEE 603-1991 - IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations IEEE 379-2000 - Trial Use Guide for the Application of the Single Failure Criteria to Nuclear Power Generating Station Protection Systems IEEE 384-1974 - Trial Use Standard for Separation of Class 1E Equipment and Circuits IEEE 344-2004 - IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations IEEE 338-1987 - IEEE Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems IEEE 323-1974 - IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations WCAP-18298-NP September 2017 Revision 0

4-12 4.3.1 IEEE Standard 603-1991 has several sections which are applicable to the BTI installation at Ginna. The sections that are applicable are:

Section 5.1 - Single Failure Criterion This section requires that any single failure in the protection system shall not prevent proper protective action at the system level when required. A discussion of the potential fault conditions and failure detection of the BTI are discussed in Sections 3.2 and 3.3, respectively.

Any postulated failure in the bypass systems that would inadvertently cause the channel in bypass to trip are failures in a safe direction, i.e., tripped conditions and will not be discussed. Failures in the bypass systems that need to be addressed are those that could potentially:

1. Cause a channel to go into the bypass condition inadvertently.

2. Cause a channel to fail to exit the bypass condition when indications show otherwise.

All of these types of failures could cause the same result. That is, the possibility could exist for more than one redundant protection set to be in bypass at the same time such that a reactor trip may not be generated. It would require several contacts to spuriously close on the NIS PR bypass system to cause an inadvertent bypass. For a channel to fail to come out of bypass while indicating that it has returned to normal, one contact would have to stick closed in the associated relay. These failures would all be detected by observation of the local bypass status lights. Thus, there is no credible single failure of the BTI that could result in the protection system being degraded to the point of being unable to perform its intended safety function.

Section 5.3 - Quality of Components This section requires that components and modules be of a high quality. The components used in the BTI are of a quality consistent with minimum maintenance requirements and low failure rates. The quality of the components that are used in the BTI is consistent with components used in the protection system. All of the components are mechanical or electro-mechanical and are reliable through at least 50,000 operations under normal environmental conditions.

Section 5.4 - Equipment Qualification This section requires that type test data, or reasonable engineering extrapolation based on test data, be available to verify that protection system equipment meet the performance requirements. Generic tests were conducted to verify that the NIS PR BTI panels that are located in Class 1E instrument cabinets will not go into one of the failure modes identified during a seismic event. The tests were run to show structural integrity and electrical isolation where applicable. A complete discussion of the equipment qualification of the BTI is contained in Section 3.8.

WCAP-18298-NP September 2017 Revision 0

4-13 Section 5.6 - Control and Protection System Interaction Each BTI panel is located within its own protection set; therefore, a single fault would not cause a problem in redundant channels. The components of the NIS PR BTI panels that are non-Class 1E are isolated from the Class 1E circuits by qualified isolators. Therefore, there is no possibility that a control system fault could propagate to all the bypass panels and simultaneously adversely affect all protection sets. Separation requirements are maintained in the NIS PR BTI panels through physical separation on the bottom lid of the bypass panel with 6 inches between the safety-related and non-safety-related 118 VAC.

The circuit board maintains this required separation by placing a ground layer between the safety-related and non-safety-related 118 VAC circuits.

Section 5.7 - Capability for Test and Calibration The BTI panel complies with this section by providing the capability to functionally test its operation, and it does not require any calibration.

Section 5.8 - Information Displays 5.8.3.1: The annunciator is not part of the safety system.

5.8.3.2: The annunciator signal is provided automatically once the BTI keylock is engaged.

5.8.3.3: The keylock switch is located in the BTI front panel, which is located in the control room.

Section 5.8.3 - Indication of Bypasses This section requires that for a protective function that has been deliberately bypassed, indication/annunciation of the bypass must be continuously displayed in the control room. The design of the BTI at Ginna provides local alarm/status light and annunciators in the control room when a channel is bypassed.

Section 5.9 - Control of Access This section requires that the BTI design permit administrative control of the means for bypassing channels or protective functions. The design of the BTI for Ginna requires the use of the NIS keylock switches for placing a channel in bypass. Administrative control can be implemented by proper control of the distribution of the keys for the NIS PR BTI panels.

Section 6.6 - Channel Bypass or Removal from Operation The NIS PR BTI panel for Ginna will not affect the compliance of the protection system to this section.

When one channel is bypassed for testing, there will still be sufficient channels available to trip the reactor. The protection system will continue to conform to this section.

WCAP-18298-NP September 2017 Revision 0

4-14 Section 6.3 - Interaction Between the Sense and Command Features and Other Systems Based on Figure 5 (Interpretation of 6.3.1 of IEEE Standard 603-1991) from Subsection 6.3.1 of IEEE Standard 603-1991, the response for the BTI panel with respect to Does event by itself result in condition requiring safety function and Does event cause action by a non-safety system, is No, therefore the criteria of 6.3.1 (1) and 6.3.2 (2) are not applicable. Furthermore, the BTI panel is not directly connected to a field sensor. None of the actions listed in Subsection 6.3.1 can impact the BTI hardware. The BTI panel does not have the capability to receive an input from a field sensor or a process variable nor does it have the capability to generate a command signal.

Section 6.6 - Operating Bypasses If one channel is in bypass the protection system can still perform its function, since two-out-of-three coincidence logic is still in place.

Section 6.7 - Maintenance Bypass As described in IEEE 603 Section 6.3 above, the BTI panel does not interface with field sensors or process variables and it does not generate a command signal.

Section 4.20 - Information Read-out This section requires that the protection system be designed to provide the operator with information pertaining to its own status and the status of the plant. Section 3.6 discusses the annunciation features of the BTI and conformance to this section.

4.3.2 IEEE Standard 379-2000 IEEE Standard 379-2000 describes the application of the single failure criterion to the protection system.

The most limiting single failure would be one that would cause a channel to remain in bypass while indicating to the technician and the control room operator that the channel has been removed from bypass.

Another redundant channel could then be placed in bypass and there would be two redundant channels in bypass simultaneously. A failure of any component in the bypass system that inadvertently causes a channel to trip is a failure in the conservative direction, and would not prevent that channel from performing its function. There is no credible single failure that could inadvertently place a channel of the protection system into the bypass condition. Power is provided to the NIS PR BTI panel only when the circuit breaker is closed and the keylock switch is turned from NORMAL to BYPASS ENABLE, and the individual bypass toggle switch is placed in bypass. No single failure could inadvertently provide power to the bypass panel. Furthermore, the NIS PR BTI panels among the four channels do not share components or functions.

WCAP-18298-NP September 2017 Revision 0

4-15 4.3.3 IEEE Standard 384-1974 IEEE Standard 384-1974 discusses the separation requirements for Class 1E circuits and equipment.

These separation requirements are required when Class 1E and non-Class 1E equipment is located within close proximity to one another. The information provided in this standard and in Regulatory Guide 1.75 is similar and also supports the separation requirements contained in IEEE Standard 603-1991, Section 5.6.

4.3.4 IEEE Standard 344-2004 IEEE Standard 344-2004 discusses the recommended practices for performing seismic qualification of Class 1E equipment. The BTI, since it is being installed in Class 1E instrument racks, must be shown to be seismically qualified. Section 3.8 discusses the generic seismic qualification of the BTI for Ginna.

The BTI panel was seismically qualified per IEEE Standard 344-1975, therefore the differences with the current IEEE Standard 344-2004 were evaluated for compliance. The following two differences between IEEE Standard 344-1975 and IEEE Standard 344-2004 do not invalidate the previous seismic qualification:

1. Use of experience data - This is not applicable because experience data was not used since the BTI panel was seismically tested.

2. High frequency ground motion for hard-rock-based plants - Ginna are not considered a hard-rock-based plant.

4.3.5 IEEE Standard 338-1987 IEEE Standard 338-1987 discusses the criteria for performing periodic testing of safety systems.

Installation of the BTI does not impact the capability for performing periodic tests that was originally designed into the equipment. The BTI panel provides an alternative means of testing in bypass rather than in a tripped condition.

This IEEE Standard applies to the Nuclear Instrumentation detectors and drawers. This standard provides guidance for the periodic testing of safety-related systems. The BTI panel does not perform a safety function when installed in the NIS cabinet. The BTI panel does not have any impact on the capability to perform the required testing as discussed in the IEEE Standard. The BTI panel only allows the drawers to be tested in bypass. It does not change or influence the method of surveillance testing of the drawers.

Thus, the installation of the BTI panels has no effect on the NIS system compliance with this IEEE Standard.

4.3.6 IEEE Standard 323-1974 IEEE Standard 323-1974 discusses the requirements for qualifying Class 1E equipment for nuclear power plants. Section 3.8 discusses the equipment qualification and conformance of the BTI.

The BTI generic seismic qualification and environmental evaluation bounds the Ginna current licensing basis, and was performed in accordance with WCAP-8587 (Reference 6).

WCAP-18298-NP September 2017 Revision 0

5-1 5 CONCLUSION Various aspects of the RTS NIS PR BTI panel are addressed in this TR. These aspects include a demonstration of the functionality of the BTI hardware, and the design features of the BTI panel to demonstrate compliance with the applicable regulations, RGs and IEEE Standards associated with testing in bypass.

The NIS PR BTI panel will reduce the potential for spurious reactor trips, which reduces the potential transients associated with them, and ensures that the RTS NIS PR functions remain capable of performing their specified safety function.

The following tables and figures provide additional details of the RTS NIS PR BTI System. Table 5-1 lists the comparators that can be bypassed and Table 5-2 provides the NIS PR BTI panel part numbers. Figure 5-1 provides a basic functional diagram to illustrate the operation of a NIS PR BTI panel.

Table 5-1. NIS Comparators to by Bypassed Protection Set Function I II III IV Power Range - High Flux Reactor Trip (Low Setpoint) 1 1 1 1 Power Range - High Flux Reactor Trip (High Setpoint) 1 1 1 1 Power Range - Overpower Rod Stop 1 1 1 1 Power Range - P-10 Permissive 1 1 1 1 Power Range - P-8 Permissive 1 1 1 1 Power Range - P-9 Permissive 1 1 1 1 Power Range - Rod Drop 1 1 1 1 Dropped Rod Bypass (Indication only - no comparator) 1 1 1 1 Table 5-2. NIS BTI Panel Part Numbers Panel Part Number Description 10154D47G01 NIS Bypass Panel Assembly (Channel 1) 10154D47G02 NIS Bypass Panel Assembly (Channel 2) 10154D47G03 NIS Bypass Panel Assembly (Channel 3) 10154D47G04 NIS Bypass Panel Assembly (Channel 4)

WCAP-18298-NP September 2017 Revision 0

5-2 a,c Figure 5-1. NIS Bypass Panel Diagram WCAP-18298-NP September 2017 Revision 0

6-1 6 REFERENCES

1. Westinghouse Document, WCAP-10271-P-A, Rev. 0, Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, May 1986.

2. Westinghouse Document, WCAP-10271, Supplement 1-P-A, Rev. 0, Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System Supplement 1, May 1986.

3. Westinghouse Document, WCAP-10271-P-A, Supplement 2, Rev. 1, Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System, June 1990.

4. Westinghouse Document, WCAP-14333-P-A, Rev. 1, Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times, October 1998.

5. Westinghouse Document, WCAP-8687, Supplement 2, EQTR-E47G, Rev. 1, Equipment Qualification Test Report Nuclear Instrumentation System (NIS) Bypass Test Instrumentation Panel (Seismic Testing), March 1996.

6. Westinghouse Document, WCAP-8587, Rev. 6-A, Methodology for Qualifying Westinghouse WRD Supplied NSSS Safety Related Electrical Equipment, March 1983.

WCAP-18298-NP September 2017 Revision 0 Affidavit

.1 Westinghouse Non-Proprietary Class 3 l

@Westinghouse Westinghouse Electric Company 1000 Westinghouse Drive Cranberry Township, Pennsylvania 16066 USA U.S. Nuclear Regulatory Commission Direct tel: (412) 374-4643 Document Control Desk Direct fax: (724) 940-8560 115 55 Rockville Pike e-mail: greshaja@westinghouse.com Rockville, MD 20852 CAW-17-4624 September 21, 2017 APPLICATION FOR WITIIBOLDING PROPRIETARY INFORMATION FROM PUBLIC DISCLOSURE

Subject:

WCAP-18298-P, Revision 0, "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R.E. Ginna" (Proprietary)

The Application for Withholding Proprietary Information from Public Disclosure is submitted by Westinghouse Electric Company LLC ("Westinghouse"), pursuant to the provisions of paragraph (b)( 1) of Section 2.390 of the Nuclear Regulatory Commission's ("Commission's") regulations. It contains commercial strategic information proprietary to Westinghouse and customarily held in confidence.

The proprietary information for which withholding is being requested in the above-referenced report is further identified in Affidavit CAW-17-4624 signed by the owner of the proprietary information, Westinghouse. The Affidavit, which accompanies this letter, sets forth the basis on which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR Section 2.390 of the Commission's regulations.

Accordingly, this letter authorizes the utilization of the accompanying Affidavit by Exelon Generation Company, LLC.

Correspondence with respect to the proprietary aspects of the Application for Withholding or the Westinghouse Affidavit should reference CAW-17-4624 and should be addressed to James A. Gresham, Manager, Regulatory Compliance, Westinghouse Electric Company, 1000 Westinghouse Drive, Building 3 Suite 310, Cranberry Township, Pennsylvania 16066.

CA W-17-4624 AFFIDAVIT COMMONWEALTH OF PENNSYLVANIA:

SS COUNTY OF BUTLER:

I, James A. Gresham, am authorized to execute this Affidavit on behalf of Westinghouse Electric Company LLC ("Westinghouse") and declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief.

(,-17---

Executed on: !W__..:......;.'

James A. Gresham, Manager Regulatory Compliance

3 CA W-17-4624 (I) I am Manager, Regulatory Compliance, Westinghouse Electric Company LLC ("Westinghouse"),

and as such, I have been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in connection with nuclear power plant licensing and rule making proceedings, and am authorized to apply for its withholding on behalf of Westinghouse.

(2) I am making this Affidavit in conformance with the provisions of 10 CFR Section 2.390 of the Nuclear Regulatory Commission's ("Commission's") regulations and in conjunction with the Westinghouse Application for Withholding Proprietary Information from Public Disclosure accompanying this Affidavit.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged or as confidential commercial or financial information.

(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.390 of the Commission's regulations, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse.

(ii) The information is of a type customarily held in confidence by Westinghouse and not customarily disclosed to the public. Westinghouse has a rational basis for determining the types of information customarily held in confidence by it and, in that connection, utilizes a system to determine when and whether to hold certain types of information in confidence. The application of that system and the substance of that system constitute Westinghouse policy and provide the rational basis required.

Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of

4 CAW-17-4624 Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure ofresources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(t) It contains patentable ideas, for which patent protection may be desirable.

(iii) There are sound policy reasons behind the Westinghouse system which include the following:

(a) The use of such information by Westinghouse gives Westinghouse a competitive advantage over its competitors. It is, therefore, withheld from disclosure to protect the Westinghouse competitive position.

(b) It is information that is marketable in many ways. The extent to which such information is available to competitors diminishes the Westinghouse ability to sell products and services involving the use of the information.

(c) Use by our competitor would put Westinghouse at a competitive disadvantage by reducing his expenditure of resources at our expense.

5 CA W-17-4624 (d) Each component of proprietary information pertinent to a particular competitive advantage is potentially as valuable as the total competitive advantage. If competitors acquire components of proprietary information, any one component may be the key to the entire puzzle, thereby depriving Westinghouse of a competitive advantage.

(e) Unrestricted disclosure would jeopardize the position of prominence of Westinghouse in the world market, and thereby give a market advantage to the competition of those countries.

(t) The Westinghouse capacity to invest corporate assets in research and development depends upon the success in obtaining and maintaining a competitive advantage.

(iv) The information is being transmitted to the Commission in confidence and, under the provisions of I 0 CFR Section 2.390, is to be received in confidence by the Commission.

(v) The information sought to be protected is not available in public sources or available information has not been previously employed in the same original manner or method to the best of our knowledge and belief.

(vi) The proprietary information sought to be withheld in this submittal is that which is appropriately marked in WCAP-18298-P, Revision 0, "Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R.E. Ginna" (Proprietary), dated September 2017, for submittal to the Commission, being transmitted by Exelon Generation Company, LLC letter. The proprietary information as submitted by Westinghouse is that associated with Westinghouse's request for NRC approval of WCAP-18298-P, and may be used only for that purpose.

6 CA W-17-4624 (a) This information is part of that which will enable Westinghouse to support licensee installation of Bypass Test Instrumentation (BTI) to provide bypass testing capability for the Power Range Nuclear Instrumentation System (NIS) reactor trip functions.

(b) Further, this information has substantial commercial value as follows:

(i) Westinghouse plans to sell the use of similar information to its customers for the purpose of installation of BTI to provide bypass testing capability for the NIS reactor trip functions.

(ii) Westinghouse can sell support and defense of industry guidelines and acceptance criteria for plant-specific applications.

(iii) The information requested to be withheld reveals the distinguishing aspects of a methodology which was developed by Westinghouse.

Public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

The development of the technology described in part by the information is the result of applying the results of many years of experience in an intensive Westinghouse effort and the expenditure of a considerable sum of money.

In order for competitors of Westinghouse to duplicate this information, similar technical programs would have to be performed and a significant manpower effort, having the requisite talent and experience, would have to be expended.

Further the deponent sayeth not.

PROPRIETARY INFORMATION NOTICE Transmitted herewith are proprietary and non-proprietary versions of a document, furnished to the NRC in connection with requests for generic and/or plant-specific review and approval.

In order to confonn to the requirements of 10 CFR 2.390 of the Commission's regulations concerning the protection of proprietary infonnation so submitted to the NRC, the infonnation which is proprietary in the proprietary versions is contained within brackets, and where the proprietary infonnation has been deleted in the non-proprietary versions, only the brackets remain (the infonnation that was contained within the brackets in the proprietary versions having been deleted). The justification for claiming the infonnation so designated as proprietary is indicated in both versions by means of lower case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of infonnation being identified as proprietary or in the margin opposite such infonnation. These lower case letters refer to the types of infonnation Westinghouse customarily holds in confidence identified in Sections (4)(ii)(a) through (4)(ii)(f) of the Affidavit accompanying this transmittal pursuant to 10 CFR 2.390(b)(l).

COPYRIGHT NOTICE The reports transmitted herewith each bear a Westinghouse copyright notice. The NRC is pennitted to make the number of copies of the information contained in these reports which are necessary for its internal use in connection with generic and plant-specific reviews and approvals as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.390 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by Westinghouse, copyright protection notwithstanding. With respect to the non-proprietary versions of these reports, the NRC is permitted to make the number of copies beyond those necessary for its internal use which are necessary in order to have one copy available for public viewing in the appropriate docket files in the public document room in Washington, DC and in local public document rooms as may be required by NRC regulations if the number of copies submitted is insufficient for this purpose. Copies made by the NRC must include the copyright notice in all instances and the proprietary notice if the original was identified as proprietary.

v t e Letter Sequence Request
EPID:L-2017-LLA-0388, R. E. Ginna, License Amendment Request to Revise Technical Specifications for Selected Reactor Trip System and Engineered Safety Feature Actuation System Instrumentation Channels to Incorporate Bypass Test Capability (Approved, Closed)
Initiation Request Acceptance Administration Withholding Request Acceptance Questions Answers Results Approval Other:
MONTHYEAR2017-12-12 [Table View]

ML17321A107

Text

Subject:

SUMMARY

3.0 TECHNICAL EVALUATION

4.0 REGULATORY EVALUATION

5.0 ENVIRONMENTAL CONSIDERATION

SUMMARY

3.0 TECHNICAL EVALUATION

4.0 REGULATORY EVALUATION

5.0 ENVIRONMENTAL CONSIDERATION

3.1 REFERENCES

3.2 REFERENCES

Subject:

Navigation menu

Search