ND-19-1129, Supplement to the Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification .


ML19280E414
Person / Time
Site: Vogtle  
(NPF-091, NPF-092)
Issue date: 10/07/2019
From: Whitley B
Southern Nuclear Operating Co
To:
Document Control Desk, Office of New Reactors
Shared Package
ML19280E411 List:
References
LAR-19-001S1, ND-19-1129


Text

B. H. Whitley, Director, Regulatory Affairs
Southern Nuclear Operating Company, Inc.
3535 Colonnade Parkway
Birmingham, AL 35243
Tel 205.992.7079
Fax 205.992.7722

October 7, 2019

Docket Nos.: 52-025, 52-026
ND-19-1129
10 CFR 50.90
10 CFR 52.98(c)

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Southern Nuclear Operating Company
Vogtle Electric Generating Plant Units 3 and 4
Supplement to the Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR-19-001S1)

Ladies and Gentlemen:

Pursuant to 10 CFR 52.98(c) and in accordance with 10 CFR 50.90, Southern Nuclear Operating Company (SNC) previously requested an amendment to the combined licenses (COLs) for Vogtle Electric Generating Plant (VEGP) Units 3 and 4 (License Nos. NPF-91 and NPF-92, respectively).

The requested amendment proposes changes to the Updated Final Safety Analysis Report (UFSAR) in the form of departures from the Plant-Specific Design Control Document (DCD) Tier 2 information and involves changes to the VEGP Units 3 and 4 COL Appendix A, Technical Specifications (TS).

SNC originally submitted this request by letter SNC ND-19-0168, dated March 25, 2019 [ADAMS Accession Number ML19084A309] and the license amendment request (LAR) was subsequently accepted for review.

The original LAR requested to change Technical Specification (TS) Sections 1.0, 3.1, 3.2, 3.3, 3.9, and 5.5 by removing the Surveillance Requirements (SRs), manual Channel Checks, Channel Operational Tests (COTs), Actuation Logic Tests (ALTs) and Actuation Logic Output Tests (ALOTs), being performed on Protection and Safety Monitoring System (PMS) components. The approach for satisfying the reactor trip and engineered safety feature actuation system (ESFAS) response time test SRs for the PMS racks was also proposed to be changed.

This supplement is being provided to 1) address seven open items developed during an NRC audit conducted June 17, 2019 through August 28, 2019 (transmitted to SNC via NRC electronic-mail correspondences dated September 23, 2019 [ML19266A665]), 2) revise the scope of the original LAR by rescinding some of the manual Channel Check deletions for several PMS functions and 3) clarify information to align with the revisions made to the original LAR scope. Revision bars are provided in this supplement to clearly discern the revisions made to the original LAR.

U.S. Nuclear Regulatory Commission ND-19-1129 Page 2 of 6

Enclosures 1 through 7 were provided in the original LAR submittal via ND-19-0168. Enclosure 8 supplements LAR-19-001 to address the seven open items and provides revisions/clarifications to the original LAR dated March 25, 2019. Enclosure 8 includes information that is considered proprietary and, therefore, is requested to be withheld from disclosure to the public under 10 CFR 2.390. Enclosure 9 provides a redacted version of Enclosure 8 and can be made available to the public. Enclosure 10 provides the revised proposed changes to the VEGP 3&4 Licensing Basis Documents. Enclosure 10 supersedes Enclosure 3 of ND-19-0168 in its entirety.

Neither the scope changes (provided in Enclosures 8 and 10) nor the supplemental information (provided in Enclosure 8) alter the conclusions of the Significant Hazards Consideration Determination of Environmental Considerations in LAR-19-001. Enclosure 11 contains the revised Technical Specification Bases sections. These sections are provided for informational purposes only. Enclosure 12 provides an affidavit from SNC supporting withholding under 10 CFR 2.390. Enclosure 13 is Westinghouse's Application for Withholding Proprietary Information from Public Disclosure, Affidavit CAW-19-4955, Proprietary Information Notice, and Copyright Notice. The affidavit sets forth the basis upon which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4) of Section 2.390 of the Commission's regulations. Accordingly, it is respectfully requested that the information that is proprietary to Westinghouse be withheld from public disclosure in accordance with 10 CFR 2.390 of the Commission's regulations.

Correspondence with respect to the copyright or proprietary aspects of the items listed above or the supporting Westinghouse affidavit should reference CAW-19-4955 and should be addressed to James A. Gresham, Manager, Regulatory Compliance, Westinghouse Electric Company, 1000 Westinghouse Drive, Building 3 Suite 310, Cranberry Township, Pennsylvania 16066.

This letter, including enclosures, has been reviewed and confirmed to not contain security-related information. This letter contains no regulatory commitments.

SNC originally requested the NRC staff review and approve the requested license amendment no later than November 19, 2019; however, this supplement revises the requested approval date to November 22, 2019 to support Operator training updates. Delayed approval of this license amendment could result in a delay in Operator training updates and subsequent dependent activities. SNC expects to implement the proposed amendment within 30 days of approval of the requested changes.

In accordance with 10 CFR 50.91, SNC is notifying the State of Georgia by transmitting a copy of this letter and its enclosures to the designated State Official.

Should you have any questions, please contact Ms. Stephanie Y. Agee at (205) 992-7556.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 7th of October 2019.

Respectfully submitted, Brian H. Whitley Director, Regulatory Affairs Southern Nuclear Operating Company

Enclosures

1) - 7) Previously submitted with the original LAR, LAR-19-001
8) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 - Supplemental Information Regarding LAR-19-001 and NRC Audit Open Items (Withhold from Public Disclosure) (LAR-19-001S1)
9) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 - Supplemental Information Regarding LAR-19-001 and NRC Audit Open Items (Publicly Available Information) (LAR-19-001S1)
10) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 - Revised Proposed Changes to the Licensing Basis Documents (Publicly Available Information) (LAR-19-001S1)
11) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 - Revised Conforming Technical Specification Bases Sections (For Information Only) (LAR-19-001S1)
12) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 - Affidavit from Southern Nuclear Operating Company for Withholding Under 10 CFR 2.390 (LAR-19-001S1)
13) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 - Westinghouse Authorization Letter CAW-19-4955 Affidavit, Proprietary Information Notice and Copyright Notice (LAR-19-001S1)

cc:

Southern Nuclear Operating Company / Georgia Power Company
Mr. S. E. Kuczynski (w/o enclosures)
Mr. P. P. Sena III (w/o enclosures)
Mr. M. D. Meier (w/o enclosures)
Mr. D. H. Jones (w/o enclosures)
Mr. G. Chick
Mr. D. L. McKinney (w/o enclosures)
Mr. T. W. Yelverton (w/o enclosures)
Ms. C. A. Gayheart
Mr. C. R. Pierce
Mr. D. L. Fulton
Mr. M. J. Yox
Mr. C. T. Defnall
Mr. J. Tupik
Mr. B. H. Whitley
Ms. S. Agee
Mr. M. Humphrey
Ms. A. C. Chamberlain
Mr. S. Leighty
Mr. E. Riffle
Ms. K. Roberts
Mr. N. Kellenberger
Mr. J. Haswell
Mr. J. Andrews
Mr. D.T. Blythe
Document Services RTYPE: VND.LI.L00 File AR.01.02.06

Nuclear Regulatory Commission
Mr. W. Jones (w/o enclosures)
Ms. J. Dixon-Herrity
Mr. C. Patel
Mr. B. Kemker
Mr. G. Khouri
Ms. S. Temple
Mr. F. Brown
Mr. C. J. Even
Mr. A. Lerch
Mr. S. Walker
Mr. N.D. Karlovich
Ms. N. C. Coovert
Mr. C. Welch
Mr. J. Gaslevic
Mr. V. Hall
Ms. K. P. Carrington
Mr. M. Webb
Mr. P.J. Heher

State of Georgia
Mr. R. Dunn (w/o enclosure 8)

Oglethorpe Power Corporation
Mr. M. W. Price (w/o enclosure 8)
Ms. A. Whaley (w/o enclosure 8)

Municipal Electric Authority of Georgia
Mr. J. E. Fuller (w/o enclosure 8)
Mr. S. M. Jackson (w/o enclosure 8)

Dalton Utilities
Mr. T. Bundros (w/o enclosure 8)

Westinghouse Electric Company, LLC
Mr. L. Oriani (w/o enclosures)
Mr. T. Rubenstein (w/o enclosures)
Mr. M. Corletti
Mr. M. L. Clyde
Mr. D. Hawkins
Mr. J. Coward

Other
Mr. S. W. Kline, Bechtel Power Corporation
Ms. L. A. Matis, Tetra Tech NUS, Inc. (w/o enclosure 8)
Dr. W. R. Jacobs, Jr., Ph.D., GDS Associates, Inc. (w/o enclosure 8)
Mr. S. Roetger, Georgia Public Service Commission (w/o enclosure 8)
Ms. S. W. Kernizan, Georgia Public Service Commission (w/o enclosure 8)
Mr. K. C. Greene, Troutman Sanders (w/o enclosure 8)
Mr. S. Blanton, Balch Bingham
NDDocumentinBox@duke-energy.com, Duke Energy (w/o enclosure 8)
Mr. S. Franzone, Florida Power & Light (w/o enclosure 8)

Southern Nuclear Operating Company ND-19-1129 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Supplemental Information Regarding LAR-19-001 and NRC Audit Open Items (Publicly Available Information)

(LAR-19-001S1)

(This Enclosure consists of 31 pages, including this cover page)

ND-19-1129 Supplemental Information Regarding LAR-19-001 and NRC Audit Open Items (Publicly Available Information) (LAR-19-001S1)

Page 2 of 31

Open Items from NRC Audit dated June 17, 2019 through August 28, 2019

The information provided below contains seven open items from the License Amendment Request (LAR)-19-001 NRC Audit which was conducted from June 17, 2019 to August 28, 2019. These items were transmitted to SNC via NRC electronic-mail correspondences dated September 23, 2019 [ML19266A665].

1. HFE supplement information referencing the applicable ITAAC.
2. The proposed language for 70% loading.
3. AC160 modification process description for configuration management control.
4. Operating Experience Review (Tracker Program) for disposition of issues process.
5. Descriptions of 4 CIM diagnostics.
6. FSAR changes to document the basis for operability.
7. Description that 1) self-diagnostics will produce a division alarm as required and evaluation completed, 2) if self-diagnostics fail, then this produces a system alarm, and evaluation completed and 3) in the absence of the 1-2 alarms, there will be operator rounds and system engineers monthly reports looking for health/error/faults of system.

Responses to Open Items from NRC Audit dated June 17, 2019 through August 28, 2019

1. HFE Supplemental Information Referencing the Applicable ITAAC

Improved Operations

The elimination of manual surveillances reduces overall operator tasks and workload during normal operations, plant startup, shutdown, and outages. There are minor impacts on plant operating procedures that will require future revision (after approval of the license amendment request) due to this change.

The operator response to self-diagnostics alarms does not change operator workload because there is no proposed change to any alarms or Human System Interfaces (HSI). No new alarms are proposed. The existing validated operating procedures and training include the response to the PMS fault alarms.

The impacts to the operating procedures, training, and previously completed human factors engineering (HFE) verification and validation (V&V) activities (i.e., Design Verification, Task Analysis, Integrated System Validation, and Human Engineering Discrepancy Resolution) will be evaluated per Combined Operating License (COL) Appendix C ITAAC No. 3.2.00.01e. This Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) requires an evaluation of the implementation of the plant HFE/HSI (as designed at the time of plant startup) to be performed in accordance with APP-OCS-GEH-520, Plant Startup Human Factors Engineering Design Verification Plan, which is a Tier 2* document that is incorporated by reference into the plant-specific Design Control Document (DCD).


2. The Proposed Language for 70% Loading

Assurance of the Functionality of Self-Diagnostics

[

]a,c


[

]a,c Therefore, there is assurance that the self-diagnostics will function as designed.

3. AC160 Modification Process Description for Configuration Management Control

Modification Process for Platform Changes

The following section describes the process for modifying the Advant Controller 160 (AC160):

[

]a,c


[

]a,c

4. Operating Experience Review (Tracker Program) for Disposition of Issues Process

The information in Open Item 3 above addresses this open item.

5. Descriptions of Four Component Interface Module (CIM) Diagnostics

[

]a,c


[

]a,c


[

]a,c a,c


6. Updated Final Safety Analysis Report (UFSAR) Changes to Document the Basis for Operability

Enclosures 10 and 11 contain revisions to UFSAR Subsection 7.1.2.11 and TS Bases Sections 3.3.1, 3.3.6, 3.3.7 and 3.3.8, respectively, to address operability. The UFSAR marked-up pages included in Enclosure 10 of this supplement supersede the UFSAR marked-up pages in Enclosure 3 of ND-19-0168. The conforming TS Bases changes are provided for information only.
7. Description that 1) self-diagnostics will produce a division alarm as required and evaluation completed, 2) if self-diagnostics fail, then this produces a system alarm, and evaluation completed and 3) in the absence of the 1-2 alarms, there will be operator rounds and system engineers monthly reports looking for health/error/faults of system.

PMS operability is verified using 1) the automated diagnostics credited in this LAR and 2) Technical Specification manual surveillance requirements. A failure of credited automated diagnostics to detect a fault is either detected by other diagnostics in the system or by checker(s) of diagnostics. This condition is alarmed and displayed on the main control room (MCR) safety displays. Upon receipt of an alarm or abnormal conditions, the station operating procedures require the operators to perform system checks and verify operability of PMS deviation / function. The procedure would direct the operator to dispatch a maintenance technician to determine the source of the alarm.

The following routine actions also provide assurance (defense-in-depth) that faults are captured and investigated.

1. Conduct of Operations - During routine operator rounds and MCR board walkdowns, the following tasks are performed by the operators:

  • Checking for proper PMS Heartbeats for each division.
  • Checking the Safety Displays for Health Status and faults including but not limited to communication errors and CRC status. Other faults monitored include:
    o CIM test fault
    o Intra-channel and inter-channel faults
    o Sensor faults
    o Calibration data discrepancies

The walkdowns and operator rounds are controlled by the plant procedures and their results are logged in the Unit Control Log which is continuously maintained and retrievable.


2. System Health Checks - System engineers are required to perform system health checks per station System Monitoring and Health Reporting and take corrective actions to improve system health and the overall plant performance, safety and reliability. PMS, being a critical system, would require monthly system health reporting and walkdown of the system. The I&C system check includes but is not limited to the following checks:

  • Damage
  • Parameters for the current operating conditions within normal range, including review of other system logs
  • Dust and dirt
  • Signs of overheating
  • Filter check
  • LEDs, lights and annunciators indicating properly abnormal indications, unusual equipment, or unusual connections on any of the digital equipment
  • Review of fault logs (confirming faults were captured and acted upon)

System health reports are reviewed by systems engineering management and System Monitoring Review Board and maintained in system notebooks. Issues are communicated, and adverse trends and issues not previously addressed (i.e., all alarms should have been addressed by Operations) are captured in condition reports.

Should it be determined that a diagnostic problem is identified as part of the PMS platform, a condition report (CR) would be filed by SNC and transmitted to Westinghouse.

Westinghouse would then take the corrective actions as described in the third bullet of the SNC response to Open Item 3 above.

Additional Supplemental Information

This supplement revises the original LAR by 1) updating Figure A.4 of ND-19-0168 (Appendix A of Enclosures 1 and 2) to align with the actual scope of the Trip Actuating Device Operational Test (TADOT) and does not impact the evaluation provided in ND-19-0168; and 2) rescinding the deletion of the channel check surveillance for several PMS functions because they are not fully covered by self-diagnostics. As a result, the following discussions and tables are revised:

  • Table 1, Summary of Licensing Basis Changes
  • Overview of Self-Diagnostic Testing Features discussion (Page 14 of 44 of ND-19-0168)
  • Table 2 Summary of the Manual Surveillance Tests and Self-Diagnostic Tests for the PMS Components
  • Table 3, Summary of the Manual Surveillance Tests and Self-Diagnostic Tests for the PMS Components

Revision bars are provided in the right-hand margin to identify the revisions.

Figure A.4 Revision

Revised Figure A.4 supersedes Figure A.4 provided in ND-19-0168 in its entirety.

a,c

Table 1 Revision Description

Summary of Table 1 Revisions

Surveillance Requirement: Revision Description

SR 3.3.2.1: The proposed change to delete SR 3.3.2.1 from COL Appendix A Technical Specification (TS) 3.3.2 Reactor Trip System (RTS) Source Range Instrumentation has been rescinded. Therefore, SRs 3.3.2.3 and 3.3.2.4 are renumbered to 3.3.2.2 and 3.3.2.3, respectively.

SR 3.3.3.1: The proposed change to delete SR 3.3.3.1 from COL Appendix A TS 3.3.3 Reactor Trip System (RTS) Intermediate Range Instrumentation has been rescinded and is modified by a note that says the surveillance is not required in MODE 1. Therefore, SRs 3.3.3.3 and 3.3.3.4 are renumbered to 3.3.3.2 and 3.3.3.3, respectively.

SR 3.3.8.1: The proposed change to delete SR 3.3.8.1 from COL Appendix A TS 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation has been rescinded and is modified by a note that says the surveillance is only required for Source Range Neutron Flux Doubling. Therefore, SRs 3.3.8.3 and 3.3.8.4 are renumbered to 3.3.8.2 and 3.3.8.3, respectively.

SR 3.3.17.1: The SR note is revised to include a reference to Table 3.3.17-1 to determine which SRs apply for each PAM function. Table 3.3.17-1 is revised to remove the applicability of SR 3.3.17.1 for Functions 2 through 11, 13 through 16, and 20. SR 3.3.17.1 is modified by a note that says this surveillance is not required for Neutron Flux (Intermediate Range) in MODE 1.

SR 3.9.3.1: The proposed change to delete this CHANNEL CHECK surveillance is rescinded by this supplement.

UFSAR Appendix 1A: The proposed change is modified by revising the text to explicitly address how self-diagnostics are used to verify the operability of PMS components.

UFSAR 7.1.2.11: This UFSAR Subsection is modified by revising the text to explicitly address how self-diagnostics are used to verify the operability of PMS components.

TS Bases 3.3.1, 3.3.2, 3.3.3, 3.3.7, 3.3.8, 3.3.17, 3.7.6, and 3.9.3: These TS Bases are revised to align with the revisions made to the TS SRs listed above.

Revised Table 1 supersedes Table 1 provided in Enclosures 1 and 2 of ND-19-0168 in its entirety.

Revised Table 1: Summary of Licensing Basis Changes

Columns: Section; Brief Description of Impact

UFSAR Appendix 1A - Conformance with Regulatory Guides
A discussion is added to describe conformance with IEEE 338 to align with crediting self-diagnostic test features in lieu of manual surveillance tests.

UFSAR Subsection 7.1.2.11 - Test Subsystem
Revised UFSAR 7.1.2.11 to state The automatic continuous self-diagnostic features of the PMS and application software provide sufficient assurance of PMS component operability where diagnostics are credited. The faults detected by diagnostics are alarmed and displayed in the Main Control Room. Operators assess operability of the PMS using the plant alarm response and abnormal operating procedures.

UFSAR Subsection 7.3.2.2.6 - Capability for Sensor Checks and Equipment Test and Calibration of the Engineered Safety Features Actuation (Paragraphs 5.7 and 6.5 of IEEE 603-1991)
Changed to take credit for the self-diagnostics as part of the basis for acceptability of the Engineered Safety Feature Actuation System (ESFAS) functions.

UFSAR Appendix 7A.5 (WCAP-15776) - WCAP-15776, Safety Criteria for the AP1000 Instrumentation and Control Systems, April 2002
Section 3.13 is revised to align the text with the actual IEEE 603 requirements from IEEE 603 Section 5.7 and with crediting self-diagnostics in lieu of manual surveillances. Specifically, IEEE 603 Section 5.7 requires the protection system to be designed with the capability to test and calibrate the system. IEEE 603 does not require the manual performance of any specific test.

UFSAR Appendix 7A.8 (WCAP-16675) - WCAP-16675-P and WCAP-16675-NP, AP1000 Protection and Safety Monitoring System Architecture Technical Report
Section 2.2.5 is revised to require the protection system to be designed with the capability to test and calibrate the system, consistent with IEEE 603 Section 5.7 and with crediting self-diagnostics in lieu of manual surveillances. Specifically, IEEE 603 Section 5.7 requires the protection system to be designed with the capability to test and calibrate the system. IEEE 603 does not require the manual performance of any specific test. Section 6 and 6.2 are revised to say that both self-diagnostics and on-line verification tests are used to verify the safety system is capable of performing its intended safety function.

UFSAR Subsection 15.0.6 - Protection and Safety Monitoring System Setpoints and Time Delays to Trip Assumed in Accident Analyses
Changed to remove statement about determining instrumentation response time as part of TS requirements.

TS Section 1.1 - Definitions
Definition for ALOT is deleted.

TS Section 3.2.3 - Axial Flux Difference (AFD)
The reference to Surveillance Requirement (SR) 3.3.1.5 is revised to SR 3.3.1.4.

TS SR 3.3.1.1 - Channel Check of RTS Instrumentation
  • SR Deleted

SR 3.3.2.1 - Channel Check of RTS SR Instrumentation
Deletion of SR is rescinded.

TS SR 3.3.3.1 - Channel Check of Reactor Trip System (RTS) Intermediate Range (IR) Instrumentation
  • Deletion of SR is rescinded. The SR is modified by a note that says the surveillance is not required in MODE 1.

TS SR 3.3.8.1 - Channel Check of ESFAS Instrumentation
  • Deletion of SR is rescinded. The SR is modified by a note that says the surveillance is only required for Source Range Neutron Flux Doubling.

TS SR 3.3.10.1 - Channel Check of ESFAS RCS Hot Leg Level Instrumentation
  • SR Deleted

TS SR 3.3.13.1 - Channel Check of ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization
  • SR Deleted

TS SR 3.3.14.1 - Channel Check of Spent Fuel Pool Level Instrumentation
  • Deletion of SR is rescinded. The SR note is revised to include a reference to Table 3.3.17-1 to determine which SRs apply for each PAM function. Table 3.3.17-1 is revised to remove the applicability of SR 3.3.17.1 for Functions 2 through 11, 13 through 16, and 20. SR 3.3.17.1 is modified by a note that says this surveillance is not required for Neutron Flux (Intermediate Range) in MODE 1.

TS SR 3.3.20.1 - Channel Check of Automatic Depressurization System (ADS) and In-containment Refueling Water Storage Tank (IRWST) Injection Blocking Device
  • SR Deleted

TS SR 3.9.3.1 - Channel Check of Nuclear Instrumentation
Deletion of SR is rescinded.

TS SR 3.1.8.1 - Channel Operational Test (COT) for Physics Test Exceptions - MODE 2
  • SR Deleted

TS SR 3.3.10.2 - COT for ESFAS Reactor Coolant System (RCS) Hot Leg Level Instrumentation
  • SR Deleted

TS SR 3.3.13.2 - COT for ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization
SR Deleted, note within SR table and Table 3.3.4-1 edited to account for reduction in SRs.

TS SR 3.3.6.1 - ALT for RTS Automatic Trip Logic
  • SR Deleted

TS LCO 3.3.19 Condition C.1 - Condition which requires the performance of an ALT
  • Condition Deleted

TS Section 5.5.14 - Setpoint Program
The reference to COT is deleted.

TS Bases associated with SR 3.3.1.11, SR 3.3.2.4, SR 3.3.3.4, SR 3.3.8.4, SR 3.3.10.4, SR 3.3.11.4, SR 3.3.13, and SR 3.3.14.4. Surveillance Requirement section for Bases 3.3.2 and 3.3.3.

Note: current SR numbers are referenced, not the proposed renumbered SRs.

An allowance is made in the Bases to use allocated PMS equipment values for the response time surveillances in lieu of testing.

TS Bases associated with SR 3.1.9.3 and 3.6.3.5.

These SRs require a simulated or actual actuation signal be sent to the CVS containment isolation valves. A statement is added to require the actual or simulated actuation signal to be processed through the CIM. This verifies the Operability of the circuit from the CIM to the CVS containment isolation valve and satisfies a portion of the scope of ALOT.

TS Bases 3.3.1, 3.3.2, 3.3.3, 3.3.7, 3.3.8, 3.3.17, 3.7.6, and 3.9.3 These TS Bases are revised to align with the revisions made to the TS SRs listed above.

TS Bases 3.3.8, 3.3.10, 3.3.11, 3.3.13, 3.3.14, and 3.3.17 are revised to include These TS Bases are revised to state Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

  • Indicates SRs that were renumbered within the TS and changes/additions to the associated Bases, as applicable. In addition to changes associated with specific SRs, the Bases changes include edits related to the PMS self-diagnostics in the Background section of Bases 3.3.1 and 3.3.8. This includes adding a statement to the subsection of each major PMS component to describe how their self-diagnostics are used in conjunction with the AP1000 plant surveillance program (i.e., self-checking features are used in combination with, or in lieu of, an SR).

Overview of Self-Diagnostic Testing Features Discussion Revision Description

[ ]a,c is removed from the overview of self-diagnostic testing features. The revised discussion is provided below:

[

]a,c

Table 2 Revision Description

Revised Table 2 supersedes Table 2 provided in Enclosures 1 and 2 of ND-19-0168. The specific changes for Table 2 are listed below:

Test Name: Summary of Revisions Made to Table 2

Channel Check: The channel check summary is modified to include the channel checks that are not being removed from the surveillance program.

Actuation Logic Output Test: The summary is modified to include a description of the CIM Output Continuity Test.

Revised Table 2 - Summary of the Manual Surveillance Tests and Self-Diagnostic Tests for the PMS Components

Columns: Test Name; Relevant (PMS) SRs; Test Description; Summary of PMS Self-Diagnostics and Redundant Surveillance Test Coverage Evaluation

Test Name: Channel Check

Relevant (PMS) SRs: 3.3.1.1, 3.3.2.1, 3.3.3.1, 3.3.8.1, 3.3.10.1, 3.3.11.1, 3.3.13.1, 3.3.14.1, 3.3.17.1, 3.3.20.1, 3.9.3.1

Definition: A qualitative assessment, by observation, of channel behavior. This test usually includes a comparison of the channel indication and status to other indications or statuses derived from independent instrument channels measuring the same parameter.

Test Overview: The manual Channel Check identifies if a component has failed by comparing all four divisions' redundant instrument input values (inter-channel check).

This test checks for a significant deviation that may indicate a gross channel failure. This is accomplished by visual comparison of the indicators at the MTP and noting if a predefined difference exists between the highest and lowest indicator.

PMS Components Covered: The data from the process sensor passes to the A/D converter within the BPL and is displayed on the MTP.

The PMS performs continuous channel comparison on specific sensor values across all four divisions. This includes inter-channel comparison checks. This self-diagnostic test is described in WCAP-16675 Section 6.2, as follows.

[

]a,c For those functions with sensors measuring the same physical parameter in multiple PMS divisions and with all redundant measurements expected to be within the PMS pre-defined tolerance, the PMS self-diagnostic test verifies the same information verified by the manual Channel Check test. This includes the following:

  • Reactor trip instrumentation (SR 3.3.1.1)
  • Reactor trip intermediate range instrumentation. The manual Channel Check surveillance is only eliminated for the intermediate range instrumentation in MODE 1. (SR 3.3.3.1)
  • All ESFAS functions except source range neutron flux doubling (SR 3.3.8.1, SR 3.3.10.1, SR 3.3.11.1, SR 3.3.13.1, SR 3.3.14.1, SR 3.3.20.1)
  • Post-accident monitoring instrumentation for Function 1 (The manual Channel Check surveillance is only eliminated for the intermediate range instrumentation in MODE 1) and Functions 2 through 11, 13 through 16, and 20. This is shown in SV0-PMS-AR-001, Appendix D.

Therefore, the PMS Channel Checks can be eliminated for this instrumentation. The manual Channel Checks for the other functions and/or plant MODES will continue to be performed per the current TS and are excluded from this activity.

A graphical representation of the self-diagnostic channel check test is shown in Revised Figure A.5 below.
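The highest-versus-lowest comparison described for the manual Channel Check, as an added example that is not part of the submittal and is not the PMS self-diagnostic (whose description is withheld above). The tolerance, the division labels, the sample readings and the median-based naming of a suspect division are assumptions that go beyond the text.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Reading:
    division: str             # hypothetical division label ("A".."D")
    value: Optional[float]    # None models a channel with no valid indication


@dataclass(frozen=True)
class CheckResult:
    status: str               # "PASS", "FAIL" or "INSUFFICIENT"
    spread: Optional[float]   # highest minus lowest valid indication
    suspect: Optional[str]    # division furthest from the median, if unambiguous


def channel_check(readings: List[Reading], tolerance: float) -> CheckResult:
    """Compare redundant indications of one parameter across divisions."""
    valid = [r for r in readings if r.value is not None]
    if len(valid) < 2:
        # A single indication has nothing independent to be compared with.
        return CheckResult("INSUFFICIENT", None, None)

    values = [r.value for r in valid]
    spread = max(values) - min(values)
    if spread <= tolerance:
        return CheckResult("PASS", spread, None)

    # Assumption beyond the page: name the division furthest from the median.
    # When the two largest distances tie (for example a 2-versus-2 split), the
    # comparison alone cannot say which side is wrong, so no suspect is named.
    mid = median(values)
    ranked = sorted(valid, key=lambda r: abs(r.value - mid), reverse=True)
    gap = abs(ranked[0].value - mid) - abs(ranked[1].value - mid)
    suspect = ranked[0].division if gap > 1e-9 else None
    return CheckResult("FAIL", spread, suspect)


# Constructed sample data: one parameter indicated by four divisions.
TOLERANCE = 20.0  # assumed value; the page does not state the predefined difference
HEALTHY = [Reading("A", 2235.0), Reading("B", 2236.5),
           Reading("C", 2234.2), Reading("D", 2233.8)]
DRIFTED = [Reading("A", 2235.0), Reading("B", 2236.5),
           Reading("C", 2234.2), Reading("D", 2190.0)]
SPLIT = [Reading("A", 2200.0), Reading("B", 2200.0),
         Reading("C", 2240.0), Reading("D", 2240.0)]
DEGRADED = [Reading("A", 2235.0), Reading("B", None),
            Reading("C", None), Reading("D", None)]

if __name__ == "__main__":
    for name, sample in [("healthy", HEALTHY), ("drifted", DRIFTED),
                         ("split", SPLIT), ("degraded", DEGRADED)]:
        print(name, channel_check(sample, TOLERANCE))
```

The split case shows the limit of a pure spread comparison: the failure is detected, but attributing it to a division needs information from outside the comparison.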

Test Name: Channel Operational Test (COT)

Relevant (PMS) SRs: 3.1.8.1, 3.3.1.6, 3.3.1.7, 3.3.2.2, 3.3.3.2, 3.3.8.2, 3.3.10.2, 3.3.11.2, 3.3.13.2, 3.3.14.2, 3.3.20.3

Definition: Injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify channel operability. Includes adjustments, as necessary, of the required alarm, interlock, and trip setpoints such that the setpoints are within the necessary range and accuracy.

Test Overview: The COT for all PMS SRs except 3.3.20.3 is satisfied by manually injecting a simulated digital signal at the MTP and verifying that the BPL actuates as expected. This includes:

  • Manually entering a signal value for the input to the function being tested
  • Executing the function with the test input value
  • Monitoring the function outputs to determine if the response to the test input value is correct.

The COT for the ADS and IRWST injection blocking device (SR 3.3.20.3) confirms the device is capable of unblocking on low CMT level. In contrast, the ALT for the device (SR 3.3.20.5) confirms it is capable of unblocking for each of the blocking device inputs (i.e., remote shutdown room transfer switch, block/unblock switch, battery charger under-voltage, and CMT level low).

PMS Components Covered: The BPL processor modules, CI631 module, BIOB, and the HSL equipment connecting the BPL to the LCL are used to process the digital test injection signal. In addition, the ADS and IRWST injection blocking device is covered via 3.3.20.3.

A graphical representation of the equipment covered by the COT surveillance test is shown in ND-19-0168, Figure A.6 of Appendix A.

The PMS self-diagnostic tests have been shown to adequately test the operability of the same PMS components tested as part of the manual COTs in all the SRs listed except SR 3.3.20.3, which is addressed below. The internal fault detected by the diagnostic initiates the necessary visual and audible annunciation in the main control room so that the operator can take the appropriate action.

  • The PM646A Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-1 and Table A-2. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-1.
  • The CI631 Module Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-3. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-3.
  • The BIOB Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-4. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-2.
  • Diagnostics covering the HSLs are shown in SV0-PMS-AR-001 Table A-1 and Table A-2 (note: HSL diagnostics are a subset of the PM646A diagnostics). The diagnostics are shown to cover the applicable HSL failure modes in SV0-PMS-AR-001 Table C-1.

The COT for the ADS and IRWST injection blocking device can be eliminated. The ALT on the ADS and IRWST injection blocking device fully covers the component and completely overlaps the COT, which only partially tests the device.

[ ]a,c

Therefore, the COT associated with the ADS and IRWST injection blocking device can be eliminated.

In summary, the PMS self-diagnostics adequately test the components tested as part of the COT (except for SR 3.3.20.3) and, therefore, the COT can be eliminated. In addition, the COT for the ADS and IRWST injection blocking device (i.e., SR 3.3.20.3) can be eliminated because the ALT performed on the device is adequate.

Test Name: Actuation Logic Test (ALT)

Relevant (PMS) SRs: 3.3.4.1, 3.3.6.1, 3.3.15.1, 3.3.16.1, 3.3.20.5

Definition: The application of various simulated or actual input combinations in conjunction with each possible interlock logic state required for operability of a logic circuit and the verification of the required logic output.

Test Overview: The ALT surveillance tests include separate tests for the reactor trip system logic (SR 3.3.6.1), ESF system logic (SR 3.3.15.1, SR 3.3.16.1), ESF generated reactor trip actuation logic (SR 3.3.4.1), and the ADS and IRWST injection blocking device logic (SR 3.3.20.5). The ALT for the ADS / IRWST injection blocking device (SR 3.3.20.5) is not applicable to this activity because it will continue to be included as a manual surveillance test within the Technical Specifications.

For the reactor trip system logic ALT (SR 3.3.6.1), the injected signal goes from the LCL to the reactor trip matrix logic via the DO630 module. Proper function is verified using the digital output display to check the current flow through the appropriate reactor trip matrix termination unit ITP monitoring resistors, and thereafter using the DO630 status indicators.

For the ESF system logic ALT (SR 3.3.15.1 and SR 3.3.16.1), the injected signal goes from the LCL to the ILP (via the HSLs). Confirmation that the system is functioning properly is obtained by monitoring that the correct ESF system level actuation signals are received by the ILP component control processor modules.

The signal path for the ESF generated reactor trip actuation logic (SR 3.3.4.1) is almost entirely covered by the other two tests described above.

The PMS self-diagnostic tests have been shown to adequately test the operability of the same PMS components tested as part of the manual ALTs, except for two instances that are addressed below. The internal fault detected by the diagnostic initiates the necessary visual and audible annunciation in the main control room so that the operator can take the appropriate action.

  • The PM646A Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-1 and Table A-2. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-1.
  • The CI631 Module Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-3. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-3.
  • The BIOB Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-4. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-2.
  • Diagnostics covering the HSLs are shown in SV0-PMS-AR-001 Table A-1 and Table A-2 (note: HSL diagnostics are a subset of the PM646A diagnostics). The diagnostics are shown to cover the applicable HSL failure modes in SV0-PMS-AR-001 Table C-1.
  • The self-diagnostics are shown to cover the applicable DO630 failure modes in SV0-PMS-AR-001 Table C-6.

The components not fully covered by self-diagnostic tests include the DO630 module and the reactor trip matrix termination unit. However, these components are also tested every 92 days as part of the TADOT associated with SR 3.3.7.1.

Any failure that would be detected in these components by the ALT will also be detected by the TADOT.

In summary, the PMS self-diagnostics for the components tested as part of the ALT and the existing TADOT associated with SR 3.3.7.1 together provide complete coverage for the components tested as part of the ALT.

The only aspect of the safety path associated with this surveillance test not covered by the other two surveillance tests is the communications over the BIOB between the ESFAS processor module and the reactor trip processor module.

PMS Components Covered:

  • Reactor trip system logic ALT: RT LCL processor modules, communication processor modules, CI631, BIOB, DO630, reactor trip matrix termination unit
  • ESF system logic ALT: ESF LCL processor modules, communication processor modules, CI631, BIOB, HSL equipment, ILP component control processor module

RT and ESF LCL processor modules, communication processor modules, CI631, BIOB, DO630, reactor trip matrix termination unit, BIOB between the ESF and RT processor modules.

A graphical representation of the equipment covered by the ALT surveillance test is shown in Figure A.7 and Figure A.8 of Appendix A of ND-19-0168.

Test Name: Actuation Logic Output Test (ALOT)

Relevant (PMS) SRs: 3.3.15.2, 3.3.16.2

Definition: The application of simulated or actual logic signals and the verification of the required component actuation output signals up to, but not including, the actuated device. The test may be performed by means of any series of sequential, overlapping, or total steps.

Test Overview: The ALOT demonstrates that both redundant signal paths from the inputs to the ILPs through the CIM logic and CIM output driver circuits (ILP to actuator test) in the ESF Actuation Subsystem Logic process injected LCL system actuation signals for the applicable actuation Function. During this test, a signal is sent back to the MTP subsystem to determine if the CIM two-out-of-two logic was satisfied and a component control signal was sent to the actuated device.

PMS Components Covered: ILP processor modules, ILP CI631, ILP BIOB, HSL, Double Wide Transition Panels and Single Wide Transition Panels, CIM and SRNC, and the Squib Valve Termination Unit.

A graphical representation of the equipment covered by the ALOT surveillance test is shown in Figure A.10 of Appendix A. Note that the ADS and IRWST blocking device and digital inputs (e.g., DI621) are included on this figure for completeness, but are not within the scope of the ALOT.

The PMS self-diagnostic tests have been shown to adequately test the operability of the same PMS components tested as part of the manual ALOT, except for the CIM output circuitry to various valves addressed below. The internal fault detected by the diagnostic initiates the necessary visual and audible annunciation in the main control room so that the operator can take the appropriate action.

  • The PM646A Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-1 and Table A-2. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-1.
  • The CI631 Module Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-3. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-3.
  • The BIOB Common Q Platform diagnostics are evaluated in SV0-PMS-AR-001 Table A-4. The diagnostics are shown to cover the applicable processor module failure modes in SV0-PMS-AR-001 Table C-2.
  • Diagnostics covering the HSLs (ILP to/from SRNC) are shown in SV0-PMS-AR-001 Table H.4-2 and Table H.4-3. The diagnostics are shown to cover the applicable HSL failure modes in SV0-PMS-AR-001 Table C-1.
  • The SRNC diagnostics are evaluated in SV0-PMS-AR-001 Table H.4-4. The diagnostics are shown to cover the applicable SRNC failure modes in SV0-PMS-AR-001 Table H.4-5.
  • The CIM diagnostics are evaluated in SV0-PMS-AR-001 Table H.4-6. The diagnostics are shown to cover some CIM failure modes in SV0-PMS-AR-001 Table H.4-7.

[ ]a,c

[ ]a,c

However, this CIM self-diagnostic test does not cover the operability of the circuitry between the CIM output and the subset of valves identified in Table 3 below. The operability of these circuits is covered by other surveillance testing as discussed in Table 3 below. Open Item 3 above includes further description of CIM field-programmable gate array (FPGA) self-checking logic, including built-in-self testing, output continuity test, and redundant core check.

Any postulated faults within the DWTP and SWTP will be detected by either the SRNC or the CIM self-diagnostics.

The Squib Valve Termination Unit contains no self-diagnostics. The only postulated failure mode for this component is covered by other surveillance testing. See Table 3 below.

In summary, the PMS self-diagnostics for the components tested as part of the ALOT and the existing surveillance requirements identified in Table 3 together provide complete coverage for the components tested as part of the ALOT.

Therefore, it is concluded that the ALOT is unnecessary and can be deleted from the TS.

Test Name: Response Time Test

Relevant (PMS) SRs: 3.3.1.11, 3.3.2.4, 3.3.3.4, 3.3.4.2, 3.3.8.4, 3.3.10.4, 3.3.11.4, 3.3.13.4, 3.3.14.4

Definition: A test of the response time for a reactor trip and engineered safety feature protection channel. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC.

Test Overview: Response time tests verify that the individual reactor trip and ESFAS channel/division actuation response times, from sensor to actuating device, are less than or equal to the maximum values assumed in the accident analysis. This activity focuses specifically on the PMS equipment portion of the protection path and not the sensor or the actuating device.

PMS Components Covered: Figure A.9 of Appendix A in Enclosure 1 shows the signal paths taken for PMS reactor trips and ESF actuations. In each case, the signal comes into the BPL processor module from an actual or simulated signal and the applicable I/O module (i.e., DP620, AI688, AI687, or DI621 module). NIS signals go through the applicable I/O module.

The relevant NIS components for the response time testing include the source range preamplifier, intermediate range preamplifier, and the Intermediate Range Signal Processing Module (IRPM) and the Power Range Processing Module (PRPM) within the Nuclear Instrumentation System Processing Assembly.

The reactor trip inputs then pass through the reactor trip PMs in the LCL, the DO630 module, the reactor trip matrix termination unit, then to the reactor trip switchgear under-voltage and shunt trip mechanisms.

The ESF actuation inputs pass through the ESF PMs in the LCL, the ILP, SRNC, and the CIM. In each case, the signal path also passes through the HSLs, BIOB, and the CI631 module. The response time of this signal path is measured to ensure it is less than the maximum allowable response time assumed in the accident analysis.

See section below on Response Time Testing - Summary of PMS Self-Diagnostics and Redundant Surveillance Test Coverage Evaluation.

[ ]a,c

Table 3 Revision Description

Revised Table 3 supersedes Table 3 provided in Enclosures 1 and 2 of ND-19-0168. LAR 017, Technical Specification Changes for Spent Fuel Pool Level - Low 2 and IRWST Wide Range Level - Low Operability (TSR) added new SRs 3.5.7.1 and 3.5.8.3 and was approved by the NRC on January 15, 2019. Therefore, an administrative change is made to Table 3 for SR 3.5.7.1 and SR 3.5.8.4 by renumbering them to SR 3.5.7.2 and SR 3.5.8.4, respectively.

Revised Table 3: Surveillance Requirements Redundant to ALOT Scope

(Table columns: Tested Valve; TS SR; TS SR Text; Evaluation)

Tested Valve: PXS-PL-V118A/B - Containment Recirculation Isolation Valves

TS SR: SR 3.5.6.9 IRWST - Operating; SR 3.5.7.2 IRWST - Shutdown, MODE 5; SR 3.5.8.5 IRWST - Shutdown, MODE 6

TS SR Text: Verify continuity of the circuit from the Protection Logic Cabinets to each IRWST injection and containment recirculation squib valve on an actual or simulated actuation signal.

Evaluation: SR 3.5.6.9 verifies the Operability of the circuit from the CIM to the containment recirculation squib valves (i.e., PXS-PL-V118A/B). Therefore, this component surveillance test verifies the Operability of the CIM output up to this valve and satisfies this portion of the existing ALOT.

Tested Valve: PXS-PL-V120A/B - Containment Recirculation Isolation Valves

TS SR: SR 3.5.6.9 IRWST - Operating; SR 3.5.7.2 IRWST - Shutdown, MODE 5; SR 3.5.8.5 IRWST - Shutdown, MODE 6

TS SR Text: See evaluation of PXS-PL-V118A/B - Containment Recirculation Isolation Valves above.

Evaluation: See evaluation of PXS-PL-V118A/B - Containment Recirculation Isolation Valves above.

Tested Valve: PXS-PL-V123A/B - IRWST Injection Isolation Valves

TS SR: SR 3.5.6.9 IRWST - Operating; SR 3.5.7.2 IRWST - Shutdown, MODE 5; SR 3.5.8.5 IRWST - Shutdown, MODE 6

TS SR Text: Verify continuity of the circuit from the Protection Logic Cabinets to each IRWST injection and containment recirculation squib valve on an actual or simulated actuation signal.

Evaluation: SR 3.5.6.9 verifies the Operability of the circuit from the CIM to the IRWST injection squib valves (i.e., PXS-PL-V123A/B). Therefore, this component surveillance test verifies the Operability of the CIM output up to this valve and satisfies this portion of the existing ALOT.

Tested Valve: PXS-PL-V125A/B - IRWST Injection Isolation Valves

TS SR: SR 3.5.6.9 IRWST - Operating; SR 3.5.7.2 IRWST - Shutdown, MODE 5; SR 3.5.8.5 IRWST - Shutdown, MODE 6

TS SR Text: See evaluation of PXS-PL-V123A/B - IRWST injection squib valves above.

Evaluation: See evaluation of PXS-PL-V123A/B - IRWST injection squib valves above.

Tested Valve: RCS-PL-V004A/B/C/D - Fourth Stage ADS Depressurization Valves

TS SR: SR 3.4.11.5 ADS - Operating; SR 3.4.12.1 ADS - Shutdown RCS Intact; SR 3.4.13.2 ADS - Shutdown, RCS Open

TS SR Text: Verify continuity of the circuit from the Protection Logic Cabinets to each stage 4 ADS valve.

Evaluation: SR 3.4.11.5 verifies the Operability of the circuit from the CIM to the ADS stage 4 squib valves (i.e., RCS-PL-V004A/B/C/D). Therefore, this component surveillance test verifies the Operability of the CIM output up to this valve and satisfies this portion of the existing ALOT.

Tested Valve: PXS-PL-V002A/B - CMT Inlet Isolation Valves

TS SR: SR 3.5.2.3 CMTs - Operating; SR 3.5.3.1 CMTs - Shutdown, RCS Intact

TS SR Text: Verify each CMT inlet isolation valve is fully open.

Evaluation: Per UFSAR Table 6.3-1, the CMT inlet isolation valves (PXS-PL-V002A/B) are normally open and the actuation position is open.

SR 3.5.2.3 requires the operator to verify the valve is fully open every 12 hours. Per SR 3.5.2.3 and SR 3.5.3.1, these valves are required to be open in MODES 1, 2, 3, and 4, and in MODE 5 with the RCS not vented. An alarm is annunciated in the main control room if the CMT inlet isolation valves are not fully open.

Furthermore, these valves are exercised every 24 months as part of the inservice test program, per UFSAR Table 3.9-16 and TS Section 5.5.3. The testing uses the component interface module to exercise the valve.

Therefore, any failure of the circuit from the CIM up to the valve would be detected by the inservice test program.

Tested Valve: CVS-PL-V092 - Containment Isolation Actuation / Zinc Injection to RCS Valve

TS SR: SR 3.6.3.5 Containment Isolation Valves

TS SR Text: Verify each automatic containment isolation valve that is not locked, sealed or otherwise secured in position, actuates to the isolation position on an actual or simulated actuation signal.

Evaluation: SR 3.6.3.5 requires the operator to verify this valve can actuate to the isolated position on an actual or simulated ESF actuation signal. A statement is added to the Bases of SR 3.6.3.5 to require the actual or simulated actuation signal to be processed through the CIM. This verifies the Operability of the circuit from the CIM to the CVS containment isolation valve (i.e., CVS-PL-V092).

Therefore, this component surveillance test verifies the Operability of the CIM outputs up to this valve and satisfies this portion of the existing ALOT.

Tested Valve: CVS-PL-V136A/B - DWS Isolation Valves

TS SR: SR 3.1.9.3 CVS Demineralized Water Isolation Valves and Makeup Line Isolation Valves

TS SR Text: Verify each CVS demineralized water isolation valve actuates to the isolation position on an actual or simulated actuation signal.

Evaluation: SR 3.1.9.3 requires the operator to verify this valve can actuate to the isolated position on an actual or simulated ESF actuation signal. A statement is added to the Bases of SR 3.1.9.3 to require the actual or simulated actuation signal to be processed through the CIM. This verifies the Operability of the circuit from the CIM to the CVS containment isolation valves (i.e., CVS-PL-V136A/B).

Therefore, this component surveillance test verifies the Operability of the CIM outputs up to this valve and satisfies this portion of the existing ALOT.

Southern Nuclear Operating Company ND-19-1129 0 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Revised Proposed Changes to the Licensing Basis Documents (Publicly Available Information)

(LAR-19-001S1)

Reviewers Note: The revised changes to the Licensing Basis Documents provided in this Enclosure supersede the changes to the Licensing Basis Documents contained in Enclosure 3 of ND-19-0168.

Additions are identified in blue text

Deletions are identified by red strikethrough text

Omitted text is shown as three asterisks (* * *)

(This Enclosure consists of 33 pages, including this cover page)

ND-19-1129 0 Revised Proposed Changes to the Licensing Basis Documents (Publicly Available Information)

(LAR-19-001S1)

Proposed revisions to the VEGP Units 3 & 4 COL Appendix A Technical Specifications are described below:

Revise COL Appendix A Technical Specification 1.1 Definitions as follows:

ACTUATION LOGIC OUTPUT TEST An ACTUATION LOGIC OUTPUT TEST shall be the application of simulated or actual logic signals and the verification of the required component actuation output signals up to, but not including, the actuated device. The ACTUATION LOGIC OUTPUT TEST may be performed by means of any series of sequential, overlapping, or total steps.

Revise COL Appendix A Technical Specification 3.1.8 PHYSICS TESTS Exceptions - MODE 2 as follows:

SURVEILLANCE REQUIREMENTS

SR 3.1.8.1 Perform a COT on power range neutron flux and intermediate range neutron flux channels per SR 3.3.1.6, SR 3.3.1.7, and SR 3.3.3.2.
Frequency: Prior to initiation of PHYSICS TESTS

SR 3.1.8.21 Verify the RCS lowest loop average temperature is 541°F.
Frequency: 30 minutes

SR 3.1.8.32 Verify THERMAL POWER is 5% RTP.
Frequency: 30 minutes

SR 3.1.8.43 Verify SDM is within the limits specified in the COLR.
Frequency: 24 hours

Revise COL Appendix A Technical Specification 3.2.3 AXIAL FLUX DIFFERENCE (AFD) (Constant Axial Offset Control (CAOC) Methodology) as follows:

- NOTES -

1. The AFD shall be considered outside the target band when two or more OPERABLE excore channels indicate AFD to be outside the target band.

2. With THERMAL POWER 50% RTP, penalty deviation time shall be accumulated on the basis of a 1 minute penalty deviation for each 1 minute of power operation with AFD outside the target band.

3. With THERMAL POWER < 50% RTP and > 15% RTP, penalty deviation time shall be accumulated on the basis of a 0.5 minute penalty deviation for each 1 minute of power operation with AFD outside the target band.

4. A total of 16 hours of operation may be accumulated with AFD outside the target band without penalty deviation time during surveillance of Power Range Neutron Flux channels in accordance with SR 3.3.1.54, provided AFD is maintained within acceptable operation limits.

Revise COL Appendix A Technical Specification 3.3.1 Reactor Trip System (RTS) Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

- NOTE -

Refer to Table 3.3.1-1 to determine which SRs apply for each RTS Function.

SR 3.3.1.1 Perform CHANNEL CHECK.
Frequency: 12 hours

SR 3.3.1.21

- NOTES -

1. Required to be met within 12 hours after reaching 15% RTP.

2. If the calorimetric heat balance is 15% RTP, and if the nuclear instrumentation channel indicated power is:

a. lower than the calorimetric measurement by > 5% RTP, then adjust the nuclear instrumentation channel upward to match the calorimetric measurement.

b. higher than the calorimetric measurement, then no adjustment is required.

Compare results of calorimetric heat balance to nuclear instrument channel output.
Frequency: 24 hours

SR 3.3.1.32

- NOTES -

1. Adjust the conversion factor, T°, in the T power calculation (qT) if absolute difference between qT and the calorimetric measurement is > 3% RTP.

2. Required to be met within 12 hours after reaching 50% RTP.

3. If the calorimetric heat balance is < 70% RTP, and if qT is:

a. lower than the calorimetric measurement by > 5%, then adjust T° to match the calorimetric measurement.

b. higher than the calorimetric measurement, then no adjustment is required.

Compare results of calorimetric heat balance to the T power calculation (qT) output.
Frequency: 24 hours

SR 3.3.1.43

- NOTES -

1. Adjust nuclear instrument channel in PMS if absolute difference is 1.5% AFD.

2. Required to be met within 24 hours after reaching 20% RTP.

Compare results of the incore detector measurements to nuclear instrument channel AXIAL FLUX DIFFERENCE.
Frequency: 31 effective full power days (EFPD)

SR 3.3.1.54

- NOTE -

Required to be met within 24 hours after reaching 50% RTP.

Calibrate excore channels to agree with incore detector measurements.
Frequency: 92 EFPD

SR 3.3.1.6 Perform COT in accordance with Setpoint Program.
Frequency: 92 days

SR 3.3.1.7

- NOTE -

Only required to be performed when not performed within previous 92 days.

Perform COT in accordance with Setpoint Program.
Frequency: Prior to reactor startup AND 4 hours after reducing power below P-10 AND 92 days thereafter

SR 3.3.1.85

- NOTE -

This Surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.
Frequency: 24 months

SR 3.3.1.96

- NOTE -

Neutron detectors are excluded from CHANNEL CALIBRATION.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.
Frequency: 24 months

SR 3.3.1.107

- NOTE -

Verification of setpoint is not required.

Perform TADOT.
Frequency: 24 months

SR 3.3.1.118

- NOTE -

Neutron detectors are excluded from response time testing.

Verify RTS RESPONSE TIME is within limits.
Frequency: 24 months on a STAGGERED TEST BASIS

Table 3.3.1-1 (page 1 of 2)

Reactor Trip System Instrumentation

FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | CONDITIONS | SURVEILLANCE REQUIREMENTS

1. Power Range Neutron Flux
a. High Setpoint | 1,2 | 4 | D | SR 3.3.1.1, SR 3.3.1.21, SR 3.3.1.6, SR 3.3.1.96, SR 3.3.1.118
b. Low Setpoint | 1(a),2 | 4 | D | SR 3.3.1.1, SR 3.3.1.7, SR 3.3.1.96, SR 3.3.1.118

2. Power Range Neutron Flux High Positive Rate | 1,2 | 4 | D | SR 3.3.1.6, SR 3.3.1.96, SR 3.3.1.118

3. Overtemperature T | 1,2 | 4 (2/loop) | D | SR 3.3.1.1, SR 3.3.1.32, SR 3.3.1.43, SR 3.3.1.54, SR 3.3.1.6, SR 3.3.1.85, SR 3.3.1.118

4. Overpower T | 1,2 | 4 (2/loop) | D | SR 3.3.1.1, SR 3.3.1.32, SR 3.3.1.43, SR 3.3.1.54, SR 3.3.1.6, SR 3.3.1.85, SR 3.3.1.118

5. Pressurizer Pressure
a. Low 2 Setpoint | 1(b) | 4 | E | SR 3.3.1.1, SR 3.3.1.6, SR 3.3.1.85, SR 3.3.1.118
b. High 2 Setpoint | 1,2 | 4 | D | SR 3.3.1.1, SR 3.3.1.6, SR 3.3.1.85, SR 3.3.1.118

6. Pressurizer Water Level - High 3 | 1(b) | 4 | E | SR 3.3.1.1, SR 3.3.1.6, SR 3.3.1.85, SR 3.3.1.118

(a) Below the P-10 (Power Range Neutron Flux) interlocks.

(b) Above the P-10 (Power Range Neutron Flux) interlock.

Page 9 of 33 Table 3.3.1-1 (page 2 of 2)

Reactor Trip System Instrumentation FUNCTION APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS REQUIRED CHANNELS CONDITIONS SURVEILLANCE REQUIREMENTS

7. Reactor Coolant Flow - Low 2 1(b) 4 per hot leg E

SR 3.3.1.1 SR 3.3.1.32 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118

8. Reactor Coolant Pump (RCP)

Bearing Water Temperature -

High 2 1,2 4 per RCP D

SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118

9. RCP Speed - Low 2 1(b) 4 (1/pump)

E SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118

10. Steam Generator (SG) Narrow Range Water Level - Low 2 1,2 4 per SG D

SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118

11. Steam Generator (SG) Narrow Range Water Level - High 3 1,2(c) 4 per SG D

SR 3.3.1.1 SR 3.3.1.6 SR 3.3.1.85 SR 3.3.1.118

12. Passive Residual Heat Removal Actuation 1,2 4 per valve D

SR 3.3.1.107 SR 3.3.1.118 (b) Above the P-10 (Power Range Neutron Flux) interlock.

(c) Above the P-11 (Pressurizer Pressure) interlock.

Revise COL Appendix A Technical Specification 3.3.2 Reactor Trip System (RTS) Source Range Instrumentation as follows:

Reviewer's Note: This supplement rescinds the proposed changes described in ND-19-0168.

SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY

SR 3.3.2.2

- NOTES -

1. Only required to be performed when not performed within previous 92 days.

2. Not required to be performed prior to entering MODE 3 from MODE 2 until 4 hours after entry into MODE 3.

Perform COT in accordance with Setpoint Program.

Prior to reactor startup AND 4 hours after reducing power below P-6 AND 92 days thereafter

SR 3.3.2.32

- NOTE -

Neutron detectors are excluded from CHANNEL CALIBRATION.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.2.43

- NOTE -

Neutron detectors are excluded from response time testing.

Verify RTS RESPONSE TIME is within limits.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.3 Reactor Trip System (RTS) Intermediate Range Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.3.1

- NOTE -

Not required to be met in MODE 1.

Perform CHANNEL CHECK.

12 hours

SR 3.3.3.2

- NOTE -

Only required to be performed when not performed within previous 92 days.

Perform COT in accordance with Setpoint Program.

Prior to reactor startup AND 4 hours after reducing power below P-10 AND 92 days thereafter

SR 3.3.3.32

- NOTE -

Neutron detectors are excluded from CHANNEL CALIBRATION.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.3.43

- NOTE -

Neutron detectors are excluded from response time testing.

Verify RTS RESPONSE TIME is within limits.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.4 Reactor Trip System (RTS) Engineered Safety Feature Actuation System (ESFAS) Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

- NOTE -

Refer to Table 3.3.4-1 to determine to which SRs apply for each RTS ESFAS FunctionRTS ESFAS Function the SR applies.

SURVEILLANCE FREQUENCY

SR 3.3.4.1 Perform ACTUATION LOGIC TEST.

92 days

SR 3.3.4.21 Verify RTS RESPONSE TIME is within limit.

24 months on a STAGGERED TEST BASIS

Table 3.3.4-1 (page 1 of 1)

Reactor Trip System Engineered Safety Feature Actuation System Instrumentation

| FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS | SURVEILLANCE REQUIREMENTS |
|---|---|---|---|
| 1. Safeguards Actuation Input from Engineered Safety Feature Actuation System - Automatic | 1,2 | 4 | SR 3.3.4.1 SR 3.3.4.2 |
| 2. ADS Stages 1, 2, and 3 Actuation Input from Engineered Safety Feature Actuation System - Automatic | 1,2,3(a),4(a),5(a) | 4 | SR 3.3.4.1 None |
| 3. Core Makeup Tank Actuation Input from Engineered Safety Feature Actuation System - Automatic | 1,2,3(a),4(a),5(a) | 4 | SR 3.3.4.1 None |

(a) With Plant Control System capable of rod withdrawal or one or more rods not fully inserted.

Revise COL Appendix A Technical Specification 3.3.6 Reactor Trip System (RTS) Automatic Trip Logic as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.6.1 Perform ACTUATION LOGIC TEST.

92 days

None

Revise COL Appendix A Technical Specification 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.8.1

- NOTE -

Only required to be met for Source Range Neutron Flux Doubling.

Perform CHANNEL CHECK.

12 hours

SR 3.3.8.2 Perform CHANNEL OPERATIONAL TEST (COT) in accordance with Setpoint Program.

92 days

SR 3.3.8.32

- NOTE -

This surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.8.43

- NOTE -

Not applicable to Function 1.a.

Verify ESF RESPONSE TIME is within limit.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.10 Engineered Safety Feature Actuation System (ESFAS) Reactor Coolant System (RCS) Hot Leg Level Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.10.1 Perform CHANNEL CHECK.

12 hours

SR 3.3.10.2 Perform CHANNEL OPERATIONAL TEST (COT) in accordance with Setpoint Program.

92 days

SR 3.3.10.31

- NOTE -

This surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.10.42 Verify ESF RESPONSE TIME is within limit.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.11 Engineered Safety Feature Actuation System (ESFAS) Startup Feedwater Flow Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.11.1 Perform CHANNEL CHECK.

12 hours

SR 3.3.11.2 Perform CHANNEL OPERATIONAL TEST (COT) in accordance with Setpoint Program.

92 days

SR 3.3.11.31

- NOTE -

This surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.11.42 Verify ESF RESPONSE TIME is within limit.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.13 Engineered Safety Feature Actuation System (ESFAS) Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.13.1 Perform CHANNEL CHECK.

12 hours

SR 3.3.13.2 Perform CHANNEL OPERATIONAL TEST (COT) in accordance with Setpoint Program.

92 days

SR 3.3.13.31

- NOTE -

This surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.13.42 Verify ESF RESPONSE TIME is within limit.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.14 Engineered Safety Feature Actuation System (ESFAS) In-containment Refueling Water Storage Tank (IRWST) and Spent Fuel Pool Level Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.14.1 Perform CHANNEL CHECK.

12 hours

SR 3.3.14.2 Perform CHANNEL OPERATIONAL TEST (COT) in accordance with Setpoint Program.

92 days

SR 3.3.14.31

- NOTE -

This surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.14.42 Verify ESF RESPONSE TIME is within limit.

24 months on a STAGGERED TEST BASIS

Revise COL Appendix A Technical Specification 3.3.15 Engineered Safety Feature Actuation System (ESFAS) Actuation Logic - Operating as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.15.1 Perform ACTUATION LOGIC TEST on ESF Coincidence Logic.

92 days on a STAGGERED TEST BASIS

SR 3.3.15.2 Perform ACTUATION LOGIC OUTPUT TEST on ESF Actuation.

24 months

SR 3.3.15.31

- NOTE -

Only required to be met when all four cold leg temperatures are > 275°F.

Verify pressurizer heater circuit breakers trip open on an actual or simulated actuation signal.

24 months

SR 3.3.15.42 Verify reactor coolant pump breakers trip open on an actual or simulated actuation signal.

24 months

SR 3.3.15.53 Verify main feedwater and startup feedwater pump breakers trip open on an actual or simulated actuation signal.

24 months

SR 3.3.15.64

- NOTE -

Only required to be met in MODES 1 and 2.

Verify auxiliary spray and purification line isolation valves actuate to the isolation position on an actual or simulated actuation signal.

24 months

Revise COL Appendix A Technical Specification 3.3.16 Engineered Safety Feature Actuation System (ESFAS) Actuation Logic - Shutdown as follows:

SURVEILLANCE REQUIREMENTS

SURVEILLANCE FREQUENCY

SR 3.3.16.1 Perform ACTUATION LOGIC TEST on ESF Coincidence Logic.

92 days on a STAGGERED TEST BASIS

SR 3.3.16.2 Perform ACTUATION LOGIC OUTPUT TEST on ESF Actuation.

24 months

SR 3.3.16.31

- NOTE -

Only required to be met in MODE 5.

Verify reactor coolant pump breakers trip open on an actual or simulated actuation signal.

24 months

SR 3.3.16.42

- NOTES -

1.

Not required to be met in MODE 5 above the P-12 (Pressurizer Level) interlock.

2.

Not required to be met in MODE 6 with water level > 23 feet above the top of the reactor vessel flange.

Verify CVS letdown isolation valves actuate to the isolation position on an actual or simulated actuation signal.

24 months

Revise COL Appendix A Technical Specification 3.3.17 Post Accident Monitoring (PAM) Instrumentation as follows:

SURVEILLANCE REQUIREMENTS

- NOTE -

SR 3.3.17.1 and SR 3.3.17.2 apply to each PAM instrumentation Function in Table 3.3.17-1.

Refer to Table 3.3.17-1 to determine which SRs apply for each PAM Function.

SURVEILLANCE FREQUENCY

SR 3.3.17.1

- NOTE -

Not required to be met for Neutron Flux (Intermediate Range) in MODE 1.

Perform CHANNEL CHECK for each required instrumentation channel that is normally energized.

31 days

SR 3.3.17.2

- NOTE -

Neutron detectors are excluded from CHANNEL CALIBRATION.

Perform CHANNEL CALIBRATION.

24 months

Table 3.3.17-1 (page 1 of 1)

Post-Accident Monitoring Instrumentation

| FUNCTION | REQUIRED CHANNELS | CONDITION REFERENCED FROM REQUIRED ACTION D.1 | SURVEILLANCE REQUIREMENTS |
|---|---|---|---|
| 1. Neutron Flux (Intermediate Range) | 2 | E | SR 3.3.17.1 SR 3.3.17.2 |
| 2. Reactor Coolant System (RCS) Hot Leg Temperature (Wide Range) | 2 | E | SR 3.3.17.2 |
| 3. RCS Cold Leg Temperature (Wide Range) | 2 | E | SR 3.3.17.2 |
| 4. RCS Pressure (Wide Range) | 2 | E | SR 3.3.17.2 |
| 5. RCS Subcooling | 2 | E | SR 3.3.17.2 |
| 6. Containment Water Level | 2 | E | SR 3.3.17.2 |
| 7. Containment Pressure | 2 | E | SR 3.3.17.2 |
| 8. Containment Pressure (Extended Range) | 2 | E | SR 3.3.17.2 |
| 9. Containment Area Radiation (High Range) | 2 | E | SR 3.3.17.2 |
| 10. Pressurizer Level and Associated Reference Leg Temperature | 2 | E | SR 3.3.17.2 |
| 11. In-Containment Refueling Water Storage Tank (IRWST) Wide Range Water Level | 2 | E | SR 3.3.17.2 |
| 12. Passive Residual Heat Removal (PRHR) Heat Removal | 2 | E | SR 3.3.17.1 SR 3.3.17.2 |
| 13. Core Exit Temperature -- Quadrant 1 | 2(a) | E | SR 3.3.17.2 |
| 14. Core Exit Temperature -- Quadrant 2 | 2(a) | E | SR 3.3.17.2 |
| 15. Core Exit Temperature -- Quadrant 3 | 2(a) | E | SR 3.3.17.2 |
| 16. Core Exit Temperature -- Quadrant 4 | 2(a) | E | SR 3.3.17.2 |
| 17. Passive Containment Cooling System (PCS) Heat Removal | 2 | E | SR 3.3.17.1 SR 3.3.17.2 |
| 18. Penetration Flow Path Remotely Operated Containment Isolation Valve Position | 2 per penetration flow path(b)(c)(d) | E | SR 3.3.17.1 SR 3.3.17.2 |
| 19. IRWST to Normal Residual Heat Removal System (RNS) Suction Valve Status | 2 | E | SR 3.3.17.1 SR 3.3.17.2 |
| 20. Pressurizer Pressure | 2 | E | SR 3.3.17.2 |

(a) A channel consists of two thermocouples within a single division. Each quadrant contains two divisions. The minimum requirement is two OPERABLE thermocouples in each of the two divisions.

(b) Not required for isolation valves whose associated penetration is isolated by at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured.

(c) Only one position indication channel is required for penetration flow paths with only one installed control room indication channel.

Revise COL Appendix A Technical Specification 3.3.19 Diverse Actuation System (DAS) Manual Controls as follows:

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| C. Required Action and associated Completion Time of Condition A not met for inoperable DAS manual actuation control other than reactor trip. | C.1 Perform SRs 3.3.15.1 and 3.3.16.1, as applicable. | Once per 31 days on a STAGGERED TEST BASIS |
| | AND | |
| | C.21 Restore all controls to OPERABLE status. | Prior to entering MODE 2 following next MODE 5 entry |

Revise COL Appendix A Technical Specification 3.3.20 Automatic Depressurization System (ADS) and In-containment Refueling Water Storage Tank (IRWST) Injection Blocking Device as follows:

SURVEILLANCE REQUIREMENTS

- NOTE -

Refer to Table 3.3.20-1 to determine which SRs apply for each ADS and IRWST Injection Blocking Device Function.

SURVEILLANCE FREQUENCY

SR 3.3.20.1 Perform CHANNEL CHECK.

12 hours

SR 3.3.20.21 Verify each ADS and IRWST Injection Block switch is in the unblock position.

7 days

SR 3.3.20.3 Perform CHANNEL OPERATIONAL TEST (COT) in accordance with Setpoint Program.

92 days

SR 3.3.20.42 Perform CHANNEL CALIBRATION in accordance with Setpoint Program.

24 months

SR 3.3.20.53 Perform ACTUATION LOGIC TEST of ADS and IRWST Injection Blocking Devices.

24 months

SR 3.3.20.64

- NOTE -

Verification of setpoint not required.

Perform TRIP ACTUATING DEVICE OPERATIONAL TEST (TADOT) of ADS and IRWST Injection Block manual switches.

24 months

SR 3.3.20.75 The following SRs of Specification 3.5.2, Core Makeup Tanks (CMTs) - Operating are applicable for each CMT:

SR 3.5.2.3 SR 3.5.2.6 SR 3.5.2.7

In accordance with applicable SRs

Table 3.3.20-1 (page 1 of 1)

ADS and IRWST Injection Blocking Device

| FUNCTION | APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS | REQUIRED CHANNELS PER DIVISION | SURVEILLANCE REQUIREMENTS |
|---|---|---|---|
| 1. Core Makeup Tank Level for Automatic Unblocking(a) | 1,2,3,4(b) | 2 | SR 3.3.20.1 SR 3.3.20.3 SR 3.3.20.42 SR 3.3.20.53 SR 3.3.20.75 |
| 2. ADS and IRWST Injection Block Switches for Manual Unblocking | 1,2,3,4(b) | 1 | SR 3.3.20.53 SR 3.3.20.64 |
| | 4(c),5,6 | 1 | SR 3.3.20.21 SR 3.3.20.53 SR 3.3.20.64 |

(a) Not required to be OPERABLE with associated divisional ADS and IRWST Injection Block switch in the unblock position.

(b) With the Reactor Coolant System (RCS) not being cooled by the Normal Residual Heat Removal System (RNS).

(c) With the RCS being cooled by the RNS.

Revise COL Appendix A Technical Specification 3.9.3 Nuclear Instrumentation as follows:

Reviewer's Note: This supplement rescinds the proposed changes described in ND-19-0168.

Revise COL Appendix A Technical Specification 5.5.14 Setpoint Program (SP) as follows:

c. For each Technical Specification required automatic protection instrumentation function, performance of a CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT) surveillance in accordance with the Setpoint Program shall include the following:

1. The as-found value of the instrument channel trip setting shall be compared with the previously recorded as-left value.

i. If the as-found value of the instrument channel trip setting differs from the previously recorded as-left value by more than the pre-defined test acceptance criteria band (i.e., the specified AFT), then the instrument channel shall be evaluated to verify that it is functioning in accordance with its design basis before declaring the surveillance requirement met and returning the instrument channel to service. An Instrument Channel is determined to be functioning in accordance with its design basis if it can be set to within the ALT. This as-found condition shall be entered into the plant's corrective action program.

ii. If the as-found value of the instrument channel trip setting is less conservative than the specified AFT, the surveillance requirement is not met and the instrument channel shall be immediately declared inoperable.

ND-19-1129 0 Proposed Changes to the Licensing Basis Documents (Publicly Available Information)

(LAR-19-001S1)

Proposed revisions to the VEGP Unit 3 & 4 Updated Final Safety Analysis Report (UFSAR) are described below:

Revise UFSAR Appendix 1A, Conformance With Regulatory Guides, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.118, Rev. 3, 4/95 - Periodic Testing of Electric Power and Protection Systems

General | IEEE Std. 338-1987 | Conforms | Guidelines apply to safety-related dc power systems. Since the AP1000 has no safety-related ac power sources, the guidelines do not apply to the AP1000 ac power sources.

The types of tests described in IEEE 338 Section 6.3 are not all applicable to the protection and safety monitoring system. In certain instances, the self-diagnostics included within the protection and safety monitoring system are used to verify that the safety system is capable of meeting its designed safety function in lieu of manual testing as part of the surveillance program.

Specifically, logic system function tests, response time tests, and, in certain instances, channel checks are not manually performed on the protection and safety monitoring system equipment as part of the AP1000 surveillance program. In these cases, self-diagnostic test features continuously monitor the system.

Functional tests are only performed on the PMS equipment that do not have complete self-diagnostic coverage. The Technical Specifications provide the necessary manual functional testing requirements in these instances (e.g., ALT, TADOT, channel checks).

Channel calibration verification tests are included in the AP1000 surveillance program.

Revise UFSAR 7.1.2.11 Test Subsystem as follows:

Reference 19, Section 6 describes the test subsystem.

The automatic continuous self-diagnostic features of the PMS and application software provide sufficient assurance of PMS component operability where diagnostics are credited.

The faults detected by diagnostics are alarmed and displayed in the Main Control Room.

Operators assess operability of the PMS using the plant alarm response and abnormal operating procedures.

Revise UFSAR 7.3.2.2.6 Capability for Sensor Checks and Equipment Test and Calibration of the Engineered Safety Features Actuation (Paragraphs 5.7 and 6.5 of IEEE 603-1991) as follows:

The discussion of system testability provided in Section 7.1 is applicable to the sensors, signal processing, and actuation logic that initiate engineered safety features actuation.

The testing program meets Regulatory Guide 1.22 as discussed in WCAP-15776 (Reference 1).

The program is as follows:

Prior to initial plant operations, engineered safety features tests are conducted.

Subsequent to initial startup, engineered safety features tests are conducted during each regularly scheduled refueling outage.

During operation of the reactor, the protection and safety monitoring system is tested as described in Subsection 7.1.2.11. In addition, the engineered safety features final actuators, whose operation is compatible with continued plant operation, are tested periodically at power.

Continuity of the wiring is verified for devices that cannot be tested at power without damaging or upsetting the plant. Operability of the final actuated equipment is demonstrated at shutdown.

During reactor operation, the basis for acceptability of engineered safety features actuation is includes the successful completion of the overlapping tests performed on the protection and safety monitoring system. Process indications are used to verify operability of sensors.

Add the section below to 7A.5 WCAP-15776, Safety Criteria for the AP1000 Instrumentation and Control Systems, April 2002 between revisions to Section 3.4 and Section 7 as follows:

Revise Section 3.13, Conformance to the Requirements to Provide Capability for Test and Calibration (Paragraph 5.7 of IEEE 603-1991) as follows:

Capability for testing and calibrating channels and devices used to derive the final system output signal from the various channel signals is provided. Testing from the sensor inputs of the PMS through to the actuated equipment is can be accomplished through a series of overlapping sequential tests with the majority of the tests capable of being performed with the plant at full power. Where testing final equipment at power would upset plant operation or damage equipment, provisions are made to test the equipment at reduced power or when the reactor is shut down.

Each division of the PMS includes a test subsystem. The test subsystem provides the capability for verification of the setpoint values and other constants, and verification that proper signals appear at other locations in the system.

Verification of the signal processing algorithms is made can be accomplished by exercising the test signal sources (either by hardware or software signal injection) and observing the results up to, and including, the attainment of a channel partial trip or actuation signal at the power interface. When required for the test, the tester places the voting logic associated with the channel function under test in bypass.

The capability for overlapping test sequence continues by inputting digital test signals at the output side of the threshold functions, in combinations necessary to verify the voting logic. Some of the input combinations to the coincidence logic cause outputs such as reactor trips and engineered safety feature (ESF) initiation. The reactor trip circuit breaker arrangement is a two-out-of-four logic configuration, such that the tripping of the two circuit breakers associated with one division does not cause a reactor trip. To reduce wear on the breakers through excessive tripping, and to avoid a potential plant trip resulting from a single failure while testing is in progress, the test sequence is designed so that actual opening of the trip breakers is only required when the breaker itself is being tested.

Add the sections below to 7A.8, WCAP-16675-P and WCAP-16675-NP, AP1000 Protection and Safety Monitoring System Architecture Technical Report, as follows:

The following information is added directly after Revise 2.2.5 Interface and Test Processor Subsystems, as follows:

[

SEE INSERT PROVIDED IN ENCLOSURE 4 of ND-19-0168 NOTE: The information provided in Enclosure 4 of ND-19-0168 is considered proprietary and, therefore, is requested to be withheld from public disclosure under 10 CFR 2.390

]a,c

Add the section below to 7A.8, WCAP-16675-P and WCAP-16675-NP, AP1000 Protection and Safety Monitoring System Architecture Technical Report, between revisions to Section 4.2 and Section 6.1.1 as follows:

Revise Section 6, Maintenance, Testing, and Calibration as follows:

Maintenance and testing of the PMS consists of two types of tests: self-diagnostic tests and on-line verification tests. The self-diagnostic tests are built into the AC160 equipment and consist of numerous automatic checks to validate that the equipment and software are performing their functions correctly. Self-diagnostics, as well as on-line On-line verification tests are that can be manually initiated are used to verify that the safety system is capable of performing its intended safety function.

Add the section below to 7A.8, WCAP-16675-P and WCAP-16675-NP, AP1000 Protection and Safety Monitoring System Architecture Technical Report, between revisions to Section 6.1.1 and Section 6.2.2 as follows:

Revise Section 6.2, On-line Verification Tests as follows:

Via the MTP in conjunction with the ITP, the I&C technician can perform manually initiated on-line verification tests to exercise the safety system logic and hardware to verify proper system operation. The ITP and the MTP also provide support for the detection and annunciation of faults by self-diagnostics. Within each PMS division, the ITP interfaces with the NI subsystem, BPL subsystem, LCL subsystem, ILP subsystem, MTP, and the RTCB initiation relays to monitor and test the operational state of the PMS. The ITP together with the MTP provides support for on-line self-diagnostics and testing for the verification of PMS operability overall on-line verification testing.

Revise UFSAR Section 15.0.6, Protection and Safety Monitoring System Setpoints and Time Delays to Trip Assumed in Accident Analyses, as follows:

A reactor trip signal acts to open two trip breaker sets connected in series, feeding power to the control rod drive mechanisms. The loss of power to the mechanism coils causes the mechanisms to release the RCCAs, which then fall by gravity into the core. There are various instrumentation delays associated with each trip function including delays in signal actuation, in opening the trip breakers, and in the release of the rods by the mechanisms. The total delay to trip is defined as the time delay from the time that trip conditions are reached to the time the rods are free and begin to fall. Limiting trip setpoints assumed in accident analyses and the time delay assumed for each trip function are given in Table 15.0-4a. Reference is made in that table to overtemperature and overpower ΔT trip shown in Figure 15.0.3-1. As described in Section 7.2 and in Reference 16, the overpower ΔT trip protects the core from exceeding the design overpower limit, and the overtemperature ΔT trip protects the core from exceeding the DNB design limit. As shown on the figure, the overtemperature ΔT setpoint plus the error allowances tracks the core DNB design limits, except that the setpoint includes an upper limit on allowable inlet temperature.

Table 15.0-4a also summarizes the setpoints and the instrumentation delay for engineered safety features (ESF) functions used in accident analyses. Time delays associated with equipment actuated (such as valve stroke times) by ESF functions are summarized in Table 15.0-4b.

The difference between the limiting setpoint assumed for the analysis and the nominal setpoint represents an allowance for instrumentation channel error and setpoint error. Nominal setpoints are specified in the plant Technical Specifications. During plant startup tests, it is demonstrated that actual instrument time delays are equal to or less than the assumed values. Additionally, the protection system is calibrated and surveillances are performed protection system channels are calibrated and instrument response times are determined periodically in accordance with the plant Technical Specifications.

Southern Nuclear Operating Company ND-19-1129 1 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Revised Conforming Technical Specification Bases Sections (For Information Only)

(LAR-19-001S1)

Reviewer's Note: The revised conforming Technical Specification Bases Mark-up pages provided in this Enclosure supersede the Conforming Technical Specifications Bases Mark-ups provided in Enclosure 5 of ND-19-0168.

Additions are identified by blue text

Deletions are identified by red strikethrough text

Revisions made by this supplement are identified by a revision bar in the right-hand margin

(This Enclosure consists of 70 pages, including this cover page)

Technical Specifications Bases RTS Instrumentation B 3.3.1 VEGP Units 3 and 4 B 3.3.1 - 7 Revision 43 BASES BACKGROUND (continued)

During periodic tests and maintenance performed using the Maintenance and Test Panel and Interface and Test Processor, each BPL subsystem is tested individually. During testing, the LCL processors use the redundant BPL subsystem output for trip status. This permits the division being tested to remain OPERABLE while the testing is being conducted. In combination with manual tests required by Surveillance Requirements, the BPLs are tested via continuous system self-checking features.

Local Coincidence Logic (LCL) System

Each PMS division contains two identical and redundant LCL subsystems receiving the same input signals and performing the same logic. The LCL subsystems perform the logic to combine the partial trip signals from the BPL subsystems and generate a trip output signal to the Reactor Trip Initiation logic.

Eight LCL subsystems are provided in the PMS architecture. Each of the LCL subsystems receives partial reactor trip signals and status signals from each of the eight BPL subsystems. In normal operation, the LCL logic is programmed to assume that a partial trip signal in either BPL subsystem in a given division is equivalent to a partial trip signal.

In the event that a single BPL processor or associated datalink failure in a division is detected by diagnostics, the LCL logic will reject the input from the failed component and use the input from the other BPL subsystem from the affected division as the source of the trip information. This allows the function logic to remain in a 2oo4 logic configuration.

LCL processors will only permit bypass of both BPL inputs of a given function from one division (such as due to a failed sensor). In the event of a division bypass, the LCL reverts to 2oo3 logic in the affected function.

The LCL subsystems act to initiate a reactor trip when the required number of divisions reaches a partial trip state (e.g., 2oo4, 1oo2).
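The coincidence voting described above, modelled as an added Python example (it is not part of the submittal or of the PMS software). The class and function names are hypothetical, and raising an error when both BPL inputs of an unbypassed division are rejected is an assumption, because the text does not describe that case.

```python
"""Toy model of the LCL coincidence vote described in the Bases text."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class BplInput:
    partial_trip: bool      # partial trip signal sent to the LCL
    healthy: bool = True    # False: diagnostics flagged the processor or datalink


@dataclass(frozen=True)
class Division:
    bpl_a: BplInput
    bpl_b: BplInput
    bypassed: bool = False  # both BPL inputs of this function bypassed


@dataclass(frozen=True)
class Vote:
    trip: bool
    logic: str              # coincidence in effect, e.g. "2oo4" or "2oo3"
    votes: int              # divisions currently in partial trip


def division_partial_trip(div: Division) -> bool:
    """A partial trip from either usable BPL counts as the division's partial trip.

    Inputs from a BPL flagged by diagnostics are rejected, so a stale or
    spurious signal from the failed subsystem cannot vote.
    """
    usable = [b for b in (div.bpl_a, div.bpl_b) if b.healthy]
    if not usable:
        # Assumption: the text does not say how this case is handled.
        raise ValueError("both BPL inputs rejected; case not described in the text")
    return any(b.partial_trip for b in usable)


def lcl_vote(divisions: Sequence[Division], required: int = 2) -> Vote:
    """Evaluate one trip function across the four PMS divisions."""
    if len(divisions) != 4:
        raise ValueError("the PMS architecture has four divisions")
    if sum(d.bypassed for d in divisions) > 1:
        raise ValueError("bypass is permitted for one division only")
    # A bypassed division drops out of the vote: 2oo4 becomes 2oo3.
    voting = [d for d in divisions if not d.bypassed]
    votes = sum(division_partial_trip(d) for d in voting)
    return Vote(votes >= required, f"{required}oo{len(voting)}", votes)


# Constructed sample inputs (not plant data).
OK = BplInput(partial_trip=False)
TRIP = BplInput(partial_trip=True)
STALE = BplInput(partial_trip=True, healthy=False)  # failed BPL stuck at "trip"
QUIET = Division(OK, OK)

if __name__ == "__main__":
    cases = {
        "one division tripped": [Division(TRIP, OK), QUIET, QUIET, QUIET],
        "two divisions tripped": [Division(TRIP, OK), Division(OK, TRIP), QUIET, QUIET],
        "failed BPL rejected": [Division(STALE, OK), Division(TRIP, TRIP), QUIET, QUIET],
        "division bypassed": [Division(OK, OK, bypassed=True), Division(TRIP, OK),
                              Division(OK, TRIP), QUIET],
    }
    for name, divs in cases.items():
        print(name, lcl_vote(divs))
```
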

Each LCL subsystem provides four contact outputs to the Reactor Trip Initiation logic, two for the Undervoltage (UV) RTM and two for the Shunt Trip (ST) RTM.

The LCL also provides for the bypass of trip functions to accommodate periodic tests and maintenance. During LCL subsystem testing, each LCL subsystem is tested individually. During testing, the redundant LCL subsystem is available to provide the UV and ST output signals to the RTMs. This permits the division being tested to remain OPERABLE while the testing is being conducted. In combination with manual tests required by Surveillance Requirements, the LCLs are tested via continuous system self-checking features.

Reactor Trip Initiation Logic

The Reactor Trip Matrix (RTM) acts as an interface between the LCL subsystems and the RTBs. The RTM receives contact inputs from the LCL subsystems and performs the logic to determine if a division will issue a reactor trip command.

Each PMS division contains two redundant RTMs; one is configured as a ST matrix and the other a UV matrix. The combination of the two forms the complete RTM for a given division. If the ST logic is satisfied, the RTB ST coils are energized, opening both RTBs in the division. If the UV logic is satisfied, the RTB UV coils are de-energized, opening both RTBs in the division.

The PMS boundary ends at the interposing relay contacts of the RTMs.

Manual RT

A manual reactor trip is initiated from the MCR by redundant momentary switches. The switches directly control the power from the RTM logic, actuating the UV and ST attachments in all four divisions.

Nominal Trip Setpoint (NTS)

The NTS is the nominal value at which the trip output is set. Any trip output is considered to be properly adjusted when the as-left value is within the band for CHANNEL CALIBRATION (i.e., +/- rack calibration accuracy).

The trip setpoints used in the trip output are based on the Safety Analysis Limits stated in Reference 2. The determination of these NTSs is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the NTSs specified in the SP are conservative with respect to the Safety Analysis Limits. A detailed description of the methodology used to calculate the NTSs, including their explicit uncertainties, is provided in the Westinghouse Setpoint Methodology for Protection Systems (Ref. 3).

The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL OPERATIONAL TEST (COT) is defined as the as-left limit about the NTS (i.e., +/- rack calibration accuracy).

The NTSs listed in the SP are based on the methodology described in Reference 3, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTS. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.

The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The basis of the setpoints is described in References 2 and 3. Trending of calibration results is required by the program description in Technical Specifications 5.5.14.d.

Note that the as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION or COT that requires trip setpoint verification. Trip setpoints are continuously and automatically verified by PMS self-checking features between performances of CHANNEL CALIBRATIONS.

Before unit startup, the CHANNEL CALIBRATION verifies that the trip setpoint values in the Maintenance and Test Panel (MTP) match the SP specified values.

The Protection and Safety Monitoring System testing features are designed to allow for complete functional testing by using a combination of system self-checking and manual testsfeatures, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded. For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing. To the extent possible, Protection and Safety Monitoring System functional testing will be accomplished with continuous system self-checking features in lieu of manual surveillance tests. As a result, some functions do not have manual surveillance requirements and the continuous functional testing features.

The Protection and Safety Monitoring System incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the computer system and the hardware and communications tests. Faults detected by the self-checking features are alarmed in the main control room. These self-checking tests do not interfere with normal system operation.

In addition to the self-checking features, the system includes functional testing features. Functional testing features include continuous functional testing features and manually initiated functional testing features. To the extent practical, functional testing features are designed not to interfere with normal system operation.

In addition to the system self-checking features and functional testing features, other test features Manual tests are included for those parts of the system which are not tested with self-checking features or functional testing features. These test features allow for instruments/sensor checks.

This includes manual functional checks, calibration verification, response time testing, setpoint verification and component testing. The test features again include a combination of continuous testing features and manual testing features.

All of the tests testing features are designed so that the duration of the testing is as short as possible. The manual tests Testing features are designed so that the actual logic is not modified. To prevent unwanted actuation, the teststesting features are designed with either the capability to bypass a Function during testing and/or limit the number of signals allowed to be placed in test at one time.

APPLICABLE SAFETY ANALYSES, LCOs, and APPLICABILITY

The RTS functions to maintain compliance with the SLs during all AOOs and mitigates the consequences of DBAs in all MODES in which the RTBs are closed.

Each of the analyzed accidents and transients which require reactor trip can be detected by one or more RTS Functions. The accident analysis described in Reference 2 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. These RTS trip Functions may provide protection for conditions which do not require dynamic transient analysis to demonstrate function performance. These RTS trip Functions may also serve as backups to RTS trip Functions that were credited in the accident analysis.

Permissive and interlock functions are based upon the associated protection function instrumentation. Because they do not have to operate in adverse environmental conditions, the trip settings of the permissive and interlock functions use the normal environment, steady-state instrument uncertainties of the associated protection function instrumentation. This results in OPERABILITY criteria (i.e., as-found

Technical Specifications Bases RTS Instrumentation B 3.3.1 VEGP Units 3 and 4 B 3.3.1 - 26 Revision 43 BASES ACTIONS (continued)

more channels are inoperable for a Function, thermal power must be reduced to below the P-10 interlock; a condition in which the LCO does not apply. The allowed Completion Time is reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The SRs for each RTS Function are identified in the SRs column of Table 3.3.1-1 for that Function.

A Note has been added to the SR table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

The CHANNEL CALIBRATION and COT areis performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies. In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measuredFor channels that include dynamic transfer functions, such as, lag, lead/lag, rate/lag, the response time test may be performed with the transfer function set to one, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time (Ref. 1). Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

SR 3.3.1.1

Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

The Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate the performance of the CHANNEL CHECK.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment have drifted outside their corresponding limits.

SR 3.3.1.21

This SR 3.3.1.2 compares the calorimetric heat balance to the nuclear instrumentation channel output every 24 hours. If the calorimetric measurement at 15% RTP, differs from the nuclear instrument channel output by > 5% RTP, the nuclear instrument channel is not declared inoperable, but must be adjusted. If the nuclear instrument channel output cannot be properly adjusted, the channel is declared inoperable.

Two Notes modify this SR 3.3.1.2. The first Note clarifies that this Surveillance is required only if reactor power is 15% RTP and that 12 hours is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels the calorimetric data from feedwater flow venturi measurements are less accurate. The second Note is required because, at power levels 15% RTP, calorimetric uncertainty and control rod insertion create the potential for miscalibration of the nuclear instrumentation channel. Therefore, if the calorimetric heat measurement is 15% RTP, and if the nuclear instrumentation channel indicated power is lower than the calorimetric measurement by > 5% RTP, then the nuclear instrumentation channel shall be adjusted upward to match the calorimetric measurement. No nuclear instrumentation channel adjustment is required if the nuclear instrumentation channel is higher than the calorimetric measurement.

The Frequency of every 24 hours is adequate based on plant operating experience, considering instrument reliability and operating history data for instrument drift. Together, these factors demonstrate the change in the absolute difference between nuclear instrumentation and heat balance calculated powers rarely exceeds 5% RTP in any 24 hours period.

In addition, main control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.32

This SR 3.3.1.3 compares the calorimetric heat balance to the calculated T power (qT) in each Division every 24 hours. If the calorimetric measurement between 70% and 100% RTP, differs from the calculated T power by > 3% RTP, the Function is not declared inoperable, but the conversion factor, T°, must be adjusted. If T° cannot be properly adjusted, the Function is declared inoperable in the affected Division(s).

Three Notes modify this SR 3.3.1.3. The first Note indicates that T° shall be adjusted consistent with the calorimetric results if the absolute difference between the calculated T power and the calorimetric measurement between 70% and 100% RTP is > 3% RTP.

The second Note clarifies that this Surveillance is required only if reactor power is 50% RTP and that 12 hours is allowed for performing the first Surveillance after reaching 50% RTP. At lower power levels, the calorimetric data from feedwater flow venturi measurements are less accurate. The calculated T power is normally stable (less likely to need adjustment or to be grossly affected by changes in the core loading pattern than the nuclear instrumentation), and its calibration should not be unnecessarily altered by a possibly inaccurate calorimetric measurement at low power.

The third Note is required because at power levels below 70%, calorimetric uncertainty creates the potential for non-conservative adjustment of the T° conversion factor, in cases where the calculated T power would be reduced to match the calorimetric power. Therefore, if the calorimetric heat measurement is less than 70% RTP, and if the calculated T power is lower than the calorimetric measurement by > 5%, then the T° conversion factor shall be adjusted so that the calculated T power matches the calorimetric measurement. No T° conversion factor adjustment is required if the calculated T power is higher than the calorimetric measurement.

The Frequency of every 24 hours is based on plant operating experience, considering instrument reliability and the limited effects of fuel burnup and rod position changes on the accuracy of the calculated T power.

SR 3.3.1.43

This SR 3.3.1.4 compares the AXIAL FLUX DIFFERENCE determined using the incore system to the nuclear instrument channel AXIAL FLUX DIFFERENCE every 31 effective full power days (EFPD) and adjusts the excore nuclear instrument channel if the absolute difference between the incore and excore AFD is 1.5% AFD.

Each nuclear instrument channel is calibrated to an average weighted peripheral AFD, which accounts for the fact that neutron leakage from the peripheral fuel assemblies nearest each excore detector will have the largest effect on the channel response. This calibration method reduces the effect of changes in the radial power distribution, caused by either burnup or control rod motion, on the channel AFD calibration. The calibration method is consistent with the development of the f(I) penalty functions for the overpower T and overtemperature T functions, which are made a function of the same average weighted peripheral AFD (i.e., the AFD used in determining the f(I) penalty is calculated using the same radial weighting factors as are used to calibrate the excore detector nuclear instrument channels). The incore AFD used as the basis for comparison when performing this SR 3.3.1.4 is also calculated in the same weighted peripheral manner.

If the absolute difference is 1.5% AFD the nuclear instrument channel is still OPERABLE, but must be readjusted. If the nuclear instrument channel cannot be properly readjusted, the channel is declared inoperable. This surveillance is performed to verify the f(I) input to the overpower T and overtemperature T functions.

Two Notes modify this SR 3.3.1.4. The first Note indicates that the excore nuclear instrument channel shall be adjusted if the absolute difference between the incore and excore AFD is 1.5% AFD. Note 2 clarifies that the Surveillance is required only if reactor power is 20% RTP and that 24 hours is allowed for performing the first Surveillance after reaching 20% RTP. Below 20% RTP, the design of the incore detector system, low core power density, and detector accuracy make use of the incore detectors inadequate for use as a reference standard for comparison to the excore channels.

The Frequency of every 31 EFPD is adequate based on plant operating experience, considering instrument reliability and operating history data for instrument drift. Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.

SR 3.3.1.54

This SR 3.3.1.5 is a calibration of the excore channels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be adjusted to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(I) input to the overtemperature T Function.

A Note modifies this SR 3.3.1.5. The Note states that this Surveillance is required only if reactor power is > 50% RTP and that 24 hours is allowed for performing the first surveillance after reaching 50% RTP.

The Frequency of 92 EFPD is adequate based on industry operating experience, considering instrument reliability and operating history data for instrument drift.

SR 3.3.1.6

SR 3.3.1.6 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The SR 3.3.1.6 testing is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.

This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended Function.

A test subsystem is provided with the Protection and Safety Monitoring System to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, Protection and Safety Monitoring System functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

This test frequency of 92 days is justified based on Reference 6 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the Protection and Safety Monitoring System cabinets to the operator within 10 minutes of a detectable failure.

During the COT, the Protection and Safety Monitoring System cabinets in the division under test may be placed in bypass.

SR 3.3.1.7

SR 3.3.1.7 is the performance of a COT as described in SR 3.3.1.6 (which refers to this test as an RTCOT), except it is modified by a Note that allows this surveillance to be satisfied if it has been performed within the previous 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The Frequency of prior to reactor startup ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of 4 hours after reducing power below P-10 allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-10.

The MODE of Applicability for this surveillance is < P-10 for the power range low channels. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10) for periods > 4 hours.

SR 3.3.1.85

A CHANNEL CALIBRATION is performed every 24 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The differences between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

This SR 3.3.1.8 is modified by a Note stating that this test shall include verification that the time constants are adjusted to within limits where applicable.

SR 3.3.1.96

This SR 3.3.1.9 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.

This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric and flux map performed above 20% RTP. Below 20% RTP, the design of the incore detector system, low core power density, and detector accuracy make use of the incore detectors inadequate for use as a reference standard for comparison to the excore channels.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.


The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 24 month Frequency.

SR 3.3.1.107

This SR 3.3.1.10 is the performance of a TADOT of the Passive Residual Heat Removal Actuation valve position indicator contact inputs. This TADOT is performed every 24 months.

The Frequency is based on the known reliability of the Function and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.

SR 3.3.1.118

This SR 3.3.1.11 verifies that the individual channel/division actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response Time testing criteria are included in Reference 1.

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured. For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.


Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 8), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

The Passive Residual Heat Removal (PRHR) Actuation Function RTS RESPONSE TIME is the time interval between input of a PRHR discharge valve not-fully-closed position feedback signal and the loss of gripper coil voltage. The RTS RESPONSE TIME for the PRHR actuation does not include testing actuation of the discharge valves by ESFAS instrumentation signals because it cannot be tested if an ESFAS function (e.g., CMT Actuation) has already caused a reactor trip.

Each division response must be verified every 24 months on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

The SR 3.3.1.11 is modified by a note indicating that neutron detectors may be excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.


Technical Specifications Bases RTS Source Range Instrumentation B 3.3.2 VEGP Units 3 and 4 B 3.3.2 - 4 Revision 39 BASES ACTIONS (continued)

E.1 and E.2

Condition E is entered when the Required Action and associated Completion Time of Condition D is not met. If three of the four required source range instrumentation channels are not restored to OPERABLE status within the allowed Completion Time, Required Action E.1 requires that action be initiated to fully insert all rods within 1 hour, and Required Action E.2 requires that the PLS be placed in a condition incapable of rod withdrawal within 1 hour. The allowed Completion Time is reasonable, based on operating experience, to reach the specified condition in an orderly manner and without challenging plant systems.

F.1

Condition F addresses the situation where three or more source range instrumentation channels are inoperable. With three or more channels inoperable, single failure criterion cannot be met and the reactor trip breakers must be opened immediately.

SURVEILLANCE REQUIREMENTS

The CHANNEL CALIBRATION and COT are is performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies. For channels that include dynamic transfer functions, such as, lag, lead/lag, rate/lag, the response time test may be performed with the transfer function set to one, In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time (Ref. 1). Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

SR 3.3.2.1

Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two

one of the channels or of even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment have drifted outside their corresponding limits.

The Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate the performance of the CHANNEL CHECK.

SR 3.3.2.2

SR 3.3.2.2 is the performance of a COT. The testing is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.

This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended Function.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.


Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

This test frequency of 92 days is justified based on Reference 2 (which refers to this test as RTCOT) and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the protection and safety monitoring system cabinets to the operator within 10 minutes of a detectable failure.

SR 3.3.2.2 is modified by two Notes. The first Note allows this surveillance to be satisfied if it has been performed within the previous 92 days. The second Note provides a 4 hour delay in the requirement to perform this Surveillance when entering MODE 3 from MODE 2. This note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.2.2 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for a time greater than 4 hours, this Surveillance must be performed prior to 4 hours after entry into MODE 3.


The Frequency of prior to reactor startup ensures this surveillance is performed prior to critical operations. The Frequency of 4 hours after reducing power below P-6 allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-6. The MODE of Applicability for this surveillance is < P-6. If power is to be maintained < P-6 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source range instrumentation channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-6) for periods > 4 hours.

During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.2.32

This SR 3.3.2.3 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.

This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

The CHANNEL CALIBRATION for the source range neutron detectors consists of obtaining the preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data.


Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 24 month Frequency.

SR 3.3.2.43

This SR 3.3.2.4 verifies that the individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response Time testing criteria are included in Reference 1.

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel.

Each channel response must be verified every 24 months on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR 3.3.2.4 is modified by a note exempting neutron detectors from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.
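The summation method of response time verification described in B 3.3.1 and repeated in B 3.3.2 can be sketched as follows. This is an added example, not part of the submittal or of any plant procedure; the sensor-type label, segment names, times and the 1.0 s limit are constructed, and the eligible-sensor set stands in for the sensors identified in WCAP-13632-P-A.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical label standing in for a sensor type identified in the WCAP.
ALLOCATION_ELIGIBLE_SENSORS = frozenset({"pressure_xmtr_model_A"})
# Segment kinds for which the Bases allow an allocated value in the summation.
ALLOCATABLE_KINDS = frozenset({"sensor", "signal_processing", "actuation_logic"})
MAX_RESPONSE_S = 1.0  # constructed limit; real values come from the accident analysis


@dataclass(frozen=True)
class Segment:
    name: str
    kind: str                            # sensor | signal_processing | actuation_logic | remainder
    measured_s: Optional[float] = None   # result of an actual response time test
    allocated_s: Optional[float] = None  # allocated value, if one exists
    sensor_type: Optional[str] = None
    excluded_by_note: bool = False       # e.g. neutron detectors


def segment_time(seg: Segment) -> Tuple[Optional[float], str]:
    """Return (seconds, basis), or (None, reason) when no acceptable value exists."""
    if seg.excluded_by_note:
        return 0.0, "excluded by Note"
    if seg.measured_s is not None:
        return seg.measured_s, "measured"
    if seg.allocated_s is None:
        return None, "no measured or allocated value"
    if seg.kind not in ALLOCATABLE_KINDS:
        return None, "remainder of channel must be measured"
    if seg.kind == "sensor" and seg.sensor_type not in ALLOCATION_ELIGIBLE_SENSORS:
        return None, "sensor type not covered by allocation basis; test required"
    return seg.allocated_s, "allocated"


def verify_channel(segments: List[Segment], max_response_s: float) -> Dict:
    """Sum measured and allocated segment times and compare with the limit."""
    total, basis, gaps = 0.0, {}, []
    for seg in segments:
        value, why = segment_time(seg)
        if value is None:
            gaps.append(f"{seg.name}: {why}")
        else:
            total += value
            basis[seg.name] = why
    if gaps:
        status = "NOT VERIFIED"   # a segment lacks an acceptable basis
    elif total <= max_response_s:
        status = "PASS"
    else:
        status = "FAIL"
    return {"status": status, "total_s": round(total, 6), "basis": basis, "gaps": gaps}


# Constructed channels.
CHANNEL_OK = [
    Segment("pressure sensor", "sensor", allocated_s=0.40,
            sensor_type="pressure_xmtr_model_A"),
    Segment("signal processing", "signal_processing", allocated_s=0.25),
    Segment("actuation logic", "actuation_logic", allocated_s=0.10),
    Segment("remainder of channel", "remainder", measured_s=0.15),
]
CHANNEL_UNCOVERED_SENSOR = [
    Segment("temperature sensor", "sensor", allocated_s=0.40, sensor_type="rtd_model_X"),
    Segment("signal processing", "signal_processing", allocated_s=0.25),
    Segment("actuation logic", "actuation_logic", allocated_s=0.10),
    Segment("remainder of channel", "remainder", measured_s=0.15),
]
CHANNEL_SLOW = [
    Segment("neutron detector", "sensor", excluded_by_note=True),
    Segment("signal processing", "signal_processing", allocated_s=0.25),
    Segment("actuation logic", "actuation_logic", allocated_s=0.10),
    Segment("remainder of channel", "remainder", measured_s=0.80),
]

if __name__ == "__main__":
    for label, channel in [("ok", CHANNEL_OK), ("uncovered", CHANNEL_UNCOVERED_SENSOR),
                           ("slow", CHANNEL_SLOW)]:
        print(label, verify_channel(channel, MAX_RESPONSE_S))
```

A channel with an uncovered sensor type is reported as not verified rather than passed on its allocated figure, which mirrors the statement that other sensor types must be demonstrated by test.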

REFERENCES

1. FSAR Chapter 7.0, Instrumentation and Controls.

2. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.


Technical Specifications Bases RTS Intermediate Range Instrumentation B 3.3.3 VEGP Units 3 and 4 B 3.3.3 - 4 Revision 1 BASES ACTIONS (continued)

intermediate range instrumentation channels inoperable, three of the four required channels must be restored to OPERABLE status prior to increasing THERMAL POWER above the P-6 setpoint. With the unit in this condition, below P-6, the Source Range Neutron Flux channels perform the monitoring and protection functions.

D.1, D.2, and D.3

Condition D addresses the situation where three or more intermediate range instrumentation channels are inoperable. With three or more channels inoperable, operations involving positive reactivity addition must be suspended immediately. This will preclude any power level increase since there are insufficient OPERABLE Intermediate Range channels to adequately monitor power escalation. In addition, THERMAL POWER must be reduced below the P-6 interlock setpoint within 2 hours, and the plant must be placed in MODE 3 within 7 hours. The allowed Completion Times for Required Actions D.2 and D.3 are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The CHANNEL CALIBRATION and COT are is performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies. For channels that include dynamic transfer functions, such as, lag, lead/lag, rate/lag, the response time test may be performed with the transfer function set to one, In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time (Ref. 1). Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.


SR 3.3.3.1

Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment have drifted outside their corresponding limits.

This SR is modified by a Note. The Note states that the SR is not applicable in MODE 1. In MODE 1, the OPERABILITY of the Intermediate Range Neutron Instrumentation is verified by self-checking features in lieu of performing a CHANNEL CHECK.

The Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate the performance of the CHANNEL CHECK.

SR 3.3.3.2

SR 3.3.3.2 is the performance of a COT. The testing is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.

This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended Function.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

This test frequency of 92 days is justified based on Reference 2 (which refers to this test as RTCOT) and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the protection and safety monitoring system cabinets to the operator within 10 minutes of a detectable failure.
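The COT discussions in B 3.3.2 and B 3.3.3 rest on three continuous checks: the software code has not changed, the code is executing (deadman timer), and redundant channels agree. The sketch below is an added example, not the protection and safety monitoring system's implementation; the SHA-256 baseline comparison, the median-based cross-check, the latency bound (scan period plus deadman timeout) and every value are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

REPORT_LIMIT_S = 600.0  # the Bases cite reporting within 10 minutes of a detectable failure


def image_digest(image: bytes) -> str:
    """Digest of the loaded code image (SHA-256 is this example's choice)."""
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class DivisionState:
    name: str
    image: bytes             # bytes of the code as currently loaded
    last_heartbeat_s: float  # last time the code reset its deadman timer
    output: float            # value the division currently reports


def check_division(div: DivisionState, baseline_digest: str,
                   now_s: float, deadman_timeout_s: float) -> List[str]:
    """Software functional test: code unchanged and code executing."""
    findings = []
    if not hmac.compare_digest(image_digest(div.image), baseline_digest):
        findings.append("code changed")
    if now_s - div.last_heartbeat_s > deadman_timeout_s:
        findings.append("code not executing")
    return findings


def cross_check(divisions: List[DivisionState], agreement_criterion: float) -> List[str]:
    """Names of divisions whose output deviates from the median of all divisions."""
    reference = median(d.output for d in divisions)
    return [d.name for d in divisions if abs(d.output - reference) > agreement_criterion]


def run_diagnostics(divisions: List[DivisionState], baseline_digest: str, now_s: float,
                    deadman_timeout_s: float, agreement_criterion: float,
                    scan_period_s: float) -> Dict:
    report = {d.name: check_division(d, baseline_digest, now_s, deadman_timeout_s)
              for d in divisions}
    for name in cross_check(divisions, agreement_criterion):
        report[name].append("output disagrees with redundant channels")
    # Assumed bound: a stall just after a heartbeat is seen once the timer
    # expires and the next diagnostic scan runs.
    worst_case_s = scan_period_s + deadman_timeout_s
    return {
        "findings": {name: f for name, f in report.items() if f},
        "worst_case_report_s": worst_case_s,
        "meets_report_limit": worst_case_s <= REPORT_LIMIT_S,
    }


# Constructed inputs: one healthy division and three with one fault each.
BASELINE_IMAGE = b"constructed application image, release 1"
BASELINE_DIGEST = image_digest(BASELINE_IMAGE)
NOW_S = 1000.0
DIVISIONS = [
    DivisionState("A", BASELINE_IMAGE, 999.0, 100.2),
    DivisionState("B", BASELINE_IMAGE + b" (modified)", 999.0, 100.0),
    DivisionState("C", BASELINE_IMAGE, 900.0, 99.9),   # heartbeat stale
    DivisionState("D", BASELINE_IMAGE, 999.0, 104.5),  # output drifted
]

if __name__ == "__main__":
    print(run_diagnostics(DIVISIONS, BASELINE_DIGEST, NOW_S,
                          deadman_timeout_s=5.0, agreement_criterion=1.0,
                          scan_period_s=60.0))
```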

SR 3.3.3.2 is modified by a Note. The Note allows this surveillance to be satisfied if it has been performed within 92 days of the Frequencies prior to reactor startup and four hours after reducing power below P-10. The Frequency of prior to reactor startup ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of 4 hours after reducing power below P-10 allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-10. The MODE of Applicability for this surveillance is < P-10. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS intermediate range instrumentation channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10) for periods > 4 hours.

During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.3.32 This SR 3.3.3.3 is the performance of a CHANNEL CALIBRATION every 24 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable.

This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

The CHANNEL CALIBRATION for the intermediate range neutron detectors consists of obtaining the detector plateau curves, evaluating those curves, and comparing the curves to the manufacturer's data.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 24 month Frequency.

SR 3.3.3.43 This SR 3.3.3.4 verifies that the individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response Time testing criteria are included in Reference 1.

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one,In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel.

Each channel response must be verified every 24 months on a STAGGERED TEST BASIS (i.e., all four Protection Channel Sets would be tested after 96 months). Response times cannot be determined during plant operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed on a refueling frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR 3.3.3.4 is modified by a note exempting neutron detectors from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

REFERENCES

1. FSAR Chapter 7.0, Instrumentation and Controls.

2. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.

Technical Specifications Bases RTS Automatic Trip Logic B 3.3.6 VEGP Units 3 and 4 B 3.3.6 - 2 Revision 39 BASES ACTIONS (continued)

B.1

Condition B addresses the situation where the Required Action and associated Completion Time of Condition A is not met, or there are three or more divisions inoperable in MODE 1 or 2. Required Action B.1 directs that the plant must be placed in MODE 3 within 6 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems.

C.1

Condition C addresses the situation where one or two RTS Automatic Trip Logic divisions are inoperable in MODE 3, 4, or 5. With one or two divisions inoperable, the Required Action is to restore three of four divisions to OPERABLE status within 48 hours. Restoring all channels but one to OPERABLE status ensures that a single failure will not prevent the protective function, nor will it cause the protective function (with the exception of a limited number of PMS component failures). The 48 hour Completion Time is considered reasonable since the protective function will still function.

D.1 and D.2

Condition D addresses the situation where the Required Action and associated Completion Time of Condition C is not met, or three or more RTS Automatic Trip Logic divisions are inoperable in MODE 3, 4, or 5.

Required Action D.1 requires that action be initiated to fully insert all control rods within 1 hour, and Required Action D.2 requires that the Plant Control System be placed in a condition incapable of rod withdrawal within 1 hour. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.3.6.1None are required due to self-checking features that continuously monitor logic OPERABILITY and alert the operator to any failures. The OPERABILITY of the Reactor Trip Digital Outputs and the Reactor Trip Matrix Termination Units are verified by the TADOT performed in SR 3.3.7.1.

SR 3.3.6.1 is the performance of an ACTUATION LOGIC TEST every 92 days.

An ACTUATION LOGIC TEST is performed on each channel to provide reasonable assurance that the entire channel will perform the intended Function. The test demonstrates that the Local Coincidence Logic (LCL) performs the required coincidence logic using injected, partial trip signals and communicates reactor trip signals to the Reactor Trip Switchgear Interface Logic.

The LCL to Reactor Trip Matrix (RTM) test provides verification of proper operation of the LCL Reactor Trip (RT) Processor Module (PM) voting logic and digital outputs. Test signals are injected into the voting logic of one of the four redundant LCL RT PMs. Injecting the correct combination of test signals, simulating the partial trip signals from the eight redundant BPL PMs, satisfies the voting logic and actuates the undervoltage and shunt trip outputs of the associated digital output (DO) module. The LCL to RTM test provides overlap with the Reactor Trip Digital Output (RTDO) to Reactor Trip Circuit Breaker (RTCB) test in SR 3.3.7.1 (TADOT). Each RT PM can be individually tested and its output monitored at the RTM without tripping any of the reactor trip breakers.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the ACTUATION LOGIC TEST.

The test subsystem is designed to allow for complete functional testing by using a combination of system self checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The ACTUATION LOGIC TEST shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the ACTUATION LOGIC TEST cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the ACTUATION LOGIC TEST can be performed using portable test equipment.

This test frequency of 92 days is justified based on Reference 1 (which refers to this test as RTCOT) and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the protection and safety monitoring system cabinets to the operator within 10 minutes of a detectable failure.

During the ACTUATION LOGIC TEST, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

REFERENCES

1. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.None

Technical Specifications Bases RTS Trip Actuation Devices B 3.3.7 VEGP Units 3 and 4 B 3.3.7 - 3 Revision 39 BASES ACTIONS (continued)

C.1

Condition C addresses the situation where the Required Action and associated Completion Time of Condition A or B are not met in MODE 1 or 2, or there are one or both RTS Trip Actuation functions within three or more divisions inoperable in MODE 1 or MODE 2. Required Action C.1 directs that the plant must be placed in MODE 3 within 6 hours. The allowed Completion Time for Required Action C.1 is reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems.

D.1 and D.2

Condition D addresses the situation where the Required Action and associated Completion Time of Condition A or B are not met in MODE 3, 4, or 5, or there are one or both RTS Trip Actuation functions within three or more divisions inoperable in MODE 3, 4, or 5. Required Action D.1 requires initiating action to fully insert all control rods within 6 hours, and Required Action D.2 requires that the Plant Control System be placed in a condition incapable of rod withdrawal within 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.7.1

SR 3.3.7.1 is the performance of a TADOT on the Reactor Trip Digital Outputs, the Reactor Trip Matrix Termination Units, and on both reactor trip breakers associated with a single division every 92 days on a STAGGERED TEST BASIS for four divisions. This test shall verify OPERABILITY by actuation of the end devices.

The Reactor Trip Breaker (RTB) test shall include separate verification of the undervoltage and shunt trip mechanisms. Each RTB in a division shall be tested separately in order to minimize the possibility of an inadvertent trip. Both breakers in a single division are tested during each STAGGERED TEST.

The Frequency of every 92 days on a STAGGERED TEST BASIS is adequate based on industry operating experience, considering instrument reliability and operating history data. In addition, the design provides additional breakers to enhance reliability.

REFERENCES

1. FSAR Chapter 15.0, Accident Analysis.

Technical Specifications Bases ESFAS Instrumentation B 3.3.8 VEGP Units 3 and 4 B 3.3.8 - 6 Revision 44 BASES BACKGROUND (continued)

Bistable Processor Logic (BPL) System

Each PMS division contains two identical and redundant BPL subsystems receiving the same input signals and performing the same calculations and logic. The BPL subsystems receive data from field sensors and manual inputs (such as system-level blocks and resets) from the MCR to perform the protective function calculations.

Within each division, the input from each sensor is provided in parallel to each of the two BPL subsystems' analog or digital input modules. Analog transmitter and sensor measurements are converted from analog to digital form by analog to digital input modules within the BPL subsystems.

Signal conditioning may be applied to selected inputs following the conversion to digital form. The subsystems provide signal outputs for MCR indications and via the Plant Control System (PLS) for the non-safety related Remote Shutdown Workstation indications.

Following necessary calculations, processing, and logic, the measurements are compared against the applicable setpoints. The basis of the setpoints is described in References 2 and 6. The results of the required calculations and setpoint comparisons determine the partial actuation status for each ESF actuation function.

The partial ESF actuation signals are transmitted to all eight LCLs in the PMS for use in coincidence logic voting. The PMS uses datalinks to communicate the partial actuations and related status information calculated in the BPL subsystems to the LCL subsystems. These datalinks are used both locally within a division and externally across divisions. A partial actuation signal from either BPL subsystem in a division is interpreted by the LCL coincidence logic as a partial actuation signal.

During periodic tests and maintenance performed using the Maintenance and Test Panel and Interface and Test Processor, each BPL subsystem is tested individually. During testing, the LCL processors use the redundant BPL subsystem for actuation status. This permits the division being tested to remain OPERABLE while the testing is being conducted. In combination with manual tests required by Surveillance Requirements, the BPLs are tested via continuous system self-checking features.

ESF Coincidence Logic (Local Coincidence Logic (LCL) System)

Each PMS division contains two identical and redundant LCL subsystems receiving the same input signals and performing the same logic. The LCL subsystems perform the logic to combine the partial actuation signals from the BPL subsystems, along with automatic and manual permissives, blocks, and resets, and generate an actuation output signal to the ESF Actuation Subsystem Logic (Integrated Logic Cabinet (ILC)).

Eight LCL subsystems are provided in the PMS architecture. Each of the LCL subsystems receives partial ESF actuation signals and status signals from each of the eight BPL subsystems. In normal operation, the LCL logic is programmed to assume that a partial actuation signal in either BPL subsystem in a given division is equivalent to a partial actuation signal.

In the event that a single BPL processor or associated datalink failure in a division is detected by diagnostics, the LCL logic will reject the input from the failed component and use the input from the other BPL subsystem from the affected division as the source of actuation information. This allows the function logic to remain in a 2oo4 logic configuration.

LCL processors will only permit bypass of both BPL inputs of a given function from one division (such as due to a failed sensor). In the event of a division bypass, the LCL reverts to 2oo3 logic in the affected function.

The LCL subsystems act to initiate an ESF actuation when the required number of divisions reaches a partial actuation state (e.g., 2oo4, 1oo2).

The LCL also provides for the bypass of actuation functions to accommodate periodic tests and maintenance. During LCL subsystem testing, each LCL subsystem is tested individually. During testing, the redundant LCL subsystem is available to provide output signals to the ILCs. This permits the division being tested to remain OPERABLE while the testing is being conducted. In combination with manual tests required by Surveillance Requirements, the LCLs are tested via continuous system self-checking features.

Within each division, datalinks transfer the ESF system-level actuations and related status information calculated in the LCL controllers to the ESF Actuation Subsystem. Actuation signals from both LCL subsystems are transmitted to the redundant ILPs in each ILC.

MCR ESF Manual Controls

Each of the manual system-level actuations is implemented using switches wired to digital input modules included in the LCL. The switch inputs to the LCL produce the ESF system-level actuation signals that are communicated to the ESF Actuation Subsystem.

ESF Actuation Subsystem (Integrated Logic Cabinet (ILC))

Within each division, ESF system-level actuation outputs from the LCLs are inputs to the ESF Actuation Subsystem for generation of logic commands to the actuated components. The ESF Actuation Subsystem consists of internally redundant ILPs and non-redundant CIMs. The ILPs decode the system commands and actuate the final equipment through the CIM logic specific to each component.

Each of the two ILP processors receives inputs from both ESF Coincidence logic processors (LCLs) in a division. The ILPs perform the component fan-out for each ESF system-level actuation command. As long as the outputs from both ESF Coincidence logic processors (LCLs) agree that an actuation should occur (i.e., 2oo2 logic), the ILPs will generate actuation signals to the CIMs. For each Function, if one of the LCLs has no output signal, provides a bad quality signal, or is in test, a good quality signal input to the ILP processors from the other LCL is sufficient to maintain OPERABILITY. With a good quality signal from only one LCL, the ILP logic becomes 1oo1.

Each CIM provides an actuation signal to its associated actuated device.

Each CIM receives inputs from both processors in an ILP and produces component actuation signals if the input signals agree (i.e., 2oo2 logic). If one of the ILP processors has no output signal or provides a bad quality signal, a good quality signal input to the CIM from the other ILP processor is sufficient to maintain OPERABILITY. With a good quality signal from only one ILP processor, the CIM logic becomes 1oo1.
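The coincidence voting and degradation rules described above for the LCL, ILP and CIM stages, as an added Python example (not code from the submittal or from the PMS software). The names `Signal`, `lcl_vote`, `degrading_2oo2` and `component_command` are hypothetical, and the two cases the text does not cover (a division with no good BPL input, a stage with no good-quality input) are handled by labelled assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Signal:
    """One redundant input: its state and whether diagnostics trust it."""
    asserted: bool
    good: bool = True  # False = failed, bad quality, or in test


def division_partial(bpl1: Signal, bpl2: Signal) -> bool:
    """Partial actuation for one division as seen by an LCL.

    A partial actuation from either BPL subsystem counts. Input from a BPL
    (or datalink) that diagnostics flag as failed is rejected, so the vote
    falls back to the other BPL of the same division.
    ASSUMPTION: with no good BPL input and no bypass, the division
    contributes no partial actuation (the page does not cover this case).
    """
    return any(s.asserted for s in (bpl1, bpl2) if s.good)


def lcl_vote(divisions: Dict[str, Tuple[Signal, Signal]],
             bypassed: Optional[str] = None,
             required: int = 2) -> Tuple[bool, str]:
    """Coincidence vote in one LCL subsystem.

    `bypassed` can name only one division, mirroring the rule that both
    BPL inputs may be bypassed for a single division only. A bypassed
    division leaves the vote, so 2oo4 becomes 2oo3.
    """
    if bypassed is not None and bypassed not in divisions:
        raise ValueError(f"unknown division: {bypassed}")
    voting = {n: pair for n, pair in divisions.items() if n != bypassed}
    partials = sum(division_partial(*pair) for pair in voting.values())
    return partials >= required, f"{required}oo{len(voting)}"


def degrading_2oo2(a: Signal, b: Signal) -> Tuple[bool, str]:
    """ILP and CIM input rule: 2oo2 when both inputs are good quality,
    1oo1 on the remaining input when only one is.
    ASSUMPTION: with no good-quality input, no actuation is generated.
    """
    good = [s for s in (a, b) if s.good]
    if len(good) == 2:
        return a.asserted and b.asserted, "2oo2"
    if len(good) == 1:
        return good[0].asserted, "1oo1"
    return False, "none"


def component_command(lcl1: Signal, lcl2: Signal,
                      ilp_good: Tuple[bool, bool] = (True, True)) -> bool:
    """Chain one division: both LCL outputs -> two ILP processors -> CIM."""
    ilp_out, _ = degrading_2oo2(lcl1, lcl2)  # each ILP processor sees both LCLs
    cim_out, _ = degrading_2oo2(Signal(ilp_out, ilp_good[0]),
                                Signal(ilp_out, ilp_good[1]))
    return cim_out


if __name__ == "__main__":
    # Constructed scenario: division A has one failed BPL that is stuck
    # asserting a trip; only division C has a genuine partial actuation.
    quiet, trip = Signal(False), Signal(True)
    stuck = Signal(True, good=False)
    plant = {"A": (stuck, quiet), "B": (quiet, quiet),
             "C": (quiet, trip), "D": (quiet, quiet)}
    print("failed BPL rejected:", lcl_vote(plant))
    print("division A bypassed:", lcl_vote(plant, bypassed="A"))
    print("one LCL in test    :", degrading_2oo2(trip, Signal(False, good=False)))
```

The failed-input case is the one worth exercising: the vote is only as trustworthy as the diagnostics that set `good`, since a stuck-asserted input that is not flagged would count as a real partial actuation.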

The PMS boundary ends at the output terminals of the CIMs. In lieu of manual tests required by a surveillance requirement, the ILPs and CIMs are tested via continuous system self-checking features. The output of the CIMs up to, but not including the component, are tested via a combination of manual surveillance tests and continuous self-checking features.

ADS and IRWST Injection Blocking Device

The ADS and IRWST injection blocking device is a Class 1E module physically located within each of the PMS divisions. The blocking device is diverse from the PMS hardware and software that is used to create the automatic ADS and IRWST injection ESF actuation signals. There are no inter-divisional connections between the blocking devices nor is there any coincidence voting among the blocking devices. The ADS and IRWST injection blocking device uses core makeup tank (CMT) level. The ADS and IRWST injection block in each division receives an input from a level sensor on each CMT that removes the block if the water level in either CMT is below a predetermined setpoint. Additionally, one switch for each division is provided in the Main Control Room (MCR) to allow the operators to manually clear the ADS and IRWST blocks.

The ADS and IRWST injection blocking device design uses conventional analog components that do not rely on software. The ADS and IRWST injection blocking device outputs provide CIM inputs for ADS stage 1, 2, and 3 MOVs, and the ADS Stage 4 and IRWST injection squib valves.

The ADS and IRWST injection blocking device outputs block any attempt to open the ADS and IRWST injection valves from the PMS Integrated Logic Processors.

Nominal Trip Setpoints (NTSs)

The NTS is the nominal value at which the trip output is set. Any trip output is considered to be properly adjusted when the as-left value is within the band for CHANNEL CALIBRATION, i.e., +/- rack calibration accuracy.

The trip setpoints used in the trip output are based on the Safety Analysis Limits stated in Reference 2. The determination of these NTSs is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4), the NTSs specified in the SP are conservative with respect to the Safety Analysis Limits. A detailed description of the methodology used to calculate the NTSs, including their explicit uncertainties, is provided in the Westinghouse Setpoint Methodology for Protection Systems (Ref. 6). The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL OPERATIONAL TEST (COT) is defined as the as-left limit about the NTS (i.e., +/- rack calibration accuracy).

The NTSs listed in the SP are based on the methodology described in Reference 6, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTS. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.

The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The basis of the setpoints is described in References 2 and 6. Trending of calibration results is required by the program description in Technical Specification 5.5.14.d.

Note that the as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION, CHANNEL OPERATIONAL TESTS, or a TRIP ACTUATING DEVICE OPERATIONAL TEST that requires trip setpoint verification. Trip setpoints are continuously and automatically verified by PMS self-checking features between performances of CHANNEL CALIBRATIONS. Before unit startup, the CHANNEL CALIBRATION verifies that the trip setpoint values in the Maintenance and Test Panel (MTP) match the SP specified values.

The protection and safety monitoring system testing features are designed to allow for complete functional testing by using a combination of system self-checking and manual testsfeatures, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded. For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing. To the extent possible, protection and safety monitoring system functional testing will be accomplished with continuous system self-checking features in lieu of manual surveillance tests. As a result, some functions do not have manual surveillance requirements. the continuous functional testing features.

The protection and safety monitoring system incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the computer system and the hardware and communications tests. Faults detected by the self-checking features are alarmed in the main control room. These self-checking tests do not interfere with normal system operation.

In addition to the self-checking features, the system includes functional testing features. Functional testing features include continuous functional testing features and manually initiated functional testing features. To the extent practical, functional testing features are designed not to interfere with normal system operation.

In addition to the system self-checking features and functional testing features, other test featuresManual tests are included for those parts of the system which are not tested with self-checking features. This includes manual functional checks, or functional testing features. These test features allow for instruments/sensor checks, calibration verification, response time testing, setpoint verification and component testing. The test features again include a combination of continuous testing features and manual testing features.

All of the teststesting features are designed so that the duration of the testing is as short as possible. Testing featuresThe manual tests are designed so that the actual logic is not modified. To prevent unwanted actuation, the testing featurestests are designed with either the capability to bypass a Function during testing and/or limit the number of signals allowed to be placed in test at one time.

APPLICABLE SAFETY ANALYSES, LCOs, and APPLICABILITY

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low 3 is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation not specifically credited in the accident safety analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. These Functions may provide protection for conditions which do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 2).

Permissive and interlock functions are based upon the associated protection function instrumentation. Because they do not have to operate in adverse environmental conditions, the trip settings of the permissive and interlock functions use the normal environment, steady-state instrument uncertainties of the associated protection function instrumentation. This results in OPERABILITY criteria (i.e., as-found tolerance and as-left tolerance) that are the same as the associated protection function sensor and process rack modules. The NTSs for permissives and interlocks are based on the associated protection function OPERABILITY requirements; i.e., permissives and interlocks performing enabling functions must be set to occur prior to the specified trip setting of the associated protection function.

The LCO requires all instrumentation performing an ESFAS Function, listed in Table 3.3.8-1 in the accompanying LCO, to be OPERABLE. The as-left and as-found tolerances specified in the SP define the OPERABILITY limits for a channel during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the as-left and as-found tolerances differ from the NTS by plus or minus the PMS rack calibration accuracy and envelope the expected calibration accuracy and drift. In this manner, the actual setting of the channel (NTS) prevents exceeding an SL at any given point in time as long as the channel has not drifted beyond the expected tolerances during the surveillance interval.

Note that the as-left and as-found recorded values must be confirmed to be within the assumptions of the statistical uncertainty calculations.

If the actual setting of the channel is found outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance) and evaluating the channel's response. If the channel is functioning as required and expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A trip setpoint may be set more conservative than the NTS as necessary in response to plant conditions. However, in this case, the OPERABILITY of this instrument must be verified based on the actual field setting and not the NTS. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

ESFAS Interlocks

To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlocks back up manual actions to ensure bypassable Functions are in operation under the conditions assumed in the safety analyses. Proper operation of these interlocks supports OPERABILITY of the associated TS Functions and/or the requirement for actuation logic OPERABILITY. Interlocks must be in the required state, as appropriate, to support OPERABILITY of ESFAS.


Technical Specifications Bases ESFAS Instrumentation B 3.3.8 VEGP Units 3 and 4 B 3.3.8 - 53 Revision 44 BASES ACTIONS (continued)

The primary means of opening a containment air flow path is by establishing a VFS air flow path into containment. Manual actuation and maintenance as necessary to open a purge supply, purge exhaust, or vacuum relief flow path are available means to open a containment air flow path. In addition, opening of a spare penetration is an acceptable means to provide the necessary flow path. Opening of an equipment hatch or a containment airlock is acceptable. Containment air flow paths opened must comply with LCO 3.6.7, Containment Penetrations.

The 44 hour Completion Time is reasonable for opening a containment air flow path in an orderly manner.

SURVEILLANCE REQUIREMENTS

The following SRs apply to each ESFAS Instrumentation Function in Table 3.3.8-1, except where noted below.

SR 3.3.8.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Requirement is modified by a Note. The Note states that this SR is only required for Source Range Neutron Flux Doubling.

The OPERABILITY for the other Functions is verified by self-checking features in lieu of performing a CHANNEL CHECK.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.


SR 3.3.8.2

SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.

This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended ESF Function.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.


If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The 92 day Frequency is based on Reference 5 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.
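The two software criteria stated above (the code has not changed, and the code is executing), together with the deadman timers cited among the continuous diagnostic features, can be illustrated as follows. This is an added example, not PMS code or design: SHA-256 digest comparison, the region names, the heartbeat counter format and all sample data are assumptions constructed for illustration.

```python
"""Added illustration: 'code has not changed' and 'code is executing' checks."""
import hashlib
import hmac


def sha256_hex(image: bytes) -> str:
    """Digest of one code or data region."""
    return hashlib.sha256(image).hexdigest()


def changed_regions(baseline: dict, images: dict) -> list:
    """Names of regions that are missing, unexpected, or differ from baseline."""
    suspect = []
    for name in sorted(set(baseline) | set(images)):
        if name not in baseline or name not in images:
            suspect.append(name)
        elif not hmac.compare_digest(baseline[name], sha256_hex(images[name])):
            suspect.append(name)
    return suspect


def last_progress_time(heartbeats: list):
    """Timestamp at which the heartbeat counter last changed value.

    heartbeats is a time-ordered list of (timestamp_s, counter) samples.
    A counter that repeats the same value is not progress, even if samples
    keep arriving.
    """
    last_counter = None
    last_time = None
    for timestamp, counter in heartbeats:
        if counter != last_counter:
            last_counter, last_time = counter, timestamp
    return last_time


def deadman_expired(heartbeats: list, now: float, timeout_s: float) -> bool:
    """True when no counter progress was seen within timeout_s of 'now'."""
    progressed = last_progress_time(heartbeats)
    return progressed is None or (now - progressed) > timeout_s


def software_functional_test(baseline, images, heartbeats, now, timeout_s):
    """Combine both criteria; either failure fails the test."""
    changed = changed_regions(baseline, images)
    expired = deadman_expired(heartbeats, now, timeout_s)
    return {
        "changed_regions": changed,
        "executing": not expired,
        "passed": not changed and not expired,
    }


# Constructed sample data (hypothetical region names and contents).
IMAGES = {"application": b"trip-logic-v1", "setpoints": b"NTS-table-v1"}
BASELINE = {name: sha256_hex(data) for name, data in IMAGES.items()}
ALTERED = dict(IMAGES, setpoints=b"NTS-table-v1-modified")
HEALTHY_BEATS = [(0.0, 1), (0.1, 2), (0.2, 3)]
STALLED_BEATS = [(0.0, 1), (0.1, 2), (0.2, 2), (0.9, 2)]

if __name__ == "__main__":
    print(software_functional_test(BASELINE, IMAGES, HEALTHY_BEATS, 0.25, 0.5))
    print(software_functional_test(BASELINE, ALTERED, HEALTHY_BEATS, 0.25, 0.5))
    print(software_functional_test(BASELINE, IMAGES, STALLED_BEATS, 1.0, 0.5))
```

The baseline digests must be stored and protected separately from the images they describe; a baseline that can be rewritten along with the code verifies nothing.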

During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.8.32 This SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).
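The CHANNEL CALIBRATION evaluation described above (as-found tolerance check, reset within the as-left tolerance, comparison of the as-found value with the previous as-left value, and Corrective Action Program entry) is sketched below as an added example; it is not part of the submittal or of the Setpoint Program. The data model, the single calibration point per channel and every numeric value other than the 1.25 factor and the 24 month interval are assumptions constructed for illustration.

```python
"""Added illustration: as-found / as-left evaluation for one channel."""
from dataclasses import dataclass

DRIFT_FACTOR = 1.25  # from the text: drift period = 1.25 x calibration interval


@dataclass(frozen=True)
class ChannelLimits:
    nts: float              # Nominal Trip Setpoint, process units
    as_found_tol: float     # +/- band about the NTS for the as-found check
    as_left_tol: float      # +/- band about the NTS for the as-left check
    drift_allowance: float  # allowed |as-found - previous as-left|


@dataclass(frozen=True)
class Evaluation:
    as_found_in_tolerance: bool
    drift_within_allowance: bool
    as_left_in_tolerance: bool
    restore_to_service: bool
    enter_corrective_action: bool


def drift_period_months(calibration_interval_months: float) -> float:
    """Drift period the setpoint methodology uses for a given interval."""
    return DRIFT_FACTOR * calibration_interval_months


def evaluate(limits, prev_as_left, as_found, as_left,
             functioning=True, expected_to_pass_next=True) -> Evaluation:
    """Evaluate one surveillance.

    'functioning' and 'expected_to_pass_next' are engineering judgements
    supplied by the person performing the surveillance, not computed here.
    """
    found_ok = abs(as_found - limits.nts) <= limits.as_found_tol
    drift_ok = abs(as_found - prev_as_left) <= limits.drift_allowance
    left_ok = abs(as_left - limits.nts) <= limits.as_left_tol
    # Restored to service only if the channel was left within tolerance
    # and is judged to be functioning and likely to pass next time.
    restore = left_ok and functioning and expected_to_pass_next
    # An as-found value outside tolerance is entered into the
    # Corrective Action Program even when the channel is restored.
    return Evaluation(found_ok, drift_ok, left_ok, restore, not found_ok)


def review_history(limits, initial_as_left, surveillances):
    """Evaluate time-ordered (as_found, as_left) pairs, carrying each
    as-left value forward as the reference for the next drift check."""
    results = []
    prev = initial_as_left
    for as_found, as_left in surveillances:
        results.append(evaluate(limits, prev, as_found, as_left))
        prev = as_left
    return results


# Constructed sample values (not plant data).
LIMITS = ChannelLimits(nts=100.0, as_found_tol=1.5,
                       as_left_tol=0.5, drift_allowance=1.0)
HISTORY = [(100.9, 100.1), (102.0, 100.0), (100.3, 100.8)]

if __name__ == "__main__":
    print("drift period:", drift_period_months(24), "months")
    for result in review_history(LIMITS, 100.2, HISTORY):
        print(result)
```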

The Frequency is based on operating experience and consistency with the refueling cycle.

This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits where applicable.

SR 3.3.8.43 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).


For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one. In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 1) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 7), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

The Surveillance Requirement is modified by a Note: Not applicable to Function 1.a for Containment Pressure - Low. The exception is appropriate because the Containment Pressure - Low signal provides an interlock function for the containment vacuum relief valves manual initiation function and does not directly actuate any ESF.


Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 VEGP Units 3 and 4 B 3.3.10 - 5 Revision 23 BASES

SURVEILLANCE REQUIREMENTS

SR 3.3.10.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.

SR 3.3.10.2

SR 3.3.10.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) Function.


A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.


The 92 day Frequency is based on Reference 3 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.

During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.10.31 This SR 3.3.10.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.


The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

The Frequency is based on operating experience and consistency with the refueling cycle.

This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits.

SR 3.3.10.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one. In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 2) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements

Technical Specifications Bases ESFAS RCS Hot Leg Level Instrumentation B 3.3.10 VEGP Units 3 and 4 B 3.3.10 - 10 Revision 23 BASES SURVEILLANCE REQUIREMENTS (continued)

ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES

1. FSAR Chapter 15.0, Accident Analysis.

2. FSAR Chapter 7.0, Instrumentation and Controls.

3. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.

4. APP-GW-GLR-004, Rev. 0, AP1000 Shutdown Evaluation Report, July 2002.

5. FSAR Chapter 19.0, Probabilistic Risk Assessment, Appendix 19E, Shutdown Evaluation.

6. WCAP-13632-P-A (Proprietary) and WCAP-13787-A (Non-Proprietary), Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996.


Technical Specifications Bases ESFAS Startup Feedwater Flow Instrumentation B 3.3.11 VEGP Units 3 and 4 B 3.3.11 - 2 Revision 16 BASES ACTIONS (continued)

In the event a channel's as-found condition is outside the as-found tolerance described in the Setpoint Program, or the channel is not functioning as required, or the transmitter, instrument loop, signal processing electronics, or ESF output associated with a specific Function is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the particular protection Function(s) affected.

A.1

With one or more startup feedwater lines with one startup feedwater channel inoperable, the inoperable channel must be placed in a trip condition within 6 hours. If one channel is tripped, the interlock condition is satisfied. The specified Completion Time is reasonable considering the time required to complete this action.

B.1 and B.2

If the Required Action and associated Completion Time of Condition A is not met or if one or more startup feedwater lines has two channels inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours and in MODE 4 with the RCS being cooled by the RNS within 24 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.3.11.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.


Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.

SR 3.3.11.2

SR 3.3.11.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) function.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.


To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

The 92 day Frequency is based on Reference 2 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the BPL subsystems to the operator.

During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.11.31 This SR 3.3.11.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the BPL subsystems. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.

This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

The Frequency is based on operating experience and consistency with the refueling cycle.

This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits where applicable.

SR 3.3.11.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum values assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one. In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 2) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements

ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES

1. FSAR Chapter 15.0, Accident Analysis.

2. FSAR Chapter 7.0, Instrumentation and Controls.

3. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.

4. WCAP-13632-P-A (Proprietary) and WCAP-13787-A (Non-Proprietary), Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996.

Technical Specifications Bases ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization B 3.3.13 VEGP Units 3 and 4 B 3.3.13 - 4 Revision 24 BASES SURVEILLANCE REQUIREMENTS

SR 3.3.13.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.

SR 3.3.13.2 SR 3.3.13.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) function.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

The 92 day Frequency is based on Reference 3 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.

During the COT, the Protection and Safety Monitoring System cabinets in the division under test may be placed in bypass.

SR 3.3.13.31 This SR 3.3.13.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.

This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

The Frequency is based on operating experience and consistency with the refueling cycle.

This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to within limits where applicable.

SR 3.3.13.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one. In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 1) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 4), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

Technical Specifications Bases ESFAS IRWST and Spent Fuel Pool Level Instrumentation B 3.3.14 VEGP Units 3 and 4 B 3.3.14 - 4 Revision 44 BASES ACTIONS (continued)

Refueling Water Storage Tank (IRWST) - Shutdown, MODE 6) to dictate the required measures. The IRWST LCO(s) provide appropriate Required Actions for the inoperability of the IRWST and Spent Fuel Pool Level Instrumentation. This action is in accordance with LCO 3.0.6, which requires that the applicable Conditions and Required Actions for the IRWST declared inoperable shall be entered in accordance with LCO 3.0.2.

SURVEILLANCE REQUIREMENTS

SR 3.3.14.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.

SR 3.3.14.2 SR 3.3.14.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended engineered safety features (ESF) Function.

A test subsystem is provided with the protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

The 92 day Frequency is based on Reference 2 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets to the operator.

During the COT, the protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.14.31 This SR 3.3.14.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the integrated protection cabinets (IPC). The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance), and evaluating the channel's response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

The Frequency is based on operating experience and consistency with the refueling cycle.

This Surveillance Requirement is modified by a Note. The Note states that this test shall include verification that the time constants are adjusted to within limits where applicable.

SR 3.3.14.42 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one. In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured, with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 2) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 4), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

Technical Specifications Bases PAM Instrumentation B 3.3.17 VEGP Units 3 and 4 B 3.3.17 - 9 Revision 33 BASES ACTIONS (continued)

E.1 and E.2 If the Required Action and associated Completion Time of Condition C are not met for the Functions in Table 3.3.17-1, the plant must be placed in a MODE in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 6 hours and MODE 4 within 12 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

The following SRs apply to each PAM instrumentation function in Table 3.3.17-1: The SRs for each PAM Function are identified in the SRs column of Table 3.3.17-1 for that Function. A Note has been added to the SR table stating that Table 3.3.17-1 determines which SRs apply to each PAM Function.

SR 3.3.17.1 Performance of the CHANNEL CHECK once every 31 days verifies that a gross instrumentation failure has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar plant instruments located throughout the plant.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal-processing equipment has drifted outside its limit. If the channels are within the match criteria, it is an indication that the channels are OPERABLE.

As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.

The Surveillance Requirement is modified by a Note. The Note states that this SR is not required for Neutron Flux (Intermediate Range) in MODE 1.

In MODE 1, the OPERABILITY of the Intermediate Range Neutron Instrumentation is verified by self-checking features in lieu of performing a CHANNEL CHECK.

The Frequency of 31 days is based on operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given function in any 31 day interval is rare.

The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the required channels of this LCO.

SR 3.3.17.2 A CHANNEL CALIBRATION is performed every 24 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop including the sensor. The test verifies that the channel responds to the measured parameter with the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.3, "Reactor Trip System (RTS) Intermediate Range Instrumentation." RTD and Thermocouple channels are to be calibrated in place using cross-calibration techniques. The Frequency is based on operating experience and consistency with the typical industry refueling cycle.

REFERENCES

1. Regulatory Guide 1.97, Rev. 3, Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, U.S. Nuclear Regulatory Commission.

Technical Specifications Bases VES B 3.7.6 VEGP Units 3 and 4 B 3.7.6 - 12 Revision 24 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.6.3 Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on this system are not too severe, testing VES once every month provides an adequate check of the system. The 31 day Frequency is based on the reliability of the equipment and the availability of system redundancy.

SR 3.7.6.4 VES air header isolation valves are required to be verified open at 31 day intervals. This SR is designed to ensure that the pathways for supplying breathable air to the MCRE are available should loss of VBS occur.

These valves should be closed only during required testing or maintenance of downstream components, or to preclude complete depressurization of the system should the VES isolation valves in the air delivery line open inadvertently or begin to leak.

SR 3.7.6.5 Verification that the air quality of the air storage tanks meets the requirements of Appendix C, Table C-1 of ASHRAE Standard 62 (Ref. 4) with a pressure dew point of 40°F at 3400 psig is required every 92 days. If air has not been added to the air storage tanks since the previous verification, verification may be accomplished by confirmation of the acceptability of the previous surveillance results along with examination of the documented record of air makeup. The purpose of ASHRAE Standard 62 states: This standard specifies minimum ventilation rates and indoor air quality that will be acceptable to human occupants and are intended to minimize the potential for adverse health effects. Verification of the initial air quality (in combination with the other surveillances) ensures that breathable air is available for 11 MCRE occupants for at least 72 hours. Confirmation of the pressure dew point verifies that water has not formed in the line, eliminating the potential for freezing at the pressure regulating valve during VES operation. In addition, the dry air allows the MCRE to remain below the maximum relative humidity to support the 90°F WBGT required for human factors performance.

SR 3.7.6.6 Verification that the VBS isolation valves and the Sanitary Drainage System (SDS) isolation valves are OPERABLE and will actuate upon demand is required every 24 months to ensure that the MCRE can be isolated upon loss of VBS operation. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance.

Technical Specifications Bases VES B 3.7.6 VEGP Units 3 and 4 B 3.7.6 - 14 Revision 24 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.6.11 This SR verifies that the required VES testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VES filter tests are in accordance with Regulatory Guide 1.52 (Ref. 7). The VFTP includes testing the performance of the HEPA filter, charcoal adsorber efficiency, minimum flow rate, and physical properties of the activated charcoal. Specific test frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.6.12 Verification that the MCR load shed function actuates on an actual or simulated signal from each PMS Division is required every 24 months to confirm that the non-safety stage 1 and stage 2 MCR heat loads can be de-energized by the VES actuation signal within the required time. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage to minimize the potential for adversely affecting MCR operations.

SR 3.7.6.13 Verification that the main VES air delivery isolation valves actuate on an actual or simulated signal to the correct position is required every 24 months to confirm that the VES operates as assumed in the safety analysis. The ACTUATION LOGIC OUTPUT TEST provides overlap with this Surveillance. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage to minimize adversely affecting MCR operations.

REFERENCES

1. FSAR Section 6.4, Main Control Room Habitability Systems.
2. FSAR Section 9.5.1, Fire Protection System.
3. Regulatory Guide 1.196, Control Room Habitability at Light-Water Nuclear Power Reactors.
4. ASHRAE Standard 62-1989, Ventilation for Acceptable Indoor Air Quality.
5. NEI 99-03, Control Room Habitability Assessment, June 2001.

Technical Specifications Bases Nuclear Instrumentation B 3.9.3 VEGP Units 3 and 4 B 3.9.3 - 3 Revision 39 BASES SURVEILLANCE REQUIREMENTS

SR 3.9.3.1 SR 3.9.3.1 is the performance of a CHANNEL CHECK, which is the comparison of the indicated parameter values monitored by each of these instruments. It is based on the assumption that the two indication channels should be consistent for the existing core conditions. Changes in core geometry due to fuel loading can result in significant differences between the source range channels; however, each channel should be consistent with its local conditions.

The Frequency of 12 hours is consistent with the CHANNEL CHECK Frequency specified for these same instruments in LCO 3.3.2, Reactor Trip System (RTS) Instrumentation and LCO 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, Function 17.

SR 3.9.3.2 This SR is the performance of a CHANNEL CALIBRATION every 24 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the source range neutron flux monitors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage. Operating experience has shown these components usually pass the Surveillance when performed at a 24 month Frequency.

REFERENCES

1. FSAR Chapter 15, Accident Analysis.
2. FSAR Section 14.2.7.1, Initial Fuel Loading.

Southern Nuclear Operating Company ND-19-1129 2 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Affidavit from Southern Nuclear Operating Company for Withholding Under 10 CFR 2.390 (LAR-19-001S1)

(This Enclosure consists of 3 pages, including the cover page)

Affidavit of Brian H. Whitley

1. My name is Brian H. Whitley. I am the Regulatory Affairs Manager, Nuclear Development, of Southern Nuclear Operating Company (SNC). I have been delegated the function of reviewing proprietary information sought to be withheld from public disclosure and am authorized to apply for its withholding on behalf of SNC.
2. I am making this affidavit on personal knowledge, in conformance with the provisions of 10 CFR Section 2.390 of the Commission's regulations, and in conjunction with SNC's filings on dockets 52-025 and 52-026, Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Supplement to Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR-19-001S1), also referred to as Westinghouse LAR-220. I have personal knowledge of the criteria and procedures used by SNC to designate information as a trade secret, privileged or as confidential commercial or financial information.
3. Based on the reason(s) at 10 CFR 2.390(a)(4), this affidavit seeks to withhold from public disclosure Enclosure 8 of Vogtle Electric Generating Plant (VEGP) Units 3 and 4, Supplement to Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR-19-001S1), also referred to as Westinghouse LAR-220.
4. The following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.
a. The information sought to be withheld from public disclosure has been held in confidence by SNC and Westinghouse Electric Company.
b. The information is of a type customarily held in confidence by SNC and Westinghouse and not customarily disclosed to the public.

c. The release of the information might result in the loss of an existing or potential competitive advantage to SNC and/or Westinghouse Electric Company.
d. Other reasons identified in Enclosure 13 of SNC letter ND-19-1129 for Vogtle Electric Generating Plant (VEGP) Units 3 and 4, Supplement to Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR-19-001S1), and those reasons are incorporated here by reference.
5. Additionally, release of the information may harm SNC because SNC has a contractual relationship with the Westinghouse Electric Company regarding proprietary information. SNC is contractually obligated to seek confidential and proprietary treatment of the information.

6. The information is being transmitted to the Commission in confidence and, under the provisions of 10 CFR Section 2.390, it is to be received in confidence by the Commission.
7. To the best of my knowledge and belief, the information sought to be protected is not available in public sources or available information has not been previously employed in the same original manner or method.

I declare under penalty of perjury that the foregoing is true and correct.

Brian H. Whitley

Executed on [date illegible]

Southern Nuclear Operating Company ND-19-1129 3 Vogtle Electric Generating Plant (VEGP) Units 3 and 4 Westinghouse Authorization Letter CAW-19-4955, Affidavit, Proprietary Information Notice, and Copyright Notice (LAR-19-001S1)

(This Enclosure consists of 4 pages, plus the cover page)

SVP_SV0_005590 October 7, 2019 Page 1 of 113

Westinghouse Non-Proprietary Class 3

AFFIDAVIT CAW-19-4955

COMMONWEALTH OF PENNSYLVANIA:

COUNTY OF BUTLER:

(1) I, Zachary S. Harper, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2) I am requesting the proprietary portions of APP-FSAR-GEF-090 Revision 0 be withheld from public disclosure under 10 CFR 2.390.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4) Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii) Public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses.

Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

(5) Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

(6) The attached document is bracketed and marked to indicate the bases for withholding. The justification for withholding is indicated by means of lower case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (5)(a) through (f) of this Affidavit.

I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on: [date illegible]

Zachary S. Harper, Manager
AP1000 Licensing

PROPRIETARY INFORMATION NOTICE

Transmitted herewith are proprietary and non-proprietary versions of a document, furnished to the NRC in connection with requests for generic and/or plant-specific review and approval.

In order to conform to the requirements of 10 CFR 2.390 of the Commission's regulations concerning the protection of proprietary information so submitted to the NRC, the information which is proprietary in the proprietary versions is contained within brackets, and where the proprietary information has been deleted in the non-proprietary versions, only the brackets remain (the information that was contained within the brackets in the proprietary versions having been deleted).

The justification for claiming the information so designated as proprietary is indicated in both versions by means of lower case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (4)(ii)(a) through (4)(ii)(f) of the Affidavit accompanying this transmittal pursuant to 10 CFR 2.390(b)(1).

COPYRIGHT NOTICE

The reports transmitted herewith each bear a Westinghouse copyright notice. The NRC is permitted to make the number of copies of the information contained in these reports which are necessary for its internal use in connection with generic and plant-specific reviews and approvals as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.390 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by Westinghouse, copyright protection notwithstanding. With respect to the non-proprietary versions of these reports, the NRC is permitted to make the number of copies beyond those necessary for its internal use which are necessary in order to have one copy available for public viewing in the appropriate docket files in the public document room in Washington, DC and in local public document rooms as may be required by NRC regulations if the number of copies submitted is insufficient for this purpose. Copies made by the NRC must include the copyright notice in all instances and the proprietary notice if the original was identified as proprietary.