CP-202100394, Supplement to License Amendment Request (LAR) 20-006

From kanterella
(Redirected from ML21194A078)
Jump to navigation Jump to search

Supplement to License Amendment Request (LAR)20-006
ML21194A078
Person / Time
Site: Comanche Peak  Luminant icon.png
Issue date: 07/13/2021
From: Thomas McCool
Luminant, Vistra Operations Company
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
CP-202100394, TXX-21093
Download: ML21194A078 (174)
v  d  e


Text

m Luminant CP-202100394 TXX-21093 July 13, 2021 Thomas P. McCool Site Vice President Comanche Peak Nuclear Power Plant (Vistra Operations Company LLC)

P.O. Box 1002 6322 North FM 56 Glen Rose, TX 76043 T 254.897.6042 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Ref 10 CFR 50.90 10 CFR 50.91(a)(6) 10 CFR 50.91(b)(1)

Subject:

Reference:

Comanche Peak Nuclear Power Plant (CPNPP)

Docket Nos. 50-445 and 50-446 Supplement to License Amendment Request (LAR)20-006 APPLICATION TO REVISE TECHNICAL SPECIFICATIONS TO ADOPT RISK INFORMED COMPLETION TIMES, TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES - RITSTF INITIATIVE 4b (Accession No. ML21131A233)"

1.

Letter TXX-21046 from Thomas P. McCool to the NRC, License Amendment Request (LAR)20-006, APPLICATION TO REVISE TECHNICAL SPECIFICATIONS TO ADOPT RISK INFORMED COMPLETION TIMES, TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES - RITSTF lNITIA TIVE 4b," dated May 11, 2021 (Accession No. ML21131A233)

2.

Letter from Dennis Galvin to Ken Peters, SUPPLEMENTAL INFORMATION NEEDED FOR ACCEPTANCE OF REQUESTED LICENSING ACTION RE: LICENSE AMENDMENT REQUEST TO ADOPT TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES-RITSTF INITIATIVE 4b" (EPID L-2021-LLA-0085) (Accession Number: ML21166A338)

Dear Sir or Madam:

Pursuant to 10 CFR 50.90 and 10 CFR 50.91, Vistra Operations Company LLC (Vistra OpCo) hereby submits a supplement to the license amendment request for the Comanche Peak Nuclear Power Plant (CPNPP) Unit 1 and Unit 2 Technical Specifications in connection with LAR 20-006, Revision to multiple specifications as requested in Reference 1. This change supplement applies to both units.

This submittal addresses information requested by Reference 2 and supplements the proposed amendment that would modify Technical Specifications (TS) requirements for CPNPP to permit the use of Risk Informed Completion Times in accordance with TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b", (ADAMS Accession No. ML18183A493). A model safety evaluation was provided by the NRC to the TSTF on November 21, 2018 (ADAMS Accession No. ML18267A259). This supplement includes the following additional information:

Executive Summary for Supplement

  • provides a revised Description and Assessment

TXX-21093 Page 2 of 3

  • provides revised proposed Technical Specification changes
  • provides a revised Cross Reference between TSTF-505, Revision 2 and CPNPP Technical Specifications proposed changes
  • provides a revised List of Required Actions to Corresponding PRA Functions Table El In Scope TS /LCO Conditions to Corresponding PRA Functions Table El In Scope TS/LCO Conditions RICT Estimates Table El Conditions Requiring Additional Technical Justification Table El Evaluation of Instrumentation and Control Systems Table El Reactor Trip System (RTS) Instrumentation Functions Table El Engineered Safety Features Actuation System (ESF AS) Instrumentation Functions Table El Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions Table El Event Protection and Diverse Functions
  • provides a revised description of the PRA Model Update Process Attachments 1, 2, and 4 and Enclosures 1 and 7 of letter TXX-21093 replace the corresponding Attachments and Enclosures of letter TXX-21046 (Accession Number: ML21131A233). Attachment 3, Enclosures 2 through 6, and Enclosures 8 through 12 of TXX-21046 remain valid.

In accordance with 10 CFR 50.91(b)(1), a copy of the supplement for the proposed license amendment is being forwarded to the State of Texas.

Vistra OpCo has determined that this supplement does not change the No Significant Hazards Consideration provided in the Enclosure submitted by Reference 1.

This communication contains no new commitments regarding CPNPP Units 1 and 2.

Should you have any questions, please contact Garry Struble at (254) 897-6628 or Garry.Struble@luminant.com.

I state under penalty of perjury that the foregoing is true and correct.

Executed on July 13, 2021.

Sincerely, Th:£;

TXX:-21093 Page 3 of 3 Executive Summary: Supplement to License Amendment Request (LAR)20-006 RICT Attachments:

1. Description and Assessment

Enclosures:

c (email) -

2.

Proposed Technical Specification pages (markup)

4.

Cross-Reference of TSTF-505 and CPNPP Technical Specifications

1.

List of Required Actions to Corresponding PRA Functions Tables: El-1 In Scope TS /LCO Conditions to Corresponding PRA Functions El-2 In Scope TS/LCO Conditions RICT Estimate El-3 Conditions Requiring Additional Technical Justification El-4 Evaluation of Instrumentation and Control Systems El-5 Reactor Trip System (RTS) Instrumentation Functions El-6 Engineered Safety Features Actuation System (ESFAS) Instrumentation Functions El-7 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions El-8 Event Protection and Diverse Functions

7.

PRA Model Update Process Scott Morris, Region IV [Scott.Morris@nrc.gov]

Dennis Galvin, NRR [Dennis.Galvin@nrc.gov]

John Ellegood, Senior Resident Inspector, CPNPP Uohn.Ellegood@nrc.gov]

Neil Day, Resident Inspector, CPNPP [Neil.Day@nrc.gov]

Mr. Robert Free [robert.free@dshs.state.tx.us]

Environmental Monitoring & Emergency Response Manager Texas Department of State Health Services Mail Code 1986 P.O. Box 149347 Austin, TX 78714-9347

Executive Summary for TXX-21093 Page 1 of 16 SUPPLEMENT to LICENSE AMENDMENT REQUEST (LAR)20-006 APPLICATION TO REVISE TECHNICAL SPECIFICATIONS TO ADOPT RISK INFORMED COMPLETION TIMES, TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES - RITSTF INITIATIVE 4b"

[Original submittal is found under Accession Number: ML21131A233]

Executive Summary The following items describe the supplemental changes to the original LAR submittal based on information received by letter on June 22, 2021 to the Licensee (Vistra Operations Company LLC (Vistra OpCo)) from the Nuclear Regulatory Commission (Accession No. ML21166A363).

NRC Acceptance Review Information Insufficiencies (ARII) and CPNPP Response NRC ARII 1 LAR Enclosure 7, "PRA [Probabilistic Risk Assessment] Model Update Process,"

Section 2.2, "Review of Plant Changes for Incorporation into the PRA Model," Item 3 proposes a standard frequency of 48 months for PRA model updates; however, Nuclear Energy Institute (NE/) report NE/ 06-09, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS)

Guidelines," Section 2.3.4, "PRA Technical Adequacy," Item 7.1 (ADAMS Package Accession No. ML122860402) states that the PRA shall be maintained and updated on a periodic basis not to exceed two refueling cycles. Comanche Peak has a nominal 18-month refueling cycle which, according to NE/ 06-09, should bound the PRA update to every 36 months. Provide an explanation and justification for the inconsistency between the PRA model update frequency proposed in the LAR and frequency in NE/ 06-09.

CPNPP ARII 1 - Response Comanche Peak Nuclear Power Plant (CPNPP) contends that our PRA update process complies with NEI 06-09-A, Section 2.3.5, Item 9.1 as follows; CPNPP is a dual unit facility with a common PRA for both units as stated in Enclosure 7, Section 2.2.3. In order to capture input from both units across two refueling cycles it could take between 42 and 45 months based on variations in operating cycles. With CPNPP periodic basis at 48 months we ensure that the update includes two refueling cycles for each unit while not exceeding two refueling cycles on either unit. Section 2.2.3 of Enclosure 7 to TXX-21093 is updated to reflect this information.

NRC ARll 2 LAR Enclosure 1, "List of Revised Required Actions to Corresponding PRA Functions,"

Table E1-1, "In Scope TSILCO [Technical Specification/Limiting Condition of Operation]

to Corresponding PRA [Probabilistic Risk Assessment] Functions,' does not provide information on the PRA success criteria for TS Condition 3. 7. 4. C, "Three or more

Executive Summary for TXX-21093 Page 2 of 16 required ARV [atmospheric relief valve] lines inoperable." Provide the applicable PRA success criteria.

CPNPP ARII 2 - Response This item is an error of omission, please refer to attached updated Enclosure 1, Table E1-1. The updated Table E1-1 also includes revision to TS 3.7.4.A and 3.7.4.B. All three Condition's PRA Success Criteria are, "One of four for Transient/ SGTR."

NRC ARll 3 LAR Enclosure 1, Table E1-2, "In Scope TS/LCO Conditions RICT [Risk-Informed Completion Time] Estimate, " does not provide a RICT estimate for TS Condition 3.4.9.B, "One required group of pressurizer heaters inoperable." Provide a RICT for this TS.

CPNPP ARII 3 - Response This item is an error of omission, please refer to attached updated Enclosure 1, Table E1-2. The updated Table E1-2 states "30 days" as the RICT estimate.

NRC ARll 4 The LAR does not address "what redundant or diverse means were available to assist the licensee in responding to various plant conditions." This LAR does not provide a defense-in-depth assessment to address these guidelines for each proposed RICT TS. Describe the defense-in-depth for instrumentation and control features per the guidelines in TSTF-505, Revision 2, Enclosure 1.

CPNPP ARII 4 - Response The approach taken was to include this information in Attachment 1, pages 7 through 12. There is also supporting information found in Attachment 4, Comments.

CPNPP includes the information in updated Enclosure 1, by adding Table E1-3, Conditions Requiring Additional Technical Justification as an attachment to this supplement. Enclosure 1 and associated tables have been revised to include details of the redundancy, independence, diversity, and defense-in-depth of the instrumentation Functions.

NRC ARll 5 The licensee stated in this LAR that "[t]he proposed amendment is consistent with TSTF-505, Revision 2. TSTF-505, Revision 2 excludes loss of function (LOF) conditions, in which there is insufficient operable equipment to meet the safety function of the system, from the RICT program.

The NRC staff identified TS Conditions that appear to include LOF based on the data in columns "Tech Spec Description" and "Design Success Criteria" in Table E1-1; 3.3.1.P One or more Turbine Stop Valve Closure Turbine Trip channel(s) inoperable.

3. 3. 5. B Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

Executive Summary for TXX-21093 Page 3 of 16

3. 3. 5. C Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

3.3.5.D Two channels per bus for the 6.9 kV [kilovolt] bus loss of voltage function inoperable.

3. 3. 5. E Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable.

3.3.5.F One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

3. 4. 11. C One block valve inoperable.
3. 7. 4. C Three or more required ARV lines inoperable.

CPNPP ARII 5 - Response 3.3.1.P, One or more Turbine Stop Valve Closure Turbine Trip channel(s) inoperable.

From CPNPP TS Bases; This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

These channels also are not a Support System for the Reactor Trip System (RTS) and as such they are not an input into the Safety Function Determination Program (SFDP). This shows that there is no loss of safety function due to the "one or more" verbiage.

3.3.5.B, Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

3.3.5.C, Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

3.3.5.D, Two channels per bus for the 6.9kV bus loss of voltage function inoperable.

3.3.5.E, Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable.

From CPNPP TS Bases; Each of the above groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The network of logic and actuation relays actuate the off site power source breakers and generator start signals...

The LOP DG start instrumentation is required for the Engineered Safety Features (ESF)

Systems to function in any accident with a loss of offsite power or degraded power system. Its design basis is that of the ESF Actuation System (ESFAS).

Executive Summary for TXX-21093 Page 4 of 16 In other words, the LOP DG Start Instrumentation is a support system for each Emergency Diesel Generator (EDG) in TS 3.8.1, AC Sources -- Operating. This group of Conditions is the picture of diverse instrumentation in that they all lead to an automatic start of the EDGs, if needed (loss of all offsite power or degraded voltage) while still allowing automatic actions to maintain or restore AC power without an EOG start. The EDGs may also be started from the Control Room or locally if the LOP DG Start Instrumentation is not available. The two-out-of-two coincidence is required to actuate a response which is bus related. That leaves the other bus to provide the safety function. The application of the RICT for Conditions B, C, D, and E only changes the Completion Time based on risk. There is no change in the safety function status due to the extended Completion Time. and Attachment 2 to the original submittal have been revised to address the identified issues.

3.3.5.F, One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

This Condition is like TS 3.3.2.C in that the circuitry for LOP DG Start Instrumentation was part of the Engineered Safety Feature (ESF) Actuation System. Under that prior Technical Specification (3/4.3.2, Engineered Safety Features Actuation System Instrumentation)

Automatic Action Logic and Actuation Relays appear in the following Functions; 1.b Safety Injection - Automatic Action Logic and Actuation Relays 2.b Containment Spray - Automatic Action Logic and Actuation Relays 3.a.2 Containment Isolation - Phase "A" Isolation - Automatic Action Logic and Actuation Relays 3.b.2 Containment Isolation - Phase "B Isolation - Automatic Action Logic and Actuation Relays 3.c.2 Containment Isolation - Containment Vent Isolation - Automatic Action Logic and Actuation Relays 4.b Steam Line Isolation - Automatic Action Logic and Actuation Relays 5.a Turbine Trip & Feedwater Isolation - Automatic Action Logic and Actuation Relays 6.a Auxiliary Feedwater - Automatic Action Logic and Actuation Relays 7.a Automatic Initiation of ECCS Switchover to Containment Sump - Automatic Action Logic and Actuation Relays The Safety Injection Function 1.b always has the manual backup of Function 1.a which provides a diversity of actuation methods. Current TS 3.3.2, ESFAS Instrumentation allows 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to recover a single train inoperable via Conditions C, G, and H for Automatic Action Logic and Actuation Relays. If both trains are inoperable then LCO 3.8.1, Condition E will be entered. The required action is to restore one DG to OPERABLE status in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

In TS 3.3.5, LOP DG Start Instrumentation Condition F for one or more Automatic Action Logic and Actuation Relays trains inoperable provides 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore the inoperable train(s). If not restored in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, immediately declared associated DG(s) inoperable in accordance with TS 3.8.1. This is only a loss of safety function if all AC sources are declared inoperable, TS 3.8.1 addresses that condition. The RICT would only extend the Completion Time prior to declaring a DG inoperable if supported by risk analysis. Keeping a unit online when a known remedy exists for the LOP DG Start system may be in the public's best interest.

Executive Summary for TXX-21093 Page 5 of 16 3.4.11.C One block valve inoperable.

From CPNPP TS Bases; LCO 3.4.11, Pressurizer PORVs requires the PORVs and their associated block valves to be OPERABLE for manual operation to mitigate the effects associated with an SGTR.

By maintaining two PORVs and their associated block valves OPERABLE, the single failure criterion is satisfied. An OPERABLE block valve may be either open or closed and energized with the capability to be opened, since the required safety function is accomplished by manual operation. Although typically open to allow PORV operation, the block valves may be OPERABLE while closed to isolate the flow path of an inoperable PORV that is capable of being manually cycled (e.g., as in the case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render the PORV or the block valve inoperable provided the relief function remains available with manual action.

If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or place the associated PORV in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV. Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Because at least one PORV remains OPERABLE, the operator is permitted a Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the inoperable block valve to OPERABLE status. The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in Condition B, since the PORVs may not be capable of mitigating an event if the inoperable block valve is not fully open. If the block valve is restored within the Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the power will be restored and the PORV restored to OPERABLE status. If it cannot be restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition 0. The Required Actions are modified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with other Required Actions. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition B or E entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed control power fuse(s) or control switch malfunction(s)).

With a single block valve inoperable the other PORV and block valve pair are capable of manual operation to mitigate a SGTR event. Applying the RICT would only change the Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> if supported by risk analysis. It may not be in the public's best interest to shutdown a unit if there is reasonable assurance that a single PORV block valve can be returned to OPERABLE status within the limitations of the RICT.

Depending on plant equipment available the Steam Generator (SG) Atmospheric Relief Valves (ARV), the Steam Dumps, Steam Drains, Main Steam Safety Valves (MSSV), and Pressurizer Safety Valves all are capable of lowering Reactor Coolant System (RCS) pressure.

Executive Summary for TXX-21093 Page 6 of 16 3.7.4.C Three or more required ARV lines inoperable.

From the CPNPP TS Bases; The ARVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions should the preferred heat sink via the Steam Dump System to the condenser not be available.

The ARVs may a/so be required to meet the design coo/down rate during a normal coo/down when steam pressure drops too low for maintenance of a vacuum in the condenser to permit use of the Steam Dump System.

The ARVs are OPERABLE with only a DC power source available, however, the automatic controls for the ARVs do not perform a safety function.

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a SGTR, The design basis for the maximum relief capacity is established by the 10CFR100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design rate of 50°F per hour is applicable for a natural circulation coo/down using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

In the safety analysis, the ARVs are assumed to be used by the operator to cool down the unit to RHR entry conditions for events accompanied by a loss of offsite power. Prior to operator actions to cool down the unit, the main steam safety valves (MSSVs) are assumed to operate automatically to relieve steam and maintain the steam generator pressure below the design value. For the recovery from a steam generator tube rupture (SGTR) event, the operator is a/so required to perform a limited coo/down to establish adequate subcooling as a necessary step to terminate the primary to secondary break flow into the ruptured steam generator. The time required to terminate the primary to secondary break flow for an SGTR is more critical than the time required to cool down to RHR conditions for this event and a/so for other accidents. Thus, the SGTR is the limiting event for the ARVs. Four ARVs are required to be OPERABLE to satisfy the SGTR accident analysis requirements based on consideration of single failure assumptions regarding the failure of one or two ARVs to open on demand.

An ARV is considered OPERABLE when it is capable of providing controlled relief of the main steam flow and capable of fully opening and closing on demand using associated remote manual control.

With three or more ARV lines inoperable, action must be taken to restore at least two ARV line to OPERABLE status. This will result in at least two OPERABLE ARVs. Since the block valve can be closed to isolate an ARV, some repairs may be possible with the unit at power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable to repair inoperable ARV lines, based on the availability of the Steam Dump System and MSSVs, and the low probability of an event occurring during this period that would require the ARV lines.

The RICT would only change the Completion Time based on risk analysis, not introduce a loss of safety function.

Executive Summary for TXX-21093 Page 7 of 16 NRC ARll 6 TSTF-505, Revision 2, Table 1, "Conditions Requiring Additional Technical Justification:

NUREG-1431, Westinghouse STS [Standard Technical Specifications]," requires additional justification for the following TS conditions listed below. The mark-up pages in TSTF-505, Revision 2 a/so indicate that additional technical justification is need for these TS conditions.

3.3.1.0 One Power Range Neutron Flux - High channel inoperable.

3.3.1.S One RTB [Reactor Trip Breaker] train inoperable.

3. 4. 9. B One required group of pressurizer heaters inoperable.
3. 6. 2. C One or more containment air locks inoperable for reasons other than Condition A or B.
3. 6. 6.A One containment spray train inoperable.
3. 7.2.A One MSIV [Main Steam Isolation Valve] inoperable in MODE 1.
3. 7.4.B Two required ARV lines inoperable.

The LAR does not contain such technical justification on changes to these conditions.

Provide the additional justification for these conditions in accordance with TSTF-505, Revision 2.

CPNPP ARII 6 - Response The information is now contained in Enclosure 1 and associated tables.

3.3.1.D One Power Range Neutron Flux - High channel inoperable.

The Reactor Trip System (RTS) instrumentation is segmented into four distinct but interconnected modules: field transmitters and process sensors, Signal Process Control and Protection System, Solid State Protection System (SSPS), and reactor trip switchgear. Field transmitters provide measurement of the unit parameters to the Signal Process Control and Protection System via separate, redundant channels. The Signal Process Control and Protection System forwards outputs to the SSPS, which consists of two redundant trains, to actuate a Reactor Trip or an Engineered Safety Feature (ESF).

This redundancy maintains safety function.

Depending on the measured parameter, three or four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a trip logic. Failure of any one trip logic does not result in an inadvertent trip. Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient. In both cases, a

Executive Summary for TXX-21093 Page 8 of 16 single failure will neither cause nor prevent the protective safety function actuation. With a failed power range instrument and rated thermal power greater than 75% the Quadrant Power Tilt Ratio must be verified 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the channel became inoperable and then every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> until the channel is restored to OPERABLE status.

3.3.1.S One RTB [Reactor Trip Breaker] train inoperable.

A trip breaker train consists of all trip breakers associated with a single Reactor Trip System logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Consistent with the requirement in WCAP-15376-P-A to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when an RTB train is inoperable for maintenance are included. Multiple SSPS outputs provide trip signals to the trip logic which in turn opens the trip breakers. Additionally, CPNPP has ATWS Mitigation System Actuation Circuitry (AMSAC). At CPNPP the ATWS is referred to as the Anticipated Transient Without Trip (ATWT). AMSAC is independent of SSPS. AMSAC actuation will occur if turbine load is greater than 40% and three of four Steam Generator (SG) narrow range levels are less than 10%. There is a built in time delay to allow SSPS time to actuate. The AMSAC output will trip the main turbine, start all Auxiliary Feedwater (AFW) pumps, isolate SG blowdown and sample lines, and close the Condensate Storage Tank (CST) discharge valves. Due to a different main feedwater design on Unit 2, AMSAC also close the Feedwater Split-flow Bypass Valves (FSBVs). The system design is to provide AFW flow to the SGs and conserve feedwater while responding to an ATWT.

CPNPP adopted TSTF-411 with License Amendment 114 (ML050460331). It can be seen that the CPNPP SSPS which provides protection through actuation of required reactor trips and engineered safety features and the adoption the AMSAC system described above, there is defense-in-depth should the reactor not trip. AMSAC actuation is delayed allowing SSPS the opportunity to trip the reactor and actuate ESF components. If SSPS fails to perform its safety function, AMSAC will actuate to preserve a heat sink, preventing core damage.

A manual reactor trip from two different handswitches and a manual turbine trip in the Control Room are available, providing diversity and defense-in-depth.

CPNPP adds the following LCOs for completeness in Enclosure 1, Table E1-3, Conditions Requiring Additional Technical Justification; 3.3.5.B Two channels per bus for the Preferred offsite source bus undervoltage function inoperable 3.3.5.C Two channels per bus for the Alternate offsite source bus undervoltage function inoperable 3.3.5.D Two channels per bus for the 6.9 kV bus loss of voltage function inoperable

Executive Summary for TXX-21093 Page 9 of 16 3.3.5.E Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses. For Conditions B, C, D, E, and F separate entries are allowed by TS 3.3.5. Currently each of these Conditions call for restoring one channel per bus to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. "Two channels per bus" is acceptable as each bus must have both channels to initiate the start signal for the DG in Conditions B, C, D, or E. Condition Fallows for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore Automatic Actuation Logic and Actuation Relays train(s) whether one or both trains are inoperable. If one or both Automatic Actuation Logic and Actuation Relays train(s) are inoperable then the associated DG is declared inoperable after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. If both buses are found to be inoperable per Conditions B, C, D, or Ethen actions for the inoperable source or bus will be required. In applying the RICT, the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Times may be extended based on plant configuration and acceptable risk. Failure to meet the Completion Time will cause entry into TS 3.8.1 for an inoperable Diesel Generator in accordance with TS 3.3.5, Condition G.

For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage.

Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

3.4.9.B One required group of pressurizer heaters inoperable.

Safety analyses do not take credit for pressurizer heaters. The initial assumption is that the RCS is at normal pressure. Any RICT application will evaluate the anticipated demand for more than one group of heaters. The current model of record does not explicitly model the pressurizer heater directly, instead, we use a surrogate to represent its function/impact in the RICT model. For the RICT, this is done by increasing the likelihood of a reactor trip by a factor of 10 (conservative modeling). The unavailability of one required group of pressurizer heaters would not have any significant impact on

Executive Summary for TXX-21093 Page 10 of 16 plant transient response so there is no quantifiable impact to CDF or LERF. While mitigation of a SGTR is enhanced by the availability of pressurizer heaters, ECA-3.3A/B provides for mitigation of a SGTR without pressurizer heaters, if necessary.

Degraded pressurizer heater capability is supplemented by the availability of the remaining heaters for plant pressure control, and the availability of plant procedures which provide plant shutdown and cooldown guidance with pressurizer heaters. If the available heaters are sufficient to maintain RCS pressure control, normal plant operations can continue. CPNPP design includes one control heater group and three backup heater groups. Only two groups of heaters are required with an output of 150 KW each.

3.6.2.C One or more containment air locks inoperable for reasons other than Condition A or B.

TS 3.6.2 Condition C Action C.1 initiates action to evaluate the overall containment leakage rate per LCO 3.6.1. Actions also include verifying a door is closed in the affected air lock and restoring the air lock to OPERABLE status in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If air lock is not restored, be in MODE 3 in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 in 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

3.6.6.A One containment spray train inoperable.

The Containment Spray (CT) System for each unit consists of two separate and completely redundant safety trains. Each Containment Spray train has two pumps. The CPNPP model of record/ RICT model requires two CT spray pumps per train to meet its success criteria (only one train is required to meet the PRA success criteria). As this is explicitly modeled, when either pump (in a train) is removed from service the function is failed for that train and the RICT will be calculated based on the new configuration.

3.7.2.A One MSIV [Main Steam Isolation Valve] inoperable in MODE 1.

The design of the secondary system precludes the uncontrolled blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand.) This is accomplished by the closing of the other three MSIVs manually or automatically.

3.7.4.B Two required ARV lines inoperable.

The unit can be cooled to residual heat removal (RHR) entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

Currently the Completion Time for one ARV inoperable is 7 days, for two ARVs inoperable is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and for three or more ARVs inoperable is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a SGTR, The design basis for the maximum relief capacity is established by the 10CFR100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design cooldown rate of 50°F per hour is applicable for a natural circulation cooldown

Executive Summary for TXX-21093 Page 11 of 16 using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

NRC ARll 7 Condition 3. 7.8.A, "Required SSW Pump on the opposite unit or its associated cross-connects inoperable, " and the Required Actions A. 1 and A. 2 are plant-specific and per the TSTF-505, Revision 2 model application, a description of the variation and a justification of the applicability of TSTF-505 are required. LAR Attachment 1 treats Condition 3. 7. 8.A as an administrative difference, which is for differences in numbering or titles, which do not affect the applicability of TSTF-505. However, Condition 3. 7. 8.A is associated with the portion of the limiting condition for operation that is not covered by TSTF-505 and thus is a non-administrative plant-specific variation and a justification for the applicability of TSTF-505 is needed. Provide a description and justification of the applicability of TSTF-505 to Required Actions 3. 7.8.A.1 and 3. 7.8.A.2 in accordance with TSTF-505.

CPNPP ARII 7 - Response From CPNPP TS Bases; The SSWS consists of two separate, 100% capacity, safety related, cooling water trains. Each train consists of one 100% capacity pump, piping, valving, and instrumentation. The pumps and valves are remote and manually aligned to be operable in the unlikely event of a loss of coolant accident (LOCA). The pumps aligned to their respective loops are automatically started upon receipt of a safety injection signal. An automatic valve in the discharge of each pump is interlocked to open on a pump start.

An automatic valve in the SSWS cooling water flow path for each emergency diesel generator automatically opens on a diesel generator start. All other valves are manual valves operated locally. The SSWS also is the backup water supply to the Auxiliary Feedwater System.

Cross-connections are provided between trains and between units such that any pump can supply any other pump's required flow.

Train isolation by two normally closed valves in series or one locked closed valve is provided to satisfy GDC-44. Unit isolation by one locked closed valve is provided to satisfy GDC-5.

In the event of a total Loss of Station Service Water (LOSSW) event in one unit at Comanche Peak, backup cooling capability is available via a cross-connect between the two units. An OPERABLE pump is manually realigned, and flow balanced to provide cooling to essential heat loads to one or both units as required. The OPERABILITY of the unit cross-connect along with a Station Service Water pump in the shutdown unit ensures the availability of sufficient redundant cooling capacity for the operating unit.

The Limiting Condition of Operation will ensure a significant risk reduction as indicated

Executive Summary for TXX-21093 Page 12 of 16 by the analyses of a Loss of Station Service Water System event. The surveillance requirements ensure the short and long-term OPERABILITY of the Station Service Water System and cross-connect between the two units.

The Station Service Water System cross-connect between the two units consists of appropriate piping and cross-connect valves connecting the discharge of the Station Service Water pumps of the two units. By aligning the cross-connect flow paths, additional redundant cooling capacity from one unit is available to the Station Service Water System of the other unit.

The principal safety related function of the SSWS is the removal of decay heat from the reactor via the CCW System. The design basis of the SSWS is for one SSWS train, in conjunction with the CCW System and a 100% capacity containment cooling system, to remove core decay heat following a design basis LOCA.

An SSW Pump on the opposite unit is OPERABLE as back-up in the event of a LOSSW if it is capable of providing required flow rates. An emergency diesel generator power source is not required because loss of offsite power is not assumed coincident with a LOSSW event.

A cross-connect valve is OPERABLE if it can be cycled or is locked open. A valve that cannot be demonstrated OPERABLE by cycling is considered inoperable until the valve is surveilled in the locked open position. However, at least one cross-connect valve between units is required to be maintained closed in accordance with GDC-5 unless required for flushing or due to total loss of Station Service Water pumps for either unit.

If no SSW pump on the opposite unit or its associated cross-connects are operable, the overall reliability is degraded since a back-up in the event of a Loss of Station Service Water System (LOSSWS) event may not be capable of performing the function. The 7 day completion time is based on the low probability of a LOSSWS during this time period.

CPNPP has consider the condition where a unit in MODEs 5, 6, and Defueled could have a single or no SSWP available. That would put the opposite unit, that is likely in MODE1 in a condition where they could have both trains of SSW OPERABLE but be in a forced unit shutdown based on the unavailability of an SSW pump on the opposite unit.

The RICT estimate for TS 3.7.8, Condition A is 30 days and Condition Bis 12.2 days. In this situation Conditions A and B need to be considered in the aggregate to determine the appropriate Completion Times for the unit at power. Redundancy is maintained on the operating unit by the opposite train of SSW. It may not be in the public interest to shutdown a CPNPP unit based on the condition of SSW on the shutdown unit.

Executive Summary for TXX-21093 Page 13 of 16 NRC Other Issues Identified During the Acceptance Review (011) and CPNPP

Response

The NRG staff a/so identified the following information requests that, although not required for the NRG to complete its acceptance review, the staff would provide the licensee if the staff ultimately accepts the application for review.

NRC 0111

1.

These are editorial items identified in the proposed changes:

NRC 0111.a

a. Proposed TS 1.3-8 in LAR Attachment 2 does not align with TSTF-505, Revision 2. Some of the defined terms and headings are not capitalized consistent with TSTF-505, Revision 2.

CPNPP 011 1.a - Response TS Example 1.3-8 in Attachment 2 is revised to match TSTF-505, Revision 2.

NRC 0111.b

b. Proposed TS 5.5.23, "Risk Informed Completion Time Program," differs from TSTF-505, Revision 3:
i.

missing title underscore, ii. paragraph c has an extra word in first sentence, and 111. paragraph e has different wording in third sentence.

CPNPP 011 1.b - Response Wording in Attachment 2 is revised to match TSTF-505-A, Revision 2 in accordance with WOG markup pages.

NRC 0111.c

c. TS 3. 3. 1: Several renumbered TS Conditions do not have their corresponding Required Actions renumbered in the markups in LAR Attachment 2 (Proposed TS 3.3.1 Conditions R, S, T, U, and V).

CPNPP 011 1.c - Response Conditions identified in Attachment 2 are revised as identified.

NRC 0111.d

d. Proposed Required Action 3. 3. 1. V. 1 (identified as Required Action 3. 3. 1. U. 1 in LAR Attachment 2) is inconsistent with the proposed changes in TSTF-505,

Executive Summary for TXX-21093 Page 14 of 16 Revision 2. TSTF-505, Revision 2 deletes "inoperable" while the proposed change does not.

CPNPP 011 1.d - Response Required Action 3.3.1.V.1 in Attachment 2 is revised to delete "inoperable."

NRC 0111.e

e. TS Required Action 3.6.2.C.1 appears to add text "LCO 3.6.1" ("LCO 3.6.1" is colored.) Proposed TS Required Action 3. 6. 2. C. 1 is the same as in the current Comanche Peak TS.

CPNPP 011 1.e - Response Required Action 3.6.2.C.1 red text "LCO 3.6.1" is black to match ADAMS TS.

NRC 0112

2.

In the LAR, the licensee requested deletion of TS notes that have one-time change requirements but did not provide justification for these variations. This affects TS Required Actions 3.7.8.B.1, 3.7.8.B.2, 3.8.1.B.4.1, 3.8.1.B.4.2, and 3.8.4.B.2.

CPNPP 011 2 - Response The justification for removal of the listed Required Actions is that they are no longer applicable. They are historical actions that have already been used. Removal deletes historical information that is no longer needed and is no longer valid. Not included in this list is 3.7.19.A.2 which is also deleted in Attachment 2.

NRC 0113

3.

LAR Attachment 1, Section 1.0, Paragraph 4, states in part:

... only those Required Actions described in Attachment 4 and Enclosure 1, as reflected in the proposed TS mark-ups provided in Attachment 2, are proposed to be changed, because some of the modified Required Actions in TSTF-505 are not applicable to CPNPP, and there are some plant-specific Required Actions not included in TSTF-505 that are included in this proposed amendment.

However, there are proposed TS mark-ups in Attachment 2, which appear to be consistent with TSTF-505, that are not described in Attachment 4 and Enclosure 1.

Clarify the inconsistency between the statement in LAR Attachment 1 and the changes indicated and LAR Attachments 2 and 4.

Executive Summary for TXX-21093 Page 15 of 16 CPNPP 011 3 - Response LAR Attachments 1, 2, 4 and Enclosure 1 have been synchronized to eliminate identified inconsistencies. Attachment 1 has been revised to state that the default conditions are consistent with TSTF-505, Revision 2. Attachment 2 includes the proposed TS changes including changes consistent with TSTF-505, Revision 2 and the removal of previously implemented one-time license amendments. Attachment 4 only lists cross-references to those TS changes proposed in Attachment 2. Enclosure 1 is revised to ensure consistency with Attachments 1, 2, and 4.

Revisions to Enclosure 1 include updating Tables E1-1, In Scope TS/LCO Conditions to Corresponding PRA Functions and E1-2, In Scope TS/LCO Conditions RICT Estimate.

Additional tables are provided in Enclosure 1 to document additional justifications and evaluation of instrument and control system.

NRC 0114

4.

As part of its TSTF-505 review, the NRC staff examines each proposed TS condition for the potential LOF. One method to do that is reviewing the design success criteria (DSC) the licensee provided in the LAR. The DSC is a minimum set of remaining equipment required to perform the safety function. The DSC must demonstrate that the proposed change will not result in a LOF. The staff notes that the following DSC in Table E1-1 of the LAR do not reflect the criteria of DSC and therefore, raise the concern of the potential LOF.

a. TS Condition 3.8.1.C is "Two required offsite circuits inoperable." The DSC in Table E1-1 for this TS condition is one offsite circuit. With both required offsite circuits inoperable, there is no required offsite circuit available to perform the safety function (providing alternating current (AC) power). However, according to the updated final safety analysis report (ADAMS Package Accession No. ML20315A055), the AC power system consists of the offsite circuits and the onsite AC power sources (i.e. emergency diesel generators).

Therefore, with both offsite circuits inoperable, the onsite AC power sources can provide the AC power. Clarify or correct the DSC information in the Table.

b. TS Condition 3.8.4.A is "One or two required battery chargers on one train inoperable." The DSC in Table E1-1 for this TS condition is "One 100%

capacity battery for one of two DC trains." TS Condition 3.8.4.A is a TS condition related to battery charger inoperability, but the DSC in Table E1-1 describes the battery. Clarify or correct this DSC information in the Table.

CPNPP 011 4 - Response Clarification added to Table E1-1 for above LCOs.

Executive Summary for TXX-21093 Page 16 of 16 NRC 0115

5.

LAR Table E1 -1 should be reviewed to determine if additional DSC need to be clarified comparable to the two examples in the previous question.

CPNPP 011 5 - Response Table E1-1 has been reviewed and updated as necessary.

Replacement documents that support the supplemental submittal; Please make the following changes to the original submittal made under Accession No. ML21131A233;

1.

Replace Attachment 1 to TXX-21046 with Attachment 1 to TXX-21093.

2.

Replace Attachment 2 to TXX-21046 with Attachment 2 to TXX-21093.

3.

Replace Attachment 4 to TXX-21046 with Attachment 4 to TXX-21093.

4.

Replace Enclosure 1 to TXX-21046 with Enclosure 1 to TXX-21093. Attached Tables E1-1 and E1-2 have been updated and Tables E1-3, E1-4, E1-5, E1-6, E1-7, and E1-8 have been added to address evaluation of instrument and control Functions and Function redundancy, independence, diversity, and defense-in-depth.

5.

Replace Enclosure 7 to TXX-21046 with Enclosure 7 to TXX-21093.

to TXX-21093 Page 1 of 17 ATTACHMENT 1 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Description and Assessment of the Proposed Changes to TXX-21093 Page 2 of 17

1.0 DESCRIPTION

2.0 ASSESSMENT

Table of Contents 2.1 Applicability of Published Safety Evaluation 2.2 Verifications and Regulatory Commitments 2.3 Optional Changes and Variations

3.0 REGULATORY ANALYSIS

3.1 No Significant Hazards Consideration Determination 3.2 Conclusions

4.0 ENVIRONMENTAL CONSIDERATION

5.0 REFERENCES

to TXX-21093 Page 3 of 17

1.0 DESCRIPTION

In accordance with CFR 50.90, "Application for amendment of license, construction permit, or early site permit," Vistra Operations Company LLC (Vistra OpCo) requests an amendment to Facility Operating License Nos. NPF-87 and NPF-89 for Comanche Peak Nuclear Power Plant, Units 1 and 2, (CPNPP).

The proposed amendment would modify the Technical Specification (TS) requirements related to Completion Times (CTs) for Required Actions to provide the option to calculate a longer, risk-informed CT (RICT). A new program, the Risk-Informed Completion Time (RICT) Program, is added to TS Section 5.0, "Administrative Controls."

The methodology for using the RICT Program is described in NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS)

Guidelines," Revision 0, which was approved by the NRC on May 17, 2007. Adherence to NEI 06-09-A is required by the RICT Program.

The proposed amendment is consistent with TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b." However, only those Required Actions described in Attachment 4 and Enclosure 1, as reflected in the proposed TS mark-ups provided in Attachment 2, are proposed to be changed, because some of the modified Required Actions in TSTF-505 are not applicable to CPNPP, and there are some plant-specific Required Actions not included in TSTF-505 that are included in this proposed amendment.

The proposed amendment also removes the following three one-time only amendments;

1. License Amendment 170: COMANCHE PEAK NUCLEAR POWER PLANT, UNIT NOS.

1 AND 2 -

ISSUANCE OF AMENDMENTS RE: REVISION TO TECHNICAL SPECIFICATION 3.8.4, "DC SOURCES-OPERATING," CONDITION B (EXIGENT CIRCUMSTANCES) (EPID: L-2018-LLA-0238) (ML18267A384)

2. License Amendment 175: COMANCHE PEAK NUCLEAR POWER PLANT, UNIT NOS.

1 AND 2 - ISSUANCE OF AMENDMENT NOS. 175 AND 175 REGARDING ONE-TIME REVISION TO TECHNICAL SPECIFICATION 3.7.19, "SAFETY CHILLED WATER" (EPID L-2020-LLA-0137) (ML20223A349)

3. License Amendment 178: COMANCHE PEAK NUCLEAR POWER PLANT, UNIT NOS.

1 AND 2 - ISSUANCE OF AMENDMENT NOS. 178 AND 178 REGARDING ONE-TIME REVISION TO TECHNICAL SPECIFICATIONS 3.7.8, "STATION SERVICE WATER SYSTEM (SSWS)," AND 3.8.1, "AC SOURCES-OPERATING" (EPID L-2020-LLA-0250)

(ML21015A212)

The proposed amendment also establishes default Conditions in TS 3.3.1, Reactor Trip System (RTS) Instrumentation and TS 3.3.2, Engineered Safety Feature Actuation System (ESFAS)

Instrumentation. While preparing this proposed amendment it became clear that establishing the default Conditions will bring the CPNPP Technical Specifications more in alignment with NUREG-1431, Standard Technical Specifications-Westinghouse Plants and the Technical Specification Writer's Guide.

to TXX-21093 Page 4 of 17 The following default Conditions are proposed;

1. TS 3.3.1, Condition N: This Condition establishes the Required Action to Reduce THERMAL POWER to < P-7 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition M is not met.
2. TS 3.3.1, Condition Q: This Condition establishes the Required Action to Reduce THERMAL POWER to < P-9 with a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition O or P is not met.
3. TS 3.3.1, Condition W: This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition B, D, E, R, S, T, or Vis not met.
4. TS 3.3.1, Condition X: This Condition establishes the Required Action to Be in MODE 2 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition U is not met.
5. TS 3.3.2, Condition M: This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time AND Be in MODE 5 with a 36 Completion Time when the Required Action and associated Completion Time of Condition B, C, or K is not met.
6. TS 3.3.2, Condition N: This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time AND Be in MODE 4 with a 12 Completion Time when the Required Action and associated Completion Time of Condition D, E, F, G, or Lis not met.
7. TS 3.3.2, Condition 0 : This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion when the Required Action and associated Completion Time of Condition H, I, or J is not met.

The TS mark-ups in Attachment 2 include proposed changes due to implementation of TSTF-505, Revision 2, the removal of the one-time license amendments and the addition of the default Conditions in TS 3.3.1 and TS 3.3.2. These default conditions are consistent with TSTF-505, Revision 2.

The TS Bases mark-ups in Attachment 3 are provided "for information only." These proposed changes include changes due to implementation of TSTF-505, Revision 2, the removal of the one-time license amendments and the addition of the default Conditions in TS 3.3.1 and TS 3.3.2.

2.0 ASSESSMENT

2.1 Applicability of Published Safety Evaluation Vistra OpCo has reviewed TSTF-505, Revision 2 (ADAMS Accession No. ML18183A493),

and the model safety evaluation dated November 21, 2018 (ADAMS Accession No. ML18267A259). This review included the information provided to support TSTF-505 and the safety evaluation for NEI 06-09-A (ADAMS Accession No. ML12286A322 (part of ADAMS Package Accession No. ML122860402)).

As described in the subsequent paragraphs, Vistra OpCo has concluded that the technical basis is applicable to CPNPP and support incorporation of this amendment in the CPNPP TS.

to TXX-21093 Page 5 of 17 2.2 Verifications and Regulatory Commitments In accordance with Section 4.0, Limitations and Conditions, of the safety evaluation for NEI 06-09-A, the following is provided:

1. Enclosure 1 identifies each of the TS Required Actions to which the RICT Program will apply, with a comparison of the TS functions to the functions modeled in the probabilistic risk assessment (PRA) of the structures, systems and components (SSCs) subject to those actions.
2. Enclosure 2 provides a discussion of the results of peer reviews and self-assessments conducted for the plant-specific PRA models which support the RICT Program, as required by Regulatory Guide (RG) 1.200, Section 4.2.
3. Enclosure 3 is not applicable since each PRA model used for the RICT Program is addressed using a standard endorsed by the Nuclear Regulatory Commission.
4. Enclosure 4 provides appropriate justification for excluding sources of risk not addressed by the PRA models.
5. Enclosure 5 provides the plant-specific baseline core damage frequency (CDF) and large early release frequency (LERF) to confirm that the potential risk increases allowed under the RICT Program are acceptable.
6. Enclosure 6 is not applicable since the RICT Program is not being applied to shutdown models.
7. Enclosure 7 provides a discussion of the licensee's programs and procedures that assure the PRA models that support the RICT Program are maintained consistent with the as-built, as-operated plant.
8. Enclosure 8 provides a description of how the baseline PRA model, which calculates average annual risk, is evaluated and modified to assess real time configuration risk, and describes the scope of, and quality controls applied to the real-time model.
9. Enclosure 9 provides a discussion of how the key assumptions and sources of uncertainty in the PRA models were identified, and how their impact on the RICT Program was assessed and dispositioned.
10. Enclosure 10 provides a description of the implementing programs and procedures regarding the plant staff responsibilities for the RICT Program implementation, including risk management action (RMA) implementation.
11. Enclosure 11 provides a description of the monitoring program as described in NEI 06-09-A, Section 2.3.2, Step 7.

to TXX-21093 Page 6 of 17

12. Enclosure 12 provides a description of the process to identify and provide RMAs, including examples.

2.3 Optional Changes and Variations Vistra OpCo is proposing the following variations from the TS changes described in TSTF-505, Revision 2, or the applicable parts of the NRC's model safety evaluation dated November 21, 2018. These options were recognized as acceptable variations in TSTF-505 and the NRC's model safety evaluation.

Note that, in several instances, the CPNPP TS use different numbering and titles than the Standard Technical Specifications (STS) on which TSTF-505 was based. These differences are administrative and do not affect the applicability of TSTF-505 to the CPNPP TS. Only TS changes consistent with the CPNPP design and TS are included. Attachment 4 provides specific information. is a cross-reference that provides a comparison between the NUREG-1431, "Standard Technical Specifications Westinghouse Plants," Required Actions included in TSTF-505 and the CPNPP Actions included in this license amendment request. The attachment includes a summary description of the referenced Required Actions, which is provided for information purposes only and is not intended to be a verbatim description of the Required Actions. The cross-reference in Attachment 4 identifies the following:

1. CPNPP Actions that have identical numbers to the corresponding NUREG-1431 Required Actions are not deviations from TSTF-505, except for administrative deviations (if any) such as formatting. These deviations are administrative with no impact on the NRC's model safety evaluation dated November 21, 2018.
2. CPNPP Actions that have different numbering than the NUREG-1431 Required Actions are an administrative deviation from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21, 2018.
3. For NUREG-1431 Required Actions that are not contained in the CPNPP TS, the corresponding TSTF-505 mark-ups for the Required Actions are not applicable to CPNPP. This is an administrative deviation from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21, 2018.
4. Existing CPNPP Actions that have new numbers because of additional Actions added to the TS consistent with TSTF-505 are administrative deviations from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21, 2018.
5. The model application provided in TSTF-505, Revision 2, includes an attachment for typed, camera-ready (revised) TS pages reflecting the proposed changes. CPNPP is not including such an attachment due to the number of TS pages included in this submittal that have the potential to be affected by other unrelated license amendment requests and the straightforward nature of the proposed changes. Providing only mark-ups of the proposed TS changes satisfies the requirements of 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," in that the mark-ups fully describe the changes desired. This is an administrative to TXX-21093 Page 7 of 17 deviation from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21, 2018. Because of this deviation, the contents and numbering of the attachments for this amendment request differ from the attachments specified in the model application in TSTF-505, Revision 2.
6. As stated in TSTF-505, Revision 2, it is necessary to adopt TSTF-439, "Eliminate Second Completion Times Limiting Time from Discovery of Failure to Meet an LCO,"

in order to adopt TSTF-505 for those Required Actions that are affected by both travelers. On December 19, 2006, (ADAMS Accession No. ML070580149) Vistra OpCo submitted a license amendment request (LAR) for CPNPP to adopt TSTF-439.

This LAR impacts the following TS.

TS 3.7.5, Auxiliary Feedwater System TS 3.8.1, AC Sources-Operating TS 3.8.9, Distribution Systems-Operating There are several plant-specific LCOs and associated Actions for which CPNPP are proposing to apply the RICT Program that are variations from TSTF-505 as identified in with additional justification provided below:

3.3.5. B.1 -

Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

The requirements of TS 3.3.5, Action B.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status. This will result in at least one operable sensing relay per bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring a loss of power (LOP) start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses.

For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered to TXX-21093 Page 8 of 17 from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

3.3.5.C.1 -

Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

The requirements of TS 3.3.5, Action C.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status. This will result in at least one operable sensing relay per bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses.

For each unit, the undervoltage protection system, leading to the start of the diesel generators on loss of offsite power, consists of the following functional groups:

Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

3.3.5. D.1 - Two channels per bus for the 6.9 kV buss loss of voltage function inoperable.

The requirements of TS 3.3.5, Action D.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status. This will result in at least one operable sensing relay per bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to to TXX-21093 Page 9 of 17 repair most failures and considers the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses.

For each unit, the undervoltage protection system, leading to the start of the diesel generators on loss of offsite power, consists of the following functional groups:

Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

3.3.5.E.1 - Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable.

The requirements of TS 3.3.5, Action E.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status. This will result in at least one operable sensing relay per bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses.

For each unit, the undervoltage protection system, leading to the start of the diesel generators on loss of offsite power, consists of the following functional groups:

Preferred offsite source undervoltage, alternate offsite source undervoltage, to TXX-21093 Page 10 of 17 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

3.3.5.F.1 - One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

The requirements of TS 3.3.5, Action F.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one train to OPERABLE status. This will result in at least one operable Automatic Logic and Actuation Relays train operable. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses.

For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

to TXX-21093 Page 11 of 17 Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

3.5.2.A.1 -

One train inoperable because of the inoperability of a centrifugal charging pump.

The requirements of TS 3.5.2, Action A.1 currently allow for 7 days to restore the centrifugal charging pump to operable status. With one centrifugal charging pump inoperable the Emergency Core Cooling System (ECCS) is still capable of providing 100% capacity. The 7 day completion time is based on a risk-informed assessment to manage the risk associated with the equipment in accordance with the Configuration Risk Management Program and is responsible for the repair of a centrifugal charging pump.

The ECCS consists of three separate subsystems: centrifugal charging (high head), safety injection (intermediate head), and residual heat removal (low head).

Each of the three subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100%

of the flow required to mitigate accident consequences. The interconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the required 100% flow.

Application of a RICT for this Action will not adversely affect the ability of the ECCS to perform their intended safety function.

3.7.4.C.1 - Steam Generator Atmospheric Relief Valves (ARVs); Three or more required ARV lines inoperable.

The requirements of TS 3.7.4, Action C.1 currently allow 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to restore at least two ARV lines to OPERABLE status. This will result in at least two OPERABLE ARVs. Since the block valve can be closed to isolate an ARV, some repairs may be possible with the unit at power. The 24-hour Completion Time is reasonable to repair inoperable ARV lines, based on the availability of the Steam Dump System and Main Steam Safety Valves (MSSVs), and the low probability of an event occurring during this period that would require the ARV lines.

The ARVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions should the preferred heat sink via the Steam Dump System to the condenser not be available. This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the condensate storage tank (CST).

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a steam generator tube rupture (SGTR). The design basis for the maximum relief capacity is established by the 10 CFR 100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design rate of 50°F per hour is to TXX-21093 Page 12 of 17 applicable for a natural circulation cooldown using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

Application of a RICT for this Action will not adversely affect the ability of the Steam Generator ARVs to perform their intended safety function.

3.7.8.B.1 -Station Service Water System, One SSWS train inoperable The requirements of TS 3. 7.8, Action B.1 currently allow 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the SSWS train to operable status. In this condition, the remaining OPERABLE SSWS is adequate to provide a heat sink for the removal of process and operating heat from safety related components.

The SSWS consists of two separate, 100% capacity, safety related, cooling water trains. Each train consists of one 100% capacity pump, piping, valving, and instrumentation. The pumps and valves are remote and manually aligned to be operable in the unlikely event of a loss of coolant accident (LOCA). The pumps aligned to their respective loops are automatically started upon receipt of a safety injection signal. An automatic valve in the discharge of each pump is interlocked to open on a pump start. An automatic valve in the SSWS cooling water flow path for each emergency diesel generator automatically opens on a diesel generator start. All other valves are manual valves operated locally. The SSWS also is the backup water supply to the Auxiliary Feedwater System.

In the event of a total Loss of Station Service Water (LOSSW) event in one unit at Comanche Peak, backup cooling capability is available via a cross-connect between the two units. An OPERABLE pump is manually realigned, and flow balanced to provide cooling to essential heat loads to one or both units as required. The OPERABILITY of the unit cross-connect along with a Station Service Water pump in the shutdown unit ensures the availability of sufficient redundant cooling capacity for the operating unit. The Limiting Condition of Operation will ensure a significant risk reduction as indicated by the analyses of a Loss of Station Service Water System event. The surveillance requirements ensure the short and long-term OPERABILITY of the Station Service Water System and cross-connect between the two units.

The Station Service Water System cross-connect between the two units consists of appropriate piping and cross-connect valves connecting the discharge of the Station Service Water pumps of the two units. By aligning the cross-connect flow paths, additional redundant cooling capacity from one unit is available to the Station Service Water System of the other unit.

The principal safety related function of the SSWS is the removal of decay heat from the reactor via the CCW System. The design basis of the SSWS is for one SSWS train, in conjunction with the CCW System and a 100% capacity to TXX-21093 Page 13 of 17 containment cooling system, to remove core decay heat following a design basis LOCA.

An SSW Pump on the opposite unit is OPERABLE as back-up in the event of a LOSSW if it is capable of providing required flow rates. An emergency diesel generator power source is not required because loss of offsite power is not assumed coincident with a LOSSW event.

A cross-connect valve is OPERABLE if it can be cycled or is locked open. A valve that cannot be demonstrated OPERABLE by cycling is considered inoperable until the valve is surveilled in the locked open position. However, at least one cross-connect valve between units is required to be maintained closed in accordance with GDC-5 unless required for flushing or due to total loss of Station Service Water pumps for either unit.

If no SSW pump on the opposite unit or its associated cross-connects are operable, the overall reliability is degraded since a back-up in the event of a Loss of Station Service Water System (LOSSWS) event may not be capable of performing the function. The 7 day completion time is based on the low probability of a LOSSWS during this time period.

Application of a RICT for this Action will not adversely affect the ability of the Station Service Water System to perform its safety function.

3.7.19.A.1 - Safety Chilled Water; One safety chilled water train inoperable The requirements of TS 3.7.19, Action A.1 currently allow 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the safety chilled water train to OPERABLE status. In this condition, the remaining OPERABLE Safety Chilled Water System train is adequate to perform the heat removal function for its associated essential equipment.

However, the overall reliability is reduced because a single failure in the OPERABLE Safety Chilled Water System train could result in loss of the Safety Chilled Water System function. The 72-hour Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a OBA occurring during this time.

The design basis of the Safety Chilled Water System is to support emergency fan coil units (EFCUs) that maintain air temperatures as required in selected rooms containing safety-related equipment during normal operation and during and after a design basis accident (with or without a loss of offsite power) or a blackout (loss of offsite power, LOOP). The system is designed to provide chilled water to maintain the ambient air temperature within the design limits of the essential equipment served by the system.

The Safety Chilled Water System for each unit consists of two separate and completely redundant safety trains. Each train consists of one packaged centrifugal chiller, one centrifugal chilled water recirculation pump, interconnecting piping, valves, controls, and instrumentation. There are no automatic valves in the system.

to TXX-21093 Page 14 of 17 Additionally, the two trains share a common chilled water surge (expansion) tank, partitioned in the middle into two separate compartments to provide complete separation of the two trains, that function to ensure sufficient net positive suction head is available.

Application of a RICT for this Action will not adversely affect the ability of the Safety Chilled Water to perform its intended safety function.

Vistra OpCo has determined that the application of a RICT for these CPNPP plant specific LCOs is consistent with TSTF-505, Revision 2, and with the NRC's model safety evaluation dated November 21, 2018. Application of a RICT for these plant specific LCOs will be controlled under the RICT Program. The RICT Program provides the necessary administrative controls to permit extension of Completion Times and thereby delay reactor shutdown or remedial actions if risk is assessed and managed within specified limits and programmatic requirements. The specified safety function or performance levels of TS required structures, systems or components (SSCs) are unchanged, and the remedial actions, including the requirement to shut down the reactor, are also unchanged; only the Action completion times are extended by the RICT Program.

Application of a RICT is evaluated using the methodology and probabilistic risk guidelines contained in NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines," Revision 0, which was approved by the NRC on May 17, 2007 (ADAMS Accession No. ML071200238). The NEI 06-09-A, Revision O methodology includes a requirement to perform a quantitative assessment of the potential impact of the application of a RICT on risk, to reassess risk due to plant configuration changes, and to implement compensatory measures and risk management actions (RMAs) to maintain the risk below acceptable regulatory risk thresholds. In addition, the NEI 06-09-A, Revision O methodology satisfies the five key safety principles specified in Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specifications," dated August 1998 (ADAMS Accession No. ML003740176), relative to the risk impact due to the application of a RICT.

Therefore, the proposed application of a RICT in the CPNPP plant specific Actions is consistent with TSTF-505, Revision 2, and with the NRC's model safety evaluation dated November 21, 2018.

Vistra OpCo has reviewed these changes and determined that they do not affect the applicability of TSTF-505, Revision 2, to the CPNPP TS.

3.0 REGULA TORY ANALYSIS 3.1 No Significant Hazards Consideration Determination Vistra OpCo has evaluated the proposed changes to the TS using the criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration.

Comanche Peak Nuclear Power Plant, Units 1 and 2, request adoption of an approved change to the standard technical specifications (STS) and plant-specific technical to TXX-21093 Page 15 of 17 specifications (TS), to modify the TS requirements related to Completion Times for Required Actions to provide the option to calculate a longer, risk-informed Completion Time. The allowance is described in a new program in Section 5.0, "Administrative Controls," entitled the "Risk-Informed Completion Time Program."

As required by 10 CFR 50.91 (a), an analysis of the issue of no significant hazards consideration is presented below:

1. Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed changes permit the extension of Completion Times provided the associated risk is assessed and managed in accordance with the NRC approved Risk-Informed Completion Time Program, removes historical information, and establishes default Conditions in TS 3.3.1 and TS 3.3.2. The proposed changes do not involve a significant increase in the probability of an accident previously evaluated because the changes involve no change to the plant or its modes of operation. The proposed changes do not increase the consequences of an accident because the design-basis mitigation function of the affected systems is not changed and the consequences of an accident during the extended Completion Time are no different from those during the existing Completion Time.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Do the proposed changes create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed changes do not change the design, configuration, or method of operation of the plant. The proposed changes do not involve a physical alteration of the plant (no new or different kind of equipment will be installed).

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Do the proposed changes involve a significant reduction in a margin of safety?

Response: No.

The proposed change permits the extension of Completion Times provided risk is assessed and managed in accordance with the NRC approved Risk-Informed Completion Time Program, removes historical information, and establishes default Conditions in TS 3.3.1 and TS 3.3.2. The proposed change implements a risk-informed configuration management program to assure that adequate margins of safety are maintained.

Application of these new specifications and the configuration management program considers cumulative effects of multiple systems or components being out of service and does so more effectively than the current TS.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

to TXX-21093 Page 16 of 17 Based on the above, Vistra OpCo, concludes that the proposed changes present no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

3.2 Conclusions In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

4.0 ENVIRONMENTAL CONSIDERATION

Vistra OpCo has reviewed the environmental evaluation included in the model safety evaluation published on November 21, 2018 as part of the Notice of Availability. Vistra OpCo has concluded that the NRC staff findings presented in that evaluation are applicable to CPNPP Units 1 and 2, NPF-87 and NPF-89.

The proposed change would change a requirement with respect to installation or use of a facility component located within the restricted.area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9).

Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed changes.

5.0 REFERENCES

1. Topical Report NEI 06-09, Revision 0-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines" (ADAMS Accession No. ML12286A322 (part of ADAMS Package Accession No.

ML122860402)).

2. NUREG-0800, Standard Review Plan 19.1, "Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 3, May 2012.
3. NUREG-0800, Standard Review Plan 19.2, "Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance," Revision 0, November 2002.
4. NUREG-0800, Standard Review Plan 16.1, "Risk-Informed Decisionmaking:

Technical Specifications," Revision 1, March 2007.

5. Regulatory Guide 1.174, Revision 2, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," May 2011, Accession No. ML 10091006.
6. Regulatory Guide 1. 177, Revision 1, "An Approach for Plant-Specific, Risk-Informed Decisionmaking:

Technical Specifications,"

May 2011,

Accession No.

ML100910008.

to TXX-21093 Page 17 of 17

7. Regulatory Guide 1.200, Revision 2, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities,"

March 2009, Accession No. ML090410014.

to TXX-21093 Page 1 of 49 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Proposed Technical Specification pages (markup) to TXX-21093 Page 2 of 49 Completion Times 1.3 1.3 Completion Times EXAMPLES EXAMPLE 1.3-6 (continued)

If after entry into Condition B, Required Action A.1 or A.2 is met, Condition B is exited and operation may then continue in Condition A.

EXAMPLE 1.3-7 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One subsystem A.1 Verify affected 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable.

subsystem isolated.

AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND A.2 Restore subsystem to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> OPERABLE status.

B. Required Action B.1 Be in MODE 3.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and associated Completion Time AND not met.

B.2 Be in MODE 5.

36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> Required Action A.1 has two Completion Times. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time begins at the time the Condition is entered and each "Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter" interval begins upon performance of Required Action A.1.

If after Condition A is entered, Required Action A.1 is not met within either the initial 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or any subsequent 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> interval from the previous performance (plus the extension allowed by SR 3.0.2), Condition Bis entered. The Completion Time clock for Condition A does not stop after Condition B is entered, but continues from the time Condition A was initially entered. If Required Action A.1 is met after Condition B is entered, Condition B is exited and operation may continue in accordance with Condition A, provided the Completion Time for Required Action A.2 has not expired.

~

~

EXAMPLE 1.3-8 INSERT IMMEDIATE COMPLETION TIME When "Immediately" is used as a Completion Time, the Required Action should be pursued without delay and in a controlled manner COMANCHE PEAK-UNITS 1 AND 2 1.3-8 Amendment No. 150 to TXX-21093 Page 3 of 49 3.3 INSTRUMENTATION 3.3.1 Reactor Trip System (RTS) Instrumentation RTS Instrumentation 3.3.1 LCO 3.3.1 The RTS instrumentation for each Function in Table 3.3.1-1 shall be OPERABLE.

APPLICABILITY:

According to Table 3.3.1-1 ACTIONS

N OT E--------------------------------------------------------------

Sep a rate Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions with A.1 Enter the Condition referenced in Immediately one or more required Table 3.3.1-1 for the channel(s) or channels or trains train(s).

inoperable.

B. One Manual Reactor Trip B.1 Restore channel to OPERABLE 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> channel inoperable.

status.

GR IRICT INSE RT 13.2 Be iA MGge d.

§4 A91:ffS COMANCHE PEAK - UNITS 1 AND 2 3.3-1 Amendment No. 150 to TXX-21093 Page 4 of 49 ACTIONS (continued)

CONDITION REQUIRED ACTION D. One Power Range Neutron -----------------------NOTE------------------------

Flux - High channel One channel may be bypassed for up to inoperable.

12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing and setpoint adjustment.

D.1.1 ------------------NOTE--------------------

Only required to be performed when the Power Range Neutron Flux input to QPTR is inoperable.

Perform SR 3.2.4.2.

AND D.1.2 Place channel in trip.

00

~ Bein MODE3 COMANCHE PEAK-UNITS 1 AND 2 3.3-3 RTS Instrumentation 3.3.1 COMPLETION TIME 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from discovery of THERMAL POWER

> 75% RTP AND Once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />

-<---IRICT INSERT I 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> Amendment No. 150 to TXX-21093 Page 5 of 49 ACTIONS (continued)

CONDITION E. One channel inoperable.

F. One Intermediate Range Neutron Flux channel inoperable.

G. Two Intermediate Range Neutron Flux channels inoperable.

REQUIRED ACTION

N OT E------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

E.1 Place channel in trip.

GR e.~ Be iR MG9e 3.

F.1 Reduce THERMAL POWER to

< P-6.

OR F.2 Increase THERMAL POWER to

> P-10.

G.1 ------------------NOTE-----------------------

Limited boron concentration changes associated with RCS inventory control or limited plant temperature changes are allowed.

Suspend operations involving positive reactivity additions.

AND G.2 Reduce THERMAL POWER to

< P-6.

COMANCHE PEAK - UNITS 1 AND 2 3.3-4 RTS Instrumentation 3.3.1 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INS 78 A91:::1FS 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 24 hours Immediately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> ERT Amendment No. 150 to TXX-21093 Page 6 of 49 ACTIONS (continued)

CONDITION M. One channel inoperable.

REQUIRED ACTION

NOTE-----------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

M.1 Place channel in trip.

GR M.2 ReE11::1ee +l=leRMAb PGVVeR ta 4-P+.

/

INSERT TS 3.3.1 I N. ri.Jat 1::1seEI.

Condition N

0. One Low Fluid Oil pressure ------------------------NOTE-----------------------

Turbine Trip channel One channel may be bypassed for up to inoperable.

12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

0.1 Place channel in trip.

GR G.2 ReE11::1ee +l=leRMAb PGWeR ta

~

P. One or more Turbine Stop P.1 Place channel(s) in trip.

Valve Closure Turbine Trip channel(s) inoperable.

GR P.2 ReEl1::1oe +l=leRMAb PGVVeR ta INSERT TS 3.3.1

~

Condition Q COMANCHE PEAK - UNITS 1 AND 2 3.3-6 RTS Instrumentation 3.3.1 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSE 78 R81::1FS 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSE 7@ Ral::IFS 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> RT RT IRICT INSE RT

-7H=l-eu rs Amendment No. 150 to TXX-21093 Page 7 of 49 ACTIONS (continued)

CONDITION Q-:. One train inoperable.

R One RTB train inoperable.

&. One or more required channel(s) inoperable.

REQUIRED ACTION

NOTE-----------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

R.1 Q-:4 Restore train to OPERABLE status.

GR Q.2 Be iA MGQe 3.

NOTE-----------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing or maintenance, provided the other train is OPERABLE.

S.1 R-4 Restore train to OPERABLE status.

GR R.2 Be iA MGQe 3.

-I. I

&4 Verify interlock is in required state for existing unit conditions.

-~

C',..,

~ :- ~U""\\l"'\\I"":,:,

COMANCHE PEAK-UNITS 1 AND 2 3.3-7 RTS Instrumentation 3.3.1 COMPLETION TIME 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> jRICT INSE 3Q R9l::IFS 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> IRICT INSE 3Q R9l::IFS 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> "7 i..~ -

Amendment No. 150 RT RT to TXX-21093 Page 8 of 49 ACTIONS (continued)

CONDITION REQUIRED ACTION RTS Instrumentation 3.3.1 COMPLETION TIME

+. One or more required 0---17 channel(s) inoperable.

+. Verify interlock is in required state for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> existing unit conditions.

V.1 Y:- One trip mechanism

~

inoperable for one RTB.

-Y:4 Restore inoperable trip mechanism to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> OPERABLE status.

GR

-<---IRICT INSERT I U.2 Be in MODE 3.

54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> INSERT TS 3.3.1

~ Not used. +-------1 w

Condition W

~

Condition X SURVEILLANCE REQUIREMENTS

NOTE-------------------------------------------------------------

Refer to Table 3.3.1-1 to determine which SRs apply for each RTS Function.

SURVEILLANCE SR 3.3.1.1 Perform CHANNEL CHECK.

COMANCHE PEAK - UNITS 1 AND 2 3.3-8 FREQUENCY In accordance with the Surveillance Frequency Control Program.

Amendment No. 4W, 156 to TXX-21093 Page 9 of 49 APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS

16. Turbine Trip
a.

Low Fluid Oil 1 U)

Pressure

b. Turbine Stop Valve 1 (j)

Closure

17. Safety Injection (SI) Input 1,2 from Engineered Safety Feature Actuation System (ESFAS)
18. Reactor Trip System Interlocks
a. Intermediate Range 2(e)

Neutron Flux, P-6

b.

Low Power Reactor Trips Block, P-7 C.

Power Range Neutron Flux, P-8

d.

Power Range Neutron Flux, P-9 e, Power Range 1,2 Neutron Flux, P-10

f.

Turbine First Stage Pressure, P-13

19. Reactor Trip 1,2 Breakers(RTBs)'kl 3(b), 4(b), 5(b)

Table 3.3.1-1 (page 4 of 6)

Reactor Trip System Instrumentation REQUIRED CHANNELS CONDITIONS 3

0 4

p 2 trains

~

Q 2

~

g 1 per train

~

+

4

~

+

4

~

+

4

~

g 2

~

+

2 trains ~

R 2 trains C

RTS Instrumentation 3.3.1 SURVEILLANCE ALLOWABLE REQUIREMENTS VALUE(a)

SR 3.3.1.10 2 46.6 psig SR 3.3.1.15 SR 3.3.1.10 21% open SR 3.3.1.15 SR 3.3.1.14 NA SR 3.3.1.1 1 2 6E-11 amp SR 3.3.1.13 SR 3.3.1.5 NA SR 3.3.1.11

~ 50.7% RTP SR 3.3.1.13 SR 3.3.1.11

~ 52.7% RTP SR 3.3.1.13 SR 3.3.1.11 2 7.3% RTP and SR 3.3.1.13

~ 12.7% RTP SR 3.3.1.10

~ 12.7% turbine SR 3.3.1.13 power SR 3.3.1.4 NA SR 3.3.1.4 NA (a)

The Allowable Value defines the limiting safety system setting except for Trip Functions 2a, 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions). See the Bases for the Nominal Trip Setpoints.

(b)

With Rod Contol System capable of rod withdrawal or one or more rods not fully inserted.

(e)

Below the P-6 (Intermediate Range Neutron Flux) interlock.

G)

Above the P-9 (Power Range Neutron Flux) interlock.

(k)

Including any reactor trip bypass breakers that are racked in and closed for bypassing an RTB.

COMANCHE PEAK-UNITS 1 AND 2 3.3-18 Amendment No. 4-§G, 156 to TXX-21093 Page 1 O of 49 FUNCTION

20. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms(k)
21. Automatic Trip Logic APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS 1,2 1,2 Table 3.3.1-1 (page 5 of 6)

Reactor Trip System Instrumentation REQUIRED CHANNELS CONDITIONS ti 1 each per RTB C

2 trains

~

Q 2 trains C

RTS Instrumentation 3.3.1 SURVEILLANCE ALLOWABLE VALUE(a)

REQUIREMENTS SR 3.3.1.4 SR 3.3.1.4 SR 3.3. 1.5 SR 3.3.1.5 NA NA NA NA (a)

The Allowable Value defines the limiting safety system setting except for Trip Functions 2a, 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions). See the Bases for the Nominal Trip Setpoints.

(b}

With Rod Contol System capable of rod withdrawal or one or more rods not fully inserted.

(k)

Including any reactor trip bypass breakers that are racked in and closed for bypassing an RTB.

COMANCHE PEAK-UNITS 1 AND 2 3.3-19 Amendment No. 4W, 156 to TXX-21093 Page 11 of 49 3.3 INSTRUMENTATION ESFAS Instrumentation 3.3.2 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation LCO 3.3.2 The ESFAS instrumentation for each Function in Table 3.3.2-1 shall be OPERABLE.

APPLICABILITY:

According to Table 3.3.2-1 ACTIONS

NOTE-------------------------------------------------------------

S e para t e Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions with A.1 Enter the Condition referenced in Immediately one or more required Table 3.3.2-1 for the channel(s) or channels or trains train(s).

inoperable.

B. One channel or train B.1 Restore channel or train to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> inoperable.

OPERABLE status.

GR IRICT INSE B.2.1 Be in MODE 3.

54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> ANG B.2.2 Be in MODE 5.

g4 hours COMANCHE PEAK - UNITS 1 AND 2 3.3-21 Amendment No. 4-W;- 156 RT to TXX-21093 Page 12 of 49 ACTIONS (continued)

CONDITION C. One train inoperable.

D. One channel inoperable.

REQUIRED ACTION

NO TE------------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

C.1 Restore train to OPERABLE status.

GR C.2.1 Be in MODE 3.

ANG C.2.2 Be in MODE 13.

NOTE------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

D.1 Place channel in trip.

GR D.2.1 Be in MODE 3.

ANG D.2.2 Be in MODE 4.

COMANCHE PEAK - UNITS 1 AND 2 3.3-22 ESFAS Instrumentation 3.3.2 COMPLETION TIME 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

(

IRICT INSE 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> eO hOUFS 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> RT

(

IRICT INS ERT 78 hOUFS 84 hOUFS Amendment No. 4W, 156 to TXX-21093 Page 13 of 49 ACTIONS (continued)

CONDITION E. One Containment Pressure channel inoperable.

F. One channel or train inoperable.

REQUIRED ACTION

NOTE------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

E.1 Place channel in bypass.

GR E.2.1 Be in MODE 3.

AN&

E.2.2 Be in MODE 4.

F.1 Restore channel or train to OPERABLE status.

GR F.2.1 Be in MODE 3.

AN&

F.2.2 Be in MODE 4.

COMANCHE PEAK - UNITS 1 AND 2 3.3-23 ESFAS Instrumentation 3.3.2 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> 78 hours 84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> 48 hours IRICT INSE 54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br />

@Q hours Amendment No. 4W, 156 RT to TXX-21093 Page 14 of 49 ACTIONS (continued)

CONDITION G. One train inoperable.

H. One train inoperable.

REQUIRED ACTION

NOTE------------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

G.1 Restore train to OPERABLE status.

GR G.2.1 Be in MODE 3.

ANf}

G.2.2 Be in MODE 4.

NOTE------------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

H.1 Restore train to OPERABLE status.

GR 1=1.2 Be in MODE 3.

COMANCHE PEAK - UNITS 1 AND 2 3.3-24 ESFAS Instrumentation 3.3.2 COMPLETION TIME 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> IRICT INSE 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> 3@ hours 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> IRICT INSE 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> Amendment No. 4W, 156 RT RT to TXX-21093 Page 15 of 49 ACTIONS (continued)

CONDITION I.

One channel inoperable.

J. One Main Feedwater Pump trip channel inoperable.

K. One channel inoperable.

REQUIRED ACTION

NOTE------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

1.1 Place channel in trip.

GR 1.2 Be iR MGge 3.

J.1 Place channel in trip.

GR d.2 Be iR MGge 3.

N OT E------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

K.1 Place channel in bypass.

GR K.2.1 Be iR MGge 3.

ANG K.2.2 Be iR MGge: a.

COMANCHE PEAK-UNITS 1 AND 2 3.3-25 ESFAS Instrumentation 3.3.2 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />

(

IRICT INS ERT

+8 A81:!FS 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />

(

IRICT INS ERT 12 A81:!FS 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />

+8 A81:!FS 1 Q8 A81:!FS Amendment No. 4eG, 156 to TXX-21093 Page 16 of 49 ACTIONS (continued)

CONDITION L. One or more required channeltst inoperable.

INSERT TS 3.3.2 Conditions M, N, and r

0 REQUIRED ACTION L.1 Verify interlock is in required state for existing unit condition.

GR L.2.1 Be in MODE 3.

ANQ L.2.2 Be in MODE 4.

SURVEILLANCE REQUIREMENTS ESFAS Instrumentation 3.3.2 COMPLETION TIME 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 7 hours 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />

N OT E-------------------------------------------------------------

Refer to Table 3.3.2-1 to determine which SRs apply for each ESFAS Function.

SURVEILLANCE SR 3.3.2.1 Perform CHANNEL CHECK.

SR 3.3.2.2 Perform ACTUATION LOGIC TEST.

SR 3.3.2.3 Not Used.

COMANCHE PEAK - UNITS 1 AND 2 3.3-26 FREQUENCY In accordance with the Surveillance Frequency Control Program.

In accordance with the Surveillance Frequency Control Program.

Amendment No. 4-eG, 156 to TXX-21093 Page 17 of 49 3.3 INSTRUMENTATION LOP DG Start Instrumentation 3.3.5 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation LCO 3.3.5 The Loss of Power Diesel Generator Start Instrumentation for each Function in Table 3.3.5-1 shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, 3, and 4

N OT E------------------------------------------------

Not applicable for 6.9 kV Preferred Offsite Source Undervoltage function when associated source breaker is open.

ACTIONS

NOTE-------------------------------------------------------------

S e pa rate Condition entry is allowed for each Function.

NOTE---------------------------------------------------------------

RI CT entry is not permitted for more than one Condition at a time for Conditions B, C, Dor E.

CONDITION A. --------------NOTE-------------

N ot applicable to Automatic Actuation Logic and Actuation Relays Function REQUIRED ACTION One or more Functions with A.1 Place channel in trip.

one channel per bus inoperable.

COMANCHE PEAK-UNITS 1 AND 2 3.3-42 COMPLETION TIME 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />

~<--IRICT INSERT I Amendment No. 4W, 156 to TXX-21093 Page 18 of 49 ACTIONS (continued)

CONDITION B. Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

C. Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

D. Two channels per bus for the 6.9 kV bus loss of voltage function inoperable.

LOP DG Start Instrumentation 3.3.5 REQUIRED ACTION COMPLETION TIME B.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> OPERABLE status.

IRICT INSE RT I OR B.2.1 Declare the Preferred offsite source 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable.

AND B.2.2 Open associated Preferred offsite 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> source bus breaker.

C.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> OPERABLE status.

IRICT INSE RT I OR C.2.1 Declare the Alternate offsite source 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable.

AND C.2.2 Open associated Alternate offsite 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> source bus breaker.

D.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> OPERABLE status.

IRICT INSE RT I OR D.2 Declare the affected A.C. emergency 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> buses inoperable.

COMANCHE PEAK - UNITS 1 AND 2 3.3-43 Amendment No. 4-W-; 156 to TXX-21093 Page 19 of 49 ACTIONS (continued)

CONDITION E. Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable F. One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

G. Required Action and associated Completion Time not met.

REQUIRED ACTION E.1 Restore one channel per bus to LOP DG Start Instrumentation 3.3.5 COMPLETION TIME 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> OPERABLE status.

(

IRICT INSE RT I OR E.2.1 Declare both offsite power source 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> buses inoperable.

AND E.2.2 Open offsite power source 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> breakers to the associated buses.

F.1 Restore train(s) to OPERABLE 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> status.

(

IRICT INSE RT I G.1 Enter applicable Condition(s) and Immediately Required Action(s) for the associated DG made inoperable by LOP DG start instrumentation.

COMANCHE PEAK - UNITS 1 AND 2 3.3-44 Amendment No. 4W, 156 to TXX-21093 Page 20 of 49 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.9 Pressurizer LCO 3.4.9 The pressurizer shall be OPERABLE with:

a.

Pressurizer water level::; 92%; and Pressurizer 3.4.9

b.

Two groups of pressurizer heaters OPERABLE with the capacity of each group ~ 150 kW.

APPLICABILITY:

MODES 1, 2, and 3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. Pressurizer water level not A.1 Be in MODE 3.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> within limit.

AND A.2 Fully insert all rods.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> AND A.3 Place Rod Control System in a 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> condition incapable of rod withdrawal.

AND A.4 Be in MODE 4.

12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> B. One required group of B.1 Restore required group of pressurizer 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> pressurizer heaters heaters to OPERABLE status.

inoperable.

IRICT INSE RT I COMANCHE PEAK - UNITS 1 AND 2 3.4-18 Amendment No. 4W, 156 to TXX-21093 Page 21 of 49 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)

Pressurizer PORVs 3.4.11 LCO 3.4.11 Each PORV and associated block valve shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, and 3 ACTIONS

N OT E-------------------------------------------------------------

Sep a rate Condition entry is allowed for each PORV.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more PORVs A.1 Close and maintain power to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable and capable of associated block valve.

being manually cycled.

B. One PORV inoperable and B.1 Close associated block valve.

1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> not capable of being manually cycled.

AND B.2 Remove power from associated 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> block valve.

AND B.3 Restore PORV to OPERABLE status. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> EE IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.4-22 Amendment No. 4-eO, 156 to TXX-21093 Page 22 of 49 ACTIONS (continued)

CONDITION C. One block valve inoperable.

D. Required Action and associated Completion Time of Condition A, B, or C not met.

E. Two PORVs inoperable and not capable of being manually cycled.

REQUIRED ACTION

N OT E------------------------

Required Actions do not apply when block valve is inoperable solely as a result of complying with Required Actions 8.2 or E.2.

C.1 Place associated PORV in manual control.

AND C.2 Restore block valve to OPERABLE status.

D.1 Be in MODE 3.

AND D.2 Be in MODE 4 E.1 Close associated block valves.

AND E.2 Remove power from associated block valves.

AND E.3 Be in MODE 3 AND E.4 Be in MODE 4 COMANCHE PEAK-UNITS 1 AND 2 3.4-23 Pressurizer PORVs 3.4.11 COMPLETION TIME 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 72 hours IRICT INSE 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 12 hours 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 1 hour 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 12 hours RT I Amendment No. 4W, 156 to TXX-21093 Page 23 of 49 ECCS -- Operating 3.5.2 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3.5.2 ECCS -- Operating LCO 3.5.2 APPLICABILITY:

ACTIONS Two ECCS trains shall be OPERABLE.

NOTES----------------------------------------------

1. In MODE 3, both safety injection (SI) pump flow paths may be isolated by closing the isolation valves for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to perform pressure isolation valve testing per SR 3.4.14.1.
2. Operation in MODE 3 with ECCS pumps made incapable of injecting, pursuant to LCO 3.4.12, "Low Temperature Overpressure Protection (L TOP) System," is allowed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or until the temperature of all RCS cold legs exceeds 375°F, whichever comes first.

MODES 1, 2, and 3 CONDITION REQUIRED ACTION COMPLETION TIME A. One train inoperable A.1 Restore pump to OPERABLE status. 7 days because of the inoperability of a centrifugal charging pump.

-<-----IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.5-4 Amendment No. 4W, 156 to TXX-21093 Page 24 of 49 ACTIONS (continued)

CONDITION B. One or more trains inoperable for reasons other than one inoperable centrifugal charging pump.

AND At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available.

C. Required Action and associated Completion Time not met.

REQUIRED ACTION B.1 Restore train(s) to OPERABLE status.

C.1 Be in MODE 3.

AND C.2 Be in MODE 4.

SURVEILLANCE REQUIREMENTS SR 3.5.2.1 SURVEILLANCE Verify the following valves are in the listed position with power to the valve operator removed.

Number 8802 A&B 8809 A&B 8835 8840 8806 8813 Position Closed Open Open Closed Open Open Function SI Pump to Hot Legs RHR to Cold Legs SI Pump to Cold Legs RHR to Hot Legs SI Pump Suction from RWST SI Pump Miniflow Valve ECCS -- Operating 3.5.2 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSE 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 12 hours FREQUENCY In accordance with the Surveillance Frequency Control Program.

COMANCHE PEAK-UNITS 1 AND 2 3.5-5 Amendment No. 4-eQ, 156 RT !

to TXX-21093 Page 25 of 49 ACTIONS (continued)

CONDITION C. One or more containment air locks inoperable for reasons other than Condition A or B.

D. Required Action and associated Completion Time not met.

REQUIRED ACTION C.1 Initiate action to evaluate overall containment leakage rate per LCO 3.6.1.

AND C.2 Verify a door is closed in the affected air lock.

AND C.3 Restore air lock to OPERABLE status.

D.1 Be in MODE 3.

AND D.2 Be in MODE 5.

COMANCHE PEAK-UNITS 1 AND 2 3.6-5 Containment Air Locks 3.6.2 COMPLETION TIME Immediately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 24 hours IRICT INSE 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours RTI Amendment No. 150 to TXX-21093 Page 26 of 49 ACTIONS (continued)

CONDITION A. --------------NO TE--------------

Only applicable to penetration flow paths with two containment isolation valves.

One or more penetration flow paths with one containment isolation valve inoperable except for containment purge, hydrogen purge or containment pressure relief valve leakage not within limit.

Containment Isolation Valves 3.6.3 REQUIRED ACTION A.1 Isolate the affected penetration flow path by use of at least one closed and de-activated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured.

AND A. 2 --------------------NO TES-------------------

1. Isolation devices in high radiation areas may be verified by use of administrative means.
2. Isolation devices that are locked, sealed or otherwise secured may be verified by administrative means.

Verify the affected penetration flow path is isolated.

COMPLETION TIME 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> IRICT INSE RT I Once per 31 days for isolation devices \\_ f outside containment i

allowing solation AND Prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days for isolation devices inside containment COMANCHE PEAK - UNITS 1 AND 2 3.6-8 Amendment No. 150 to TXX-21093 Page 27 of 49 ACTIONS (continued)

CONDITION C. ---------------NOTE-------------

Only applicable to penetration flow paths with only one containment isolation valve and a closed system.

One or more penetration flow paths with one containment isolation valve inoperable.

D. One or more penetration flow paths with one or more containment purge, hydrogen purge or containment pressure relief valves not within leakage limits.

C.1 AND Containment Isolation Valves 3.6.3 REQUIRED ACTION COMPLETION TIME Isolate the affected penetration flow 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> path by use of at least one closed and de-activated automatic valve, IRICT INSERT I closed manual valve, or blind flange.

C.2 -------------------NOTES--------------------

1. Isolation devices in high radiation areas may be verified by use of administrative means.
2. Isolation devices that are locked, sealed or otherwise secured may be verified by administrative means.

Verify the affected penetration flow Once per 31 days path is isolated.

1-following isolation D.1 Isolate the affected penetration flow 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> path by use of at least one closed and de-activated automatic valve, closed manual valve, or bl.ind flange.

AND COMANCHE PEAK - UNITS 1 AND 2 3.6-10 Amendment No. 150 I

to TXX-21093 Page 28 of 49 Containment Spray System 3.6.6 3.6 CONTAINMENT SYSTEMS 3.6.6 Containment Spray System LCO 3.6.6 Two containment spray trains shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION A. One containment spray A.1 Restore containment spray train to train inoperable.

OPERABLE status.

B. Required Action and B.1 Be in MODE 3.

associated Completion Time of Condition A not AND met.

B.2 Be in MODE 5.

C. Two containment spray C.1 Enter LCO 3.0.3.

trains inoperable.

SURVEILLANCE REQUIREMENTS SR 3.6.6.1 SURVEILLANCE Verify each containment spray manual, power operated, and automatic valve in the flow path that is not locked, sealed, or otherwise secured in position is in the correct position.

COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />

(

IRICT INSE 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 84 hours Immediately FREQUENCY In accordance with the Surveillance Frequency Control Program.

RTI COMANCHE PEAK - UNITS 1 AND 2 3.6-16 Amendment No. 4W, 156 to TXX-21093 Page 29 of 49 3.7 PLANT SYSTEMS 3.7.2 Main Steam Isolation Valves (MSIVs)

LCO 3.7.2 Four MSIVs shall be OPERABLE.

APPL! CAB I LITY:

MODE 1, MSIVs 3.7.2 MODES 2 and 3 except when all MSIVs are closed and deactivated.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One MSIV inoperable in A.1 Restore MSIV to OPERABLE status. 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> MODE 1.

IRICT INSER B. Required Action and B.1 Be in MODE 2.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A not met.

C. --------------NO TE--------------

Separate Condition entry is allowed for each MSIV.

One or more MSIV C.1 Close MSIV.

8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> inoperable in MODE 2 or 3.

AND C.2 Verify MSIV is closed.

Once per 7 days D. Required Action and D.1 Be in MODE 3.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition C not AND met.

D.2 Be in MODE 4.

12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.7-6 Amendment No. 150 to TXX-21093 Page 30 of 49 3.7 PLANT SYSTEMS 3.7.4 Steam Generator Atmospheric Relief Valves (ARVs)

LCO 3.7.4 Four ARV lines shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, and 3 ACTIONS CONDITION REQUIRED ACTION A. One required ARV line A.1 Restore required ARV line to inoperable.

OPERABLE status.

B. Two required ARV lines B.1 Restore at least one ARV line to inoperable.

OPERABLE status.

C. Three or more required C.1 Restore at least two ARV lines to ARV lines inoperable.

OPERABLE status.

D. Required Action and D.1 Be in MODE 3.

associated Completion Time not met.

AND D.2 Be in MODE 4 COMANCHE PEAK - UNITS 1 AND 2 3.7-10 ARVs 3.7.4 COMPLETION TIME 7 days IRICT INSER 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSER 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> IRICT INSER 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 12 hours Amendment No. 150 Tl to TXX-21093 Page 31 of 49

3. 7 PLANT SYSTEMS 3.7.5 Auxiliary Feedwater (AFW) System LCO 3.7.5 Three AFW trains shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, and 3 ACTIONS AFW System 3.7.5

N OT E---------------------------------------------------------------

L CO 3.0.4.b is not applicable.

CONDITION REQUIRED ACTION COMPLETION TIME A. One steam supply to A.1 Restore steam supply to OPERABLE 7 days turbine driven AFW pump status.

inoperable.

IRICT INSER B. One AFW train inoperable B.1 Restore AFW train to OPERABLE 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for reasons other than status.

IRICT INSE Condition A.

RT I COMANCHE PEAK - UNITS 1 AND 2 3.7-12 Amendment No. 150 to TXX-21093 Page 32 of 49 3.7 PLANT SYSTEMS 3.7.7 Component Cooling Water (CCW) System LCO 3.7.7 Two CCW trains shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION A. One CCW train inoperable. -----------------------NOTE------------------------

Enter applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops -

MODE 4," for residual heat removal loops made inoperable by CCW.

A.1 Restore CCW train to OPERABLE status.

B. Required Action and B.1 Be in MODE 3.

associated Completion Time of Condition A not AND met.

B.2 Be in MODE 5.

COMANCHE PEAK - UNITS 1 AND 2 3.7-18 CCW System 3.7.7 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSE 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours RTI Amendment No. 4-eG, 156 to TXX-21093 Page 33 of 49

3. 7 PLANT SYSTEMS 3.7.8 Station Service Water System (SSWS) ssws 3.7.8 LCO 3.7.8 Two SSWS trains and a SSW Pump on the opposite unit with its associated cross-connects shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. Required SSW Pump on A.1 Restore a SSW Pump on the 7 days the opposite unit or its opposite unit to OPERABLE status.

IRICT INSERT I associated cross-connects inoperable.

AND A.2 Restore associated cross-connects 7 days to OPERABLE status.

IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.7-20 Amendment No. 4W;- 156 to TXX-21093 Page 34 of 49 ACTIONS (continued)

CONDITION B. One SSWS train inoperable.

B.1 GR REQUIRED ACTION

NOTES-------------------

1. Enter applicable Conditions and Required Actions of LCO 3.8.1, "AC Sources -- Operating," for emergency diesel generator made inoperable by SSWS.
2. Enter applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops -- MODE 4," for residual heat removal loops made inoperable by SSWS.

~JG+e

~eE11:::1iFeEl,A,stiaR e.U is Ret a1313liealale te l::JRit 2 El1:::1FiR§ Fe13IaseR9eRt ei tl:le SSWS Pl:::IR9J3 2 02 (+rniR 8) El1:::1FiR§ l::lRit 2 Gysle rn.

Restore SSWS train to OPERABLE status.

ssws 3.7.8 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSE RT I COMANCHE PEAK - UNITS 1 AND 2 3.7-21 Amendment No. 150, 156, 178 to TXX-21093 Page 35 of 49 ACTIONS CONDITION 8. (oontinued)

C. Required Action and associated Completion Time of Condition A or B not met.

REQUIRED ACTION 8.2

~JG+e ReeiuiFed,A.otion 8.2 is a1313Iioal3Ie on a one tiFfle 13asis to Fe13laoe SS!JlJS PUFflJ3 2 Q2 (+Fain 8) duFin§ blnit 2 Gyole ~9. If: blnit 2, +min,A, SSVlJS 13eGOFfleS ino13eFal3Ie, iFflFflediately enteF l::GG J.Q.J. Re§ulator:y GoFflFflitFflent a9ee82a (Attaol:!Fflent ~

to +XX 2QQ8e) will Be iFflJ3leFflented dUFin§ tl:le g day GGMPl::e+IG~J

+4Me:-

n--*-~~ Cl"\\ A/C *--;~ ~~ ("'\\nr-o /I DI C sta-R::I&.

C.1 Be in MODE 3.

AND C.2 Be in MODE 5.

COMANCHE PEAK - UNITS 1 AND 2 3.7-21a ssws 3.7.8 COMPLETION TIME 0

,.,I~ -~

J 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours Amendment No. 178 to TXX-21093 Page 36 of 49

3. 7 PLANT SYSTEMS 3.7.19 Safety Chilled Water LCO 3.7.19 Two safety chilled water trains shall be OPERABLE APPLICABILITY:

MODES 1, 2, 3, and 4.

ACTIONS CONDITION REQUIRED ACTION A. One safety chilled water A.1 Restore safety chilled water train to train inoperable.

OPERABLE status.

GR A.2

~JG+e R:eei1::1iFeEl,C..etiaR A.2 is a1313lieaele aR a aRe tiFRe easis ta Fe13laee Safety Gl=lilleF 2 Ge E+FaiR 13) eaFR13FessaF 81::lFiR§ 61Rit 2 Gyele 19. If +FaiR A safety el=lilleEl 11.<<ateF eeeaFRes iRa13eFaele, iFRFReEliately eRteF bGG J.G.J. R:e§1::1lataPj GaFRFRitFReRt

§9GG4 4 4 EAUael=lFReRt 2 ta

+XX 2GGie) will ee iFR13leFReRteEl 81::lFiR§ tl=le 7 Elay GGMPbe+IG~J

=RMe-:

~estaFe safety el=lilleEl 'NateF tFaiR ta GPeR:ABbe stat1::1s.

B. Required Action and B.1 Be in MODE 3.

associated Completion Time of Condition A not AND met.

B.2 Be in MODE 5.

Safety Chilled Water 3.7.19 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />

/

RICT INSE 7 Elays 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours RT COMANCHE PEAK - UNITS 1 AND 2 3.7-45 Amendment No. 1 ae, 1 @2, 175 to TXX-21093 Page 37 of 49 ACTIONS AC Sources -- Operating 3.8.1

NOTE---------------------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION A. One required offsite circuit A.1 Perform SR 3.8.1.1 for required inoperable.

OPERABLE offsite circuit.

AND A. 2 --------------------NOTE--------------------

1 n MODES 1, 2 and 3, the TDAFW pump is considered a required redundant feature.

Declare required feature(s) with no offsite power available inoperable when its redundant required feature(s) is inoperable.

AND A.3 Restore required offsite circuit to OPERABLE status.

COMPLETION TIME 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> from discovery of no offsite power to one train concurrent with inoperability of redundant required feature(s) 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> ~----~ I IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-2 Amendment No. 150, 152, 160, 164, 177 to TXX-21093 Page 38 of 49 No markups on this page.

Included for information only.

ACTIONS (continued)

CONDITION B. One DG inoperable.

AC Sources -- Operating 3.8.1 REQUIRED ACTION COMPLETION TIME B.1 Perform SR 3.8.1.1 for the required 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> offsite circuit(s).

AND B. 2 ---------------------NO TE--------------------

1 n MODES 1, 2 and 3, the TDAFW pump is considered a required redundant feature.

AND Declare required feature(s) supported by the inoperable DG inoperable when its required redundant feature(s) is inoperable.

AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from discovery of Condition B concurrent with inoperability of redundant required feature(s)

B.3.1 Determine OPERABLE DG(s) is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> not inoperable due to common cause failure.

OR B. 3. 2 -------------------NO TE-------------------

Th e SR need not be performed if the DG is already operating and loaded.

Perform SR 3.8.1.2 for OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> DG(s).

COMANCHE PEAK-UNITS 1 AND 2 3.8-3 Amendment No. 150 to TXX-21093 Page 39 of 49 ACTIONS (continued)

CONDITION B. ( continued)

AND B.4.1 REQUIRED ACTION

~JG+e ReeiuiFeEI AetieR B.4.1 is Rat a1313lieasle ta 6JRit 2 EluFiR§ Fe13laeeFfleRt sf tl=le SSW£ Pum13 2 02 (+raiR B) EluFiR§ 6JRit 2 Gyele 19.

Restore DG to OPERABLE status.

GR B.4.2

~JG+e ReeiuiFeEI AetieR B.4.2 is a1313lieasle SR a eRe time sasis ta Fe13laee SSW£ P1:1m13 2 02 (+FaiR 13) El1:1FiR§ 6JRit 2 Gyele 19. If 6JRit 2, +FaiR,6, SSW£ seeemes iRe13eFasle, immeEliately eRteF bGG a.0.a.

Re§1:1lateFy GemmitmeRt a9ll82a (Attael=lmeRt 1 ta +X:X: 2008@) will se im13lemeRteEI El1:1FiR§ tl=le g Elay GGMPbe+IG~J +IMe.

ResteFe QG ta GPeRABbe stat1:1s.

COMANCHE PEAK-UNITS 1 AND 2 3.8-4 AC Sources -- Operating 3.8.1 COMPLETION TIME 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> IRICT INSE RT I g Elays Amendment No. 4-eQ,--178 to TXX-21093 Page 40 of 49 ACTIONS (continued)

CONDITION REQUIRED ACTION C. Two required offsite circuits C.1 --------------------NOTE--------------------

inoperable.

In MODES 1, 2 and 3, the TDAFW pump is considered a required redundant feature.

AND Declare required feature(s) inoperable when its redundant required feature(s) is inoperable.

AC Sources -- Operating 3.8.1 COMPLETION TIME 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from discovery of Condition C concurrent with inoperability of redundant required features C.2 Restore one required offsite circuit to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> OPERABLE status.

-<--IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-4a Amendment No. 178 to TXX-21093 Page 41 of 49 ACTIONS (continued)

CONDITION D. One required offsite circuit inoperable.

AND One DG inoperable.

E. Two DGs inoperable.

F. One SI sequencer inoperable.

G. Required Action and associated Completion Time of Condition A, B, C, D, E, or F not met.

REQUIRED ACTION

NOTE------------------------

Enter applicable Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating," when Condition D is entered with no AC power source to any train.

D.1 Restore required offsite circuit to OPERABLE status.

OR D.2 Restore DG to OPERABLE status.

E.1 Restore one DG to OPERABLE status.

F.1 --------------------NOTE---------------------

One required SI sequencer channel may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other channel is operable.

Restore SI sequencer to OPERABLE status.

G.1 Be in MODE 3.

AND G.2 Be in MODE 5.

COMANCHE PEAK-UNITS 1 AND 2 3.8-5 AC Sources -- Operating 3.8.1 COMPLETION TIME 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> IRICT INSERT I 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> IRICT INSERT I 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> 24 hours IRICT INSERT I 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours Amendment No. 150 to TXX-21093 Page 42 of 49 3.8 ELECTRICAL POWER SYSTEMS 3.8.4 DC Sources -- Operating DC Sources -- Operating 3.8.4 LCO 3.8.4 The Train A and Train B DC electrical power subsystems shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or two required battery A.1 Restore affected battery(ies) terminal 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> chargers on one train voltage to greater than or equal to the inoperable.

minimum established float voltage.

AND A.2 Verify affected battery(ies) float currents 2 amps.

AND Once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> A.3 Restore required battery charger(s) 7 days to OPERABLE status.

+-(-----1IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-23 Amendment No. 4-eQ, 170 to TXX-21093 Page 43 of 49 ACTIONS (continued)

CONDITION B. One or two batteries on one train inoperable.

C. One DC electrical power subsystem inoperable for reasons other than Condition A or B.

D. Required Action and Associated Completion Time not met.

REQUIRED ACTION B.1 Restore affected battery(ies) to OPERABLE status.

GR El~

~JG+e R:eeitiiFeEI,A,etiaR 13.~ is a1313liea0le faF a aRe tiFRe sasis ta Fe13laee eell ~+ iR sattept 13+1 eg~ a REI eell 41 iR satteFy 13+1 Eg4 Elt1FiR§ l::JRit 1 Gyele ~8 (Rat at U1e saFRe tiFRe). If tl=le seeaREI sattept aR tl=le saFRe tFaiR seeaFRes iR9f38F8Sle, iFRFReEliately iRitiate R:eeitiiFeEI,A,etiaRS g _ 1 aREI g _~.

R:e§tilataFy b9FRFRitFReRt §@44411 (Attael=IFReRt ~ ta +X:X: 188@4) will se iFR13leFReRteEI ElmiR§ tl=le 1 g R9tlF GaFR13letiaR +iFRe.

R:estarn affeeteEI satter=y ta GPeR:Al3be stattis.

C.1 Restore DC electrical power subsystem to OPERABLE status.

D.1 Be in MODE 3.

AND D.2 Be in MODE 5.

DC Sources -- Operating 3.8.4 COMPLETION TIME 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> IRICT INSE RT I 18 R9t1FS 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> IRICT INSE RT I 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours COMANCHE PEAK-UNITS 1 AND 2 3.8-24 Amendment No. 1 §8, 1 a@, 170 to TXX-21093 Page 44 of 49 3.8 ELECTRICAL POWER SYSTEMS 3.8.7 Inverters -- Operating Inverters - Operating 3.8.7 LCO 3.8.7 The required Train A and Train B inverters shall be OPERABLE.

APPLICABILITY:

ACTIONS

NOTE----------------------------------------------

I nverters may be disconnected from one DC bus for::::; 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to perform an equalizing charge on their associated common battery, provided:

a.

The associated AC vital bus(es) are energized; and

b.

All other AC vital buses are energized from their associated OPERABLE inverters.

MODES 1, 2, 3, and 4 CONDITION REQUIRED ACTION COMPLETION TIME A. One required inverter inoperable.

A. 1 ---------------------NOTE--------------------

Enter applicable Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating" with any vital bus de-energized.

Restore inverter to OPERABLE status.

COMANCHE PEAK - UNITS 1 AND 2 3.8-33 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

-<--IRICT INSERT I Amendment No. 4W, 156 to TXX-21093 Page 45 of 49 3.8 ELECTRICAL POWER SYSTEMS 3.8.9 Distribution Systems -- Operating Distribution Systems - Operating 3.8.9 LCO 3.8.9 Train A and Train B AC, DC, and AC vital bus electrical power distribution subsystems shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One AC electrical power A.1 Restore AC electrical power 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> distribution subsystem distribution subsystem to inoperable.

OPERABLE status.

IRICT INSE RTI B. One AC vital bus 8.1 Restore AC vital bus subsystem to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> subsystem inoperable.

OPERABLE status.

IRICT INSE RT I C. One DC electrical power C.1 Restore DC electrical power 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> distribution subsystem distribution subsystem to inoperable.

OPERABLE status.

~RICT INSE RT I D. Required Action and D.1 Be in MODE 3.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time not met.

AND D.2 Be in MODE 5.

36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> E. Two trains with inoperable E.1 Enter LCO 3.0.3.

Immediately distribution subsystems that result in a loss of safety function.

COMANCHE PEAK - UNITS 1 AND 2 3.8-37 Amendment No. 4-§.G. 156 to TXX-21093 Page 46 of 49 Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.22 Spent Fuel Storage Rack Neutron Absorber Monitoring Program (continued)

In order to ensure the reliability of the Neutron Poison material, a monitoring program is required to routinely confirm that the assumptions utilized in the criticality analysis remain valid and bounding. The Neutron Absorber Monitoring Program is established to monitor the integrity of neutron absorber test coupons periodically as described below.

A test coupon "tree" shall be maintained in each SFP. Each coupon tree originally contained 8 neutron absorber surveillance coupons. Detailed measurements were taken on each of these 16 coupons prior to installation, including weight, length, width, thickness at several measurement locations, and B-10 content (g/cm2). These coupons shall be maintained in the SFP to ensure they are exposed to the same environmental conditions as the neutron absorbers installed in the Region I storage cells, until they are removed for analysis.

One test coupon from each SFP shall be periodically removed and analyzed for potential degradation, per the following schedule. The schedule is established to ensure adequate coupons are available for the planned life of the storage racks.

Year Coupon Number Year Coupon Number 2013 1

2028 5

2015 2

2033 6

2018 3

2043 7

2023 4

2053 8

Further evaluation of the absorber materials, including an investigation into the degradation and potential impacts on the Criticality Safety Analysis, is required if:

A decrease of more than 5% in B-10 content from the initial value is observed in any test coupon as determined by neutron attenuation.

An increase in thickness at any point is greater than 25% of the initial thickness at that point.

~<----iliNSERT SECTION 5.5.23 I COMANCHE PEAK - UNITS 1 AND 2 5.5-19 Amendment No. 173 to TXX-21093 Page 47 of 49 EXAMPLE 1.3-8 INSERT Example 1.3-8 ACTIONS CONDITION A.

One subsystem inoperable.

B. Required Action and associated Completion Time not met.

CPNPP TS INSERTS REQUIRED ACTION COMPLETION TIME A.1 Restore subsystem 7 days to OPERABLE status.

OR In accordance with the Risk Informed Completion Time Program B.1 Be in MODE 3.

6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> AND B.2 Be in MODE 5.

36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> When a subsystem is declared inoperable, Condition A is entered. The 7 day Completion Time may be applied as discussed in Example 1.3-2. However, the licensee may elect to apply the Risk Informed Completion Time Program which permits calcu lation of a Risk Informed Completion Time (RICT) that may be used to complete the Required Action beyond the 7 day Completion Time. The RICT cannot exceed 30 days. After the 7 day Completion Time has expired, the subsystem must be restored to OPERABLE status within the RICT or Condition B must also be entered.

The Risk Informed Completion Time Program requires recalculation of the RICT to reflect changing plant conditions. For planned changes, the revised RICT must be determined prior to implementation of the change in configuration. For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.

If the 7 day Completion Time clock of Condition A has expired and subsequent changes in plant condition result in exiting the applicability of the Risk Informed Completion Time Program without restoring the inoperable subsystem to OPERABLE status, Condition B is also entered and the Completion Time clocks for Required Actions B.1 and B.2 start.

If the RICT expires or is recalculated to be less than the elapsed t ime since the Condition was entered and the inoperable subsystem has not been restored to OPERABLE status, Condition Bis also entered and the Completion Time clocks for Required Actions B.1 and B.2 start. If the inoperable subsystems are restored to OPERABLE status after Condition B is entered, Conditions A is exited, and therefore, the Required Actions of Condition B may be terminated.

to TXX-21093 Page 48 of 49 RICT INSERT OR CPNPP TS INSERT In accordance with the Risk Informed Completion Time Program.

INSERT TS 3.3.1 Condition N N.

Required Action and associated N.1 Reduce THERMAL POWER to Completion Time of Condition M

< P-7 not met.

INSERT TS 3.3.1 Condition Q g,_

Required Action and associated Q.l Reduce THERMAL POWER to Completion Time of Condition 0

< P-9 or P not met.

INSERT TS 3.3.1 Condition W

w.

Required Action and associated W.1 Be in MODE 3.

Completion Time of Condition B, D, E, R, S, Tor V not met.

INSERT TS 3.3.1 Condition X X.

Required Action and associated X.1 Be in MODE 2.

Completion Time of Condition U not met.

INSERT TS 3.3.2 Condition M M.

Required Action and associated M.l Be in MODE 3 Completion Time of Conditions B, C, or K not met.

AND M.2 Be in MODE 5 INSERT TS 3.3.2 Condition N N.

Required Action and associated N.1 Be in MODE 3 Completion Time of Conditions D, E, F, G, or L not met.

AND N.2 Be in MODE 4 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 4 hours 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 6 hours 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 36 hours 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 12 hours to TXX-21093 Page 49 of 49 INSERT TS 3.3.2 Condition 0

0.

Required Action and associated 0.1 Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Conditions H, I, or J not met.

SECTION 5.5.23 INSERT 5.5.23 Risk Informed Completion Time Program This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09-A, Revision 0, "Risk-Managed Technical Specifications (RMTS) Guidelines." The program shall include the following:

a.

The RICT may not exceed 30 days;

b.

A RICT may only be utilized in MODE 1 and 2;

c.

When a RICT is being used, any change to the plant configuration, as defined in NEI 06-09-A, Appendix A, must be considered for the effect on the RICT.

1.

For planned changes, the revised RICT must be determined prior to implementation of the change in configuration.

2. For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.
3.

Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.

d.

For emergent conditions, if the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:

1.

Numerically accounting for the increased possibility of CCF in the RICT calculation; or

2. Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.
e. The risk assessment approaches and methods shall be acceptable to the NRC. The plant PRA shall be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant, as specified in Regulatory Guide 1.200, Revision 2. Methods to assess the risk from extending the Completion Times must be PRA methods used to support this license amendment, or other methods approved by the NRC for generic use; and any change in the PRA methods to assess risk that are outside these approval boundaries require prior NRC approval.

to TXX-21093 Page 1 of 15 ATTACHMENT 4 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Cross-Reference of TSTF-505 and CPNPP Technical Specifications to TXX-21093 Page 2 of 15 Tech Spec Description Completion Times Example 1.3-8 RTS Instrumentation One Manual Reactor Trip channel inoperable.

One Power Range Neutron Flux - High channel inoperable.

One Channel inoperable.

One channel inoperable.

Required Action and associated Completion Time of Condition M not met.

One Low Fluid Oil Pressure Turbine rrrip channel inoperable One or more Turbine Stop Valve Closure rrurbine Trip channel(s) inoperable.

Required Action and associated Completion Time of Condition O or P not met.

One train inoperable.

One RTB train inoperable.

One or more required channel(s) inoperable.

CPNPPTS 1.3

[NEW TS] 1.3-8 3.3.1 3.3.1.B.1 3.3.1.D.1.2 3.3.1.E.1 3.3.1.M.1

[New TS]

3.3.1 N.l 3.3.1.0.1 3.3.1.P.1

[New TS]

3.3.1 Q 3.3.1.R.1 3.3.1.S.l 3.3.1.T.1 TS-505 TS Apply RICT?

Comments 1.3 The CPNPP TS do not currently contain this example. Example to be

[NEW TS] 1.3-8 No added to CPNPP TS to be consistent with TSTF-505. This is a new definition only (i.e., there is no RICT directly applicable to the TS.)

3.3.1 3.3.1.B.1 Yes rrsTF-505 changes are incorporated. (Function 1, Manual Reactor rrrip) 3.3.1.D.2.1 Yes rrsTF-505 changes are incorporated. (Function 2.a, Power Range Neutron Flux - High) 3.3.1.E.1 Yes TSTF-505 changes are incorporated. [Note 1]

3.3.1.L.1 Yes TSTF-505 changes are incorporated. [Note 2]

[New TS]

3.3.1.M.1 No This a new TS "default" condition added consistent with TSTF-505.

TSTF-505 Changes are incorporated. The wording of TSTF-505 3.3.1.R.1 Yes tvaries from CPNPP TS (i.e., TS specifies One Low Fluid Oil Pressure Turbine Trip channel inoperable.) (Function 16.a, rrurbine Trip - Low Fluid Oil Pressure) rrsTF-505 Changes are incorporated. The wording of TSTF-505 3.3.1.R.1 Yes tvaries from CPNPP TS (i.e., TS specifies One or more Turbine Stop Valve Closure Trip channel(s) inoperable.) (Function 16.b, Turbine Trip - Turbine Stop Valve Closure)

[New TS]

3.3.1.S.l No This a new TS "default" condition added consistent with TSTF-505.

3.3.1.T.1 Yes TSTF-505 changes are incorporated. [Note 3]

3.3.1.U.l Yes rrsTF-505 changes are incorporated. (Function 19, Reactor Trip Breakers (RTBs))

3.3.1.V.1 No rrsTF-505 changes are incorporated. [Note 4]

to TXX-21093 Page 3 of 15 Tech Spec Description One or more required channel(s) inoperable.

One trip mechanism inoperable for one RTB.

Required Action and associated Completion Time of Condition B, D, E, R, S, Tor V not met.

Required Action and associated Completion Time of Condition U not met.

ESFAS Instrumentation One channel or train inoperable.

One train inoperable.

One channel inoperable.

One Containment Pressure channel inoperable One channel or train inoperable.

One train inoperable.

One train inoperable.

One channel inoperable.

One Main Feedwater Pumps trip channel inoperable.

One channel inoperable.

One or more channels inoperable Required Action and associated Completion Time of Conditions B, C or K not met.

CPNPPTS 3.3.1.U.1 3.3.1.V.1

[New TS]

3.3.1 W.1

[New TS]

3.3.1.X.1 3.3.2 3.3.2.B.1 3.3.2.C.1 3.3.2.D.1 3.3.2.E.1 3.3.2.F.1 3.3.2.G.1 3.3.2.H.1 3.3.2.1.1 3.3.2.J.1 3.3.2.K.1 3.3.2.L.1

[New TS]

3.3.2.M.1 TS-505 TS ApplyRICT?

Comments 3.3.1.W.1 No il"STF-505 changes are incorporated. [Note SJ 3.3.1.Y.1 Yes TSTF-505 changes are incorporated. (Function 20, Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms)

[New TS]

No This a new TS "default" condition added consistent with TSTF-505.

3.3.1.Z.1

[New TS]

3.3.1.X.1 No This a new TS "default" condition added consistent with TSTF-505.

3.3.2 3.3.2.B.1 Yes rTSTF-505 changes are incorporated. [Note 6]

3.3.2.C.1 Yes il"STF-505 changes are incorporated. [Note 7]

3.3.2.D.1 Yes rTSTF-505 changes are incorporated. [Note 8]

3.3.2.E.1 No TSTF-505 changes are incorporated. [Note 9]

3.3.2.F.1 Yes TSTF-505 changes are incorporated. [Note 10]

3.3.2.G.l Yes TSTF-505 changes are incorporated. [Note 11]

3.3.2.H.1 Yes TSTF-505 changes are incorporated. [Note 12]

3.3.2.1.1 Yes TSTF-505 changes are incorporated. [Note 13]

3.3.2.J.1 Yes

[TSTF-505 changes are incorporated. [Note 14]

3.3.2.K.1 No iTSTF-505 changes are incorporated. [Note 15]

3.3.2.L.1 No TSTF-505 changes are incorporated. [Note 16]

[New TS]

3.3.2.M.1 No This a new TS "default" condition added consistent with TSTF-505.

to TXX-21093 Page 4 of 15 Tech Spec Description Required Action and associated Completion Time of Conditions D, E, F, G or L not met.

Required Action and associated Completion Time of Conditions H, I, or J not met.

LOP DG Start Instrumentation One or more Functions with one channel per bus inoperable.

rrwo channels per bus for the Preferred offsite source bus undervoltage function inoperable.

lfwo channels per bus for the Alternate offsite source bus undervoltage function inoperable.

Two channels per bus for the 6.9 kV bus loss of voltage function inoperable Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

CPNPPTS

[New TS]

3.3.2.N.1

[New TS]

3.3.2 0.1 3.3.5 3.3.5.A.1 3.3.5.B.1 3.3.5.C.1 3.3.5.D.1 3.3.5.E.1 3.3.5.F.1 TS-505 TS Apply RICT?

Comments

[New TS]

3.3.2.N.1 No This a new TS "default" condition added consistent with TSTF-505.

[New TS]

3.3.2.0.1 No This a new TS "default" condition added consistent with TSTF-505.

3.3.5 3.3.5.A.1 Yes TSTF-505 changes are incorporated.

rTSTF-505 changes are incorporated. The wording of TSTF-505

~aries from CPNPP TS (i.e., TS specifies the Preferred offsite source 3.3.5.B.1 Yes bus undervoltage function inoperable; and TSTF-505 refers to one or more Functions inoperable.) [Note 17]

iTSTF-505 changes are incorporated. The wording ofTSTF-505

~aries from CPNPP TS (i.e., TS specifies the Alternate offsite source 3.3.5.B.1 Yes bus undervoltage function inoperable; and TSTF-505 refers to one or more Functions inoperable.) [Note 18]

TSTF-505 changes are incorporated. The wording ofTSTF-505 3.3.5.B.1 Yes varies from CPNPP TS (i.e., TS specifies the 6.9kV buss loss of voltage function inoperable; and TSTF-505 refers to one or more Functions inoperable.) [Note 19]

TSTF-505 changes are incorporated. The wording of TSTF-505

~aries from CPNPP TS (i.e., TS specifies the degraded voltage or low 3.3.5.B.1 Yes

~rid undervoltage function inoperable; and TSTF-505 refers to one or more Functions inoperable.) [Note 20]

3.3.5.B.1 Yes TSTF-505 changes are incorporated. The wording of TSTF-505 varies from CPNPP TS (This Function is treated similar TS 3.3.2.C.1 with a 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> CT) [Note 21]

to TXX-21093 Page 5 of 15 Tech Spec Description Pressurizer One required group of pressurizer heaters inoperable.

Pressurizer Power Operated Relief Valves (PORVs)

One PORV inoperable and not capable of being manually cycled.

One block valve inoperable.

ECCS -- Operating One train inoperable because ofthe inoperability of a centrifugal charging pump.

One or more trains inoperable for reasons other than one inoperable centrifugal charging pump.

~

At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS

~rain available.

Containment Air Locks One or more containment air locks inoperable for reasons other than Condition A or B.

CPNPPTS 3.4.9 3.4.9.B.1 3.4.11 3.4.11.B.3 3.4.11.C.2 3.5.2 3.5.2.A.1 3.5.2.B.1 3.6.2 3.6.2.C.3 TS-505 TS ApplyRICT?

Comments 3.4.9 3.4.9.B.1 Yes TSTF-505 changes are incorporated.

3.4.11 3.4.11.B.3 Yes TSTF-505 changes are incorporated.

3.4.11.C.2 Yes TSTF-505 changes are incorporated.

3.5.2 rrsTF-505 Changes are incorporated. The wording of TSTF-505 rvaries from CPNPP TS (i.e., TS refers to one train inoperable due to N/A Yes inoperability of a centrifugal charging pump; and TSTF-505 refers

~o one or more trains and does not specify the cause of inoperability)

TSTF-505 changes are incorporated. The wording of TSTF-505 varies from CPNPP TS (i.e., TS includes AND At least 100% ofthe 3.5.2.A.1 Yes ECCS flow equivalent to a single OPERABLE ECCS train available.

TSTF-505 does not include this statement.)

3.6.2 3.6.2.C.3 Yes TSTF-505 changes are incorporated.

to TXX-21093 Page 6 of 15 Tech Spec Description Containment Isolation Valves One or more penetration flow paths with one containment isolation valve inoperable except for containment purge, hydrogen purge or containment pressure relief valve leakage not within limit.

One or more penetration

  • low paths with one containment isolation valve inoperable.

Containment Spray System One containment spray

~rain inoperable.

Main Steam Isolation Valves (MSIVs)

One MSIV inoperable in MODE 1.

Steam Generator Atmospheric Relief Valves (ARVs)

One required ARV line inoperable.

irwo required ARV lines inoperable.

CPNPPTS 3.6.3 3.6.3.A.1 3.6.3.C.1 3.6.6 3.6.6.A.1 3.7.2 3.7.2.A.1 3.7.4 3.7.4.A.1 3.7.4.B.1 TS-505 TS Apply RICT?

Comments I

3.6.3 TSTF-505 changes are incorporated. The wording of TSTF-505 3.6.3.A.1 Yes varies from CPNPP TS (i.e., TSTF-505 states One or more penetration flow paths with one containment isolation valve inoperable [for reasons other than Condition[s] D [and E)).

3.6.3.C.1 Yes TSTF-505 changes are incorporated.

3.6.6 irSTF-505 changes are incorporated. CPNPP TS did not contain the 3.6.6.A.1 Yes second Completion Time for this condition and therefore it was not included in the LAR to adopt TSTF-439.

3.7.2 3.7.2.A.1 Yes TSTF-505 changes are incorporated.

3.7.4 irSTF-505 changes are incorporated. The wording of TSTF-505 3.7.4.A.1 Yes

~aries from CPNPP TS (i.e., TS refers to ARV line and TSTF-505 refers to ADV line.)

irSTF-505 changes are incorporated. The wording of TSTF-505 3.7.4.B.1 Yes varies from CPNPP TS (i.e., TS refers to ARV line and TSTF-505 refers to ADV line.)

to TXX-21093 Page 7 of 15 Tech Spec Description lfhree or more required ARV lines inoperable.

Auxiliary Feedwater (AFW) System One steam supply to turbine driven AFW pump inoperable.

One AFW train inoperable for reasons other than Condition A.

Component Cooling Water (CCW)

System One CCW train inoperable.

Station Service Water System (SSWS)

Required SSW Pump on the opposite unit or its associated cross-connects inoperable.

CPNPPTS TS-505 TS 3.7.4.C.1 N/A 3.7.5 3.7.5 3.7.5.A.1 3.7.5.A.1 3.7.5.B.1 3.7.5.B.1 3.7.7 3.7.7 3.7.7.A.1 3.7.7.A.1 3.7.8 3.7.8 3.7.8.A.l NA Apply RICT?

Comments rrhis is a CPNPP-specific condition with restoration action (i.e.,

Yes Restore at least two ARV lines to operable status) and a completion time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Vistra OpCo proposes to apply RICT to the existing CPNPP TS 3.7.4, Action C.l.

TSTF-505 changes are incorporated. The wording of TSTF-505 varies from CPNPP TS (i.e., TS does not include OR One turbine Yes driven AFW pump inoperable in Mode 3 for refueling). The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No. ML073400037).

rTSTF-505 changes are incorporated. The wording ofTSTF-505

~aries from CPNPP TS (i.e., TS refers to One AFW train inoperable for reasons other than Condition A and TSTF-505 refers to One Yes

~FW train inoperable in MODE 1, 2, or 3 for reasons other than Condition A). The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037)

Yes lfSTF-505 changes are incorporated.

rrsTF-505 Changes are incorporated. The wording of TSTF-505 Yes

~aries from CPNPP TS (i.e., TS refers to Required SSW Pump on the opposite unit or its associated cross-connects inoperable and TSTF-505 refers to one SWS train inoperable.)

to TXX-21093 Page 8 of 15 Tech Spec Description Required SSW Pump on the opposite unit or its associated cross-connects inoperable.

One SSWS train inoperable.

One SSWS train inoperable.

Safety Chilled Water One safety chilled water train inoperable.

One safety chilled water train inoperable.

IAC Sources -- Operating One required offsite circuit inoperable.

One DG inoperable.

CPNPPTS TS-505 TS 3.7.8.A.2 NA 3.7.8.B.1 3.7.8.A.1 3.7.8.B.1 NA 3.7.19 N/A 3.7.19.A.1 N/A 3.7.19.A.1 NA 3.8.1 3.8.1 3.8.1.A.3 3.8.1.A.3 3.8.1.B.4 3.8.1.B.4 Apply RICT?

Comments ITSTF-505 Changes are incorporated. The wording of TSTF-505 rvaries from CPNPP TS (i.e., TS refers to Required SSW Pump on the Yes opposite unit or its associated cross-connects inoperable and TSTF-505 refers to one SWS train inoperable.)

TSTF-505 Changes are incorporated. The wording of TSTF-505 Yes varies from CPNPP TS (i.e., TS refers to One SSWS train inoperable and TSTF-505 refers to one SWS train inoperable.)

Removal of one-time change to TS 3. 7.8, Required Action B. 1 Note NA and Required Action B.2 (LA 178 - ML21015A212). This change is not related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

IThis is a CPNPP-specific Condition with restoration action (i.e.,

Yes Restore safety chilled water train to OPERABLE status.) and a completion time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Vistra OpCo proposes to apply a RICT to the existing CPNPP TS 3.7.19, Action A.l.

Removal of one-time change to TS 3.7.8, Condition A.2 (LA 175 -

NA ML20223A349). This change is not related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

ITSTF-505 changes are incorporated. The second Completion Time Yes

~or this condition was addressed by Vistra OpCo LAR to Adopt ITSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037)

ITSTF-505 changes are incorporated. The second Completion Time Yes for this condition was addressed by Vistra OpCo LAR to Adopt ITSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037) to TXX-21093 Page 9 of 15 Tech Spec Description One DG inoperable.

tfwo required offsite circuits inoperable.

One required offsite circuit inoperable.

AND One DG inoperable.

One required offsite circuit inoperable.

AND One DG inoperable.

One SI sequencer inoperable.

DC Sources -- Operating One or two required battery chargers on one train inoperable.

One or two batteries on one train inoperable.

One or two batteries on one train inoperable.

CPNPPTS 3.8.1.B.4 3.8.1.C.2 3.8.1.D.1 3.8.1.D.2 3.8.1.F.1 3.8.4 3.8.4.A.3 3.8.4.B.1 3.8.4.B.1 TS-505 TS Apply RICT?

Comments Removal of one-time change to TS 3.8.1, Condition B. 4 Notes and NA NA Required Action B.4.2 (LA 178 - ML21015A212). This change is not related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

3.8.1.C.2 Yes tfSTF-505 changes are incorporated.

3.8.1.D.1 Yes TSTF-505 changes are incorporated.

3.8.1.D.2 Yes TSTF-505 changes are incorporated.

tfSTF-505 Changes are incorporated. The wording of TSTF-505 3.8.1.F.1 Yes

~aries from CPNPP TS (i.e., TS refers to One SI sequencer inoperable and TSTF-505 refers to One required automatic load sequencer inoperable.

3.8.4 TSTF-505 changes are incorporated. The wording ofTSTF-505 3.8.4.A.3 Yes varies from CPNPP TS (i.e., TS refers to One or two required battery chargers on one t rain inoperable and TSTF-505 does not use the tword "required.")

3.8.4.B.1 Yes tfSTF-505 changes are incorporated.

Removal of one-time change to TS 3.8.4, Condition B. 2 Note and NA NA Required Action B.2 (LA 170 - ML18267A384). This change is not related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

to TXX-21093 Page 10 of 15 Tech Spec Description One DC electrical power subsystem inoperable for reasons other than Condition A or B.

Inverters -- Operating One required inverter inoperable.

Distribution Systems -- Operating One AC electrical power distribution subsystem inoperable.

One AC vital bus subsystem inoperable.

CPNPPTS TS-505 TS 3.8.4.C.1 3.8.4.C.1 3.8.7 3.8.7 3.8.7.A.1 3.8.7.A.1 3.8.9 3.8.9 3.8.9.A.1 3.8.9.A.1 3.8.9.B.1 3.8.9.B.1 Apply RICT?

Comments Yes rT"STF-505 changes are incorporated.

Yes TSTF-505 changes are incorporated.

TSTF-505 changes are incorporated. The wording of TSTF-505 Ktaries from CPNPP TS (i.e., TS refers to One AC electrical power distribution subsystem inoperable and TSTF-505 refers to one or Yes more AC electrical power distribution subsystems inoperable). The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No. ML073400037).

TSTF-505 changes are incorporated. The wording ofTSTF-505 varies from CPNPP TS (i.e., TS refers to One AC vital bus subsystem inoperable and TSTF-505 refers to One or more AC vital buses Yes inoperable). The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037).

to TXX-21093 Page 11 of 15 Tech Spec Description One DC electrical power distribution subsystem inoperable.

Programs and Manuals Programs and Manuals CPNPPTS TS-505 TS 3.8.9.C.1 3.8.9.C.1 5.5 5.5

[New TS]

[New TS]

5.5.23 5.5.18 Apply RICT?

Comments lfSTF-505 changes are incorporated. The wording ofTSTF-505 rvaries from CPNPP TS (i.e., TS refers to One DC electrical power distribution subsystems inoperable and TSTF-505 refers to One or Yes more DC electrical power distribution subsystems inoperable). The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No. ML073400037).

The CPNPP TS do not currently contain this program. The new RICT No Program will be added to the CPNPP TS 5.5 consistent with TSTF-505.

to TXX-21093 Page 12 of 15 NOTES

1.

TS 3.3.1 Condition E applies to the following trip inputs; Power Range Neutron Flux - Low (Function 2.b)

Power Range Neutron Flux Rate High Positive Rate (Function 3)

Overtemperature N-16 (Function 6)

Overpower N-16 (Function 7)

Pressurizer Pressure - High (Function 8.b)

Steam Generator (SG) Water Level - Low-Low (Function 14)

2.

TS 3.3.1 Condition M applies to the following trip inputs; Pressurizer Pressure - Low (Function 8.a)

Pressurizer Water Level - High (Function 9)

Reactor Coolant Flow - Low (Function 10)

Undervoltage RCPs (Function 12)

Underfrequency RCPs (Function 13)

3.

TS 3.3.1 Condition R applies to the following trip inputs; Safety Injection (SI) from Engineered Safety Feature Actuation System (ESFAS) (Function 17)

Automatic Trip Logic (Function 21)

4.

TS 3.3.1 Condition T applies to the following Reactor Trip System Interlocks; Intermediate Range Neutron Flux, P-6 (Function 18.a)

Power Range Neutron Flux, P-10 (Function 18.e)

5.

TS 3.3.1 Condition U applies to the following Reactor Trip System Interlocks; Low Power Reactor Trips Block, P-7 (Function 18.b)

Power Range Neutron Flux, P-8 (Function 18.c)

Power Range Neutron Flux, P-9 (Function 18.d)

Turbine First Stage Pressure, P-13 (Function 18.f) to TXX-21093 Page 13 of 15

6.

TS 3.3.2 Condition B applies to the following ES FAS inputs; Safety Injection Manual Initiation (Function 1.a)

Containment Spray Manual Initiation (Function 2.a)

Containment Isolation Phase A Manual Initiation (Function 3.a.(1))

Containment Isolation Phase B Manual Initiation (Function 3.b.(1))

7.

TS 3.3.2 Condition C applies to the following ESFAS inputs; Safety Injection Automatic Actuation Logic and Actuation Relays (Function l.b)

Containment Spray Automatic Actuation Logic and Actuation Relays (Function 2.b)

Containment Isolation Phase A Automatic Actuation Logic and Actuation Relays (Function 3.a.(2))

Containment Isolation Phase B Automatic Actuation Logic and Actuation Relays (Function 3.b.(2))

Automatic Switchover to Containment Sump Automatic Actuation Logic and Actuation Relays (Function 7.a)

8.

TS 3.3.2 Condition D applies to the following ESFAS inputs; Safety Injection Containment Pressure - High 1 (Function 1.c)

Safety Injection Pressurizer Pressure - Low (Function 1.d)

Safety Injection Steam Line Pressure - Low (Function 1.e)

Steam Line Isolation Containment Pressure - High 2 (Function 4.c)

Steam Line Isolation Steam Line Pressure - Low (Function 4.d.(1))

Steam Line Isolation Steam Line Pressure Negative Rate - High (Function 4.d.(2))

Auxiliary Feedwater SG Water Level - Low-Low (Function 6.c)

9.

TS 3.3.2 Condition E applies to the following ESFAS inputs; Containment Spray Containment Pressure - High 3 (Function 2.c)

Containment Isolation Phase B Containment Pressure - High 3 (Function 3.b.(3))

10.

TS 3.3.2 Condition F applies to the following ESFAS inputs; Steam Line Isolation Manual Initiation (Function 4.a)

Auxiliary Feedwater Loss of Offsite Power (Function 6.e)

ESFAS Interlocks Reactor Trip, P-4 (Function 8.a) to TXX-21093 Page 14 of 15

11.

TS 3.3.2 Condition G applies to the following ESFAS inputs; Steam Line Isolation Automatic Actuation Logic and Actuation Relays (Function 4.b)

Auxiliary Feedwater Automatic Actuation Logic and Actuation Relays (Solid State Protection System) (Function 6.a)

12.

TS 3.3.2 Condition H applies to the following ESFAS inputs; Turbine Trip and Feedwater Isolation Automatic Actuation Logic and Actuation Relays (Function 5.a)

13.

TS 3.3.2 Condition I applies to the following ESFAS inputs; Turbine Trip and Feedwater Isolation SG Water Level High-High (P-14) (Function 5.b)

14.

TS 3.3.2 Condition J applies to the following ESFAS inputs; Auxiliary Feedwater Trip of all Main Feedwater Pumps (Function 6.g)

15.

TS 3.3.2 Condition K applies to the following ESFAS inputs; Automatic Switchover to Containment Sump Refueling Water Storage Tank (RWST) Level Low-Low (Function 7.b)

16.

TS 3.3.2 Condition L applies to the following ESFAS inputs; ESFAS Interlocks Pressurizer Pressure, P-11 (Function 8.b)

17.

TS 3.3.5 Condition B applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions; Preferred offsite source bus undervoltage (Function 2)

18.

TS 3.3.5 Condition C applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions; Alternate offsite source bus undervoltage (Function 3)

19.

TS 3.3.5 Condition D applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions; 6.9 kV Class 1E bus undervoltage (Function 4) to TXX-21093 Page 15 of 15

20.

TS 3.3.5 Condition E applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions; 6.9 kV Class lE bus degraded voltage (Function 5) 480 V Class lE bus low grid undervoltage (Function 6) 480 V Class lE bus degraded voltage (Function 7)

21.

TS 3.3.5 Condition F applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions; Automatic Actuation Logic and Actuation Relays (Function 1) to TXX-21093 Page 1 of 71 ENCLOSURE 1 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" List of Required Actions to Corresponding PRA Functions to TXX-21093 Page 2 of 71 1.0 Introduction Section 4.0, "Limitations and Conditions", Item 2 of the NRC Final Safety Evaluation [Ref. 1] for NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk Managed Technical Specifications (RMTS) Guidelines", Revision O [Ref. 2], identifies the following needed content:

The license amendment request (LAR) will provide identification of the TS Limiting Conditions for Operation (LCOs) and action requirements to which the RMTS will apply.

The LAR will provide a comparison of the TS functions to the PRA modeled functions of the structures, systems, and components (SSCs) subject to those LCO actions.

The comparison should justify that the scope of the PRA model, including applicable success criteria such as number of SSCs required, flow rate, etc., are consistent with licensing basis assumptions (i.e., 50.46 [Emergency Core Cooling System (ECCS)]

flowrates) for each of the TS requirements, or an appropriate disposition or programmatic restriction will be provided.

This enclosure provides confirmation that the Comanche Peak Nuclear Power Plant (CPNPP)

PRA models include the necessary scope of SSCs and their functions to address each proposed application of the Risk-Informed Completion Time (RICT) Program to the proposed scope TS LCO Conditions, and provides the information requested for Section 4.0, Item 2 of the NRC Final Safety Evaluation. The scope of the comparison includes each of the TS LCO conditions and associated required actions within the scope of the RICT Program.

2.0 In Scope TS/LCO to Corresponding PRA Functions Table E1-1, "In Scope TS/LCO Conditions to Corresponding PRA Functions" lists each TS LCO Condition to which the RICT Program is proposed to be applied and documents the following information regarding the TSs with the associated safety analyses, the analogous PRA functions, and the results of the comparison:

Column "Tech Spec Description": Lists all LCOs and condition statements within the scope of the RICT Program.

Column "SSCs Covered by TS LCO Condition": Lists SSCs addressed by each action requirement.

Column "Modeled in PRA?": Indicates whether the SSCs addressed by the TS LCO Condition are included in the PRA.

Column "Function Covered by TS LCO Condition": Lists a summary of the required functions from the design basis analyses.

Column "Design Success Criteria": A summary of the success criteria from the design basis analyses.

Column "PRA Success Criteria": The function success criteria modeled in the PRA.

Column "Comments": Provides the justification or resolution to address any inconsistencies between the TS and PRA functions regarding the scope of SSCs and the success criteria. Where the PRA scope of SSCs is not consistent with the TS, additional information is provided to describe how the LCO condition can be evaluated using appropriate surrogate events. Differences in the success criteria for TS functions are addressed to demonstrate the PRA criteria provide a realistic estimate of the risk of the TS condition as required by NEI 06-09-A, Revision 0.

The corresponding SSCs for each TS LCO and the associated TS functions are identified and compared to the PRA. This description also includes the design success criteria and the applicable PRA success criteria. Any differences between the scope or success criteria are described in the table. Scope differences are justified by identifying appropriate surrogate events which permit a risk evaluation to be completed using the Configuration Risk Management Program tool for the RICT Program. Differences in success criteria typically arise due to the requirement in the American Society of Mechanical Engineers (ASME)/American Nuclear Society to TXX-21093 Page 3 of 71 (ANS) RA-Sa-2009 PRA Standard (hereafter "ASME/ANS PRA Standard") to make PRAs realistic rather than bounding, whereas design basis criteria are necessarily conservative and bounding.

The use of realistic success criteria is necessary to conform to capability Category II of the ASME/ANS PRA standard as required by NEI 06-09-A, Revision 0.

3.0 In Scope TS/LCO Conditions RICT Estimate Table E1-2, "In Scope TS/LCO Conditions RICT Estimate" provides examples of calculated RICT for each individual Condition to which the RICT applies (assuming no other SSCs modeled in the PRA are unavailable). These example calculations demonstrate the scope of the SSCs covered by TSs modeled in the PRA. RICTs were calculated for both units and while the results were generally similar, the most limiting RICT is shown in Table E1-2. Also note that the more limiting of the core damage frequency (CDF) and large early release frequency (LERF) RICT result is shown.

Following implementation of the RICT Program, the actual RICT values will be calculated on a unit-specific basis, using the actual plant configuration and the current revision of the PRA model representing the as-built, as-operated condition of the plant, as required by NEI 06-09-A and the NRC Final Safety Evaluation. The actual RICT values may differ from the RICTs presented in this enclosure.

Table E1-3, "Conditions Requiring Additional Technical Justification," contains a list of Required Actions proposed for inclusion in the RICT Program. Additional technical justification is provided to explain why the Condition would not represent a loss of specified safety function as used in the RICT program.

4.0 Evaluation of Instrumentation and Control Systems In accordance with TSTF-505, Revision 2, Safety Evaluation "Evaluation of Instrumentation and Control Systems" the following is intended to describe the redundant, diverse, and defense-in-depth attributes of the functions for the Reactor Trip System (RTS) Instrumentation, the Engineered Safety Feature Actuation System (ESFAS) Instrumentation, and the LOP DG Start Instrumentation systems.

For the purposes of this evaluation the following definitions are provided; Redundancy - Parameters that are used for indication of an unsafe condition have redundant measurement systems. Sufficient redundant measurements are provided to allow a coincident logic scheme so that a spurious measurement on one channel will not cause nor prevent a reactor trip or safeguard feature actuation. (Example: the use of four separate Power Range Channels to monitor Reactor Power.)

One exception to this rule is the source and intermediate range instruments.

They have a coincidence in which actuation of protective features occurs on a single input, but these instruments are not in service at power.

The degree of redundancy is the difference between the number of channels monitoring a Function and the number of channels which when tripped will cause a reactor trip, an ESFAS actuation, or a LOP DG start.

Further redundancy is provided by having two trains of protection logic, two trains of SSPS, with either train being capable of initiating a full train of protective functions. The minimum degree of redundancy is the degree of redundancy below which operation is prohibited or otherwise restricted by Technical Specifications.

RTS and ESFAS are each redundant safety systems. No single failure will cause or prevent a reactor trip or ESFAS actuation. Each redundant channel is powered by an independent power to TXX-21093 Page 4 of 71 supply, and a loss of power will place the channel output bistable in a trip condition. The three exceptions to this scheme are Containment Spray, RWST Auto Switchover, and permissive P-6.

The instrumentation and control systems provide equipment diversity and functional diversity.

Equipment diversity provides different types of instruments to achieve the same Function.

Functional diversity uses different variables to achieve a backup Function. For example, a loss of RCS flow is primarily monitored, and the reactor is tripped due to low RCS flow. The undervoltage and underfrequency RCP trips provide diversity to the RCS low flow trip.

This feature and the other listed features meet the "single failure" criteria for RPS, by meeting the IEEE Standard 279 1971 's single failure criteria. IEEE 279 1971 requires that any single failure within the protection system not prevent proper protection system action when required.

Redundant channels and trains are electrically isolated and physically separated so that any single failure within a channel or train will not prevent protective action at the system level when required. Channel independence is carried throughout the systems.

Independence - Each channel of measurement and each train of protection is physically and electrically independent. Components of different channels are physically separated, penetrate the containment at different locations, and are supplied by independent electrical power supplies.

Independence ensures that a single malfunction or casualty will interrupt only one of the redundant channels or trains. The systems (channels and trains) are also designed such that no single failure will cause a loss of Function.

Physical separation is used to the maximum extent practical to maintain the integrity of redundant protection system instrument channels, providing independence for each channel. There are four separate process protection analog sets. Physical separation of the redundant analog protection channels originates at the process sensors and continues through the field wiring and containment penetrations to the analog protection racks.

Diversity - Several different methods are used to perform similar functions or to indicate the same casualty. For example: Excessive localized fuel element power (KW/FT) protection is provided by both the Power Range Nuclear Instruments and by ion chambers measuring gamma flux in the reactor coolant from Nitrogen 16 decay (N-16 Detectors). Several parameters are also used for protection against a departure from nucleate boiling (DNB) in the Reactor Core.

Certain reactor trips are automatically or manually bypassed at low power when they are not required for safety.

For a function to be bypassed, a series of conditions or permissives must be met. The bypass circuit design is such that the bypass is automatically removed whenever the permissive conditions are not met.

Defense-In-Depth (DID) - For this evaluation the seven considerations from Regulatory Guide 1.174, Revision 3, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" are used to review impact of proposed change on function defense-in-depth philosophy.

1. Preserve a reasonable balance among the layers of defense.
2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.
3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.
4. Preserve adequate defense against potential CCFs.
5. Maintain multiple fission product barriers.
6. Preserve sufficient defense against human errors.
7. Continue to meet the intent of the plant's design criteria.

to TXX-21093 Page 5 of 71 DID is enhanced by minimizing the chances for a common mode failure through the use of anticipatory trips such as that provided when the turbine trips above 50% power which initiates a reactor trip signal from the turbine tripping independent of any process signals.

Anticipatory trips function to prevent or minimize the severity of an undesired plant event (transient). The systems also use alarms and actions in a layered approach for DID. For example, Overtemperature N-16 and Overpower N-16 provide reactor trip signals at specified setpoints.

The two parameters also provide turbine run backs at a setpoint below the setpoints of the trips.

Automatic Actuation Logic and Actuation Relays are provided in the Solid State Protection System (SSPS).

The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition.

The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices.

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure-Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS. The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents.

4.1 3.3.1 Reactor Trip System (RTS) Instrumentation The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The RTS design creates defense-in-depth due to the redundancy of the channels for each Function in Table 3.3.1-1, "Reactor Trip System Instrumentation."

to TXX-21093 Page 6 of 71 Each Function has multiple channels.

Each Function will cause a reactor trip with one-out-of-two (1/2), two-out-of-three (2/3), or two-out-of-four (2/4) coincidence trip signals.

A bypassed channel does not initiate a trip signal. It reduces the number of total available channels from (1/2) to (1), (2/3) to (2/2), or (2/4) to (2/3) coincidence to trip.

A channel placed in a tripped condition will provide a tripped input for the applicable Function.

Manual reactor trip handswitches provide diversity and DID for all automatic reactor trips See Table E1-5, "Reactor Trip Systems (RTS) Instrumentation Functions" for redundancy discussion.

4.2 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.

The ESFAS design creates defense-in-depth due to the redundancy of the channels for each Function in Table 3.3.2-1, "Engineered Safety Feature Actuation System Instrumentation."

Each Function has multiple channels.

Each Function will cause an ESFAS actuation with one-out-of-two (1/2), two-out-of-three (2/3), or two-out-of-four (2/4) coincidence trip signals.

A bypassed channel does not initiate an actuation signal. It reduces the number of total available channels from (1/2) to (1), (2/3) to (2/2), or (2/4) to (2/3) coincidence to actuate.

A channel placed in a tripped condition will provide a tripped input for the applicable Function.

ESFAS redundant channels and trains are electrically isolated and physically separated so that any single failure within a channel or train will not prevent protective action at the system level when required. Channel independence is carried throughout the system.

No single failure will prevent the ESFAS from generating the proper actuation signal on demand for an engineered safety feature. Failures are either in the safe direction or a redundant channel or train ensures the necessary actuation capability.

See Table E1-6, "Engineered Safety Features Actuation System (ESFAS) Instrumentation Functions" for redundancy discussion.

The following information is from CPNPP Design Bases Document, EE-DBD-021, Reactor Protection and NSSS Related Control Systems, Table 1, "Reactor Protection System Diversity."

This augments the information provided in Table E1-4, "Evaluation of Instrumentation and Control Systems." Table E1-4 only covers the accidents from CPNPP FSAR, Chapter 15, "Accident Analysis." The following table includes the accidents analyzed as well as other events that rely on TS Instrumentation systems.

See Table E1-8, "Event Protection and Diverse Functions" for redundancy, independence, diversity, and defense-in-depth Functions discussion.

4.3 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation The DGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation. Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9 kv bus.

to TXX-21093 Page 7 of 71 For each unit, the undervoltage protection system, leading to the start of the diesel generators on loss of power, consists of the following functions:

Preferred offsite source undervoltage, Alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9 kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage.

Each function consists of two sensing relays per bus that provide input to two-out-of-two logic.

The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents, in which a loss of offsite power is assumed.

The LCO for LOP DG start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP DG start instrumentation supports safety systems associated with the ESFAS. The two-out-of-two logic minimizes the probability of spurious DG starts due to instrument failure while maintaining a robust LOP DG Start system. Two trains of Automatic Actuation Logic and Actuation Relays shall also be OPERABLE in MODES 1, 2, 3 and 4.

The six Functions described above provide redundant signals to start a DG due to undervoltage or degraded voltage on the 6.9 kV buses. This provides defense-in-depth by, preserving adequate capability of design features without an overreliance on programmatic activities as compensatory measures and preserves system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty. When any of the six Functions described above become inoperable or when one or more Automatic Actuation Logic and Actuation Relays trains become inoperable, within one hour the Function must be restored or entry into LCO 3.8.1, "AC Sources -- Operating" for the applicable Condition is required for offsite power sources or diesel generator. For the Functions that are bus related entry into LCO 3.8.9, "Distribution Systems -- Operating" is entered.

The LOP DG Start design creates defense-in-depth due to the redundancy of the channels for each Function in Table 3.3.5-1, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation."

Each Function has multiple channels.

Functions 2, 3, 4, 5, 6, and 7 (LCO 3.3.5, Conditions B, C, D, and E) are considered as a functional grouping. Not more than one Condition will be entered at one time. The following NOTE will be added;

N OT E-------------------------------------------------------------

RIC T entry is not permitted for more than one Condition at a time for Conditions B, C, D or E.

This will ensure that multi-layered, redundant inputs are available for LOP DG Start Instrumentation. With this new NOTE the intent of NUREG-1431, "Standard Technical Specifications -

Westinghouse Plants" is maintained. CPNPP utilizes Conditions B, C, D, and E to administer Condition B in the standard. Please refer to Attachment 2, "Proposed Technical Specification Changes - Supplement."

See Table E1-7, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions" for redundancy discussion.

to TXX-21093 Page 8 of 71 In summary, CPNPP instrumentation systems as described in TS 3.3, employ input parameters and equipment that provide redundancy, independence, diversity, and a defense-in-depth (DID) philosophy as described in Regulatory Guide 1.174, Revision 4.

1. Preserve a reasonable balance among the layers of defense.

The RTS, ESFAS and LOP DG Start instrumentation systems use multiple layers of defense as they rely on redundant, independent, and diverse means to trip the reactor, actuate ESF components, and provide a LOP DG start. In all cases manual operator action provides a final layer of defense if all automatic actions fail. Plant response to events normally has at least one primary protection input with backups as described in preceding table, Event Protection and Diversity, for RTS and ESFAS. Preceding Table, LOP DG Start Signals indicates that train redundancy provides independent and diverse layers of defense from a partial loss of Function as given in TS 3.3.5, Conditions A and F. Conditions B, C, D, and E are viewed as providing layers of redundancy by utilizing undervoltage or degraded voltage from diverse signals.

2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

The RTS, ESFAS, and LOP DG Start instrumentation systems only rely on programmatic actions and compensatory measures when no other action is available. For the RTS and ES FAS systems programmatic actions are confined to actions taken to comply with Required Actions in their respective Technical Specifications which are captured in Operations Administrative procedure ODA-308, "LCO Tracking Program." Also, the TS provides actions to take when a Completion Time will not be met. The LOP DG Start Instrumentation confines actions to those required by LCO 3.3.5 which restore the channel or declare associated offsite power source, applicable 6.9 kV buses, or the associated DG inoperable.

3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.

For the RTS, a loss of RCS flow/Locked rotor shows the redundancy, independence, and diversity commensurate with a loss of Reactor Coolant flow. Two low flow trip signals are provided; above P-7 (10% power) but below P-8 (48% power) two-out-of-four low flow channels are required to trip the reactor, above P-8 one-out-of-four low flow channels are required to trip the reactor.

A Reactor Coolant Pump (RCP) undervoltage trip is provided which anticipates a loss of RCS flow and is independent from the flow channels. An RCP underfrequency trip is provided which anticipates a loss of RCS flow and is independent from the flow channels and the RCP undervoltage channel. Also, a Pressurizer Pressure high is provided that could trip the reactor during an RCS loss of flow or locked rotor.

For the ESFAS, a Safety Injection (SI) is initiated by the redundant, independent, and diverse inputs commensurate with the accidents that cause a safety injection. An SI can be initiated by one-of-two handswitches on the Main Control Board (MCB). An SI is automatically initiated by a Containment Pressure - High 1, a Pressurizer Pressure Low, or a Steam Line Pressure Low. All of these signals are independent from each other, they are diverse in that monitor and actuate on completely different parameters, and they provide DID as they are layered. Depending on the event; LOCA, SGTR, Main Steam Line fault, or Main Feedwater Line Break each of the independent signals could be the first to respond.

For the LOP DG Start, the inputs are redundant, independent, and diverse. Power to the safety-related 6.9 kV buses is protected by the system design. A single channel cannot cause or prevent a DG start. A single Function failure must be restored or placed in a tripped condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Automatic Actuation Logic and Actuation Relays trains inoperable must be to TXX-21093 Page 9 of 71 restored within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the associated DG is declared inoperable. In both cases the other redundant train maintains the safety function. The other LOP DG starts are a group of inputs that will start the associated DG under the following conditions; Preferred offsite source bus undervoltage Alternate offsite source bus undervoltage 6.9 kV Class 1 E bus undervoltage 6.9 kV Class 1 E bus degraded voltage 480 V Class 1 E bus low grid undervoltage 480 V Class 1 E bus degraded voltage These channels are independent from each other and are a diverse group of parameters which can cause a DG start. The DID layering begins at the source for 1 E power with the two offsite source undervoltage, a second layer adds 6.9 kV 1 E bus undervoltage, a third layer provides for 6.9 kV 1 E bus degraded voltage, a fourth layer adds the 480 V 1 E bus grid undervoltage, and a fifth layer provides for 480 V 1 E bus degraded voltage.

4. Preserve adequate defense against potential CCFs.

Common Cause Failures (CCF) are avoided by the redundancy, independence, diversity, and DID philosophy that are in the plant design. The preceding tables provide primary trip and ESFAS signals for Functions. The tables show how diverse signals are available to support the Function and that the diversity minimizes or eliminates CCFs. System and Function diversity and DID are also shown when the required coincidence changes based on interlocks with the RTS and ESFAS systems. Most CCFs are eliminated by train related Functions. The remaining train can actuate the required signal when needed.

5. Maintain multiple fission product barriers.

The RTS provides trips that are designed to maintain the fuel cladding intact. Specifically, the Power Range Neutron Flux High, Power Range Neutron Flux Rate Positive High, Overtemperature N-16, and Overpower N-16 trips respond to power excursions minimizing the stress to the fuel cladding. These trips act to protect the fuel cladding (fission product barrier).

The Pressurizer Pressure High and the Pressurizer Water Level High in conjunction with the Pressurizer Power Operated Relief Valves (PORV) and Pressurizer Safety Valves to limit the pressure in the RCS.

These trips and components act to protect the RCS piping (fission product barrier).

The ESFAS actuations focus on keeping the reactor core cooled and maintaining the Containment below design temperature and pressure. The three automatic SI actuation signals respond to potential challenges to Containment integrity. Containment Pressure High 1 initiates a safety injection based on rising pressure in the Containment. Pressurizer Pressure Low is an indication that a LOCA is in progress that could challenge Containment integrity. Steam Line Pressure Low is an indication of either a steam line break or a feedwater line break. Either break if inside Containment could challenge Containment integrity.

Containment isolation signals are designed to protect Containment integrity. When a Safety Injection is actuated, Containment Phase A Isolation is actuated to isolate non-essential penetrations. Containment Phase A Isolation actuates a Containment Ventilation Isolation to ensure ventilation into and out of Containment are isolated. Steam Line Isolation is actuated by either Steam Line Pressure Low or Containment Pressure High 2 to close the Main Steam Isolation Valves (MSIV) to further ensure Containment integrity. Containment Pressure High 3 initiates Containment Spray and Containment Phase B Isolation. Containment Spray acts to lower Containment temperature and pressure. Containment Phase B isolation isolates Component Cooling Water (CCW) to the RCPs inside Containment. CCW will not be required in this condition as the RCPs are secured. With Containment isolated and Containment Spray actuated the Containment integrity is maintained (Fission product barrier).

to TXX-21093 Page 10 of 71

6. Preserve sufficient defense against human errors.

Operator errors are minimized by a multi-layered approach. Most actions taken by operators are given in written procedures that have gone through 10 CFR 50.59 review. Control board and plant labelling minimize errors as they provide a positive component verification prior to operation. The protection system is designed so that a single failure will not cause or prevent an actuation when needed. The test procedures for the protection system ensure the steps taken will not lead to an inadvertent actuation. There is also a "fail-safe" element in the design. For example, most components actuated by the protection system are actuated when an input de-energizes, so a loss of power takes the system to a safe position. There are some exceptions and they are based on positive actions to initiate Containment Spray and switchover of the suctions for ECCS and Containment Spray pumps to the Containment Sumps when RWST level reaches a specific level.

These signal energize to actuate. This is a case also where the operator may play a significant role if the automatic actuation fails.

7. Continue to meet the intent of the plant's design criteria.

The plant design criteria are not changed by the license amendment request to adopt TSTF-505, Revision 2. The PRA and design review have not identified any significant safety concern by extending the Completion Times when implemented by the submitted program. Any LCOs that may have challenged the plant's design criteria have not been submitted for inclusion in the RICT program. Particularly, CPNPP has not submitted changes for low MODE conditions.

5.0 Tables E1-1, "In Scope TS/LCO Conditions to Corresponding PRA Functions" E1-2, "In Scope TS/LCO Conditions RICT Estimate" E1 -3, "Conditions Requiring Additional Technical Justification" E1-4, "Evaluation of Instrumentation and Control Systems" E1 -5, "Reactor Trip System (RTS) Instrumentation Functions" E1-6, "Engineered Safety Features Actuation System (ESFAS) Instrumentation Functions" E1-7, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions" E1-8, "Event Protection and Diverse Functions" to TXX-21093 Page 11 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria One Manual Two Manual Mapped to modeled 3.3.1.B Reactor Trip Reactor Trip Yes Reactor Trip Initiation One of two reactor Same components.

channel channels trip channels inoperable (Note 4)

RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one four channel instrument loop and one three channel One Power instrument loop based on Range Four Power every trip that would generate Neutron Range Neutron Two of four at least two sets of signals.

3.3.1.D Flux-High Flux-High Yes Reactor Trip Initiation channels Same For the RICT program, if the channel channels components were not inoperable.

explicitly modeled, they were mapped to one of the two logics based on the number of channels and their impact on the function.

(Notes 1 and 2) to TXX-21093 Page 12 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Two of Four Four Power Power Range Flux RTS is modeled in the Range Flux Low Low channels CPNPP PRA using two channels generic RX Trip logics, one Two of Four four channel instrument loop Four Power Power Range and one three channel Range Neutron Neutron Flux Rate instrument loop based on Flux Rate High High Positive Rate every trip that would generate Positive Rate channels at least two sets of signals.

channels For the RICT program, if the Two of Four components were not Four Overtemperature explicitly modeled, they were 3.3.1.E One channel Overtemperature Yes Reactor Trip Initiation N-16 channels Same mapped to one of the two inoperable.

N-16 channels logics based on the number Two of Four of channels and their impact Four Overpower Overpower N-16 on the function.

N-16 channels channels Four Pressurizer Two of Four (Notes 1 and 2)

Pressure-High Pressurizer channels Pressure-High channels Four SG Water Level Low-Low Two of Four SG channels Water Level Low-Low channels to TXX-21093 Page 13 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Two of Four Pressurizer Four Pressurizer Pressure Low RTS is modeled in the Pressure Low channels channels CPNPP PRA using two Two of Three generic RX Trip logics, one Three Pressurizer Pressurizer Water four channel instrument loop Water Level High Level Low and one three channel instrument loop based on channels channels every trip that would generate One channel Three Reactor Two of Three at least two sets of signals.

3.3.1.M inoperable.

Coolant Flow Low Yes Reactor Trip Initiation Reactor Coolant Same For the RICT program, if the channels per loop Flow Low components were not channels per loop explicitly modeled, they were Four Undervoltage mapped to one of the two RCPs Two of Four logics based on the number Undervoltage of channels and their impact Four RCPs on the function.

Underfrequency (Notes 1 and 2)

RCPs channels Two of Four Underfrequency RCPs channels RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one four channel instrument loop and one three channel One Low Fluid Oil instrument loop based on Pressure Three Low Fluid Two of Three every trip that would generate 3.3.1.0 Turbine Trip Oil pressure Yes Reactor Trip Initiation channels Same at least two sets of signals.

channel channels For the RICT program, if the inoperable.

components were not explicitly modeled, they were mapped to one of the two logics based on the number of channels and their impact on the function.

to TXX-21093 Page 14 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one four channel instrument loop One or more and one three channel Turbine Stop Four Turbine Stop instrument loop based on Valve Valve Closure Four of Four every trip that would generate 3.3.1.P Closure channels (One for Yes Reactor Trip Initiation channels Same at least two sets of signals.

Turbine Trip each valve)

For the RICT program, if the channel(s) components were not inoperable.

explicitly modeled, they were mapped to one of the two logics based on the number of channels and their impact on the function. (Note 11)

RTS is modeled in the CPNPP PRA using two One of Two Safety generic RX Trip logics, one Two Safety Injection (SI) Input four channel instrument loop Injection (SI) Input from Engineered and one three channel from Engineered Safety Feature instrument loop based on One train Safety Feature Actuation System every trip that would generate 3.3.1.R inoperable.

Actuation System Yes Reactor Trip Initiation (ESFAS) trains Same at least two sets of signals.

(ESFAS) trains For the RICT program, if the One of Two components were not Two Automatic Automatic Trip explicitly modeled, they were Trip Logic trains Logic trains mapped to one of the two logics based on the number of channels and their impact on the function.

One RTB Two Reactor Trip Mapped to modeled 3.3.1.S train Breaker (RTB)

Yes Reactor Trip Initiation One of Two RTBs Same components.

inoperable.

trains open (Note 3)

One trip RTB Undervoltage Mapped to modeled 3.3.1.V mechanism and Shunt trip Yes Reactor Trip Initiation One trip Same components.

inoperable mechanisms mechanism for one RTB.

(Note 4) to TXX-21093 Page 15 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria One of Two Two Manual Manual Initiation Initiation Safety Safety Injection Injection channels channels Two Manual One of Two Initiation Manual Initiation Containment Containment Spray channels Spray channels One channel (per train)

(per train) 3.3.2.B or train Yes ESF Actuation Same Mapped to modeled inoperable.

Two Manual One of Two components.

Initiation Phase A Manual Initiation Containment Phase A Isolation channels Containment Isolation channels Two Manual One of Two Initiation Phase B Containment Manual Initiation Isolation channels Phase B Containment Isolation channels to TXX-21093 Page 16 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria One of Two Safety Two Safety Injection Injection Automatic Automatic Actuation Logic Actuation Logic and Actuation and Actuation Relays trains Relays trains One of Two Two Containment Containment Spray Automatic Spray Automatic Actuation Logic Actuation Logic and Actuation and Actuation Relays trains Relays trains Two Phase A One of Two Phase Containment A Containment Isolation ESF Actuation, P-14:

Isolation Mapped to modeled Automatic Trips Main Feed Pumps, Automatic components. Surrogates 3.3.2.C One train Actuation Logic Yes Trips Main Turbine, Actuation Logic Same used for certain components inoperable.

and Actuation Closes Feedwater and Actuation (relays) are conservatively Relays trains Isolation and Discharge Relays trains mapped based on their effect Valves on the function.

Two Phase B One of Two Phase Containment B Containment Isolation Isolation Automatic Automatic Actuation Logic Actuation Logic and Actuation and Actuation Relays trains Relays trains Two Automatic One of Two Switchover to Automatic Containment Switchover to Sump Automatic Containment Actuation Logic Sump Automatic and Actuation Actuation Logic Relays trains and Actuation Relavs trains to TXX-21093 Page 17 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Three Safety Two of Three Safety Injection Injection Containment Containment Pressure - High 1 Pressure - High 1 channels channels Four Safety Two of Four Safety Injection Injection Pressurizer Pressurizer Pressure - Low Pressure - Low channels channels Three (per line)

Two of Three (per Safety Injection line) Safety Steam Line Injection Steam Pressure Low Line Pressure Low channels channels Three Steam Line Two of Three Isolation Steam Line 3.3.2.D One channel Containment Yes ESF Actuation Isolation Same Mapped to modeled inoperable.

Pressure - High 2 Containment components.

channels Pressure - High 2 channels Three (per line)

Two of Three (per Steam Line Isolation Steam line) Steam Line Line Pressure Low Isolation Steam channels Line Pressure Low channels Three (per line)

Two of Three (per Steam Line Isolation Negative line) Steam Line Rate-High Isolation Negative Rate - High channels channels Four (per SG)

Two of Four (per Auxiliary SG) Auxiliary Feedwater SG Water Level Low-Feedwater SG Low channels Water Level Low-Low channels to TXX-21093 Page 18 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by PRA by TS LCO Design Success Spec Description in PRA?

TS LCO Condition Criteria Success Comments Condition Criteria Two Steam Line One of Two Isolation Manual Steam Line Initiation channels Isolation Manual Initiation channels Two Auxiliary Mapped to modeled One channel Feedwater Loss of One of Two Safety components. Surrogates 3.3.2.F or train Offsite Power Yes ESF Actuation Injection Loss of Same used for certain components inoperable.

channels Offsite Power (hand switch/relays) are channels conservatively mapped based Two ESFAS on their effect on the function.

Interlocks Reactor One of Two Trip channels ESFAS Interlocks (P-4)

Reactor Trip channels One of Two Two Steam Line Steam Line Isolation Isolation Automatic Automatic Actuation Logic Actuation Logic and Actuation and Actuation Mapped to modeled One train Relays trains Relays trains components. Surrogates 3.3.2.G inoperable.

Yes ESF Actuation Same used for certain components Two Auxiliary One of Two (hand switch/relays) are Feedwater Auxiliary conservatively mapped based Automatic Feedwater on their effect on the function.

Actuation Logic Automatic and Actuation Actuation Logic Relays trains and Actuation Relavs trains Two Turbine Trip One of Two and Feedwater Turbine Trip and Mapped to modeled Isolation Feedwater components. Surrogates One train 3.3.2.H Automatic Yes ESF Actuation Isolation Same used for certain components inoperable Actuation Logic Automatic are conservatively mapped and Actuation Actuation Logic based on their effect on the Relays trains and Actuation function.

Relays trains to TXX-21093 Page 19 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by PRA by TS LCO Design Success Spec Description in PRA?

TS LCO Condition Criteria Success Comments Condition Criteria Three (per SG)

Two of Three (per Turbine Trip and SG) Turbine Trip One channel Feedwater and Feedwater 3.3.2.1 inoperable.

Isolation SG Yes ESF Actuation Isolation SG Same Mapped to modeled Water Level -

Water Level -

components.

High-High (P-14)

High-High (P-14) channels channels One Main Mapped to modeled Feedwater All Main components. Surrogates 3.3.2.J Pump trip Feedwater Pumps Yes ESF Actuation One of two per Same used for certain components channel trip channels AFWpump (switch/relays) are inoperable.

conservatively mapped based on their effect on the function.

One of Two Sustained channels (per bus) undervoltage of the loss of One or more voltage and Functions (SUR), Transient Mapped to modeled with one undervoltage (TU)

Diesel Generator Start undervoltage components. Surrogates 3.3.5.A and Loss of Yes Instrumentation - Loss of Functions Same used for certain components channel per voltage (LOV)

Power (relays) are conservatively bus sensors on safety One of two trains mapped based on their effect inoperable related 6.9kV of Automatic on the function.

buses Actuation Logic and Actuation Relavs Two channels per bus for the Two (per bus)

Two of Two Surrogates used for Preferred preferred offsite Diesel Generator Start undervoltage components (relays) are 3.3.5.B offsite source source bus Yes Instrumentation - Loss of channels on each Same conservatively mapped based bus undervoltage Power preferred offsite on their effect on the function.

undervoltage channels source bus function (Notes 5 and 6) inoperable.

Two channels per bus for the Two (per bus)

Two of Two Surrogates used for Alternate Alternate offsite Diesel Generator Start undervoltage components (relays) are 3.3.5.C offsite source source bus Yes Instrumentation - Loss of channels on each Same conservatively mapped based bus undervoltage Power alternate offsite on their effect on the function.

undervoltage channels source bus function (Notes 5 and 6) inoperable.

to TXX-21093 Page 20 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Two channels per Two of Two bus for the Two (per bus) 6.9 Diesel Generator Start undervoltage Mapped to modeled 3.3.5.D 6.9 kV bus kV Class 1 E bus Yes Instrumentation - Loss of channels on each Same components.

loss of undervoltage Power 6.9 kV Class 1 E voltage channels bus (Notes 5 and 6) function inoperable Two of Two degraded voltage Two (per bus) 6.9 channels on each Two kV Class 1E 6.9 kV Class 1 E channels per Degraded voltage bus channels bus for one Two of Two Surrogates used for certain or more Two (per bus) 480 Diesel Generator Start degraded voltage components (relays) are 3.3.5.E degraded V Class 1 E bus Yes Instrumentation - Loss of channels on each Same conservatively mapped based voltage or degraded voltage Power 480 V Class 1 E on their effect on the function.

low grid channels bus undervoltage (Notes 5 and 6) functions Two (per bus) 480 Two of Two low inoperable V Class 1 E bus grid undervoltage low grid channels on each undervoltage 480 V Class 1 E bus One or more Surrogates used for certain Automatic One of Two Actuation Two Automatic Diesel Generator Start Automatic components (relays) are 3.3.5.F Logic and Actuation Logic Yes Instrumentation - Loss of Actuation Logic Same conservatively mapped based and Actuation on their effect on the function.

Actuation Relays trains Power and Actuation Relays trains Relays trains inoperable.

(Notes 5 and 6)

Surrogates used for components are mapped based on their effect on the One required group of Two groups of One of two groups PRA does function. For the RICT, the 3.4.9.B pressurizer pressurizer No RCS subcooling of pressurizer not model impact has been mapped to heaters with a an increase in the likelihood heaters heaters capacity :::: 150 kW PRZ heaters.

of a plant trip due to inoperable.

degraded pressure control.

(Note 9) to TXX-21093 Page 21 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria One PORV OPERABLE One PORV inoperable RCS depressurization for One PORV with and not SGTR response two CCPs Mapped to modeled 3.4.11.B capable of Two PORVs Yes Same being Feed and bleed core OR components.

manually cooling cycled.

Two PORVs with one CCPAND one SI pump_

One PORVand associated block valve OPERABLE One PORVand Isolate associated PORV associated block One block valve with two 3.4.11.C valve Two PORV block Yes Open to allow PORV CCPs Same Mapped to modeled inoperable.

valves functions in Function components.

3.4.11.B OR Two PORVs and associated block valves with one CCP AND one SI pump to TXX-21093 Page 22 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following One train accidents:

Mapped to modeled inoperable

a. Loss of coolant components.

because of accident (LOCA), coolant the Two centrifugal leakage greater than the 1 of 2 centrifugal The centrifugal charging 3.5.2.A inoperability Yes capability of the normal Same subsystem consists of two of a charging pumps charging system; charging pumps.

redundant, 100% capacity centrifugal

b. Rod ejection accident; trains.

charging

c. Loss of secondary pump.

coolant accident, (Note 8) including uncontrolled steam release or loss of feedwater; and

d. Steam generator tube rupture (SGTR).

to TXX-21093 Page 23 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Provide core cooling and negative reactivity to ensure that the reactor core is protected after Mapped to modeled One or more any of the following components. Surrogates trains accidents:

used for certain components inoperable Two ECCS trains

a. Loss of coolant (pump/valves) are accident (LOCA), coolant conservatively mapped based for reasons consisting of, leakage greater than the on their effect on the function 3.5.2.B other than safety injection Yes capability of the normal One of two ECCS Same one pump, RHR charging system; trains TS 3.5.2 Condition B requires inoperable Pump, RHR heat
b. Rod ejection accident; 100% flow equivalent to a centrifugal exchangers
c. Loss of secondary single OPERABLE ECCS charging coolant accident, train is available.

pump.

including uncontrolled steam release or loss of (Note 8) feedwater; and

d. Steam generator tube rupture (SGTR).

Surrogates used for components are conservatively mapped based on their effect on the function.

For RICT, the impact for this condition will be assumed One or more that one end of the containment containment air lock has air locks One of two been verified to be able to 3.6.2.C inoperable Containment Not Containment integrity containment air Same perform its function 3.6.2.C.1.

for reasons Airlocks explicitly lock doors closed.

The components will other than therefore be mapped to a Condition A surrogate representing a loss or B.

of a single CIV for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> requirement.

TS 3.6.2 Condition C Action 1 initiates action to evaluate overall containment leakage rate oer LCO 3.6.1.

to TXX-21093 Page 24 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria One or more penetration flow paths with one containment isolation valve Mapped to modeled inoperable except for Two active or components. Surrogates containment passive isolation Containment boundary One of two used for certain components 3.6.3.A devices on each Yes and minimization of RCS isolation devices Same (CIV not explicitly modeled)

purge, fluid penetration inventory loss per penetration are conservatively mapped hydrogen line based on their effect on the purge or function.

containment pressure relief valve leakage not within limit.

One or more penetration See LCO Condition 3.6.3.A flow paths 3.6.3.C with one containment isolation valve inoperable.

Mapped to modeled components. Surrogates used for certain components (breakers/valves) are One Two Containment conservatively mapped based 3.6.6.A containment Spray System Yes Containment atmosphere One of two trains Same on their effect on the function spray train trains cooling inoperable.

The Containment Spray System for each unit consists of two separate and completely redundant safety trains.

to TXX-21093 Page 25 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Mapped to modeled components.

The design of the secondary One MSIV Main Steam One MSIV closure system precludes the 3.7.2.A inoperable in Isolation Valves Yes Isolate Main Steam Lines per steam Same uncontrolled blowdown of Mode 1 (MSIVs) generator more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand.)

One required Steam Generator One of four Mapped to modeled 3.7.4.A ARV line Atmospheric Yes Pressure relief and plant Two of four SG for Transient components.

Relief Valves cooldown ARVs inoperable (ARVs)

/SGTR (Note 7)

Two required Steam Generator One of four Mapped to modeled Atmospheric Pressure relief and plant Two of four SG 3.7.4.B ARV lines Relief Valves Yes cooldown ARVs for Transient components.

inoperable.

(ARVs)

/SGTR (Note 7)

Three or Steam Generator One of four SG Mapped to modeled more Atmospheric Pressure relief and plant ARVs and CST One of four components.

3.7.4.C required ARV Yes for Transient lines Relief Valves cooldown cooling water

/SGTR inoperable.

(ARVs) supply (Note 7)

One steam Mapped to modeled supply to the Turbine driven components. Surrogates 3.7.5.A turbine AFW steam Yes Supply steam to turbine One of two steam Same used for certain components driven AFW supply line valves driven AFW pump feed lines (CIV valves) are pump and flowpath conservatively mapped based inoperable on their effect on the function.

to TXX-21093 Page 26 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria All transients:

One of three AFW pumps supplying 1 OneAFW Three AFW trains SG Mapped to modeled (two motor driven All LOCAs:

train pumps and Supply feedwater to One of three AFW

One of three components. Surrogates 3.7.5.B inoperable flowpath, one Yes steam generators to trains supplying AFWpumps used for certain components for reasons turbine driven remove RCS decay heat two SGs supplying 2 (CIV valves) are other than pump and SGs conservatively mapped based Condition A flowpath)

SGTR: :One on their effect on the function.

of three AFW pumps supplying 1 SG Two CCW trains One CCW comprised of a full Heat sink for removing 3.7.7.A train capacity pump, Yes process and operating One of two CCW Same Mapped to modeled inoperable.

heat exchanger, heat from safety related trains components.

piping, valves, and components instrumentation Required SSW Pump Two 100%

on the capacity SSW Heat sink for removal of One of two opposite unit cooling water process and operating opposite unit SSW Mapped to modeled 3.7.8.A or its pumps and Yes heat from safety related trains with cross-Same components associated associated cross components during OBA cross-connects on or transient ties open.

connects opposite unit inoperable.

Two 100%

Heat sink for removal of One SSWS capacity SSWS process and operating One of two unit Mapped to modeled 3.7.8.B train cooling water Yes heat from safety related SSWS trains Same components.

inoperable.

components during OBA trains or transient to TXX-21093 Page 27 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Provide water to Mapped to modeled emergency fan coil units components.

One safety chilled water Two safety chilled (EFCUs) to maintain One of two safety The Safety Chilled Water 3.7.19.A train water Yes ambient air temperature chilled water trains Same System for each unit consists within design limits of the inoperable.

essential equipment in of two separate and ESF pump rooms completely redundant safety trains.

Two trains with One qualified two qualified circuit between circuits between the offsite One required the offsite Provide power from transmission 3.8.1.A offsite circuit transmission Yes offsite transmission network and the Same Mapped to modeled inoperable.

network and the network to onsite Class onsite 1 E AC components.

onsite 1 E AC 1 E buses.

Electrical Power Electrical Power Distribution Distribution System.

System.

Two independent DGs per train Provide power to safety capable of 3.8.1.B OneDG supplying onsite Yes related buses when 1 of 2 DGs per Same Mapped to modeled inoperable.

1 E AC Electrical offsite power to them is unit components.

Power Distribution lost.

System Two trains with two qualified circuits between Two required the offsite Provide power from 1 of 2 DGs per 3.8.1.C offsite transmission Yes offsite transmission unit when offsite Same Mapped to modeled circuits network and the network to onsite Class power is components.

inoperable.

onsite 1 E AC 1E buses.

unavailable.

Electrical Power Distribution System.

to TXX-21093 Page 28 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria Two trains with two qualified One qualified circuits between circuit between the offsite the offsite transmission transmission One required network and the network and the offsite circuit onsite 1 E AC Provide power from onsite 1 E AC 3.8.1.D inoperable.

Electrical Power Yes offsite transmission Electrical Power Same Mapped to modeled AND Distribution network to onsite Class Distribution components.

One DG System and Two 1E buses.

System if offsite inoperable.

independent DGs power available.

per train capable of supplying onsite One DG per unit if 1 E AC Electrical offsite power Power Distribution unavailable.

Svstem One SI See LCO Condition 3.8.1.B 3.8.1.F sequencer inoperable.

One or two Ensure availability of Mapped to modeled required Two 100%

required DC power to One 100%

components. Surrogates 3.8.4.A battery capacity chargers Yes shut down the reactor capacity battery Same used for certain components chargers on per battery and maintain it in a safe for one of two DC (inverters) are conservatively one train trains mapped based on their effect inoperable.

condition on the function. (Note 10)

One or two Ensure availability of Mapped to modeled batteries on required DC power to One battery components. Surrogates 3.8.4.B one Two batteries per Yes shut down the reactor available for one Same used for certain components train train and maintain it in a safe of two DC trains (inverters) are conservatively inoperable.

condition mapped based on their effect on the function.

One DC electrical power Ensure availability of Mapped to modeled subsystem Two DC electrical required DC power to components. Surrogates 3.8.4.C inoperable power distribution Yes shut down the reactor One of Two DC Same used for certain components for subsystems and maintain it in a safe trains (inverters) are conservatively reasons mapped based on their effect other than condition on the function.

Condition A or B.

to TXX-21093 Page 29 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions Tech Tech Spec SSCs Covered Modeled Function Covered by Design Success PRA by TS LCO Success Comments Spec Description Condition in PRA?

TS LCO Condition Criteria Criteria One of two Mapped to modeled One required inverters components. Surrogates 3.8.7.A inverter Four inverters per Yes Provide AC power to vital supplying AC vital Same used for certain components inoperable.

train.

buses bus electrical (INSTR Panel) are power distribution conservatively mapped based system.

on their effect on the function.

One AC electrical Two AC electrical One of two AC 3.8.9.A power power distribution Yes Provide power to safety electrical power Same Mapped to modeled distribution subsystems related equipment.

distribution components.

subsystem subsystems inoperable.

Mapped to modeled One AC vital One of two AC components. Surrogates 3.8.9.B bus Two AC vital bus Yes Provide power to safety vital bus Same used for certain components subsystem subsystems related equipment.

distribution (INSTR Panel) are inoperable.

subsystems conservatively mapped based on their effect on the function.

One DC Ensure availability of electrical Two DC electrical required DC power to One of two DC Mapped to modeled 3.8.9.C power power distribution Yes shut down the reactor power distribution Same distribution subsystems and maintain it in a safe subsystems components.

subsystem inoperable.

condition Notes:

1. The Reactor Trip System instrumentation is segmented into four distinct but interconnected modules: field transmitters and process sensors, Signal Process Control and Protection System, Solid State Protection System (SSPS), and reactor trip switchgear. Field transmitters provide measurement of the unit parameters to the Signal Process Control and Protection System via separate, redundant channels. The Signal Process Control and Protection System forwards outputs to the SSPS, which consists of two redundant trains, to indicate a reactor trip or actuate Engineering Safety Functions.
2.

Depending on the measured parameter, three or four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a trip logic. Failure of any one trip logic does not result in an inadvertent trip. Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient.

3.

A trip breaker train consists of all trip breakers associated with a single Reactor Trip System logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Consistent with the requirements in WCAP-15376-P-A to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a RTB train is inoperable for maintenance are included.

to TXX-21093 Page 30 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions

4.

Each RTB is equipped with a shunt trip device that is energized to trip the RTB open upon receipt of a manual reactor trip signal, thus providing a redundant and diverse trip mechanism. Two Manual Reactor Trip channels provide the signal from reactor trip switches located in the Main Control Room to the RTBs.

5. Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses.
6. For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed. A NOTE will be added to LCO 3.3.5 limits the use of the RICT for Conditions B, C, D, or E to only one of these Conditions at any one time.
7.

The unit can be cooled to residual heat removal (RHR) entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

8.

The ECCS consists of three separate subsystems: centrifugal charging (high head), safety injection (intermediate head), and residual heat removal (low head). Each of the three subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100% of the flow required to mitigate accident consequences.

9.

The unavailability of one required group of pressurizer heaters would not have any significant impact on plant transient response so there is no quantifiable impact to CDF or LERF. While mitigation of a SGTR is enhanced by the availability of pressurizer heaters, ECA-3.3A/B provides for mitigation of a SGTR without pressurizer heaters, if necessary.

Degraded pressurizer heater capability is supplemented by the availability of the remaining heaters for plant pressure control, and the availability of plant procedures which provide plant shutdown and cooldown guidance with pressurizer heaters. If the available heaters are sufficient to maintain RCS pressure control, normal plant operations can continue. For the RICT, the impact has been mapped to an increase in the likelihood of a plant trip (factor of 10) due to degraded pressure control.

10. With both chargers inoperable on a single train of DC power the battery becomes the source of DC power until at least one changer can be restored to OPERABLE status. TS 3.8.4 also provides that the opposite train will provide the safety function.

11. The turbine stop valve trip is a backup for the turbine low oil pressure trip. The stop valve trip is not required to operate in the presence of a single or more channel failure. With a loss of load, the Pressurizer Pressure High trip and the Pressurizer safety valves protect the core and RCS integrity.

to TXX-21093 Page 31 of 71 Table E1-2, In Scope TS/LCO Conditions RICT Estimate Tech LCO Condition RICT Spec Estimate1*2*3 3.3.1.B One Manual Reactor Trip channel inoperable.

30 days 3.3.1.D One Power Ranqe Neutron Flux-Hiqh channel inoperable.

30 days 3.3.1.E One channel inoperable 30 days 3.3.1.M One channel inoperable.

30 days 3.3.1.0 One Low Fluid Oil Pressure Turbine Trip channel inoperable.

30 days 3.3.1.P One Turbine Trip channel inoperable.

30 days 3.3.1.R One or more Turbine Stop Valve Closure Turbine Trip 30 days channel(s) inoperable.

3.3 1 S One RTB train inoperable.

30 days 3.3.1.V One trip mechanism inoperable for one RTB.

30 days 3.3.2.B One channel or train inoperable.

30 days 3.3.2.C One train inoperable.

30 days 3.3.2.D One channel inoperable.

30 days 3.3.2.F One channel or train inoperable.

30 days 3.3.2.G One train inoperable.

30 days 3.3.2.H One train inoperable.

30 days 3.3.2.1 One channel inoperable.

30 days 3.3.2.J One Main Feedwater Pumps trip channel inoperable.

30 days 3.3.5.A One or more Functions with one channel per bus inoperable.

30 days 3.3.5.B Two channels per bus for the Preferred offsite source bus 30 days undervoltaqe function inoperable.

Two channels per bus for the Alternate offsite source bus 3.3.5.C undervoltage function inoperable.

30 days 3.3.5.D Two channels per bus for the 6.9 kV bus loss of voltage 30 days function inoperable.

3.3.5.E Two channels per bus for one or more degraded voltage or 30 days low grid undervoltaqe function inoperable.

3.3.5.F One or more Automatic Actuation Logic and Actuation Relays 30 days trains inoperable.

3.4.9.B One required group of pressurizer heaters inoperable.

30 days 3.4.11.B One PORV inoperable and not capable of being manually 30 days cycled.

3.4.11.C One block valve inoperable.

26.7 days 3.5.2.A One train inoperable because of the inoperability of a 30 days centrifugal charqinq pump.

One or more trains inoperable for reasons other than one inoperable centrifugal charging pump.

3.5.2.B AND 30 days At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available.

3.6.2.C One or more containment air locks inoperable for reasons 30 days other than Condition A or B.

One or more penetration flow paths with one containment 3.6.3.A isolation valve inoperable except for containment purge, 30 days hydrogen purge or containment pressure relief valve leakage not within limit.

One or more penetration flow paths with one containment 3.6.3.C isolation valve inoperable except for containment purge, 30 days hydrogen purge or containment pressure relief valve leakage not within limit.

to TXX-21093 Page 32 of 71 Table E1-2, In Scope TS/LCO Conditions RICT Estimate Tech LCO Condition RICT Spec Estimate1*2*3 3.6.6.A One containment spray train inoperable.

30 days 3.7.2.A One MSIV inoperable in MODE 1.

30 days 3.7.4.A One required ARV line inoperable 30 days 3.7.4.B Two required ARV lines inoperable.

30 days 3.7.4.C Three or more required ARV lines inoperable.

30 days 3.7.5.A One steam supply to turbine driven AFW pump inoperable.

30 days 3.7.5.B One AFW train inoperable for reasons other than Condition A.

30 days 3.7.7.A One CCW train inoperable.

27.5 days 3.7.8.A Required SSW Pump on the opposite unit or its associated 30 days cross-connects inoperable.

3.7.8.B One SSWS train inoperable.

12.2 days 3.7.19.A One safety chilled water train inoperable.

24.8 days 3.8.1.A One required offsite circuit inoperable.

30 days 3.8.1.B One DG inoperable.

30 days 3.8.1.C Two required offsite circuits inoperable.

29.9 days One required offsite circuit inoperable.

3.8.1.D AND 28.1 days One DG inoperable.

3.8.1.F One SI sequencer inoperable.

30 days

3. 8.4.A One or two required battery charqers on one train inoperable.

13.4 days

3. 8.4.B One or two batteries on one train inoperable.

28 days

3. 8.4.C One DC electrical power subsystem inoperable for reasons other 30 days than Condition A or B.
3. 8.7.A One required inverter inoperable.

30 days

3. 8. 9.A One AC electrical power distribution subsystem inoperable.

30.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 3.8.9.B One AC vital bus subsystem inoperable.

19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> 3.8.9.C One DC electrical power distribution subsystem inoperable.

86 hours9.953704e-4 days <br />0.0239 hours <br />1.421958e-4 weeks <br />3.2723e-5 months <br /> Notes:

1.

The actual RICT values will be calculated using the existing plant configuration and the current revision of the PRA model representing the as-built, as-operated condition of the plant, as required by NEI 06-09-A, Revision 0-A and the NRC safety evaluation, and may differ from the pre-calculated RICT values presented here.

2.

RICTs are based on the internal events, internal flood, and internal fire PRA model calculations with seismic and high winds CDF and LERF penalties. RICTs calculated to be greater than 30 days are capped at 30 days based on NEI 06-09-A, Revision 0-A.

RICTs not capped at 30 days are rounded to nearest number of hours.

3.

Per NEI 06-09-A, Revision 0-A, for cases where the total CDF or LERF is greater than 1 E-03/yr or 1 E-04/yr, respectively, the RICT Program will not be entered.

to TXX-21093 Page 33 of 71 Table E1-2, In Scope TS/LCO Conditions RICT Estimate 2.0 References

1. Letter from Jennifer M. Golder (NRC) to Biff Bradley (NEI), "Final Safety Evaluation for Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06-09-A, 'Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines,"'

dated May 17, 2007 (ADAMS Accession No. ML071200238)

2. Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines,"

Revision 0-A, dated October 12, 2012 (ADAMS Accession No. ML12286A322) to TXX-21093 Page 34 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

  • Tech S~ec Descriotion One Power 3.3.1.D.1.2 3.3.1.D.2.1 Licensee must justify that the condition does not Notes 1 and 2 Range represent the inability to perform the safety function Neutron Flux -

assumed in the FSAR given the loss of spacial High channel distribution of the remaining Power Range detectors.

inoperable.

The justification can include that the Actions require periodic monitoring of spacial power distribution and imposition of compensatory limits and reduced power.

One RTB 3.3.1.S.1 3.3.1.U.1 The licensee must include information regarding how Note 3 train the TSTF-411 conditions and limitations will be inoperable.

implemented (or similar conditions if TSTF-411 has not been adopted), including discussion of ATWS Mitigation System Actuation (AMSAC), and why those actions are sufficient, including a discussion of defense in depth.

Two channels 3.3.5.B.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required the Preferred trains or subsystems of a TS required system are offsite source inoperable or modify the Action to not apply a RICT bus when all required trains or subsystems are undervoltage inoperable. [See attached Safeguards UV Operation function diagram, Figure E1.1]

inoperable.

to TXX-21093 Page 35 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

  • Tech S12ec Descriotion Two channels 3.3.5.C.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required the Alternate trains or subsystems of a TS required system are offsite source inoperable or modify the Action to not apply a RICT bus when all required trains or subsystems are undervoltage inoperable. [See attached Safeguards UV Operation function diagram, Figure E1.1]

inoperable.

Two channels 3.3.5.D.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required the 6.9 kV trains or subsystems of a TS required system are bus loss of inoperable or modify the Action to not apply a RICT voltage when all required trains or subsystems are function inoperable. [See attached Safeguards UV Operation inoperable.

diagram, Figure E1.1]

Two channels 3.3.5.E.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required one or more trains or subsystems of a TS required system are degraded inoperable or modify the Action to not apply a RICT voltage or low when all required trains or subsystems are grid inoperable. [See attached Safeguards UV Operation undervoltage diagram, Figure E1.1]

function inoperable to TXX-21093 Page 36 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

  • Tech S12ec Descriotion One or more 3.3.5.F.1 3.3.5.B.1 Licensee must justify that one or more channels per Notes 4 and 5 Automatic bus inoperable is not a condition in which all required Actuation trains or subsystems of a TS required system are Logic and inoperable or modify the Action to not apply a RICT Actuation when all required trains or subsystems are Relays trains inoperable.

inoperable.

One required 3.4.9.B.1 3.4.9.B.1 Pressurizer is typically not modeled in the PRA.

Note 6 group of Licensee must justify the ability to calculate a RICT pressurizer for the condition, including how the system is heaters modeled in the PRA, whether all functions of the inoperable.

system are modeled, and, if a surrogate is used, why that modeling is conservative.

to TXX-21093 Page 37 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

  • Tech S~ec Descriotion One or more 3.5.2.B 3.5.2.A Licensee must justify that one or more ECCS trains The Condition trains inoperable is not a condition in which all required acknowledges that inoperable for trains or subsystems of a TS required system are individual component reasons other inoperable. Acceptable justification is TS Condition failures could affect both than one requiring 100% flow equivalent to a single ECCS trains but 100% flow inoperable train.

equivalent to that of a centrifugal single train is still required.

charging pump.

AND At least 100%

of the ECCS flow equivalent to a single OPERABLE ECCS train available.

One or more 3.6.2.C.3 3.6.2.C.3 Licensee must justify that an inoperable containment TS 3.6.2 Condition C containment air lock is not a condition in which all required trains Action C.1 initiates action air locks or subsystems of a TS required system are to evaluate the overall inoperable for inoperable. An acceptable argument may be that a containment leakage rate reasons other note in TS 3.6.2 requires the condition to be per LCO 3.6.1. While also than assessed in accordance with TS 3.6.1, Containment verifying a door is closed in Condition A or Integrity, and excessive leakage would require an the affected air lock and B.

immediate plant shutdown under that TS.

restore the air lock to OPERABLE status in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If air lock is not restored, be in MODE 3 in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 in 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

to TXX-21093 Page 38 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

  • Tech S~ec Descriotion One 3.6.6.A.1 3.6.6A Licensee must justify the ability to calculate a RICT Note 7 containment for the condition, including how the system is spray train modeled in the PRA, whether all functions of the inoperable.

system are modeled, and, if a surrogate is used, why that modeling is conservative. [See attached Containment Spray One-Line diaqram, Fiqure E1.21 One MSIV 3.7.2.A.1 3.7.2.A.1 Licensee must justify that the condition would not The design of the inoperable in prevent performance of the steam line break secondary system MODE 1.

isolation function assumed in the accident analysis.

precludes the uncontrolled An acceptable method may be a second MSIV per blowdown of more than steam line, another design feature, or an alternate one steam generator, method of preventing blowdown of more than one assuming a single active steam generator.

component failure (e.g.,

the failure of one MSIV to close on demand.) This is accomplished by closing the other three MS IVs manually or automatically.

Two required 3.7.4.B.1 3.7.4.B.1 Licensee must justify that two or more inoperable Note 8 ARV lines ADVs is not a condition in which all required trains or inoperable.

subsystems of a TS required system are inoperable or modify the Action to not apply a RICT when all required trains or subsystems are inoperable.

to TXX-21093 Page 39 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

  • Tech S~ec Descriotion Three or more 3.7.4.C.1 N/A Licensee must justify that three or more inoperable Note 8 required ARV ADVs is not a condition in which all required trains or lines subsystems of a TS required system are inoperable inoperable.

or modify the Action to not apply a RICT when all required trains or subsystems are inoperable.

One SSWS 3.7.8.B.1 N/A Licensee must justify that one SSWS train is not a Note 9 train condition in which all required trains or subsystems inoperable.

of a TS required system are inoperable.

One safety 3.7.19.A.1 N/A Licensee must justify that one safety chilled water The Safety Chilled Water chilled water train inoperable is not a condition in which all System for each unit train required trains or subsystems of a TS required consists of two separate inoperable.

system are inoperable. [See attached Safety and completely redundant Chilled Water One-Line diagram, Figure E1.3]

safety trains.

Notes:

Justification for applying the RICT to any Completion Time must recognize a key fundamental for Technical Specification use.

Once in a Condition with Required Actions no additional failures are considered. So, when applying the RICT Completion Time extensions, CPNPP will evaluate if the risk to be in the Condition for the extended time is acceptable.

1. The Reactor Trip System (RTS) instrumentation is segmented into four distinct but interconnected modules: field transmitters and process sensors, Signal Process Control and Protection System, Solid State Protection System (SSPS), and reactor trip switchgear. Field transmitters provide measurement of the unit parameters to the Signal Process Control and Protection System via separate, redundant channels. The Signal Process Control and Protection System forwards outputs to the SSPS, to TXX-21093 Page 40 of 71 Table E1-3, Conditions Requiring Additional Technical Justification which consists of two redundant trains, to actuate a Reactor Trip or an Engineered Safety Feature (ESF). This redundancy maintains safety function.
2. Depending on the measured parameter, three or four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a trip logic. Failure of any one trip logic does not result in an inadvertent trip. Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient. In both cases, a single failure will neither cause nor prevent the protective safety function actuation. With a failed power range instrument and rated thermal power greater than 75% the Quadrant Power Tilt Ratio must be verified 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the channel became inoperable and then every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> until the channel is restored to OPERABLE status.
3. A trip breaker train consists of all trip breakers associated with a single Reactor Trip System logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Consistent with the requirement in WCAP-15376-P-A to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when an RTB train is inoperable for maintenance are included. Multiple SSPS outputs provide trip signals to the trip logic which in turn opens the trip breakers. Additionally, CPNPP has ATWS Mitigation System Actuation Circuitry (AMSAC). At CPNPP the ATWS is referred to as the Anticipated Transient Without Trip (ATWT). AMSAC is independent of SSPS. AM SAC actuation will occur if turbine load is greater than 40% and three of four Steam Generator (SG) narrow range levels are less than 10%. There is a built in time delay to allow SSPS time to actuate. The AM SAC output will trip the main turbine, start all Auxiliary Feedwater (AFW) pumps, isolate SG blowdown and sample lines, and close the Condensate Storage Tank (CST) discharge valves. Due to a different main feedwater design on Unit 2, AMSAC also close the Feedwater Split-flow Bypass Valves (FSBVs). The system design is to provide AFW flow to the SGs and conserve feedwater while responding to an ATWT.

CPNPP adopted TSTF-411 with License Amendment 114 (ML050460331). It can be seen that the CPNPP SSPS which provides protection through actuation of required reactor trips and engineered safety features and the adoption the AM SAC system described above, there is defense-in-depth should the reactor not trip. AMSAC actuation is delayed allowing SSPS the opportunity to trip the reactor and actuate ESF components. If SSPS fails to perform its safety function, AMSAC will actuate to preserve a heat sink, preventing core damage. A manual reactor trip from two different handswitches and a manual turbine trip in the Control Room are available, providing diversity and defense-in-depth.

4. Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV to TXX-21093 Page 41 of 71 Table E1-3, Conditions Requiring Additional Technical Justification Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses. For Conditions B, C, D, E, and F separate entries are allowed by TS 3.3.5. Currently each of these Conditions call for restoring one channel per bus to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. "Two channels per bus" is acceptable as each bus must have both channels to initiate the start signal for the DG in Conditions B, C, D, or E.

Condition F allows for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore Automatic Actuation Logic and Actuation Relays train(s) whether one or both trains are inoperable. One train is sufficient to start the train-related DG and satisfy the required functionality. If one or both Automatic Actuation Logic and Actuation Relays train(s) are inoperable, then the associated DG(s) are declared inoperable after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. If both buses are found to be inoperable per Conditions B, C, D, or E, then actions for the inoperable source or bus will be required. In applying the RICT, the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Times may be extended based on plant configuration and acceptable risk. Failure to meet the Completion Time will cause entry into TS 3.8.1 for an inoperable Diesel Generator in accordance with TS 3.3.5, Condition G.

This TS LCO (3.3.5) will have a NOTE that states that the RICT may only be applied to one Condition from Conditions B, C, D or E at a time to maintain Function redundancy, independence, diversity, and defense-in-depth.

5. For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undeNoltage, alternate offsite source undeNoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1 E buses low grid undeNoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable.

The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

6. Safety analyses do not take credit for pressurizer heaters. The initial assumption is that the RCS is at normal pressure. Any RICT application will evaluate the anticipated demand for more than one group of heaters. The current model of record does not explicitly model the pressurizer heater directly, instead, we use a surrogate to represent its function/impact in the RICT model. For the RICT, this is done by increasing the likelihood of a reactor trip by a factor of 10 (conseNative modeling). The unavailability of one required group of pressurizer heaters would not have any significant impact on plant transient response so there is no quantifiable impact to CDF or LERF. While mitigation of a SGTR is enhanced by the availability of pressurizer heaters, ECA-3.3A/B, "SGTR without Pressurizer Pressure Control" provides for mitigation of a SGTR without pressurizer heaters, if necessary.

to TXX-21093 Page 42 of 71 Table E1-3, Conditions Requiring Additional Technical Justification Degraded pressurizer heater capability is supplemented by the availability of the remaining heaters for plant pressure control, and the availability of plant procedures which provide plant shutdown and cooldown guidance with pressurizer heaters. If the available heaters are sufficient to maintain RCS pressure control, normal plant operations can continue. CPNPP design includes one control heater group and three backup heater groups. Only two groups of heaters are required with an output of 150 KW each.

7. The Containment Spray (CT) System for each unit consists of two separate and completely redundant safety trains. Each Containment Spray train has two pumps. The CPNPP model of record / RICT model requires two CT spray pumps per train to meet its success criteria (only one train is required to meet the PRA success criteria). As this is explicitly modeled, when either pump (in a train) is removed from service the function is failed for that train and the RICT will be calculated based on the new configuration.
8. The unit can be cooled to residual heat removal (RHR) entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST. Currently the Completion Time for one ARV inoperable is 7 days, for two ARVs inoperable is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and for three or more ARVs inoperable is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a SGTR, The design basis for the maximum relief capacity is established by the 10CFR100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design cooldown rate of 50°F per hour is applicable for a natural circulation cooldown using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

9. The SSWS consists of two separate, 100% capacity, safety related, cooling water trains. Each train consists of one 100%

capacity pump, piping, valving, and instrumentation. The pumps and valves are remote and manually aligned to be operable in the unlikely event of a loss of coolant accident (LOCA). The pumps aligned to their respective loops are automatically started upon receipt of a safety injection signal. An automatic valve in the discharge of each pump is interlocked to open on a pump start. An automatic valve in the SSWS cooling water flow path for each emergency diesel generator automatically opens on a diesel generator start. All other valves are manual valves operated locally. The SSWS also is the backup water supply to the Auxiliary Feedwater System.

Cross-connections are provided between trains and between units such that any pump can supply any other pump's required flow.

to TXX-21093 Page 43 of 71 SAFEGUARDS UNDERVOLTAGE OPERATION OVERVIEW XST1 138KV/ 6.9KV ~

~

X y

EDGl-1

,-y---,.

5185 Volts Alternate Offsite Source Bus Undervoltage 5185 Volts cause the applicable bus feeder breaker to open.

X y

,-y---,.

NO) lEAl-2 NO) lEGl BTlEAl Preferred Offsite Source Bus Undervoltage NC)

I 1EA1 1

n 1

_________.....,iiiiii,,i,ii..,... _____._ ___ NC __________

~

6.9 KV Class 1 E Bus Undervoltage I

I PT/lEAl-1

)

)

Cause the following :

1. Starts applicable EDG after 1 TlEBl NC NC T1EB3 Setpoint:

sec time delay.

L L Blackout Sequencer Undervoltage Cause the following:

1. Energizes Operator Lockouts & Automatic Lockouts.
2. Once voltage restored, THEN loads are sequenced bus and Operator Lockouts are automatically reset.
3. Automatic Lockouts must be manually reset.

1EB1 N0 lEBl-1 2022 Volts

2. Load Shed of Bus lEAl.
3. Enables permissive to close lEAl-2.
4. If not reset within 1 sec then EDG starts in Emergency Mode.

ca use t he following:

1. St.arts 60 sec timer.
2. At the end of 60 secs, l EAl-1 Setpo1nt:

opens.

6163.2 Volts 3. 2 secs later if voltage NOT restored, THEN lEAl-2 opens.

6.9 KV Class 1 E Bus Degraded Voltage 1EB3 I

PT/lEBl X LNO J XPT/1EB3 v

336 Volts BT1EB13 336 Volts 480 V Class 1 E Bus Degraded Voltage 480 V Class 1 E Low Grid Undervoltage NC) 1EB3-1 I

XST2 345KV/ 6.9KV Notes:

~- l EAl-1 and lEAl -2 open automatically under the following conditions:

A. An 86-1 or 86-2 lockout of their respective transformer occurs.

B. An 86-1 or 86-2 lockout on 6.9KV Bus lEAl occurs.

C. An undervoltage condition occurs as sensed by the applicable undervoltage relays. (see notes next to the relays) lEAl-1 2. l EGl will close in AUTO under the following conditions:

A. The EOG is at operating Frequency and Voltage.

B. Both lEAl -1 and lEAl -2 are open.

C. If either Bus l EAl and/or the EOG have a 86-2 lockout, THEN the diesel MUST have started due to either a Safety Injection or Blackout (Emergency Start).

tl. If an 86-1 lockout occurs on Bus lEAl, then all feeder breakers will open and cannot be reclosed until the condition has been reset.

14. If an 86-1 lockout occurs on EDGl-1, then l EGl will open and cannot be reclosed until the condition has been reset. If an 86-2 lockout occurs lEGl can be closed as long as as the EOG started because of an SI or Blackout (Emergency Start).

~-The following outlines the normal sequence of events that should occur on a loss of the normal feeder to the bus.

A. l EAl -1 opens either due to low voltage or an 86 lockout of XSTl.

B. As voltage degrades the Blackout Sequencer will energize all OL and AL contacts.

C. Once 2022 volts is reached (a)l EAl load shed occurs, (bl the close permissive for l EAl-2 is enabled (breaker should close) and (c) the EOG gets an emergency start signal AFTER a 1 sec time delay.

0. Normally lEAl -2 should close and re-energize the bus before the EOG ever starts. However if the bus is not re-energized in 1 sec the EOG will start and come up to rated voltage and frequency within 10 secs.

E. Once voltage drops below 6163.2 volts and l EAl-1 is open then voltage must be above the reset voltage within 2 secs or lEAl-2 will open or if already closed it will be tripped open.

F. In the event lEAl -2 does not restore voltage then the lEGl will close as long as its permissives are met (see note 2 above).

G. Once voltage is restored the BOS wi ll then sequence on all loads onto the bus.

Figure E1.1 to TXX-21093 Page 44 of 71 SPRAY NOZZLES

~

~

~

CONTAINMENT SUMPS IRC ORC RWST uCT-0050 uct:*0078 uCT-0028 (i:\\

,CT-0026 r;,x-0,L.....--

~

~

~

,-HV4783:.,..___ _ _

Containment Spray System Figure E1.2 ToS Pl u-HV-4759 To SFPCS Refueling Water Purification Pumps PUMPS to TXX-21093 Page 45 of 71 Safety ch*ned W ter System Figure E1.3 SFGDs 810' Electrical Switchgear Room SFGDs 852' Electrical Switchgear Room AFW SIP RHR CSP CSP U-2 Safety Chill Water Train "A" Pump Pump Pump Pump Pump Room Room Room Room Room From Unit 2 Train "A" Safety Chill Water System Train "B" AFW SIP RHR CSP CSP Pump Pump Pump Pump Pump Room Room Room Room Room U-2 Safety Chill Water Train "B" CCP ccw Pump Pump Room Room Rx Make-up --.-..--",f-~-...,.....;i_/7'--'---- Demin Water Water Evaporator Train "A" Safety Chiller

,--~-:---'---...,,,---1-~Component Condenser Cooling

'--===_,,.--r-- Water Safety Chill Water Recirc Pump Tr "A" Chem Add Tank Safety Chill Water Recirc Pump Tr "B" to TXX-21093 Page 46 of 71 Table E1-4, Evaluation of Instrument and Control Systems Accident RTS Function ESFAS Function LOP DG Start Equipment Function 15.1 INCREASE IN HEAT REMOVED BY THE SECONDARY SYSTEM Feedwater system

  • Overpower N-16 malfunctions that result
  • Power range high flux in a decrease in
  • Power range high flux
  • High SG level
  • FWIVs malfunctions that result
  • High SG level (P-14) produced in an increase in
  • Manual FWI & Turbine feedwater flow Trio Excessive increase in
  • Power range high flux
  • PRZR Safety secondary steam flow
  • Overtemperature Valves N-16
  • Manual Inadvertent opening of a
  • Low PRZR Press
  • Low PRZR Press
  • Manual
  • Manual Steam system piping
  • Low PRZR Press (Note 1)
  • Low PRZR Press
  • Manual
  • CNTMT Press High 1
  • Manual ESF Equipment
  • AFW System ie SI System to TXX-21093 Page 47 of 71 Table E1-4, Evaluation of Instrument and Control Systems Accident RTS Function ESFAS Function LOP DG Start Equipment Function 15.2 DECREASE IN HEAT REMOVAL BY THE SECONDARY SYSTEM Loss of external
  • High PRZR Press le PRZR Safety electrical load / turbine
  • Manual Loss of non-emergency
  • Low-Low SG level
  • Low-Low SG level Note 2 1e MSSVs AC power to the station
  • Manual (AFW Initiation) auxiliaries Loss of normal feedwater
  • Low-Low SG level
  • Low-Low SG level
  • CNTMT Press Note 1
  • High PRZR Press High 1
  • Feedline isolation
  • Low-Low SG level
  • PRZR Safety
  • Manual
  • Low MSL Press Valves
  • RCS low flow le MSSVs loss of forced reactor
  • RCP underfrequency
  • PRZR Safety shaft seizure (locked
  • Manual Valves rotor)
  • AFW System AFW System le AFW System 1e SI System to TXX-21093 Page 48 of 71 Table E1-4, Evaluation of Instrument a1nd Control Systems Accident RTS Function ESFAS Function LOP DG Start Equipment Function 15.4 REACTIVITY AND POWER DISTRIBUTION ANOMALIES Uncontrolled rod cluster
  • Power range high flux control assembly bank (Low setpoint) withdrawal from a
  • Manual subcritical or low power startup condition Uncontrolled rod cluster
  • Power range high flux
  • PRZR Safety control assembly bank
  • Power range high flux Valves withdrawal at power rate
  • Overtemperature N-16
  • High PRZR Press
  • Manual Rod cluster control
  • Low PRZR Press assembly misalignment
  • Overtemperature N-16
  • Manual Chemical and Volume
  • Source range high
  • Rod insertion limit Control System flux alarms malfunction that results
  • Power range high flux
  • Power range high flux
  • Overtemperature N-16
  • Manual Spectrum of rod cluster
  • Power range high flux control assembly
  • Power range high flux ejection accidents (Low setpoint)
  • Power range high flux rate
  • Manual ESF Equipment to TXX-21093 Page 49 of 71 Table E1-4, Evaluation of Instrument and Control Systems Accident RTS Function ESFAS Function LOP DG Start Equipment Function 15.5 INCREASE IN REACTOR COOLANT INVENTORY Inadvertent operation of
  • Low PRZR Press the ECCS during power
  • Manual operation
  • Low PRZR Press pressurizer safety or
  • Overtemperature relief valve N-16
  • Low PRZR Press
  • Low PRZR Press Note 1
  • SSW System failure
  • Overtemperature
  • Manual
  • Manual
  • PORVs Loss of coolant accidents
  • SSW System resulting from the
  • CCW System spectrum of postulated
  • Emergency Power
  • CNTMT Spray
  • Emergency Power
1. The emergency Diesel Generators (DG) have two automatic starts outside of the starts provided in TS LCO 3.3.5, LOP DG Start Instrumentation; Blackout (undervoltage) and Safety Injection (SI). If the SI is the event initiator the SI starts the DG. If a loss of all offsite power (LOOP) is the event initiator the Blackout will start the DG. The starts provided in LCO 3.3.5 are anticipatory to a loss of offsite power. Separate relays provide the starts form LCO 3.3.5 Functions.

to TXX-21093 Page 50 of 71 Table E1-4, Evaluation of Instrument and Control Systems

2. A loss of non-emergency offsite power will likely be accompanied by a loss of safety related offsite power. If that is so the Blackout (undervoltage) will start the DGs. If the Blackout start malfunctions, then any of the LCO 3.3.5 will start the DGs due to degraded voltage or undervoltage.

to TXX-21093 Page 51 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either 1

Manual Reactor Trip (Two handswitches) 1/2 of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions.

The Power Range Neutron Flux-High trip Function ensures that protection is provided, from all power levels, against a 2.a Power Range Neutron Flux High setpoint 2/4 positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature.

[Required below P-10]

The LCO requirement for the Power Range Neutron Flux-2.b Power Range Neutron Flux Low setpoint 2/4 Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA or an Power Range Neutron Flux Rate High uncontrolled RCCA bank 3

2/4 withdrawal during power (Positive Rate) operation. This Function complements the Power Range Neutron Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range or an uncontrolled RCCA bank withdrawal during power operation.

to TXX-21093 Page 52 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence

[Required above P-6 and below P-10)

The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an 4

Intermediate Range Neutron Flux 1/2 uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function.

[Required below P-6)

The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod 5

Source Range Neutron Flux 1/2 withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux trip Functions.

The Overtemperature N-16 trip Function is provided to ensure that the design limit DNBR is met. The inputs to the 6

Overtemperature N-16 2/4 Overtemperature N-16 trip include pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop N-16 power monitors, assuming full reactor coolant flow.

The Overpower N-16 trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1 % cladding strain) under all 7

Overpower N-16 2/4 possible overpower conditions.

This trip Function also limits the required range of the Overtemperature N-16 trip Function and provides a backup to the Power Range Neutron Flux-High Setpoint trip.

to TXX-21093 Page 53 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence

[Required above P-7]

The Pressurizer Pressure-Low 8.a Pressurizer Pressure Low 2/4 trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing the RCS. This 8.b Pressurizer Pressure High 2/4 trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

[Required above P-7]

The Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High 9

Pressurizer Water Level High 2/3 trip and also provides protection against water relief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their design enerqy removal rate.

[Required above P-8]

The Reactor Coolant Flow-Low trip Function ensures that protection is provided against 10 Reactor Coolant Flow Low (1 of 4 loops) 2/3 violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.

[Required above P-7 and below P-8]

The Reactor Coolant Flow-Low trip Function ensures that 10 Reactor Coolant Flow Low (2 of 4 loops) 2/3 protection is provided against violating the DNBR limit due to low flow in two or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.

to TXX-21093 Page 54 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence

[Required above P-7]

The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit 12 Undervoltage RCPs (1 per RCP) 2/4 due to a loss of flow in two or more RCS loops.

This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low Trip Setpoint is reached.

[Required above P-7]

The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the 13 Underfrequency RCPs (1 per RCP) 2/4 pumps, thereby reducing their coastdown time following a pump trip. An adequate coastdown time is required so that reactor heat can be removed immediately after reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low Trip Setpoint is reached.

The SG Water Level-Low Low trip Function ensures that 14 SG Water Level Low-Low (1 of 4 SGs) 2/4 protection is provided against a loss of heat sink and actuates the AFW System prior to uncoverinQ the SG tubes.

to TXX-21093 Page 55 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence

[Required above P-9]

The Turbine Trip-Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient 16.a Turbine Trip - Low Fluid Oil Pressure 2/3 on the reactor. Any turbine trip from a power level below the P-9 setpoint of 50% power will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip.

[Required above P-9]

The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the 16.b Turbine Trip - Turbine Stop Valve Closure 4/4 stop valves close. This trip Function will not and is not required to operate in the presence of a single channel failure. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure triJ:>. Function.

The SI Input from ESFAS ensures that if a reactor trip has 17 SI signal from ESFAS (2 trains) 1/2 not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any automatic signal that initiates SI.

to TXX-21093 Page 56 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not 18 RTS Interlocks bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES.

The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel 18.a P-6, Intermediate Range Neutron Flux 1/2 goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated.

[Required when P-10 or P-13 :::_

10%]

The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine First Stage 18.b P-7, Low Power Reactor Trip Blocks 1/2 Pressure, P-13 interlock. Above P-7 the following reactor trips are enabled, below P-7 they are blocked automatically;

  • PRZR Pressure Low
  • PRZR Water Level High
  • Underfrequencv RCPs to TXX-21093 Page 57 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence The Power Range Neutron Flux, P-8 interlock is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low reactor trip on low 18.c P-8, Power Range Neutron Flux 2/4 flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than 48% power.

The Power Range Neutron Flux, P-9 interlock is actuated at approximately 50% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip-Low Fluid Oil Pressure and Turbine Trip-Turbine Stop Valve Closure 18.d P-9, Power Range Neutron Flux 2/4 reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacities of the Steam Dump and Rod Control Systems. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The Power Range Neutron Flux, P-10 interlock is actuated at 10% power, as determined by two-out-of-four NIS power 18.e P-10, Power Range Neutron Flux 2/4 range detectors. If power level falls below 10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked.

to TXX-21093 Page 58 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence The Turbine First Stage Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the full P-13, Turbine First Stage Pressure power pressure. The full power 18.f 1/2 pressure corresponds to the first stage pressure at 100%

RTP. The interlock is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, 19 Reactor Trip Breakers (RTB) (2 trains) 1/2 closed, and capable of supplying power to the CRD System. Thus, the train may consist of the main breaker or the main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service.

The trip mechanisms are not required to be OPERABLE for trip breakers that are open, RTB Undervoltage & Shunt Trip racked out, incapable of 20 Mechanisms (1 per RTB) 1/2 supplying power to the Rod Control System or declared inoperable under Function 19.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

to TXX-21093 Page 59 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy-Notes Coincidence The LCO requirement for the RTBs (Functions 19 and 20) and Automatic Trip Logic (Function 21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core.

Each RTB is equipped with an undervoltage coil and a shunt 21 Automatic Trip Logic (2 trains) 1/2 trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

to TXX-21093 Page 60 of 71 Table E1 -6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Provides two primary functions; 1. Remove heat via water 1

Safety Injection addition; and

2. Add boron to recover and maintain core reactivity neqative.

Each handswitch actuates both 1.a Manual (2 handswitches) 1/2 trains. Also initiates a manual reactor trio.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 1.b Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Provides no input to any control functions. Thus, three 1.c Containment Pressure High 1 2/3 OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.

Provides both control and protection functions: input to the 1.d Pressurizer Pressure Low 2/4 Pressurizer Pressure Control System, reactor trip, and SI.

May block below P-11 Provides no input to any control functions. Thus, three OPERABLE channels on each Steam Line Pressure Low (1 of 4 steam steam line are sufficient to 1.e 2/3 satisfy the protective lines) requirements with a two-out-of-three logic on each steam line. May block below P-11 Provides three primary functions:

1. Lower CNTMT pressure &

2 Containment Spray temperature;

2. Reduce CNTMT atmosphere iodine; and
3. Adjust pH of CNTMT sump water after LB LOCA to TXX-21093 Page 61 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train.

Because an inadvertent actuation of containment spray could have such serious 2.a Manual (2/2 handswitches) 1/2 locations consequences, two switches must be turned simultaneously to initiate containment spray.

There are two sets of two switches each in the control room. Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation siqnal.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 2.b Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the CNTMT Spray equipment.

This Function requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of 2.c Containment Pressure High 3 2/4 containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

Four channels are used in a two-out-of-four logic confiquration.

to TXX-21093 Page 62 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate 3

Containment Isolation containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a LB LOCA.

Phase A containment isolation is actuated automatically by SI, or manually via the automatic 3.a Phase A Isolation actuation logic. All process lines penetrating containment, with the exception of CCW (RCP CoolinQ), are isolated.

Accomplished by either of two switches in the control 3.a.(1)

Manual (2 handswitches) 1 /2 locations room. Either switch actuates both trains. Also actuates Containment Ventilation Isolation (CVI).

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 3.a.(2)

Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the Phase A equipment.

3.a.(3)

Safety Injection (Any SI signal)

Initiated by all Functions that initiate SI. (Function 1)

Actuated by Containment 3.b Phase B Isolation Pressure-High 3 or manually.

RCPs need to be secured as CCW will be isolated.

Accomplished by the same switches that actuate Containment Spray. When the 3.b.(1)

Manual (2/2 handswitches) 1 /2 locations two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

to TXX-21093 Page 63 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 3.b.(2)

Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the Phase B equiQment.

This Function requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of 3.b.(3)

Containment Pressure High 3 2/4 containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

Four channels are used in a two-out-of-four logic configuration.

Provides protection in the event of an SLB inside or outside containment. Rapid isolation of 4

Steam Line Isolation the steam lines will limit the steam break accident to the blowdown from one SG, at most.

Accomplished from the control room. There are two switches in 4.a Manual (2 handswitches) 1/2 the control room and either switch can initiate action to immediately close all MSIVs.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 4.b Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the SU equipment.

Actuates closure of the MS IVs in the event of a LOCA or an SLB inside containment to 4.c Containment Pressure High 2 2/3 maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

to TXX-21093 Page 64 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Provides closure of the MS IVs in the event of an SLB to maintain at least one unfaulted 4.d Steam Line Pressure SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

Function provides closure of the MSIVs in the event of a feed 4.d.(1)

Low 2/3 line break to ensure a supply of steam for the turbine driven AFW pump. May block below P-11 Provides closure of the MS IVs for an SLB when less than the P-11 setpoint to maintain at 4.d.(2)

Negative Rate - High (1/4 steam lines) 2/3 least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent 5

Turbine Trip & Feedwater Isolation damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 5.a Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating turbine trip and FWI.

P-14 (Protection Grade Signal) provides protection against 5.b SG Water Level High-High P-14 2/3 excessive feedwater flow.

Trips MFW pumps (1 of 4 SGs)

Trips Main Turbine Generates FWI siqnal 5.c Safety Injection (Any SI signal)

Initiated by all Functions that initiate SI.

Provide a secondary side heat 6

Auxiliary Feedwater sink for the reactor in the event that the MFW System is not available.

to TXX-21093 Page 65 of 71 Table E1-6, Engineered Safety Features Actuation System {ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 6.a Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the AFW equipment.

Provides protection against a loss of heat sink. A feed line 6.c SG Water Level Low-Low ( 1 of 4 SGs) 2/4 break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level.

6.d Safety Injection (Any SI signal)

Initiated by all Functions that initiate SI.

During a loss of offsite power, to both safety related busses feeding the motor driven AFW pumps, the loss of power to the bus feeding the turbine driven AFW pump valve control motor 6.e Loss of Offsite Power (1 per train) 1/2 will start the turbine driven AFW pump to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. Blackout undervoltaqe starts the DGs.

A Trip of all MFW pumps is an indication of a loss of MFW Trip of All Main Feedwater Pumps and the subsequent need for 6.g (2 per pump) 2/2 some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure.

At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the 7

Automatic Switchover to Containment ECCS to remove decay heat.

Sump The source of water for the RHR pumps is semi-automatically switched to the containment recirculation sumos.

to TXX-21093 Page 66 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Requires two trains to be OPERABLE. Actuation logic consists of all circuitry 7.a Automatic Actuation Logic and Actuation 1/2 housed within the actuation Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the Auto-Switchover equipment.

During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low-low level in the 7.b Refueling Water Storage Tank 2/4 RWST coincident with an SI signal provides protection (RWST) Level Low-Low against a loss of water for the ECCS pumps and indicates the end of the ECCS injection phase of the LOCA.

Interlock Functions back up manual actions to ensure by 8

ESFAS Interlocks passable functions are in operation under the conditions assumed in the safety analyses.

The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. The P-4 permissive also prevents re-actuation of safety injection after a manual reset of safety injection following at least a 60 second delay time. This Function allows operators to 8.a P-4, Reactor Trip (1 per train) 1/2 take manual control of SI systems after the initial phase of injection is complete. Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed.

  • FWI with low Tavg
  • Arms Steam Dumps
  • Prevents openinq FWIVs to TXX-21093 Page 67 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy-Notes Coincidence Permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. Below setpoint 8.b P-11, Pressurizer Pressure 2/3 operator can manually block;

  • PRZR Press low SI,
  • Enables MSL Negative rate Above setpoint blocks are automatically removed.

to TXX-21093 Page 68 of 71 Table E1-7, Loss of Power (LOP) Diesel Generator (DG) Start lnstrumentaion Functions Degree of LOP DG Start Function Redundancy-Notes Coincidence Sensing relays for each train feed a network of logic and actuation relays for their 1

Automatic Actuation Logic and Actuation 1/2 respective trains. The network Relays (2 trains) of logic and actuation relays actuate the offsite power source breakers and generator start siqnals.

If not restored to OPERABLE within one hour declare preferred offsite power source 2

Preferred offsite source bus undervoltage 2/2 inoperable and within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> open supply breaker to exit applicability. Requires entry into LCO 3.8.1.

If not restored to OPERABLE within one hour declare alternate offsite power source 3

Alternate offsite source bus undervoltage 2/2 inoperable and within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> open supply breaker to exit applicability. Requires entry into LCO 3.8.1.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage 4

6.9 kV Class 1 E bus undervoltage 2/2 condition occurs in the 6.9kv bus. Group consists of two sensing relays per bus that provide input to two-out-of-two loqic.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage 5

6.9 kV Class 1 E bus degraded voltage 2/2 condition occurs in the 6.9kv bus. Group consists of two sensing relays per bus that provide input to two-out-of-two logic.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage 6

480 V Class 1 E low grid undervoltage 2/2 condition occurs in the 6.9kv bus. Group consists of two sensing relays per bus that provide input to two-out-of-two logic.

to TXX-21093 Page 69 of 71 Table E1-7, Loss of Power (LOP) Diesel Generator (DG) Start lnstrumentaion Functions Degree of LOP DG Start Function Redundancy-Notes Coincidence Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage 7

480 V Class 1 E bus degraded voltage 2/2 condition occurs in the 6.9kv bus. Group consists of two sensing relays per bus that provide input to two-out-of-two loqic.

to TXX-21093 Page 70 of 71 Table E1-8, Event Protection and Diverse Functions Event Primary Protection Diverse/DID Protection Uncontrolled RCCA Bank 2.b. Power Range Neutron Flux

3. Power Range Neutron Flux Withdrawal from Subcritical Low setpoint Rate High (Positive Rate)
4. Intermediate Range Neutron Flux High
5. Source Range Neutron Flux High Uncontrolled RCCA Bank 2.a. Power Range Neutron Flux 8.b. Pressurizer Pressure High Withdrawal at Power High setpoint
9.

Pressurizer Water Level

6.

Overtemperature N-16 High

7.

Overpower N-16 RCCA Drop

6.

Overtemperature N-16 8.b. Pressurizer Pressure High eves Malfunction Resulting in 2.b. Power Range Neutron Flux

6.

Overtemperature N-16 Boron Dilution Low setpoint

7.

Overpower N-16 2.a. Power Range Neutron Flux HiQh setpoint Startup of Inactive Loop

10.

Reactor Coolant Flow Low

12. Undervoltage RCPs (1 of 4 loops above P-9))
13. Underfrequency RCPs
10. Reactor Coolant Flow Low (2 of 4 loops below P-9))

Feedwater Enthalpy Reduction 2.a. Power Range Neutron Flux 8.a. Pressurizer Pressure Low Incident High setpoint

6.

Overtemperature N-16

7.

Overpower N-16 Excessive Feedwater Flow ESF 2.a. Power Range Neutron Flux 5.b. SG Water Level High-High High setpoint (P-14)

6.

Overtemperature N-16

7.

Overpower N-16 16.a.

Low Fluid Oil Pressure 16.b.

Turbine Stop Valve Closure Excessive Load Increase 2.a. Power Range Neutron Flux 8.a. Pressurizer Pressure Low Incident High setpoint

6.

Overtemperature N-16

7.

Overpower N-16 Loss of Flow/Locked Rotor

10. Reactor Coolant Flow Low 8.b. Pressurizer Pressure High (1 of 4 loops above P-9))
12. Undervoltage RCPs
10. Reactor Coolant Flow Low
13. Underfrequency RCPs (2 of 4 loops below P-9))

Loss of External Electrical

6.

Overtemperature N-16

9.

Pressurizer Water Level Load/Turbine Trip

7.

Overpower N-16 High 8.b. Pressurizer Pressure High 16.a.

Low Fluid Oil Pressure 16.b.

Turbine Stop Valve Closure

14. SG Water Level Low-Low ESF 6.c. SG Water Level Low-Low to TXX-21093 Page 71 of 71 Table E1-8, Event Protection and Diverse Functions Event Primary Protection Diverse/DID Protection Loss of Normal Feedwater
14. SG Water Level Low-Low 8.b. Pressurizer Pressure High ESF
9.

Pressurizer Water Level 6.c. SG Water Level Low-Low High Loss of AC Power (Station

14. SG Water Level Low-Low 8.b. Pressurizer Pressure High Blackout)

ESF

9.

Pressurizer Water Level 6.c. SG Water Level Low-Low High Feedwater Linebreak

14. SG Water Level Low-Low
6.

Overtemperature N-16 ESF

7.

Overpower N-16 6.c. SG Water Level Low-Low 8.b. Pressurizer Pressure High

9.

Pressurizer Water Level High ESF 1.e. Steam Line Pressure Low 4.d.(1) Steam Line Pressure Low Steamline Break ESF 2.a.

Power Range Neutron 4.d.(1) Steam Line Pressure Flux High setpoint Low

6.

Overtemperatu re N-16 1.d. Pressurizer Pressure Low

7.

Overpower N-16 ESF 1.c.

Containment Pressure High 1 4.c.

Containment Pressure High 2 RCCA Ejection 2.a. Power Range Neutron Flux

3. Power Range Neutron Flux High setpoint Rate High (Positive Rate)
4. Intermediate Range Neutron Flux High
5. Source Range Neutron Flux High ESF 1.c. Containment Pressure High 1 1.d. Pressurizer Pressure Low Loss of Coolant Accident ESF ESF 1.d. Pressurizer Pressure Low 1.c. Containment Pressure High 1 Steam Generator Tube Rupture
6.

Overtemperature N-16 8.a. Pressurizer Pressure Low

7.

Overpower N-16 ESF 1.d. Pressurizer Pressure Low Spurious SI 8.b. Pressurizer Pressure High The PRZR PORVs and PRZR Safety Valves provide protection during a spurious SI event.

RCS Depressurization 8.a. Pressurizer Pressure Low

6.

Overtemperature N-16 ESF

7.

Overpower N-16 1.d. Pressurizer Pressure Low to TXX-21093 Page 1 of 3 ENCLOSURE 7 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" PBA Model Update Process to TXX-21093 Page 2 of 3 1.0 Introduction Section 4.0, Item 8 of the Nuclear Regulatory Commission's (NRC) Final Safety Evaluation [Ref. 1] for NEI 06-09-A, Revision 0-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS)

Guidelines," [Ref. 2] requires that the license amendment request (LAR) provide a discussion of the licensee's programs and procedures which assure the PRA models which support the RMTS are maintained consistent with the as-built/as-operated plant.

This enclosure describes the administrative controls and procedural processes applicable to configuration control of the PRA model used to support the Risk-Informed Completion Time (RICT) Program, which will be in place to ensure that these models reflect the as-built/as-operated plant. Plant changes, including physical modifications and procedure revisions, will be identified and reviewed prior to implementation to determine if they could impact the PRA models per STA-762 [Ref. 3] and STl-762.02

[Ref. 4]. The configuration control program will ensure these plant changes are incorporated into the PRA models as appropriate. The process will include discovered conditions associated with the PRA models, which will be addressed by the site Corrective Action Program.

Should a plant change or a discovered condition be identified that has a significant impact to the RICT Program calculations as defined by the above procedure, an unscheduled update of the PRA model will be implemented. Otherwise, the PRA model change is incorporated into a subsequent periodic model update. Such pending changes are considered when evaluating other changes until they are fully implemented into the PRA models.

2.0 PRA Model Update Process 2.1 Internal Event, Internal Flood, and Fire PRA Model Maintenance and Update The risk management process ensures that the applicable PRA model used for the RICT Program reflects the as-built/as-operated plant for each of the Comanche Peak units. The PRA configuration control process delineates the responsibilities and guidelines for updating the full power internal events, internal flood, and fire PRA models, and includes both periodic and unscheduled PRA model updates.

The process includes provisions for monitoring potential impact areas affecting the technical elements of the PRA models (e.g., due to plant changes, plant/industry operational experience, or errors or limitations identified in the model), assessing the individual and cumulative risk impact of unincorporated changes, and controlling the model and necessary computer files, including those associated with the Real Time Risk model.

2.2 Review of Plant Changes for Incorporation into the PRA Model

1. Plant changes or discovered conditions are reviewed for potential impact to the PRA models, including the Real Time Risk Monitor model (NEI 06-09-A, Section 2.3.4, Items 7.2 and 7.3, and 2.3.5, Items 9.2 and 9.3).
2. Plant changes that meet the criteria defined in Reference 4 (including consideration of the cumulative impact of other pending changes) will be incorporated in the applicable PRA model(s), consistent with the NEI 06-09-A guidance. Otherwise, the change is assigned a priority and is incorporated at a subsequent periodic update consistent with procedural requirements. (NEI 06 A, Section 2.3.5, Item 9.2) to TXX-21093 Page 3 of 3
3. PRA updates for plant changes are performed at least once every 48 months. A single PRA model is used for both Comanche Peak units. Each Comanche Peak unit has a nominal 18-month refueling cycle; the outages are staggered by approximately 6 to 9 months. Therefore, a standard frequency of 48 months for PRA model updates is specified.

In order to capture input from both units across two refueling cycles it could take between 42 and 45 months based on variations in operating cycles. With CPNPP periodic basis at 48 months we ensure that the update includes two refueling cycles for each unit while not exceeding two refueling cycles on either unit.

4. If a PRA model change is required for the Real Time Risk Monitor model, but cannot be immediately implemented for a significant plant change or discovered condition, either:
a. Interim analyses to address the expected risk impact of the change will be performed. In such a case, these interim analyses become part of the RICT Program calculation process until the plant changes are incorporated into the PRA model during the next update. The use of such bounding analyses is consistent with the guidance of NEI 06-09-A.
b. Appropriate administrative restrictions on the use of the RICT Program for extended Completion Times are put in place until the model changes are completed, consistent with the guidance of NEI 06-09-A.

These actions satisfy NEI 06-09-A, Section 2.3.5, Item 9.3.

3.0 References

1. Letter from Jennifer M. Golder (NRC) to Biff Bradley (NEI), "Final Safety Evaluation for Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06 A, 'Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines,"' dated May 17, 2007 (ADAMS Accession No. ML071200238)
2. Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines," Revision 0-A, dated October 12, 2012 (ADAMS Accession No. ML12286A322)
3. STA-762, "Risk Informed Completion Time Implementation"
4. STl-762.02, "Risk-Informed Completion Times - PRA Model Configuration Control"
Retrieved from "https://kanterella.com/w/index.php?title=CP-202100394,_Supplement_to_License_Amendment_Request_(LAR)_20-006&oldid=5459296"