Text

Supplemental Information No. 2 for R.E. Ginna Nuclear Power Plant to Adopt TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b
	ML22118B143
Person / Time
Site:	Ginna
Issue date:	04/28/2022
From:	David Gudger; Constellation Energy Generation
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML22118B143 (97)
	v • d • e

200 Exelon Way Kennett Square, PA 19348 www.constellation.com 10 CFR 50.90 April 28, 2022 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 R. E. Ginna Nuclear Power Plant Renewed Facility Operating License No. DPR-18 NRC Docket No. 50-244

Subject:

Supplemental Information No. 2 for R.E. Ginna Nuclear Power Plant to Adopt TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times -

RITSTF Initiative 4b.

References:

1. Letter from D. Gudger (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times -

RITSTF Initiative 4b, dated May 20, 2021 (ML21140A324)

2. Letter from V. Sreenivas (Senior Project Manager, U.S. Nuclear Regulatory Commission) R.E. Ginna Nuclear Power Plant - Audit Plan in Support of Review of License Amendment Request Regarding TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4B and 10 CFR 50.69, Risk-Informed Categorization and Treatment of Structures, Systems and Components for Nuclear Power Reactors (EPID L-2021-LLA-0091 and L-2021-LLA-0092), dated August 25, 2021 (ML21222A114)

By letter dated May 20, 2021 (Reference 1), Exelon Generation Company, LLC (Exelon) requested to change the R. E. Ginna Nuclear Power Plant (Ginna) Technical Specification (TS). The proposed amendment would modify TS requirements to permit the use of Risk Informed Completion Times in accordance with TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, (ADAMS Accession No. ML18183A493).

By letter dated August 25, 2021 (Reference 2), the NRC notified Exelon of their intent to conduct a regulatory virtual audit the week of September 13, 2021 with Exelon staff and associated contractors in support of the License Amendment Requests (LARs) in Reference 1.

U.S. Nuclear Regulatory Commission Supplemental Information TSTF-505, Risk-Informed Extended Completion Times Docket No. 50-244 April 28, 2022 Page 2 This letter is a supplement to the Reference 1 LAR. Attachment 1 to this letter provides a response to audit questions from the SNSB branch posed by the NRC staff during the regulatory virtual audit. to this letter provides the revised TS markups to address the requested supplemental information. The information provided in Attachments 1, 2, and 3 to this letter supersedes the information provided in Attachments 2 and 3 of Reference 1. All other information in Attachments 2 and 3 of Reference 1 remains unchanged.

Constellation Energy Generation, LLC (CEG) has reviewed the information supporting a finding of no significant hazards consideration and the environmental consideration provided to the NRC in Reference 1. The responses provided in this letter do not affect the bases for concluding that the proposed license amendment does not involve a significant hazards consideration. Furthermore, the responses provided in this letter do not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendment.

There are no commitments contained in this response.

In accordance with 10 CFR 50.91, "Notice for public comment; State consultation,"

paragraph (b), CEG is notifying the State of New York of this application for license amendment by transmitting a copy of this letter and its attachments to the designated State Official.

Should you have any questions concerning this letter, please contact Jessie Hodge at (610) 765-5532.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 28th day of April 2022.

Respectfully, David T. Gudger Senior Manager - Licensing Constellation Energy Generation, LLC Attachments: 1. Response to NRC Audit Questions

2. Revised Technical Specification Marked-Up Pages (Red Text) 3.

Technical Specification Bases Marked-Up Pages (Red Text) cc:

USNRC Region I, Regional Administrator w/ attachments USNRC Senior Resident Inspector, Ginna USNRC Project Manager, Ginna A. L. Peterson, NYSERDA

ATTACHMENT 1 License Amendment Request R. E. Ginna Nuclear Power Plant Renewed Facility Operating License No. DPR-18 Docket No. 50-244 Response to NRC Audit Questions

Response to NRC Audit Questions License Amendment Request to Adopt Page 1 of 6 Risk Informed Completion Times TSTF-505 Docket No. 50-244

References:

1. Letter from D. Gudger (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times -

RITSTF Initiative 4b, dated May 20, 2021 (ML21140A324)

2. Letter from V. Sreenivas (Senior Project Manager, U.S. Nuclear Regulatory Commission) R.E. Ginna Nuclear Power Plant - Audit Plan in Support of Review of License Amendment Request Regarding TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4B and 10 CFR 50.69, Risk-Informed Categorization and Treatment of Structures, Systems and Components for Nuclear Power Reactors (EPID L-2021-LLA-0091 and L-2021-LLA-0092) dated August 25, 2021 (ML21222A114)

By letter dated May 20, 2021 (Reference 1), Exelon Generation Company, LLC (Exelon) requested to change the R. E. Ginna Nuclear Power Plant (Ginna) Technical Specification (TS). The proposed amendment would modify TS requirements to permit the use of Risk Informed Completion Times in accordance with TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, (ADAMS Accession No. ML18183A493).

By letter dated August 25, 2021 (Reference 2), the NRC notified Exelon of their intent to conduct a regulatory virtual audit the week of September 13, 2021 with Exelon staff and associated contractors in support of the License Amendment Requests (LARs) in Reference

1. The attachment to this letter provides a response to some of the audit questions posed by the NRC staff during the regulatory virtual audit. NOTE: The NRC staffs questions are in italics throughout this attachment to distinguish from the Constellation Energy Generation, LLC (CEG) responses.

SNSB-1 SNSB-1: TS 3.4.11.B and TS 3.4.11.C - One PORV inoperable and One Block Valve Inoperable Ginna Technical Specification Bases 3.4.11 indicates that the pressurizer PORVs and block valves have many safety functions, including (1) providing flow path for depressurization control during a SGTR event, and (2) terminating a small break LOCA (SBLOCA) in the event a pressurizer PORV fails to reclose following actuation.

Discuss whether the following two plant configuration cases would be allowed for the RICT application or not. If they not allowed, specify the references that disallow these cases. If they are allowed, discuss if the cases would result in a loss of the associated function (LOF) discussed above. If the LOF would occur, discuss, and justify the eligibility of Case 1 and Case 2 for applying the RICT program in accordance with the guidelines of the NRC-approved NEI-06-09. Specifically, Condition 3 in the SE approving NEI-06-09 (ADAMS No.

ML12286A322) imposes a restriction that when an LOF of specific safety function for the affected TS system occurs, the RMTS cannot be applied.

Response to NRC Audit Questions License Amendment Request to Adopt Page 2 of 6 Risk Informed Completion Times TSTF-505 Docket No. 50-244

a. Case 1: one PORV is inoperable and closed (allowed by TS 3.4.11.B) and one blocked valve on the other PORV line is inoperable and closed (allowed by TS 3.4.11.C), and

b. Case 2: one PORV is inoperable and open (allowed by TS 3.4.11.B) and one PORV associated blocked valve is inoperable and open (allowed by TS 3.4.11.C).

Additional Comment Page TS B 3.4.11-3 states that The PORV is required to be OPERABLE to mitigate the effects associated with an SGTR and its block valve must be OPERABLE to limit the potential for a small break loss-of-coolant accident through the flow path.

Justify the use of the block valve to control pressurizer pressure for an SGTR to show that the AOR, assuming the PORV for pressurizer pressure control, in Ginna UFSAR Section 15.6.3 remains valid. The requested information should show that the relief capacity of the block valve is equivalent to the PORV, adequate steps of using the block valve for pressurizer pressure control during an SGTR are available in the emergency response procedures or similar procedures, and the operator training data show the required manual actions using the block valve can be completed within the time frames assumed in the SGTR for pressure control using the PORV specified in the following UFSAR Tables:

1. Table 15.6-3: MARGIN TO OVERFILL ANALYSIS (Page 211 of 276)

PORV opened at 47.4 minutes from the SGTR initiation and

PORV closed at 47.9 minutes.

2. Table 15.6-5: OFFSITE RADIATION DOSE ANALYSIS (Page 213 of 276)

PORV opened at 73.2 minutes and

PORV closed at 74.1 minutes.

The licensee stated that the modified TS 3.4.11 is to ensure that there will always be one OPERABLE PORV train, not relying on a block valve for pressure control, in order to implement RICT.

As shown in the modified TS changes above, the operator has an option to perform current RA B.3 and RA C.2, or perform the added RAs (in red). Is there any assurance that the operator will perform the added RAs to meet the intent such that there will always be one OPERABLE PORV train? Should stats be status?

Response

NOTE: Any reference below to a train of Pressure Operated Relief Valve (PORV) and PORV Block Valve is specific to a PORV and its associated PORV Block Valve.

Case 1: one PORV is inoperable and closed (allowed by TS 3.4.11.B) and one blocked valve on the other PORV line is inoperable and closed (allowed by TS 3.4.11.C)

Response -If one PORV is inoperable and the block valve on the other line is inoperable and CLOSED, CEG agrees that this would constitute a loss of function, and RICT could not be applied. CEG has proposed additional conditions as part of

Response to NRC Audit Questions License Amendment Request to Adopt Page 3 of 6 Risk Informed Completion Times TSTF-505 Docket No. 50-244 TS LCO 3.4.11.B and TS 3.4.11.C that require verifying at least one train of PORV and PORV block valve are operable prior to applying RICT to a single inoperable PORV or PORV Block Valve. Case 1 results in a loss of function and RMTS cannot be applied. Specifically, the Steam Generator Tube Rupture Accident assumes one train of PORV and PORV Block Valve is operable to reduce pressure in the event normal Pressurizer Spray Valves are not available. This is also reflected in site Emergency Operating Procedure (EOP) E-3, Steam Generator Tube Rupture, where Step 19.b verifies at least one PORV is available for depressurization.

Additionally, one block valve is verified operable prior to using a PORV for depressurization to ensure the flow path can be isolated should the PORV fail open.

The use of a single PORV train is also described in UFSAR Section 15.6.3.3.3.1 on page 174.

This strategy to reduce RCS pressure below Safety Injection Termination using a PORV and PORV Block Valve criteria aligns to the Tech Spec Basis discussion and is the basis for the proposed Tech Spec change as part of TSTF-505. To summarize, CEG agrees that one train of PORV and PORV Block valve must be operable to apply RMTS to an inoperable PORV or PORV Block Valve. This will ensure that the design basis function of the PORV and PORV Block valve is maintained and a LOF does not occur when applying RMTS.

Case 2: one PORV is inoperable and open (allowed by TS 3.4.11.B) and one PORV associated blocked valve is inoperable and open (allowed by TS 3.4.11.C).

Response - This configuration would not be allowed due to violation of LCO 3.4.13c.A.1, RCS Operational Leakage. With both the PORV and the block valve open, RCS leakage would far exceed 10 gpm. If the PORV and PORV Block valve are on opposite trains, the proposed language added to the Tech Spec would prevent the station from implementing RMTS. In Case 2, an operable train of PORV and PORV Block valve is not available and the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 7 day LCOs per TS 3.4.11B and 3.4.11C would be entered.

See Case 1 response for reference to the design basis accident which requires one train of PORV and PORV Block valve available. Any configuration that does not include one train of PORV and PORV Block valve able to perform its design basis function per Tech Specs is not eligible for RMTS. See also Ginna Tech Spec Basis page 3.4.11-2, bottom paragraph, which states By maintaining two PORVs and their associated block valves OPERABLE, the single failure criterion is satisfied.

Response to additional comment.

We have reviewed our procedures, and the Steam Generator Tube Rupture EOPs verify both an operable PORV and operable PORV Block Valve are available prior to their use for depressurization below Safety Injection Termination criteria. The Ginna submittal will be modified to reflect this position in the RAI-1 response for closure of this issue. The 3.4.11 Tech Specs will be modified to ensure that there will always be one OPERABLE PORV train, not relying on a block valve for pressure control, in order to implement RICT.

Response to NRC Audit Questions License Amendment Request to Adopt Page 4 of 6 Risk Informed Completion Times TSTF-505 Docket No. 50-244 The operators must verify a Train of PORV or PORV Block valve is operable or RICT cannot be used. The wording of Tech Spec as proposed is written to ensure as such. The use of action numbering and AND/OR logic per the tech spec conventions will require the operators to verify a train is operable before the RICT action can be entered. The Tech Spec Basis will be updated to reflect this requirement and RICT Note 2 also specifies that a LOF cannot occur while applying RICT. CEG is confident these levels of defense provide reasonable assurance that the operators will only apply RICT for the PORVs and PORV Block Valves if a LOF has not occurred.

SNSB-2 SNSB-2: TS 3.4.11.C.2 and TS 3.4.11.D.2 - Two PORV BLOCK Valves Inoperable The PORV block valves are used to terminate an SBLOCA in the event a pressurizer PORV fails to reclose following actuation. Page 4 of Attachment 1 to the LAR states that for TS 3.4.11.C.2 and TS 3.4.11.D.2 allowing two block valves inoperable the current completion time to terminate the loss of function (LOF) is 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

Discuss whether the plant configuration for TS 3.4.11.C.2 and TS 3.4.11.D.2 would result in an LOF or not. If an LOF would not occur, discuss, and justify the determination. If an LOF would occur, discuss, and justify the eligibility of TS 3.4.11.C.2 and TS 3.4.11.D.2 for applying the RICT program in accordance with the guidelines of NRC-approved NEI 09. Specifically, Condition 3 in the SE approving NEI-06-09 imposes a restriction that when an LOF of specific safety function for the affected TS system occurs, the RMTS cannot be applied.

Additional Comment Initial SNSB2 response did not include information addressing the applicability of the RMTS to the following plant configurations which were discussed in the response to audit questions:

a. One (TS 3.4.11.C) or Both Block Valves Failed Open (and TS 3.4.11.D)

b. One PORV Failed Open (TS 3.4.11.B) and Two Block Valves Failed Open (TS 3.4.11.D)

c. One PORV Failed Closed (TS 3.4.11.B) and Two Block Valves Inoperable (with the One Associated with the Inoperable PORV Failed Open and the Second One on the Other Line Failed Closed (TS 3.4.11.D))

Response

If both block valves are inoperable and closed, pressurizer relief for a SGTR would not be available. This would constitute a loss of function, and RICT would not apply.

Response to additional comment

Response to NRC Audit Questions License Amendment Request to Adopt Page 5 of 6 Risk Informed Completion Times TSTF-505 Docket No. 50-244 Response a: One block valve Fail Open (FO) (3.4.11.C). RICT only applies if the opposite train PORV is OPERABLE and we verify that the opposite train block valve is OPERABLE (3.4.11.C.2.2.1)

Both block valves FO (3.4.11.D). The term with at least one being open should be deleted, and [INSERT RICT NOTE 2] should be deleted. RICT will not be applied.

Response b: One PORV FO (3.4.11.B) and both block valves FO (3.4.11.D). This configuration is a violation of TS 3.4.13c.A.1 and would not be permitted Response c: One PORV Fail Close (FC) and both block valves inoperable (3.4.11.D). With one PORV FC, and the opposite train block valve inoperable, the proposed Tech Spec wording would not allow RICT to be applied. In this case, the normal Tech Spec LCO times would apply per 3.4.11.

The basic premise of the revised proposed Tech Specs for 3.4.11 is to ensure that there will always be one OPERABLE PORV train available. Any configuration which does not support at least one OPERABLE train consisting of a PORV and associated PORV Block Valve will not be eligible for RICT as shown in the proposed Tech Spec wording.

SNSB-3 SNSB-3: TS 3.5.1.A.1 and TS 3.5.1.B.1 - One accumulator Inoperable Accumulators are part of the emergency core cooling system and provide injection of water for core cooling during an LOCA to meet the acceptance criteria of 10 CFR 5.46. Page 4 of to the LAR states for a large break cold leg LOCA, one accumulator is assumed to spill out the break, while the other provides the required core cooling. Therefore, TS 3.5.1.A.1 and TS 3.5.1.B.1 allowing one inoperable accumulator constitutes an LOF for the specified LOCA.

Since TS 3.5.1.A.1 and TS 3.5.1.B.1 would result in an LOF, discuss, and justify the eligibility of TS 3.5.1.A.1 and TS 3.5.1.B.1 for applying the RICT program in accordance with the guidelines of NRC-approved NEI-06-09. Specifically, Condition 3 in the SE approving NEI-06-09 imposes a restriction that when an LOF of specific safety function for the affected TS system occurs, the RMTS cannot be applied.

Response

CEG agrees that the proposed configuration would result in a loss of function, with one accumulator inoperable and the other accumulator flow bypassing the core. RICT should not be applied to these Technical Specification line items 3.5.1.A.1 and 3.5.1.B.1.

SNSB-4 SNPB-4: TS 3.7.1.A - One or more MSSVs inoperable Demonstrate that the limiting design basis UFSAR Ch. 15 transients have been analyzed, and shown that main steam pressure can be maintained below 110% of design pressure, assuming inoperability of MSSV(s).

Response to NRC Audit Questions License Amendment Request to Adopt Page 6 of 6 Risk Informed Completion Times TSTF-505 Docket No. 50-244

Response

Based on the methodology described in the Ginna UFSAR Ch.15, all 8 Main Steam Safety Valves (MSSVs) are required to mitigate the relevant Design Basis Accidents. Since the use of fewer than 8 MSSVs would constitute a loss of function, RICT should not be applied to Technical Specification line item 3.7.1.A.

SNSB-5 SNSB-5: TS 3.7.4 - Atmospheric Relief Valves (ARVs)

The design basis safety function for the ARVs is cooling the unit to the residual heat removal (RHR) entry conditions for various evets such as the steam generator tube rupture (SGTR). Ginna Final Safety Analysis Report (FSAR), Section 15.6.3 discussed the analysis of the SGTR showing that a loss of function (LOF) of the ARVs would not occur. Page 179 of FSAR Chapter 15 stated in particular for the dose release limiting case that Following termination of tube flow, the intact steam generators ARV is assumed to cool down the plant at the maximum allowable rate of 100 degrees F/hour to a residual heat removal system in-service temperature of 330 degrees F.

The licensee is proposed to apply the risk-informed competition time (RICT) program to TS 3.7.4 Condition A that allows one required ARV line inoperable. Condition A would result in only one required ARV line operable. If an SGTR occurs in the SG with the remaining operable ARV line, the unaffected SGs cannot cooldown the plant because it has no operable ARV and would not be bounded by the limiting case in FSAR, Section 15.6.3.

The NRC-approved NEI-06-09 Rev. 0-A provides guidelines for application of the RICT program. Specifically, Condition 3 in the NRC safety evaluation (Page 10 of 93 in ADAMS no. ML12286A322) approving NEI-06-09 imposes a applicability restriction that when an LOF of specific safety function for the affected TS system occurs, the RMTS cannot be applied.

Provide further analysis to demonstrate how the LCO 3.7.4 ARV safety function will be maintained during a SGTR event with the ARV on the unaffected steam generator inoperable.

Response

UFSAR Chapter 15.6.3 requires that an Atmospheric Relief Valve (ARV) to be available to manually depressurize the steam generator not affected by the SGTR. If the one inoperable ARV were on the steam generator not affected by the SGTR, this criterion could not be met; therefore constituting a loss of function. RICT should thus not be applied to Technical Specification line item 3.7.4.

ATTACHMENT 2 License Amendment Request R. E. Ginna Nuclear Power Plant Renewed Facility Operating License No. DPR-18 Docket No. 50-244 Revised Technical Specification Marked-Up Pages (Red Text)

Pressurizer PORVs 3.4.11 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)

LCO 3.4.11 Each PORV and associated block valve shall be OPERABLE.

APPLICABILITY:

MODES 1, 2, and 3.

ACTIONS

- NOTE -

1.

Separate entry into Condition A is allowed for each PORV.

2.

Separate entry into Condition C is allowed for each block valve.

CONDITION REQUIRED ACTION COMPLETION TIME A.

One or both PORVs OPERABLE and not capable of being automatically controlled.

A.1 Close and maintain power to associated block valve.

OR A.2 Place associated PORV in manual control.

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 1 hour B.

One PORV inoperable.

B.1 Close associated block valve.

AND B.2 Remove power from associated block valve.

AND B.3.1 Restore PORV to OPERABLE status.

OR B.3.2.1 Verify Opposite Train PORV and PORV Block Valve are OPERABLE AND B.3.2.2 Restore PORV to OPERABLE status 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 1 hour 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months 1 hour 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months INSERT RICT NOTE 2

C.

One block valve inoperable.

C.1 Place associated PORV in manual control.

AND C.2.1 Restore block valve to OPERABLE status.

OR C.2.2.1 Verify Opposite Train PORV and PORV Block Valve are OPERABLE AND C.2.2.2 Restore PORV Block Valve to OPERABLE status 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 7 days 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 7 days R.E. Ginna Nuclear Power Plant 3.4.11-1 Amendment 88 INSERT RICT NOTE 2

Pressurizer PORVs 3.4.11 CONDITION REQUIRED ACTION COMPLETION TIME D.

Both block valves inoperable.

D.1 Place associated PORVs in manual control.

AND D.2 Restore at least one block valve to OPERABLE status.

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 72 hours E.

Required Action and associated Completion Time of Condition A, B, C, or D not met.

Be in MODE 3. AND E.2 Be in MODE 4.

6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months 12 hours F.

Two PORVs inoperable.

F.1 AND F.2 AND F.3 AND F.4 Initiate action to restore one PORV to OPERABLE status.

Close associated block valves.

Remove power from associated block valves.

Be in MODE 3 with Tavg

< 500°F.

Immediately 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months 1 hour 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months R.E. Ginna Nuclear Power Plant 3.4.11-2 Amendment 88

ATTACHMENT 3 License Amendment Request R. E. Ginna Nuclear Power Plant Renewed Facility Operating License No. DPR-18 Docket No. 50-244 Revised Technical Specification Bases Marked-Up Pages (Red Text)

RTS Instrumentation B 3.3.1 B 3.3.1-30 Revision 61 R.E. Ginna Nuclear Power Plant Bases - i A.1 Condition A applies to all RTS protection functions. Condition A addresses the situation where one required channel for one or more Functions is inoperable or if both source range channels are inoperable.

The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

When the number of inoperable channels in a trip Function exceed those specified in all related Conditions associated with a trip Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if the trip Function is applicable in the current MODE of operation. This essentially applies to the loss of more than one channel of any RTS Function except with respect to Condition H.

B.1 Condition B applies to the Manual Reactor Trip Function in MODE 1 or 2 and in MODES 3, 4, and 5 with the CRD system capable of rod withdrawal or all rods not fully inserted. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . In this Condition, the remaining OPERABLE channel is adequate to perform the required safety function.

The Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

C.1, C.2, and C.3 If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time of Condition B, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , action must be initiated within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to ensure that all rods are fully inserted, and the Control Rod Drive System must be placed in a condition incapable of rod withdrawal within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . The Completion Times provide adequate time to exit the MODE of Applicability from full power operation in an orderly manner without challenging plant systems based on operating experience.

D.1 Condition D applies to the following reactor trip Functions:

Power Range Neutron Flux-High; Power Range Neutron Flux-Low;

B 3.3.1-32 Revision 102 R.E. Ginna Nuclear Power Plant RTS Instrumentation B 3.3.1 Overtemperature T; Overpower T; Pressurizer Pressure-High; Pressurizer Water Level-High; and SG Water Level-Low Low.

With one channel inoperable, the channel must be restored to OPERABLE status or placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program. Placing the channel in the tripped condition results in a partial trip condition. For the Power Range Neutron Flux-High, Power Range Neutron Flux-Low, Overtemperature T, and Overpower T functions, this results in a one-out-of-three logic for actuation. For the Pressurizer Pressure-High and Pressurizer Water Level-High Functions, this results in a one-out-of two logic for actuation. For the SG Water Level-Low Low Function, this results in a one-out-of-two logic per each affected SG for actuation. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition is consistent with References 11 and 13. Alternatively, a COMPLETION TIME can be determined in accordance with the Risk Informed Completion Time Program.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time specified for functions with installed bypass capability. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass.

The Required Actions have been modified by two Notes. Note 1 allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Functions 2a, 2b, 5, 6, 7b, 8, and 13. Note 2 allows placing the inoperable channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing surveillance testing of other channels. This includes placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. This 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is applied to each of the remaining OPERABLE channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is consistent with References 11 and 13.

E.1 and E.2 Condition E applies to the Intermediate Range Neutron Flux trip Function when THERMAL POWER is below 6% RTP and one channel is inoperable.

Below the P-10 setpoint, the NIS intermediate range detector performs a monitoring and protection function. With one NIS intermediate range channel inoperable, 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is allowed to either reduce THERMAL POWER below 5E-11amps or increase THERMAL POWER above 8% RTP. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above 8% RTP or below 5E-11amps and take into account the redundant capability afforded by the redundant OPERABLE channel, and the

B 3.3.1-33 Revision 102 R.E. Ginna Nuclear Power Plant RTS Instrumentation B 3.3.1 low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel inoperability does not result in reactor trip.

Required Action E.2 is modified by a Note which states that the option to increase THERMAL POWER is not allowed if both intermediate range channels are inoperable or if THERMAL POWER is < 5E-11 amps. This prevents the plant from increasing THERMAL POWER when the trip capability of the Intermediate Range Neutron Flux trip Function is not available.

F.1, F.2, and F.3 Condition F applies to the Source Range Neutron Flux trip Function when in MODE 2 with both Intermediate Range Channels < 5E-11amps. In this Condition, the NIS source range performs the monitoring and protection functions. With two channels inoperable, the RTBs and RTBBs must be opened immediately. With the RTBs and RTBBs opened, the core is in a more stable condition.

With one channel inoperable, operations involving positive reactivity additions shall be suspended immediately. This will preclude any power escalation since with only one source range channel OPERABLE, core protection is severely reduced. The inoperable channel must also be restored within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

Required Action F.2 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.

G.1 If the Required Actions of Condition D, E, or F cannot be met within the specified Completion Times, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

H.1, H.2, and H.3 Condition H applies to an inoperable source range channel in MODE 3, 4, or 5 with the CRD System capable of rod withdrawal or all rods not fully inserted. In this Condition, the NIS source range performs the monitoring and protection functions. With two channels inoperable, at least one channel must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable considering the low probability of an event occurring during this interval.

B 3.3.1-33 Revision 61 R.E. Ginna Nuclear Power Plant RTS Instrumentation B 3.3.1 With one of the source range channels inoperable, operations involving positive reactivity additions must be suspended immediately and 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to restore it to OPERABLE status. The suspension of positive reactivity additions will preclude any power escalation.

Required Action H.2 is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g.,

temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.

I.1 and I.2 If the Source Range trip Function cannot be restored to OPERABLE status within the required Completion Time of Condition H, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, action must be immediately initiated to fully insert all rods. Additionally, the CRD System must be placed in a condition incapable of rod withdrawal within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is sufficient to accomplish the Required Action, and takes into account the low probability of an event occurring during this interval.

J.1 and J.2 Condition J applies when the required Source Range Neutron Flux channel is inoperable in MODE 3, 4, or 5 with the CRD System not capable of rod withdrawal and all rods are fully inserted. In this Condition, the NIS source range performs the monitoring function. With no source range channels OPERABLE, operations involving positive reactivity additions shall be suspended immediately.

Also, the SDM must be verified once within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter as per SR 3.1.1.1, SDM verification. With no source range channels OPERABLE, core protection is severely reduced. Verifying the SDM once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allows sufficient time to perform the calculations and determine that the SDM requirements are met and to ensure that the core reactivity has not changed. Required Action J.1 precludes any positive reactivity additions; therefore, core reactivity should not be increasing, and a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is adequate. The Completion Time of once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is based on operating experience in performing the Required Actions and the knowledge that plant conditions will change slowly.

Required Action J.1 is modified by a Note which permits plant temperature changes provided the temperature change is accounted for in the calculated SDM. Introduction of temperature changes, including temperature increases when a positive MTC exits, must be evaluated to ensure they do not result in a loss of required SDM.

B 3.3.1-38 Revision 10261 R.E. Ginna Nuclear Power Plant RTS Instrumentation B 3.3.1 K.1 Condition K applies to the following reactor trip Functions:

Pressurizer Pressure-Low; Reactor Coolant Flow-Low (Two Loops);

RCP Breaker Position (Two Loops);

Undervoltage-Bus 11A and 11B; and Underfrequency-Bus 11A and 11B.

With one channel inoperable, the inoperable channel must be restored to OPERABLE status or placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program.

Placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip.

The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the channel in the tripped condition is consistent with References 11 and 13 if the inoperable channel cannot be restored to OPERABLE status.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time specified for functions with installed bypass capability. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel(s),

and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition K.

For the Reactor Coolant Flow-Low (Two Loops) Function, Condition K applies on a per loop basis. For the RCP Breaker Position (Two Loops)

Function, Condition K applies on a per RCP basis. This Function (10b) measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Function (10b) requires both breakers to open to cause a reactor trip. However, each breaker position switch has two separate auxiliary contacts: one set of contacts feeds an A train logic relay and the other contact feeds the B train logic relay. Loss of Function is dependent on what component fails. If one reference breaker or one reference breaker position switch is failed, the function will be lost. But if only one set of contacts or one downstream logic component (e.g., relay) fails, then the other set of contacts and logic train will still be able to provide the function. For Undervoltage-Bus 11A and 11B and underfrequency-Bus 11A and 11B, Condition K applies on a per bus basis. This allows one inoperable channel from each loop, RCP, or bus to be considered on a separate condition entry basis.

B 3.3.1-39 Revision 10261 R.E. Ginna Nuclear Power Plant The Required Actions have been modified by two Notes. Note 1 allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Functions 7a and 9b. Note 2 allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing surveillance testing of the other channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is consistent with References 11 and 13. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is applied to each of the remaining OPERABLE channels.

L.1 If the Required Action and Completion Time of Condition K is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in MODE 1 < 8.5% RTP at which point the Function is no longer required. An alternative is not provided for increasing THERMAL POWER above the P-8 setpoint for the Reactor Coolant Flow-Low (Two Loops) and RCP Breaker Position (Two Loops) trip Functions since this places the plant in Condition M.

The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 1 < 8.5% RTP from full power conditions in an orderly manner and without challenging plant systems.

M.1 Condition M applies to the Reactor Coolant Flow-Low (Single Loop) reactor trip Function. Condition M applies on a per loop basis. With one channel per loop inoperable, the inoperable channel must be restored to OPERABLE status or placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel to OPERABLE status or place in trip is consistent with References 11 and 13.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time specified for functions with installed bypass capability. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass.

The Required Actions have been modified by two Notes. Note 1 allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Function 9a. Note 2 allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months while performing surveillance testing of the other channels. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is applied to each of the two OPERABLE channels. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit is consistent with References 11 and 13.

N.1 Condition N applies to the RCP Breaker Position (Single Loop) trip Function. Condition N applies on a per loop basis. This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Each RCP breaker has a position switch. Function (10n) requires both breakers to open to cause a reactor trip. However, each breaker position switch has two separate auxiliary contacts: one set of contacts feeds an A train logic relay and the other set of contacts feeds the B train logic relay. Loss of Function depends on what component fails. If one RCP breaker or one RCP position switch is failed, the Function would be lost. But if only one set

B 3.3.1-40 Revision 10261 R.E. Ginna Nuclear Power Plant of contacts or one logic component (e.g., relay) fails, then the other set of contacts and logic train will still be able to provide the Function.

There is one breaker position device per RCP breaker. With one channel per RCP inoperable, the inoperable channel must be restored to OPERABLE status within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months or within the RICT. The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed to restore the channel to OPERABLE status is consistent with Reference 9.

O.1 If the Required Action and associated Completion Time of Condition M or N is not met, the plant must be placed in a MODE where the Functions are not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced to < 30% RTP within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is consistent with Reference 9.

P.1 Condition P applies to Turbine Trip on Low Autostop Oil Pressure or on Turbine Stop Valve Closure in MODE 1 above the P-9 setpoint. With one channel inoperable, the inoperable channel must be restored to OPERABLE status or placed in the tripped condition within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months or in accordance with the Risk Informed Completion Time Program. If placed in the tripped Condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed to place the inoperable channel in the tripped condition is consistent with Reference 9. Alternatively, a COMPLETION TIME can be determined in accordance with the Risk Informed Completion Time Program.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months while performing surveillance testing of the other channels. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is applied to each remaining OPERABLE channel. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months time limit is consistent with Reference 9.

Q.1, Q.2.1, and Q.2.2 If the Required Action and Associated Completion Time of Condition P are not met, the plant must be placed in a MODE where the Turbine Trip Functions are no longer required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced to < 50% RTP within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is consistent with Reference 9.

The Steam Dump system must also be verified OPERABLE within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months or THERMAL POWER must be reduced to < 8% RTP. This ensures that either the secondary system or RCS is capable of handling the heat rejection following a reactor trip. The Completion Times are reasonable considering the need to perform the actions in an orderly manner and the low probability of an event occurring in this time.

R.1

B 3.3.1-41 Revision 10261 R.E. Ginna Nuclear Power Plant Condition R applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. With one train inoperable, 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months or in accordance with the Risk Informed Completion Time Program is allowed to restore the train to OPERABLE status. These Completion Times of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to restore the train to OPERABLE status is are reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval.

The Required Action has been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing, provided the other train is OPERABLE.

S.1 and S.2 Condition S applies to the P-6, P-7, P-8, P-9, and P-10 permissives. With one channel inoperable, the associated interlock must be verified to be in its required state for the existing plant condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or the associated RTS channel(s) must be declared inoperable. These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on operating experience and the minimum amount of time allowed for manual operator actions.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time specified for functions with installed bypass capability. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass. The Required Actions have been modified by a Note that allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Functions 16c, 16d, and 16e. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months bypass time is consistent with Reference 13.

T.1 Condition T applies to the RTBs in MODES 1 and 2. With one train inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed to restore the train to OPERABLE status. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is based on operating experience and the minimum amount of time allowed for manual operator actions.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is consistent with WCAP-15376-P-A (Reference 12). Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

U.1 and U.2 Condition U applies to the RTB Undervoltage and Shunt Trip Mechanisms (i.e., diverse trip features) in MODES 1 and 2. Condition U applies on a RTB basis. This allows one diverse trip feature to be inoperable on each RTB. However, with two diverse trip features inoperable (i.e., one on each of two different RTBs), at least one diverse trip feature must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable considering the low probability of an event occurring during this time interval.

With one trip mechanism for one RTB inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or in accordance with the Risk

B 3.3.1-42 Revision 10261 R.E. Ginna Nuclear Power Plant Informed Completion Time Program. The affected RTB shall not be bypassed while one of the diverse trip features is inoperable except for the time required to perform maintenance to one of the diverse trip features. The allowable time for performing maintenance of the diverse trip features is 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for the reasons stated under Condition T. These Completion Times of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months for Required Action U.2 is are reasonable considering that in this Condition there is one remaining diverse trip feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

V.1 If the Required Action and Associated Completion Time of Condition R, S, T, or U is not met, the plant must be placed in a MODE where the Functions are no longer required to be OPERABLE. To achieve this status, the plant must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner without challenging plant systems.

It should be noted that for inoperable channels of Functions 16a, 16b, 16c, and 16d, the MODE of Applicability will be exited before Required Action V.1 is completed. Therefore, the plant shutdown may be stopped upon exiting the MODE of Applicability per LCO 3.0.2.

W.1 and W.2 Condition W applies to the following reactor trip Functions in MODE 3, 4, or 5 with the CRD System capable of rod withdrawal or all rods not fully inserted:

RTBs; RTB Undervoltage and Shunt Trip Mechanisms; and Automatic Trip Logic.

With two trip mechanisms inoperable, at least one trip mechanism must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable considering the low probability of an event occurring during this time interval.

With one trip mechanism or train inoperable, the inoperable trip mechanism or train must be restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . For the trip mechanisms, Condition W applies on a RTB basis.

This allows one diverse trip feature to be inoperable on each RTB.

However, with two diverse trip features inoperable (i.e., one on each of two different RTBs), at least one diverse trip feature must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

R.E. Ginna Nuclear Power Plant B 3.3.1-39 Revision 61 RTS Instrumentation B 3.3.1 X.1 and X.2 If the Required Action and Associated Completion Time of Condition W is not met, the plant must be placed in a MODE where the Functions are no longer required. To achieve this status, action be must initiated immediately to fully insert all rods and the CRD System must be incapable of rod withdrawal within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . These Completion Times are reasonable, based on operating experience to exit the MODE of Applicability in an orderly manner.

SURVEILLANCE The SRs for each RTS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. When testing Channel 1, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel 2, Channel 3, and Channel 4 (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies (Ref. 8).

SR 3.3.1.1 A CHANNEL CHECK is required for the following RTS trip functions:

Power Range Neutron Flux-High; Power Range Neutron Flux-Low; Intermediate Range Neutron Flux; Source Range Neutron Flux; Overtemperature T; Overpower T; Pressurizer Pressure-Low; Pressurizer Pressure-High; Pressurizer Water Level-High; Reactor Coolant Flow-Low (Single Loop);

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-40 Revision 77 Reactor Coolant Flow-Low (Two Loops); and SG Water Level-Low Low Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of more serious instrument conditions. A CHANNEL CHECK will detect gross channel failure; thus, it is a verification that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel check acceptance criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.2 This SR compares the calorimetric heat balance calculation to the NIS Power Range Neutron Flux-High channel output. If the calorimetric exceeds the NIS channel output by > 2% RTP, the NIS is still OPERABLE but must be adjusted. If the NIS channel output cannot be properly adjusted, the channel is then declared inoperable.

This SR is modified by a Note which states that this Surveillance is required to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after power is 50% RTP. At lower power levels, calorimetric data are inaccurate.

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-41 Revision 77 In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.3 This SR compares the incore system to the NIS channel output. If the absolute difference is 3%, the NIS channel is still OPERABLE, but must be readjusted. If the NIS channel cannot be properly readjusted, the channel is then declared inoperable. This surveillance is performed to verify the f(I) input to the Overtemperature T Function.

This SR is modified by two Notes. Note 1 clarifies that the Surveillance is required to be performed within 7 days after THERMAL POWER is 50%

RTP but prior to exceeding 90% RTP following each refueling and if it has not been performed within the last 31 EFPD. Note 2 states that performance of SR 3.3.1.6 satisfies this SR since it is a more comprehensive test.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4 This SR is the performance of a TADOT of the RTB, and the RTB Undervoltage and Shunt Trip Mechanisms. This test shall verify OPERABILITY by actuation of the end devices.

The test shall include separate verification of the undervoltage and shunt trip mechanisms except for the bypass breakers which do not require separate verification since no capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.11. However, the bypass breaker test shall include a local shunt trip. This test must be performed on the bypass breaker prior to placing it in service to take the place of a RTB.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-42 Revision 77 SR 3.3.1.5 This SR is the performance of an ACTUATION LOGIC TEST on the RTS Automatic Trip Logic. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. All possible logic combinations, with and without applicable permissives, are tested for each protection function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6 This SR is a calibration of the excore channels to the incore channels. If the measurements do not agree, the excore channels are still OPERABLE but must be calibrated to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are then declared inoperable. This surveillance is performed to verify the f(I) input to the Overtemperature T Function.

A minimum of 2 thimbles per quadrant and sufficient movable incore detectors shall be operable during recalibration of the excore axial off-set detection system. To calibrate the excore detector channels, it is only necessary that the movable incore system be used to determine the gross power distribution in the core as indicated by the power balance between the top and bottom halves of the core.

This SR has been modified by a Note stating that this Surveillance is required to be performed within 7 days after THERMAL POWER is 50%

RTP but prior to exceeding 90% RTP following each refueling.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7 This SR is the performance of a COT for the following RTS functions:

Power Range Neutron Flux-High; Source Range Neutron Flux (in MODE 3, 4, or 5 with CRD System capable of rod withdrawal or all rods not fully inserted);

Overtemperature T; Overpower T; Pressurizer Pressure-Low;

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-43 Revision 89 Pressurizer Pressurizer-High; Pressurizer Water Level-High; Reactor Coolant Flow-Low (Single Loop);

Reactor Coolant Flow-Low (Two Loops); and SG Water Level-Low Low A COT is performed on each required channel to ensure the channel will perform the intended Function. The as-found setpoints must be within the COT Acceptance Criteria specified within plant procedures. The as-left values must be consistent with the setting tolerance used in the setpoint methodology (Ref. 8).

This SR is modified by two Notes. Note 1 provides a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months delay in the requirement to perform this surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the plant is in MODE 3 with the RTBs closed for greater than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , this SR must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after entry into MODE 3.

Note 2 states that the RTS input relays are excluded from this surveillance for these Functions. These Functions have installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.8 This SR is the performance of a COT as described in SR 3.3.1.7 for the Power Range Neutron Flux-Low, Intermediate Range Neutron Flux, and Source Range Neutron Flux (MODE 2), except that this test also includes verification that the P-6 and P-10 interlocks are in their required state for the existing plant condition. This SR is modified by three Notes. Notes 1 and 2 provide a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months delay in the requirement to perform this surveillance. These Notes allow a normal shutdown to be completed and the plant removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency is in accordance with the Surveillance Frequency Control Program if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reducing power below P-10 or P-6.

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-44 Revision 89 Note 3 states that the RTS input relays are excluded from this surveillance for this Function. This Function has installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

The MODE of Applicability for this surveillance is < 6% RTP for the power range low and intermediate range channels and < 5E-11amps for the Source range channels. Once the plant is in MODE 3, this surveillance is no longer required. If power is to be maintained < 6% RTP or < 5E-11amps for more than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , then the testing required by this surveillance must be performed prior to the expiration of the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months limit, unless performed in accordance with the Surveillance Frequency Control Program. Four hours is a reasonable time to complete the required testing or place the plant in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical or after reducing power into the applicable MODE (< 6% RTP or < 5E-11amps) for periods > 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.9 This SR is the performance of a TADOT for the Undervoltage-Bus 11A and 11B and Underfrequency-Bus 11A and 11B trip Functions.

This SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to Bus 11A and 11B undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION required by SR 3.3.1.10. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.10 This SR is the performance of a CHANNEL CALIBRATION for the following RTS Functions:

Power Range Neutron Flux-High; Power Range Neutron Flux-Low; Intermediate Range Neutron Flux; Source Range Neutron Flux; Overtemperature T; Overpower T; Pressurizer Pressure-Low; Pressurizer Pressure-High;

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-45 Revision 77 Pressurizer Water Level-High; Reactor Coolant Flow-Low (Single Loop);

Reactor Coolant Flow-Low (Two Loops);

Undervoltage-Bus 11A and 11B; Underfrequency-Bus 11A and 11B; SG Water Level-Low Low; Turbine Trip-Low Autostop Oil Pressure; and Reactor Trip System Interlocks.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the plant specific setpoint methodology (Ref. 8). The difference between the current as-found values and the previous test as-left values must be consistent with the drift allowance used in the setpoint methodology.

With respect to RTDs, whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors shall include an inplace qualitative assessment of sensor behavior and normal calibration of the remaining adjustable devices in the channel. This is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric and flux map performed above 50% RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the plant must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-46 Revision 89 SR 3.3.1.11 This SR is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from ESFAS trip Functions. This test independently verifies the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.12 This SR is the performance of a TADOT for Turbine Trip Functions which is performed prior to reactor startup if it has not been performed within the last 31 days. This test shall verify OPERABILITY by actuation of the end devices.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

This SR is modified by a Note stating that verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to taking the reactor critical because portions of this test cannot be performed with the reactor at power.

SR 3.3.1.13 SR 3.3.1.13 is modified by a Note. The Note states that the RTS permissive input relays are excluded from this surveillance for the Functions specified. These Functions have installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1 R.E. Ginna Nuclear Power Plant B 3.3.1-47 Revision 102 REFERENCES

1.

Atomic Industry Forum (AIF) GDC 14, Issued for comment July 10, 1967.

2.

10 CFR 50.67.

3.

American National Standard, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," N18.2-1973.

4.

UFSAR, Chapter 7.

5.

UFSAR, Chapter 6.

6.

UFSAR, Chapter 15.

7.

IEEE-279-1971.

8.

EP-3-S-0505, "Instrument Setpoint/Loop Accuracy Calculation Methodology".

9.

WCAP-10271-P-A, Supplement 2, Revision 1, June 1990.

10.

"Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna," WCAP-18298-P, September 2017.

11.

WCAP-14333-P-A, Revision 1, October 1998.

12.

WCAP-15376-P-A, Revision 1, March 2003.

13.

Ginna PRA Analysis for ESFAS/RTS AOT Extension, G1-LAR-005.

RTS Instrumentation B 3.3.1 B 3.3.1-48 Revision 61 R.E. Ginna Nuclear Power Plant Figure B 3.3.1-1

ESFAS Instrumentation B 3.3.2 B 3.3.2-1 Revision 42 R.E. Ginna Nuclear Power Plant B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND Atomic Industrial Forum (AIF) GDC 15 (Ref. 1) requires that protection systems be provided for sensing accident situations and initiating the operation of necessary engineered safety features.

The installed protection and monitoring systems have been designed to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs with respect to these parameters and other reactor system parameters and equipment.

Technical specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytic Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytic Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytic Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The Calculated Trip Setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the Calculated Trip Setpoint accounts for uncertainties in setting the device (e.g. calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the Calculated Trip Setpoint plays an important role in ensuring that SLs are not exceeded. As such, the Calculated Trip Setpoint meets the definition of an LSSS and they are contained in the technical specifications.

Technical specifications contain requirements related to the OPERABILITY of equipment required for safe operation of the facility.

OPERABLE is defined in technical specifications as "...being capable of performing its safety functions(s)." For automatic protective devices, the

ESFAS Instrumentation B 3.3.2 B 3.3.2-2 Revision 42 R.E. Ginna Nuclear Power Plant required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 serves as the OPERABILITY limit for the nominal trip setpoint. However, use of the LSSS (Calculated Trip Setpoint) to define OPERABILITY in technical specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the as-found value of a protective device setting during a surveillance. This would result in technical specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the Calculated Trip Setpoint due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for determining the Calculated Trip Setpoint and thus the automatic protective action would still have ensured that the SL would not be exceeded with the as-found setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to within the tolerance band assumed in the determination of the Calculated Trip Setpoint to account for further drift during the next surveillance interval.

The Nominal Trip Setpoint is the desired setting specified within established plant procedures, and may be more conservative than the Calculated Trip Setpoint. The Nominal Trip Setpoint therefore may include additional margin to ensure that the SL would not be exceeded.

Use of the Calculated Trip Setpoint or Nominal Trip Setpoint to define as-found OPERABILITY, under the expected circumstances described above, would result in actions required by both the rule and technical specifications that are clearly not warranted. However, there is also some point beyond which the OPERABILITY of the device would be called into question, for example, greater than expected drift. This requirement needs to be specified in the technical specifications in order to define the OPERABILITY limit for the as-found trip setpoint and is designated as the Channel Operational Test (COT) Acceptance Criteria.

The COT Acceptance Criteria described in Table 3.3.2-1 serves as a confirmation of OPERABILITY, such that a channel is OPERABLE if the absolute difference between the as-found trip setpoint and the previously as-left trip setpoint does not exceed the assumed COT uncertainty during the performance of the COT. The COT uncertainty is primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a Safety Limit is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established Nominal Trip Setpoint calibration tolerance band, in accordance with the uncertainty assumptions stated in the referenced setpoint methodology

B 3.3.2-3 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned. If the actual setting of the device is found to have exceeded the COT Acceptance Criteria the device would be considered inoperable from a technical specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

The ESFAS instrumentation is segmented into two distinct but interconnected modules as described in UFSAR, Chapter 7 (Ref. 2):

Field transmitters or process sensors; and Signal processing equipment.

These modules are discussed in more detail below.

Field Transmitters and Process Sensors Field transmitters and process sensors provide a measurable electronic signal based on the physical characteristics of the parameter being measured. To meet the design demands for redundancy and reliability, two, three, and up to four field transmitters or sensors are used to measure required plant parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). To account for calibration tolerances and instrument drift, which is assumed to occur between calibrations, statistical allowances are provided. These statistical allowances provide the basis for determining acceptable as-left and as-found calibration values for each transmitter or sensor.

Signal Processing Equipment The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 6 (Ref. 3), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 4). If the measured value of a plant parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the logic relays.

B 3.3.2-4 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant Generally, three or four channels of process control equipment are used for the signal processing of plant parameters measured by the field transmitters and sensors. If a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are typically sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function can still be accomplished with a two-out-of-two logic. If one channel fails in a direction that a partial Function trip occurs, a trip will not occur unless a second channel fails or trips in the remaining one-out-of-two logic.

If a parameter is used for input to the protection system and a control function, four channels with a two-out-of-four logic are typically sufficient to provide the required reliability and redundancy.

This ensures that the circuit is able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Therefore, a single failure will neither cause nor prevent the protection function actuation. These requirements are described in IEEE-279-1971 (Ref. 5).

The actuation of ESF components is accomplished through master and slave relays. The protection system energizes the master relays appropriate for the condition of the plant. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, for that accident. An ESFAS Function may be the primary actuation LCO, AND signal for more than one type of accident. An ESFAS Function may also APPLICABILITY be a secondary, or backup, actuation signal for one or more other accidents. For example, SI-Pressurizer Pressure-Low is a primary actuation signal for small break loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as anticipatory actions to Functions that were credited in the accident analysis (Ref. 4).

This LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is considered OPERABLE when:

B 3.3.2-5 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant

a.

The nominal trip setpoint is equal to or conservative with respect to the LSSS;

b.

The absolute difference between the as-found trip setpoint and the previous as-left trip setpoint does not exceed the COT Acceptance Criteria; and

c.

The as-left trip setpoint is within the established calibration tolerance band about the nominal trip setpoint.

The channel is still operable even if the as-left trip setpoint is non-conservative with respect to the LSSS provided that the as-left trip setpoint is within the established calibration tolerance band as specified in the Ginna Instrument Setpoint Methodology. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of three or four channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single failure disables the ESFAS.

The LCO and Applicability of each ESFAS Function are provided in Table 3.3.2-1. Included on Table 3.3.2-1 are LSSS for all applicable ESFAS Functions. Setpoints in accordance with the LSSS ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the plant is operated within the LCOs, including any Required Actions that are in effect at the onset of the DBA and the equipment functions as designed.

The Calculated Trip Setpoints (which are equal to the LSSS) are based on the Analytical Limits stated in References 2, 3, and 4. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49, the LSSS specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the Analytical Limits. A detailed description of the methodology used to calculate the LSSS is provided in the "Instrument Setpoint/Loop Accuracy Calculation Methodology" (Ref. 6). The magnitudes of these uncertainties are factored into the determination of each trip setpoint and corresponding COT Acceptance Criteria.

However, it should be noted that the COT Acceptance Criteria does not include the instrument setting tolerance. The COT Acceptance Criteria serves as the technical specification OPERABILITY limit for the purpose of the COT. If the absolute difference between the as-found trip setpoint

B 3.3.2-6 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant and the previous as-left trip setpoint does not exceed the COT Acceptance Criteria, the bistable is considered OPERABLE.

The Nominal Trip Setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration. The Nominal Trip Setpoint value ensures the LSSS and the safety analysis limits are met for surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the as-left trip setpoint is within the tolerance band assumed in the uncertainty analysis. The bistable is still operable even if the as-left trip setpoint is non-conservative with respect to the LSSS provided that the as-left trip setpoint is within the established calibration tolerance band as specified in the Ginna Instrument Setpoint Methodology.

Trip setpoints consistent with the requirements of the LSSS ensure that SLs are not violated during DBAs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOss at the onset of the DBA and the equipment functions as designed).

The required channels of ESFAS instrumentation provide plant protection in the event of any of the analyzed accidents. ESFAS protection functions provided in Table 3.3.2-1 are as follows:

1.

Safety Injection Safety Injection (SI) provides two primary functions:

1.

Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200ºF); and

2.

Boration to ensure recovery and maintenance of SDM (keff

< 1.0).

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment.

The SI signal is also used to initiate other Functions such as:

Containment Isolation; Containment Ventilation Isolation; Reactor Trip; Feedwater Isolation; and Start of motor driven auxiliary feedwater (AFW) pumps.

B 3.3.2-7 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant These other functions ensure:

Isolation of nonessential systems through containment penetrations; Trip of the reactor to limit power generation; Isolation of main feedwater (MFW) to limit secondary side mass losses; and Start of AFW to ensure secondary side cooling capability.

a.

Safety Injection-Manual Initiation This LCO requires one channel per train to be OPERABLE in MODES 1, 2, 3, and 4. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. The operator can initiate SI at any time by using either of two pushbuttons on the main control board. This action will cause actuation of all components with the exception of Containment Isolation.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one pushbutton and the interconnecting wiring to the actuation logic cabinet. Each pushbutton actuates both trains. This configuration does not allow testing at power.

This function is not required to be OPERABLE in MODES 5, and 6 because there is adequate time for the operator to evaluate plant conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.

Plant pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of plant systems.

b.

Safety Injection-Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE in MODES 1, 2, 3, and 4. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Actuation logic consists of all circuitry housed within the actuation subsystems, including

B 3.3.2-8 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant the initiating relay contacts responsible for actuating the ESF equipment.

This Function is not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate plant conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.

Plant pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of plant systems.

c.

Safety Injection-Containment Pressure-High This signal provides protection against the following accidents:

SLB inside containment; LOCA; and Feed line break inside containment.

Containment Pressure-High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.

PT-945, PT-947, and PT-949 are the three channels required for this function. The transmitters and electronics are located outside of containment with the sensing lines passing through containment penetrations to sense the containment atmosphere in three different locations.

Thus, the high pressure Function will not experience any adverse environmental conditions and the LSSS reflects only steady state instrument uncertainties.

Containment Pressure-High must be OPERABLE in MODES 1, 2, 3, and 4 because there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 5 and 6, Containment Pressure-High is not required to be OPERABLE because there is insufficient energy in the primary or secondary systems to pressurize the containment.

B 3.3.2-9 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant

d.

Safety Injection-Pressurizer Pressure-Low This signal provides protection against the following accidents:

Inadvertent opening of a steam generator (SG) atmospheric relief or safety valve; SLB; Rod cluster control assembly ejection accidents (rod ejection);

Inadvertent opening of a pressurizer relief or safety valve; LOCAs; and SG Tube Rupture.

Since there are dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements. PT-429, PT-430, and PT-431 are the three channels required for this function.

The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Due to the rapid nature of the events, the LSSS reflects the inclusion of only steady state instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above the Pressurizer Pressure interlock) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the interlock setpoint. Automatic SI actuation below this interlock setpoint is performed by the Containment Pressure-High signal.

This function is not required to be OPERABLE in MODE 3 below the Pressurizer Pressure interlock setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

ESFAS Instrumentation B 3.3.2 B 3.3.2-10 Revision 42 R.E. Ginna Nuclear Power Plant

e.

Safety Injection-Steam Line Pressure-Low Steam Line Pressure-Low provides protection against the following accidents:

SLB; Feed line break; and Inadvertent opening of an SG atmospheric relief or an SG safety valve.

Steam line pressure transmitters provide control input, but the control function cannot initiate events that the Function acts to mitigate. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line. PT-468, PT-469, and PT-482 are the three channels required for steam line A.

PT-478, PT-479, and PT-483 are the three channels required for steam line B. Each steam line is considered a separate function for the purpose of this LCO. The loss of inverter MQ-483 requires declaring PT-479 inoperable.

With the transmitters located in the Intermediate Building, it is possible for them to experience adverse environmental conditions during a secondary side break. Due to the rapid nature of the events, the LSSS reflects only steady state instrument uncertainties.

Steam Line Pressure-Low must be OPERABLE in MODES 1, 2, and 3 (above The Pressurizer Pressure interlock) when a secondary side break or stuck open SG atmospheric relief or safety valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the interlock setpoint. Below the interlock setpoint, a feed line break is not a concern. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the plant to cause an accident.

ESFAS Instrumentation B 3.3.2 B 3.3.2-11 Revision 42 R.E. Ginna Nuclear Power Plant

2.

Containment Spray (CS)

CS provides three primary functions:

1.

Lowers containment pressure and temperature after an HELB in containment;

2.

Reduces the amount of radioactive iodine in the containment atmosphere; and

3.

Adjusts the pH of the water in containment sump B after a large break LOCA.

These functions are necessary to:

Ensure the pressure boundary integrity of the containment structure; Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure; and Minimize corrosion of the components and systems inside containment following a LOCA.

CS is actuated manually or by Containment Pressure-High High.

The CS actuation signal starts the CS pumps and aligns the discharge of the pumps to the CS nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the CS pumps and mixed with a sodium hydroxide solution from the spray additive tank. During the recirculation phase of accident recovery, the spray pump suctions are manually shifted to containment sump B if continued CS is required.

a.

CS-Manual Initiation The operator can initiate CS at any time from the control room by simultaneously depressing two CS actuation pushbuttons.

Because an inadvertent actuation of CS could have serious consequences, two pushbuttons must be simultaneously depressed to initiate both trains of CS. Therefore, the inoperability of either pushbutton fails both trains of manual initiation.

Manual initiation of CS must be OPERABLE in MODES 1, 2, 3, and 4 because a DBA could cause a release of radioactive material to containment and an increase in containment temperature and pressure requiring the operation of the CS System.

ESFAS Instrumentation B 3.3.2 B 3.3.2-12 Revision 42 R.E. Ginna Nuclear Power Plant In MODES 5 and 6, this function is not required to be OPERABLE because the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. In MODES 5 and 6, there is also adequate time for the operators to evaluate plant conditions and respond to mitigate the consequences of abnormal conditions by manually starting individual components.

b.

CS-Automatic Actuation Logic and Actuation Relays Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Automatic initiation of CS must be OPERABLE in MODES 1, 2, 3, and 4 because a DBA could cause a release of radioactive material to containment and an increase in containment temperature and pressure requiring the operation of the CS System.

In MODES 5 and 6, this Function is not required to be OPERABLE because the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. In MODES 5 and 6, there is also adequate time for the operators to evaluate plant conditions and respond to mitigate the consequences of abnormal conditions by manually starting individual components.

c.

CS-Containment Pressure-High High This signal provides protection against a LOCA or an SLB inside containment. The transmitters are located outside of containment with the sensing lines passing through containment penetrations to sense the containment atmosphere in three different locations. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions and the LSSS reflects only steady state instrument uncertainties.

This is the only ESFAS Function that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate CS, since the consequences of an inadvertent actuation of CS could be serious.

B 3.3.2-13 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant The Containment Pressure-High High instrument function consists of two sets with three channels in each set. One set is comprised of PT-945, PT-947, and PT-949. The second set is comprised of PT-946, PT-948, and PT-950. Each set is a two-out-of-three logic where the outputs are combined so that both sets tripped initiates CS. Each set is considered a separate function for the purposes of this LCO. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip. Containment Pressure-High High must be OPERABLE in MODES 1, 2, 3 and 4 because a DBA could cause a release of radioactive material to containment and an increase in containment temperature and pressure requiring the operation of the CS System. The loss of inverter MQ-483 requires declaring PT-950 inoperable.

In MODES 5 and 6, this Function is not required to be OPERABLE because the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. In MODES 5 and 6, there is also adequate time for the operators to evaluate plant conditions and respond to mitigate the consequences of abnormal conditions by manually starting individual components.

3.

Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and selected process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a LOCA.

Containment Isolation signals isolate all automatically isolatable process lines, except feedwater lines, main steam lines, and component cooling water (CCW). The main feedwater and steam lines are isolated by other functions since forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to support RCP operation, not isolating CCW enhances plant safety by allowing operators to use forced RCS circulation to cool the plant. Isolating CCW may require the use of feed and bleed cooling, which could prove more difficult to control.

B 3.3.2-14 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant

a.

Containment Isolation-Manual Initiation Manual Containment Isolation is actuated by either of two pushbuttons on the main control board. Either pushbutton actuates both trains. Manual initiation of Containment Isolation also actuates Containment Ventilation Isolation.

Manual initiation of Containment Isolation must be OPERABLE in MODES 1, 2, 3 and 4, because there is a potential for an accident to occur.

In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Containment Isolation. There also is adequate time for the operator to evaluate plant conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

Containment Isolation-Manual Initiation is required to be OPERABLE during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, since it provides actuation of Containment Ventilation Isolation (LCO 3.3.5). Under these conditions, the potential exists for an accident that could release fission product radioactivity into containment.

b.

Containment Isolation-Automatic Actuation Logic and Actuation Relays Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Automatic initiation of Containment Isolation must be OPERABLE in MODES 1, 2, 3 and 4, because there is a potential for an accident to occur.

In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Containment Isolation. There also is adequate time for the operator to evaluate plant conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

B 3.3.2-15 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2

c.

Containment Isolation-Safety Injection Containment Isolation is also initiated by all Functions that automatically initiate SI. The Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all applicable automatic initiating Functions and requirements.

4.

Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Closure of the main steam isolation valves (MSIVs) and their associated non-return check valves limits the accident to the blowdown from only the affected SG. For a SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.

Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

a.

Steam Line Isolation-Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two actuation devices (one pushbutton and one switch) on the main control board for each MSIV. Each device can initiate action to immediately close its respective MSIV. The LCO requires one channel (device) per loop to be OPERABLE. Each loop is not considered a separate function since there is only one required per loop.

Manual initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 because a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless both MSIVs are closed and de-activated. In MODES 4, 5, and 6, the steam line isolation function is not required to be OPERABLE because there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

B 3.3.2-16 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2

b.

Steam Line Isolation-Automatic Actuation Logic and Actuation Relays Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 because a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless both MSIVs are closed and de-activated. In MODES 4, 5, and 6, the steam line isolation function is not required to be OPERABLE because there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

c.

Steam Line Isolation-Containment Pressure-High High This Function actuates closure of both MSIVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters are located outside containment with the sensing lines passing through containment penetrations to sense the containment atmosphere in three different locations. Thus, they will not experience any adverse environmental conditions, and the LSSS reflects only steady state instrument uncertainties. Containment Pressure-High High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic. PT-946, PT-948, and PT-950 are the three channels required for this function.

The loss of inverter MQ-483 requires declaring PT-950 inoperable.

Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3, because there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The steam line isolation Function must be OPERABLE in MODES 2 and 3 unless both MSIVs are closed and de-activated. In MODES 4, 5, and 6 the steam line isolation Function is not required to be OPERABLE because there is not enough energy in the

B 3.3.2-17 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 primary and secondary sides to pressurize the containment to the Containment Pressure-High High setpoint.

d.

Steam Line Isolation-High Steam Flow Coincident With Safety Injection and Coincident With Tavg-Low This Function provides closure of the MSIVs during an SLB or inadvertent opening of multiple SG atmospheric relief or safety valves to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

The specified Limiting Safety System Setting (LSSS) is based on steam line breaks occurring from no load conditions (1005 psig). Specifically, steam line breaks which result in a steam flow analytical limit of > 1.50E6 Ibm/hr are considered. The steam flow signal to this function's bistables are not pressure compensated (i.e.,

only the main control board indicators are compensated).

However, the high steam flow bistable setpoint is determined from the expected flow transmitter differential pressure under steam conditions of 1.50E6 Ibm/hr at 1005 psig. Steam breaks which result in higher flowrates or lower pressure generate larger differential pressures such that the high steam flow bistables would be tripped. Steam line breaks which result in < 1.50E6 Ibm/hr do not require automatic action to isolate. The high steam flow bistables are OPERABLE if they are placed in the tripped condition since the specified LSSS are met. However, all applicable surveillances related to the tripped channel must continue to be performed and met.

Two steam line flow channels per steam line are required to be OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. FT-464 and FT-465 are the two channels required for steam line A. FT-474 and FT-475 are the two channels required for steam line B. Each steam line is considered a separate function for the purpose of this LCO. The steam flow transmitters provide control inputs, but the control function cannot initiate events that the function acts to mitigate. Therefore, additional channels are not required to address control protection interaction issues. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.

B 3.3.2-18 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 With the transmitters (d/p cells) located inside containment, it is possible for them to experience adverse environmental conditions during an SLB event. Due to the rapid nature of the event, the LSSS reflects only steady state instrument uncertainties.

The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all applicable initiating functions and requirements.

Two channels of Tavg per loop are required to be OPERABLE for this Function. TC-401 and TC-402 are the two channels required for RCS loop A. TC-403 and TC-404 are the two channels required for RCS loop B. Each loop is considered a separate Function for the purpose of this LCO. The Tavg channels are combined in a logic such that any two of the four Tavg channels tripped in conjunction with SI and one of the two high steam line flow channels tripped causes isolation of the steam line associated with the tripped steam line flow channels. The accidents that this Function protects against cause reduction of Tavg in the entire primary system.

Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single failure disables the Tavg-Low Function. The Tavg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate. Therefore, additional channels are not required to address control protection interaction issues.

This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless both MSIVs are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the plant to have an accident.

B 3.3.2-19 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant

e.

Steam Line Isolation-High High Steam Flow Coincident With Safety Injection This Function provides closure of the MSIVs during a large steam line break to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

The specified LSSS is based on steamline breaks occurring from full power steam conditions which result in 155% RTP analytical limit steam flow. The steam flow signal to this function's bistables are not pressure compensated (i.e., only the main control board indicators are compensated).

However, the high-high steam flow bistable setpoint is determined from the expected flow transmitter differential pressure under steam conditions of 4.53E6 Ibm/hr at 785 psig. Steam breaks which result in higher flowrates or lower pressure generate larger differential pressures such that the high-high steam flow bistables would be tripped.

Two steam line flow channels per steam line are required to be OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high-high steam flow in one steam line. FT-464 and FT-465 are the two channels required for steam line A. FT-474 and FT-475 are the two channels required for steam line B. Each steam line is considered a separate function for the purpose of this LCO.

The steam flow transmitters provide control inputs, but the control function cannot initiate events that the Function acts to mitigate. Therefore, additional channels are not required to address control protection interaction issues.

The main steam lines isolate only if the high-high steam flow signal occurs coincident with an SI signal. Steamline isolation occurs only for the steam line associated with the tripped steam flow channels. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all applicable initiating functions and requirements.

This Function must be OPERABLE in MODES 1, 2, and 3 because a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless both MSIV's are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the plant to have an accident.

ESFAS Instrumentation B 3.3.2 B 3.3.2-20 Revision 42 R.E. Ginna Nuclear Power Plant

5.

Feedwater Isolation The primary function of the Feedwater Isolation signals is to prevent and mitigate the effects of highwater level in the SGs which could cause carryover of water into the steam lines and result in excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows.

This Function is actuated by either a SG Water Level-High or an SI signal. The Function provides feedwater isolation by closing the Main Feedwater Regulating Valves (MFRVs) and the associated bypass valves. In addition, on an SI signal, the AFW System is automatically started, the MFIVs are closed, and the MFW pump breakers are opened which closes the MFW pump discharge valves. The SI signal was discussed previously.

a.

Feedwater Isolation-Automatic Actuation Logic and Actuation Relays Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Automatic initiation must be OPERABLE in MODES 1, 2, and

3. The Feedwater Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MFRVs and associated bypass valves are closed and de-activated or isolated by a closed manual valve. In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

b.

Feedwater Isolation-Steam Generator Water Level-High The Steam Generator Water Level-High Function must be OPERABLE in MODES 1, 2, and 3. The Feedwater Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MFRVs and associated bypass valves are closed and de-activated or isolated by a closed manual valve. In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

ESFAS Instrumentation B 3.3.2 B 3.3.2-21 Revision 42 R.E. Ginna Nuclear Power Plant This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements. LT-461, LT-462, and LT-463 are the three channels required for SG A. LT-471, LT-472, and LT-473 are the three channels required for SG B. Each SG is considered a separate Function for the purpose of this LCO. The LSSS for SG Water Level-High is a percent of narrow range instrument span.

c.

Feedwater Isolation-Safety Injection The Safety Injection Function must be OPERABLE in MODES 1, 2, and 3. The Feedwater Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MFRVs and associated bypass valves are closed and de-activated or isolated by a closed manual valve. In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.

6.

Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available.

The preferred system has two motor driven pumps and a turbine driven pump, making it available during normal plant operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break (depending on break location). A Standby AFW (SAFW) System is also available in the event the preferred system is unavailable. The normal source of water for the AFW System is the condensate storage tank (CST) which is not safety related.

Upon a low level in the CST the operators can manually realign the pump suctions to the Service Water (SW) System which is the safety related water source. The SW System also is the safety related water source for the SAFW System. The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately while the SAFW System is only manually initiated and aligned.

ESFAS Instrumentation B 3.3.2 B 3.3.2-22 Revision 42 R.E. Ginna Nuclear Power Plant

a.

Auxiliary Feedwater-Manual Initiation The operator can initiate AFW or SAFW at any time by using control switches on the Main Control board (one switch for each pump in each system). This action will cause actuation of their respective pump.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained to ensure the operator has manual AFW and SAFW initiation capability.

The LCO requires one channel per pump in each system to be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. In MODE 4, AFW actuation is not required to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation. This Function is not required to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

b.

Auxiliary Feedwater-Automatic Actuation Logic and Actuation Relays Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Automatic initiation of Auxiliary Feedwater must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. In MODE 4, AFW actuation is not required to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation. This Function is not required to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

B 3.3.2-23 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2

c.

Auxiliary Feedwater-Steam Generator Water Level-Low Low SG Water Level-Low Low must be OPERABLE in MODES 1, 2, and 3 to provide protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low Low in either SG will cause both motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level-Low Low in both SGs will cause the turbine driven pump to start. In MODE 4, AFW actuation is not required to be OPERABLE because either AFW or RHR will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation. This Function is not required to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

LT-461, LT-462, and LT-463 are the three channels required for SG A. LT-471, LT-472, and LT-473 are the three channels required for SG B. Each SG is considered a separate Function for the purpose of this LCO. The LSSS for SG Water Level - Low Low is a percent of narrow range instrument span.

With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the LSSS reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

d.

Auxiliary Feedwater-Safety Injection The SI function must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. In MODE 4, AFW actuation is not required to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.

This Function is not required to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

B 3.3.2-24 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all applicable initiating functions and requirements.

e.

Auxiliary Feedwater-Undervoltage-Bus 11A and 11B The Undervoltage-Bus 11A and 11B Function must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. In MODE 4, AFW actuation is not required to be OPERABLE because either AFW or RHR will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation. This Function is not required to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

A loss of power to 4160 V Bus 11A and 11B will be accompanied by a loss of power to both MFW pumps and the subsequent need for some method of decay heat removal.

The loss of offsite power is detected by a voltage drop on each bus. Loss of power to both buses will start the turbine driven AFW pump to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. Each bus is considered a separate Function for the purpose of this LCO.

f.

Auxiliary Feedwater-Trip Of Both Main Feedwater Pumps A trip of both MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal. The MFW pumps are equipped with a breaker position sensing device. An open supply breaker indicates that the pump is not running. Two OPERABLE channels per MFW pump satisfy redundancy requirements with two-out-of-two logic. Each MFW pump is considered a Separate Function for the purpose of this LCO. A trip of both MFW pumps starts both motor driven AFW (MDAFW) pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor. However, this actuation of the MDAFW pumps is not credited in the mitigation of any accident.

B 3.3.2-25 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant This Function must be OPERABLE in MODE 1. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 2, 3, 4, 5, and 6 the MFW pumps may not be in operation, and thus pump trip is not indicative of a condition requiring automatic AFW initiation.

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

In the event a channel's trip setpoint is found nonconservative with respect to the COT Acceptance Criteria specified in plant procedures, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. As shown on Figure B 3.3.2-1, the ESFAS is comprised of multiple interconnected modules and components. For the purpose of this LCO, a channel is defined as including all related components from the field instrument to the Automatic Actuation Logic. Therefore, a channel may be inoperable due to the failure of a field instrument, loss of 120 VAC instrument bus power or a bistable failure which affects one or both ESFAS trains. The only exception to this are the Manual ESFAS and Automatic Actuation Logic Functions which are defined strictly on a train basis. The Automatic Actuation Logic consists of all circuitry housed within the actuation subsystem, including the master relays, slave relays, and initiating relay contacts responsible for activating the ESF equipment.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one channel or train for one or more Functions are inoperable. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

When the number of inoperable channels in an ESFAS Function exceed those specified in all related Conditions associated with an ESFAS Function, then the plant is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if the ESFAS function is applicable in the current MODE of operation.

B 3.3.2-26 Revision 42 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant B.1 Condition B applies to the AFW-Trip of Both MFW Pumps ESFAS Function (6f). Each MFW pump breaker is equipped a position sensing device. Both breakers need to trip to start both MDAFW pumps. The two-out-of-two logic requires both a MFW pump A breaker contact and a MFW pump B breaker contact to close. However, each breaker position switch has two separate auxiliary contacts: one set of contacts feeds one train of two-out-of-two logic and the other set of contacts feeds the second train of two-out-of-two logic. If one set of contacts or one downstream logic component (e.g., relay) fails, then the other set of contacts and logic train will provide the Function. If a channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or in accordance with the Risk Informed Completion Time Program is allowed to return it to OPERABLE status.

The specified Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is reasonable considering the nature of this Function, the available redundancy, and the low probability of an event occurring during this interval.

C.1 If the Required Action and Completion Time of Condition B is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion time is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

D.1 Condition D applies to the following ESFAS Functions:

Manual Initiation of SI; Manual Initiation of Steam Line Isolation; and AFW-Undervoltage-Bus 11A and 11B.

If a channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or in accordance with the Risk Informed Completion Time Program is allowed to restore it to OPERABLE status. The specified Completion Times of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months isare reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE for each manual initiation Function, additional AFW actuation channels available besides the Undervoltage-Bus 11A and 11B AFW Initiation Function, and the low probability of an event occurring during this interval.

E.1 Condition E applies to the automatic actuation logic and actuation relays for the following ESFAS Functions:

Steam Line Isolation; Feedwater Isolation; and AFW.

B 3.3.2-27 Revision 102 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 Condition E addresses the train orientation of the protection system and the master and slave relays. If one train is inoperable, a Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed to restore the train to OPERABLE status. This Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this time interval. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is consistent with Reference 7. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

F.1 Condition F applies to the following Functions:

Steam Line Isolation-Containment Pressure-High High; Steam Line Isolation-High Steam Flow Coincident With Safety Injection and Coincident With Tavg -Low; Steam Line Isolation-High-High Steam Flow Coincident With Safety Injection; Feedwater Isolation-SG Water Level-High; and AFW-SG Water Level-Low Low.

Condition F applies to Functions that typically operate on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

If one channel is inoperable, a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program is allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Placing the channel in the Tripped condition conservatively compensates for the inoperability, restores capability to accommodate a single failure, and allows operation to continue.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time specified for functions with installed bypass capability. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass.

The Required Actions are modified by two Notes. Note 1 allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Functions 4c, 5b, and 6c. Note 2 allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. This 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months applies to each of the remaining OPERABLE channels.

The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel to OPERABLE status or to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for testing, are justified in Reference

9. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

B 3.3.2-28 Revision 42 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 G.1 If the Required Actions and Completion Times of Conditions D, E, or F are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

H.1 Condition H applies to the following ESFAS functions:

Manual Initiation of CS; and Manual Initiation of Containment Isolation.

If a channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months or in accordance with the Risk Informed Completion Time Program is allowed to restore it to OPERABLE status. These specified Completion Times of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months isare reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE for each Function (except for CS Function (2a)) and the low probability of an event occurring during this interval. Because manual actuation of CS requires operation of 2/2 pushbuttons, RICT cannot be applied to that function.

I.1 Condition I applies to the automatic actuation logic and actuation relays for the following Functions:

SI; CS; and Containment Isolation.

Condition I addresses the train orientation of the protection system and the master and slave relays. If one train is inoperable, a Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is allowed to restore the train to OPERABLE status. This Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is consistent with Reference 7.

Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

B 3.3.2-29 Revision 102 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 J.1 Condition J applies to the following Functions:

SI-Containment Pressure-High; and CS-Containment Pressure-High High.

Condition J applies to Functions that operate on a two-out-of-three logic (for CS-Containment Pressure-High High there are two sets of this logic).

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

If one channel is inoperable, a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program is allowed to restore the channel to OPERABLE status or place it in the tripped condition. Placing the channel in the tripped condition conservatively compensates for the inoperability, restores capability to accommodate a single failure, and allows operation to continue.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time specified for functions with installed bypass capability. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass.

The Required Action is modified by two Notes. Note 1 allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Function 1c. Note 2 allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months applies to each of the remaining OPERABLE channels.

The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the inoperable channel or place it in trip, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing is justified in Reference 10. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

K.1 If the Required Actions and Completion Times of Conditions H, I, or J are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

L.1 Condition L applies to the following Functions:

SI-Pressurizer Pressure-Low; and SI-Steam Line Pressure-Low.

ESFAS Instrumentation B 3.3.2 B 3.3.2-30 Revision 102 R.E. Ginna Nuclear Power Plant Condition L applies to Functions that operate on a two-out-of-three logic.

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

If one channel is inoperable, a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program is allowed to restore the channel to OPERABLE status or place it in the tripped condition. Placing the channel in the tripped condition conservatively compensates for the inoperability, restores capability to accommodate a single failure, and allows operation to continue.

Troubleshooting, corrective maintenance, and post maintenance re-testing can be performed in bypass within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time specified for functions with installed bypass capability. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months clock starts as soon as the action statement is entered and does not include the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing in bypass.

The Required Action is modified by two Notes. Note 1 allows bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing for Functions 1d and 1e.

Note 2 allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months applies to each of the remaining OPERABLE channels.

The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the inoperable channel or place it in trip, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for surveillance testing is justified in References 9 and 10. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

M.1 If the Required Actions and Completion Times of Condition L are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and pressurizer pressure reduced to < 2000 psig within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

N.1 Condition N applies if an AFW Manual Initiation channel is inoperable. If a manual initiation switch is inoperable, the associated AFW or SAFW pump must be declared inoperable and the applicable Conditions of LCO 3.7.5, "Auxiliary Feedwater (AFW) System" must be entered immediately.

Each AFW manual initiation switch controls one AFW or SAFW pump.

Declaring the associated pump inoperable ensures that appropriate action is taken in LCO 3.7.5 based on the number and type of pumps involved.

ESFAS Instrumentation B 3.3.2 B 3.3.2-31 Revision 77 R.E. Ginna Nuclear Power Plant SURVEILLANCE The SRs for each ESFAS Function are identified by the SRs column REQUIREMENTS of Table 3.3.2-1. Each channel of process protection supplies both trains of the ESFAS. When testing Channel 1, Train A and Train B must be examined. Similarly, Train A and Train B must be examined when testing Channel 2, Channel 3, and Channel 4 (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

SR 3.3.2.1 This SR is the performance of a CHANNEL CHECK for the following ESFAS Functions:

SI-Containment Pressure-High; SI-Pressurizer Pressure-Low; SI-Steam Line Pressure-Low; CS-Containment Pressure-High High; Steam Line Isolation-Containment Pressure-High High; Steam Line Isolation-High Steam Flow Coincident with SI and Tavg-Low; Steam Line Isolation-High-High Steam Flow Coincident with SI; Feedwater Isolation-SG Water Level-High; and AFW-SG Water Level-Low Low.

Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of more serious instrument conditions. A CHANNEL CHECK will detect gross channel failure; thus, it is a verification the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

ESFAS Instrumentation B 3.3.2 B 3.3.2-32 Revision 89 R.E. Ginna Nuclear Power Plant CHANNEL CHECK acceptance criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2 SR 3.3.2.2 Is modified by a Note. The Note states that the ESFAS input relays are excluded from this surveillance for the Functions specified.

These Functions have installed bypass test capability. For the Functions with installed bypass test capability, the channel is tested in a bypass versus a tripped condition. To preclude placing the channel in a tripped condition, the input relays are excluded from this surveillance.

This SR is the performance of a COT every 92 days for the following ESFAS functions:

SI-Containment Pressure-High; SI-Pressurizer Pressure-Low; SI-Steam Line Pressure-Low; CS-Containment Pressure-High High; Steam Line Isolation-Containment Pressure-High High; Steam Line Isolation-High Steam Flow Coincident with SI and Tavg-Low; Steam Line Isolation-High-High Steam Flow Coincident with SI; Feedwater Isolation-SG Water Level-High; and AFW-SG Water Level-Low Low.

A COT is performed on each required channel to ensure the channel will perform the intended Function. Setpoints must be found to be within the COT Acceptance Criteria specified in plant procedures. The as-left values must be consistent with the drift allowance used in the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

B 3.3.2-33 Revision 77 R.E. Ginna Nuclear Power Plant ESFAS Instrumentation B 3.3.2 SR 3.3.2.3 This SR is the performance of a TADOT. This test is a check of the AFW-Undervoltage-Bus 11A and 11B Function.

The test includes trip devices that provide actuation signals directly to the protection system. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.4 This SR is the performance of a TADOT. This test is a check of the SI, CS, Containment Isolation, Steam Line Isolation, and AFW Manual Initiations, and the AFW-Trip of Both MFW Pumps Functions. Each Function is tested up to, and including, the master transfer relay coils.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Manual Initiations, and AFW-Trip of Both MFW Pumps Functions have no associated setpoints.

SR 3.3.2.5 This SR is the performance of a CHANNEL CALIBRATION of the following ESFAS Functions:

SI-Containment Pressure-High; SI-Pressurizer Pressure-Low; SI-Steam Line Pressure-Low; CS-Containment Pressure-High High; Steam Line Isolation-Containment Pressure-High High; Steam Line Isolation-High Steam Flow Coincident with SI and Tavg-Low; Steam Line Isolation-High-High Steam Flow Coincident with SI; Feedwater Isolation-SG Water Level-High; AFW-SG Water Level-Low Low; and AFW-Undervoltage-Bus 11A and 11B.

B 3.3.2-34 Revision 77 ESFAS Instrumentation B 3.3.2 R.E. Ginna Nuclear Power Plant CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the plant specific setpoint methodology. The "as left" values must be consistent with the drift allowance used in the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.6 This SR ensures the SI-Pressurizer Pressure-Low and SI-Steam Line Pressure-Low Functions are not bypassed when pressurizer pressure

> 2000 psig while in MODES 1, 2, and 3. Periodic testing of the pressurizer pressure channels is required to verify the setpoint to be less than or equal to the limit.

The difference between the current as-found values and the previous test as-left values must be consistent with the drift allowance used in the setpoint methodology (Ref. 6). The setpoint shall be left set consistent with the assumptions of the current plant specific setpoint methodology.

If the pressurizer pressure interlock setpoint is nonconservative, then the Pressurizer Pressure-Low and Steam Line Pressure-Low Functions are considered inoperable. Alternatively, the pressurizer pressure interlock can be placed in the conservative condition (nonbypassed). If placed in the nonbypassed condition, the SR is met and the Pressurizer Pressure-Low and Steam Line Pressure-Low Functions would not be considered inoperable. The Surveillance Frequency is controlled under Surveillance Frequency Control Program.

SR 3.3.2.7 This SR is the performance of an ACTUATION LOGIC TEST on all ESFAS Automatic Actuation Logic and Actuation Relays Functions. This test includes the application of various simulated or actual input combinations in conjunction with each possible interlock state and verification of the required logic output. Relay and contact operation is verified by a continuance check or actuation of the end device.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

ESFAS Instrumentation B 3.3.2 B 3.3.2-35 Revision 102 R.E. Ginna Nuclear Power Plant REFERENCES

1.

Atomic Industrial Forum (AIF) GDC 15, Issued for Comment July 10, 1967.

2.

UFSAR, Chapter 7.

3.

UFSAR, Chapter 6.

4.

UFSAR, Chapter 15.

5.

IEEE-279-1971.

6.

EP-3-S-0505, "Instrument Setpoint/Loop Accuracy Calculation Methodology".

7.

WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.

8.

"Power Range Nuclear Instrumentation System Bypass Test Instrumentation for R. E. Ginna," WCAP-18298-P, September 2017.

9.

WCAP-14333-P-A, Revision 1, October 1998.

10.

Ginna PRA Analysis for ESFAS/RTS AOT Extension, G1-LAR-005.

ESFAS Instrumentation B 3.3.2 B 3.3.2-36 Revision 42 R.E. Ginna Nuclear Power Plant Figure B 3.3.2-1

Containment Ventilation Isolation Instrumentation B 3.3.5 B 3.3.5-1 Revision 42 R.E. Ginna Nuclear Power Plant B 3.3 INSTRUMENTATION B 3.3.5 Containment Ventilation Isolation Instrumentation BASES BACKGROUND Containment ventilation isolation instrumentation closes the containment isolation valves in the Mini-Purge System and the Shutdown Purge System. This action isolates the containment atmosphere from the environment to minimize releases of radioactivity in the event of an accident. The Mini-Purge System may be used in all MODES while the Shutdown Purge System may only be used with the reactor shutdown.

Containment ventilation isolation initiates on a containment radiation signal, manual actuation of containment isolation, manual actuation of containment spray (CS), or by any safety injection (SI) signal. The Bases for LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS)

Instrumentation," discuss the manual containment isolation, manual containment spray, and safety injection modes of initiation.

Two containment radiation monitoring channels are provided as input to the containment ventilation isolation. The two radiation detectors are of different types: gaseous (R-12), and particulate (R-11). Both detectors will respond to most events that release radiation to containment.

However, analyses have not been conducted to demonstrate that all credible events will be detected by more than one monitor. Therefore, for the purposes of this LCO the two channels are not considered redundant.

Instead, they are treated as two one-out-of-one Functions except for a LOCA, during which both monitors will activate within their required time limits. Since the radiation monitors constitute a sampling system, various components such as sample line valves, sample line heaters, sample pumps, and filter motors are required to support monitor OPERABILITY.

The Mini-Purge System has inner and outer containment isolation valves in its supply and exhaust ducts while the Shutdown Purge System only has one valve located outside containment since the inside valve was replaced by a blind flange that is used during MODES 1, 2, 3, and 4. A high radiation signal from any one of the two channels initiates containment ventilation isolation, which closes all isolation valves in the Mini-Purge System and the Shutdown Purge System. These systems are described in the Bases for LCO 3.6.3, "Containment Isolation Boundaries."

Technical specifications are required by 10 CFR 50.36 to contain limiting safety system settings (LSSS). The Analytic Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytic Limit to account for instrument loop uncertainties related

Containment Ventilation Isolation Instrumentation B 3.3.5 B 3.3.5-2 Revision 42 R.E. Ginna Nuclear Power Plant to the setting at which the automatic protective action would actually occur.

The Calculated Trip Setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit. As such, the Calculated Trip Setpoint accounts for uncertainties in setting the device (e.g. calibration),

uncertainties in how the device might actually perform (e.g.,

repeatability), changes in the point of action of the device over time (e.g.,

drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). As such, the Calculated Trip Setpoint meets the definition of an LSSS and they are contained in the technical specifications.

Technical specifications contain requirements related to the OPERABILITY of equipment required for safe operation of the facility.

OPERABLE is defined in technical specifications as "...being capable of performing its safety functions(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 serves as the OPERABILITY limit for the nominal trip setpoint. However, use of the LSSS (Calculated Trip Setpoint) to define OPERABILITY in technical specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the as-found value of a protective device setting during a surveillance. This would result in technical specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the Calculated Trip Setpoint due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for determining the Calculated Trip Setpoint and thus the automatic protective action would still have been ensured with the as-found setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to within the tolerance band assumed in the determination of the Calculated Trip Setpoint to account for further drift during the next surveillance interval.

The Nominal Trip Setpoint is the desired setting specified within established plant procedures, and may be more conservative than the Calculated Trip Setpoint. The Nominal Trip Setpoint therefore may include additional margin to ensure that the SL would not be exceeded.

Use of the Calculated Trip Setpoint or Nominal Trip Setpoint to define as-found OPERABILITY, under the expected circumstances described above, would result in actions required by both the rule and technical specifications that are clearly not warranted. However, there is also some point beyond which the OPERABILITY of the device would be called into question, for example, greater than expected drift. This requirement needs to be specified in the technical specifications in order

B 3.3.5-3 Revision 42 Containment Ventilation Isolation Instrumentation B 3.3.5 R.E. Ginna Nuclear Power Plant to define the OPERABILITY limit for the as-found trip setpoint and is designated as the Channel Operational Test (COT) Acceptance Criteria.

The COT Acceptance Criteria described in SR 3.3.5-1 serves as a confirmation of OPERABILITY, such that a channel is OPERABLE if the absolute difference between the as-found trip setpoint and the previously as-left trip setpoint does not exceed the assumed uncertainty during the performance of the COT. The assumed uncertainty is primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition, as long as the device has not drifted beyond that expected during the surveillance interval. Note that, although the channel is "OPERABLE " under these circumstances, the trip setpoint should be left adjusted to a value within the established Nominal Trip Setpoint calibration tolerance band, in accordance with the uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned. If the actual setting of the device is found to have exceeded the COT Acceptance Criteria the device would be considered inoperable from a technical specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

APPLICABLE SAFETY ANALYSES The safety analyses assume that the containment remains intact with penetrations unnecessary for accident mitigation functions isolated early in the event, within approximately 60 seconds. The isolation of the purge valves has not been analyzed mechanistically in the dose calculations, although its rapid isolation is assumed. The containment ventilation isolation radiation monitors act as backup to the containment isolation signal to ensure closing of the ventilation valves. They are also the primary means for automatically isolating containment in the event of a fuel handling accident during shutdown even though containment isolation is not specifically credited for this event. Containment isolation in turn ensures meeting the containment leakage rate assumptions of the safety analyses, and ensures that the calculated accident offsite radiological doses are below 10 CFR 50.67 (Ref. 1) limits.

The containment ventilation isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement.

B 3.3.5-4 Revision 42 Containment Ventilation Isolation Instrumentation B 3.3.5 R.E. Ginna Nuclear Power Plant LCO The LCO requirements ensure that the instrumentation necessary to initiate Containment Ventilation Isolation, listed in Table 3.3.5-1, is OPERABLE.

1.

Automatic Actuation Logic and Actuation Relays The LCO requires two trains of Automatic Actuation Logic and Actuation Relays OPERABLE to ensure that no single random failure can prevent automatic actuation.

Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Table 3.3.2-1 Function 1, Safety Injection, ESFAS Function 2.a, Containment Spray-Manual Initiation, and ESFAS Function 3.a Containment Isolation-Manual Initiation. The applicable MODES and specified conditions for the containment ventilation isolation portion of these Functions are different and less restrictive than those for their respective ESFAS Table 3.3.2-1 roles. If one or more of the ESFAS Functions becomes inoperable in such a manner that only the Containment Ventilation Isolation Function is affected, the Conditions applicable to their respective isolation Functions in LCO 3.3.2 need not be entered. The less restrictive Actions specified for inoperability of the Containment Ventilation Isolation Functions specify sufficient compensatory measures for this case.

2.

Containment Radiation The LCO specifies two required channels of radiation monitors (R-11 and R-12) to ensure that the radiation monitoring instrumentation necessary to initiate Containment Ventilation Isolation remains OPERABLE.

For sampling systems, channel OPERABILITY involves more than OPERABILITY of the channel electronics. OPERABILITY may also require correct valve lineups, sample pump operation, and filter motor operation, as well as detector OPERABILITY, if these supporting features are necessary for trip to occur.

3.

Containment Isolation-Manual Initiation Refer to LCO 3.3.2, Function 3.a, for all initiating Functions and requirements. This Function provides the manual initiation capability for containment ventilation isolation.

B 3.3.5-5 Revision 42 Containment Ventilation Isolation Instrumentation B 3.3.5 R.E. Ginna Nuclear Power Plant

4.

Containment Spray-Manual Initiation Refer to LCO 3.3.2, Function 2.a, for all initiating Functions and requirements. This Function provides the manual initiation capability for containment ventilation isolation.

5.

Safety Injection Refer to LCO 3.3.2, Function 1, for all initiating Functions and requirements. This Function provides both manual and automatic initiation capability for containment ventilation isolation.

APPLICABILITY The Automatic Actuation Logic and Actuation Relays, Containment Isolation-Manual Initiation, and Containment Radiation Functions are required to be OPERABLE in MODES 1, 2, 3, and 4, and during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment. Under these conditions, the potential exists for an accident that could release fission product radioactivity into containment.

Therefore, the containment ventilation isolation instrumentation must be OPERABLE in these MODES.

The Containment Spray-Manual Initiation and Safety Injection Functions are required to be OPERABLE in MODES 1,2,3, and 4. Due to the potential negative affects of system actuations, and the redundancy provided by the alternate Functions, these Functions are not required during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment.

While in MODES 5 and 6 without fuel handling in progress, the containment ventilation isolation instrumentation need not be OPERABLE since the potential for radioactive releases is minimized and operator action is sufficient to ensure post accident offsite doses are maintained within the limits of Reference 1.

B 3.3.5-6 Revision 42 Containment Ventilation Isolation Instrumentation B 3.3.5 R.E. Ginna Nuclear Power Plant ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the tolerance allowed by plant specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a COT, when the process instrumentation is set up for adjustment to bring it within specification. A channel is considered OPERABLE when:

a.

The nominal trip setpoint is equal to or conservative with respect to the LSSS;

b.

The absolute difference between the as-found trip setpoint and the previous as-left trip setpoint does not exceed the COT Acceptance Criteria; and

c.

The as-left trip setpoint is within the established calibration tolerance band about the nominal trip setpoint.

The channel is still operable even if the as-left trip setpoint is non-conservative with respect to the LSSS provided that the as-left trip setpoint is within the established calibration tolerance band as specified in the Ginna Instrument Setpoint Methodology.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.5-1. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the failure of one containment ventilation isolation radiation monitor channel. These radiation monitors are of different design (R-11 in particulate and R-12 in gaseous) and R-11 is more sensitive to reactor coolant leakage. These are important distinctions for normal and off normal operating conditions, such as credit for minimal RCS leak detection. However, for purposes of post-LOCA containment ventilation isolation of the mini-purge valves, their TS 3.3.5 Function, the response of both detectors is timely and effective. Both detectors will isolate the mini-purge valves within the time constraints assumed in the accident analysis; they are therefore redundant when performing their TS Function. Since the two containment radiation monitors measure different parameters, failure of a single channel may result in loss of the radiation monitoring Function for certain events.

Consequently, the failed channel must be restored to OPERABLE status.

The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time, or in accordance with the Risk Informed

B 3.3.5-7 Revision 42 Containment Ventilation Isolation Instrumentation B 3.3.5 R.E. Ginna Nuclear Power Plant Completion Time Program, allowed to restore the affected channel is justified by the low likelihood of events occurring during this interval, and recognition that one or more of the remainingboth channels will respond to most limiting events.

B.1 Condition B applies to all Containment Ventilation Isolation Functions and addresses the train orientation of the system and the master and slave relays for these Functions. It also addresses the failure of multiple radiation monitoring channels, or the inability to restore a single failed channel to OPERABLE status in the time allowed for Required Action A.1.

If a train is inoperable, multiple channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action for the applicable Conditions of LCO 3.6.3 is met for each mini-purge isolation valve made inoperable by failure of isolation instrumentation. For example, if R-11 and R-12 were both inoperable, then all four mini-purge isolation valves must be declared inoperable. If CVI Train A were inoperable, then the two mini-purge valves which receive a Train A isolation signal must be declared inoperable.

A Note is added stating that Condition B is only applicable in MODE 1, 2, 3, or 4.

C.1 and C.2 Condition C applies to all Containment Ventilation Isolation Functions and addresses the train orientation of the system and the master and slave relays for these Functions. It also addresses the failure of multiple radiation monitoring channels, or the inability to restore a single failed channel to OPERABLE status in the time allowed for Required Action A.1.

If a train is inoperable, multiple channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action to place each purge isolation valve in its closed position or the applicable Conditions of LCO 3.9.3, "Containment Penetrations," are met for each purge isolation valve made inoperable by failure of isolation instrumentation. The Completion Time for these Required Actions is Immediately.

A Note states that Condition C is applicable during CORE ALTERATIONS and during movement of irradiated fuel assemblies within containment.

Containment Ventilation Isolation Instrumentation B 3.3.5 B 3.3.5-8 Revision 77 R.E. Ginna Nuclear Power Plant SURVEILLANCE REQUIREMENTS A Note has been added to the SR Table to clarify that Table 3.3.5-1 determines which SRs apply to which Containment Ventilation Isolation Functions.

SR 3.3.5.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred and the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The CHANNEL CHECK agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2 A COT is performed on each required channel to ensure the channel will perform the intended Function. The Frequency is based on the staff recommendation for increasing the availability of radiation monitors according to NUREG-1366 (Ref. 2). This test verifies the capability of the instrumentation to provide the containment ventilation system isolation. The setpoint shall be left consistent with the current plant specific calibration procedure tolerance. The Surveillance Frequency is controlled under Surveillance Frequency Program.

SR 3.3.5.3 This SR is the performance of an ACTUATION LOGIC TEST. All possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay is tested for continuity. This verifies that the logic modules are OPERABLE and there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Containment Ventilation Isolation Instrumentation B 3.3.5 B 3.3.5-9 Revision 77 R.E. Ginna Nuclear Power Plant SR 3.3.5.4 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

10 CFR 50.67.

2.

NUREG-1366.

Pressurizer PORVs B 3.4.11 B 3.4.11-1 Revision 58 R.E. Ginna Nuclear Power Plant B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)

BASES BACKGROUND The pressurizer is equipped with two types of devices for pressure relief:

pressurizer safety valves and PORVs. The PORVs (430 and 431C) are air operated valves that are controlled to open at a specific set pressure when the pressurizer pressure increases and close when the pressurizer pressure decreases. The PORVs may also be manually operated from the control room.

Motor operated block valves (515 and 516), which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the PORVs in case of excessive leakage or a stuck open PORV. Block valve closure is accomplished manually using controls in the control room. A stuck open PORV is, in effect, a small break loss of coolant accident (LOCA). As such, block valve closure terminates the RCS depressurization and coolant inventory loss.

The PORVs and their associated block valves may be used by plant operators to depressurize the RCS to recover from certain transients if normal pressurizer spray is not available. Additionally, the series arrangement of the PORVs and their block valves permit performance of surveillances on the valves during power operation.

The PORVs may also be used for feed and bleed core cooling in the case of multiple equipment failure events that are not within the design basis, such as a total loss of feedwater and auxiliary feedwater. The PORVs are also used to mitigate the effects of an anticipated transient without scram (ATWS) event which is also not within the design basis.

The PORVs, their block valves, and their controls are powered from the vital buses that normally receive power from offsite power sources, but are also capable of being powered from emergency power sources in the event of a loss of offsite power. The two PORVs (in manual operation only) and their associated block valves are powered from two separate safety trains.

The plant has two PORVs, each having a relief capacity of 179,000 lb/hr at 2335 psig. The PORVs are normally opened by using instrument air which is supplied through separate solenoid operated valves (8620A and 8620B). The safety related source of motive air is from two separate nitrogen accumulators that are normally isolated from the PORVs by solenoid operated valves 8619A and 8619B; however, solenoid operated valves 8620A and 8620B must be in the vent position to close the PORVs regardless of which motive air source is used.

Pressurizer PORVs B 3.4.11 B 3.4.11-2 Revision 58 R.E. Ginna Nuclear Power Plant The functional design of the PORVs is based on maintaining pressure below the pressurizer high pressure reactor trip setpoint following a step reduction of 50% of full load with steam dump. In addition, the PORVs minimize challenges to the pressurizer safety valves and also may be used for low temperature overpressure protection (LTOP). See LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System."

APPLICABLE SAFETY ANALYSES Plant operators employ the PORVs to depressurize the RCS in response to certain plant transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event.

A loss of offsite power is assumed to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs are assumed to be used for RCS depressurization, which is one of the steps performed to equalize the primary and secondary pressures in order to terminate the primary to secondary break flow and the radioactive releases from the affected steam generator.

The PORVs are also used in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling ratio (DNBR) criteria are critical. By assuming PORV manual actuation, the primary pressure remains below the pressurizer high pressure trip and pressurizer safety valve setpoints; thus the DNBR calculation is more conservative assuming the same initial RCS temperature since the pressurizer pressure is limited. Events that assume this condition include a loss of external electrical load and other transients which result in a decrease in heat removal by the secondary system (Ref. 1).

Pressurizer PORVs satisfy Criterion 3 of the NRC Policy Statement.

LCO The LCO requires the PORVs and their associated block valves to be OPERABLE for manual operation by the nitrogen accumulators to mitigate the effects associated with an SGTR. PORV OPERABILITY requires the associated nitrogen accumulator to be maintained at a pressure 400 psig. PORV leakage is addressed by LCO 3.4.13, "RCS Operational LEAKAGE;" however, a PORV with a leakage rate 10 gpm must also be declared inoperable per this LCO. This restriction is based on the potential need for operators to open the leaking PORV and associated block valve during accident mitigation. If the block valve then fails to re-close, the PORV leakage rate is outside the accident analysis assumptions.

By maintaining two PORVs and their associated block valves OPERABLE, the single failure criterion is satisfied. The block valves are available to isolate the flow path through either a failed open PORV or a

B 3.4.11-3 Revision 58 R.E. Ginna Nuclear Power Plant Pressurizer PORVs B 3.4.11 PORV with excessive leakage. Satisfying the LCO helps minimize challenges to fission product barriers.

APPLICABILITY In MODES 1, 2, and 3, the PORV is required to be OPERABLE to mitigate the effects associated with an SGTR and its block valve must be OPERABLE to limit the potential for a small break LOCA through the flow path. The most likely cause for a PORV small break LOCA is a result of a pressure increase transient that causes the PORV to automatically open with a subsequent failure to close. Imbalances in the energy output of the core and heat removal by the secondary system can cause the RCS pressure to increase to the PORV opening setpoint. The most rapid increases will occur at the higher operating power and pressure conditions of MODES 1 and 2. Pressure increases are less prominent in MODE 3 because the core input energy is reduced, but the RCS pressure is high.

The PORVs are also required to be OPERABLE in MODES 1, 2, and 3 to minimize challenges to the pressurizer safety valves by manually opening the PORVs. Therefore, the LCO is applicable in MODES 1, 2, and 3.

The LCO is not applicable in MODE 4 when both pressure and core energy are decreased and the pressure surges become much less significant. The PORV setpoint is reduced for LTOP in MODES 4, 5, and 6 with the reactor vessel head in place. LCO 3.4.12 addresses the PORV requirements in these MODES.

ACTIONS Note 1 has been added to clarify that both pressurizer PORVs are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis) for Condition A.

Note 2 has been added to clarify that both block valves are treated as separate entities, each with separate Completion Times, for Condition C.

A.1 and A.2 With the PORVs OPERABLE and not capable of being automatically controlled, either the PORVs must be restored or the flow path isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Although a PORV may not be capable of being automatically controlled, it may be able to be manually opened and closed, and therefore, able to perform its function. A PORV is considered not capable of being automatically controlled for any problem which prevents the PORV from automatically closing once it has automatically opened. This may be due to instrumentation problems. Not capable of automatic control does not include problems which only prevent the PORV from automatically opening (e.g., loss of instrument air to the PORV). It also does not include problems which prevent the PORV from

B 3.4.11-4 Revision 58 Pressurizer PORVs B 3.4.11 R.E. Ginna Nuclear Power Plant Pressurizer PORVs B 3.4.11 both automatically opening and automatically closing. For these reasons, the block valve may either be closed to isolate the flowpaths or isolated by placing the PORV control switch in the closed position.

However, if the block valve is closed to isolate the flowpath, the Action requires power be maintained to the valve. This Condition is only intended to permit operation of the plant for a limited period of time not to exceed the next refueling outage (MODE 6) so that maintenance can be performed on the PORVs to eliminate the problem. Normally, the PORVs should be available for automatic mitigation of overpressure events and should be returned to OPERABLE status prior to entering startup (MODE 2). Seat leakage problems are controlled by LCO 3.4.13, "RCS Operational LEAKAGE."

Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on plant operating experience that has shown that minor problems can be corrected or closure accomplished in this time period.

B.1, B.2, and B.3 If one PORV is not capable of being manually cycled, it is inoperable and must be either restored or isolated by closing the associated block valve and removing the power to the associated block valve. PORV inoperability includes (but is not limited to) the inability of the solenoid operated isolation valve from the nitrogen accumulator to open or the solenoid operated isolation valve from instrument air to vent. The Completion Times of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months are reasonable, based on challenges to the PORVs during this time period, and provide the operator adequate time to correct the situation. If the inoperable valve cannot be restored to OPERABLE status, it must be isolated within the specified time.

Because there is a second PORV that is OPERABLE, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is provided to restore the inoperable PORV to OPERABLE status, OR the provisions of the RICT program can be implemented if both the second PORV and its associated block valve can be determined to be OPERABLE. If the PORV cannot be restored within this time, and RICT cannot be implemented, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition E.

C.1 and C.2 If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or place the associated PORV in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV. Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. Manual control is accomplished by placing

B 3.4.11-5 Revision 58 Pressurizer PORVs B 3.4.11 R.E. Ginna Nuclear Power Plant the PORV control board switch in the closed position. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Because the PORV is not capable of automatically opening and the small potential for an SGTR or other event requiring Manual operation, the operator is permitted a Completion Time of 7 days, OR the time determined using the RICT process if both the opposite PORV and its associated block valve can be verified OPERABLE, to restore the inoperable block valve to OPERABLE status. The time allowed to restore the block valve is limited to 7 days since the PORVs are not capable of automatically mitigating an overpressure event when placed in manual control. If the block valve is restored within the allowed Completion Time of 7 days, the PORV will again be capable of automatically responding to an overpressure event, and the block valves capable of isolating a stuck open PORV which may result from the overpressure event. If it cannot be restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition E.

D.1 and D.2 If both block valves are inoperable, then it is necessary to either restore at least one block valve to OPERABLE status within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or place the PORVs in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV.

Therefore, if the block valves cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the Required Action is to place the PORVs in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. Manual control is accomplished by placing the PORV control board switch in the closed position. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Because the PORV is not capable of automatically opening and the small potential for an SGTR or other event requiring Manual operation, the operator is permitted a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore at least one inoperable block valve to OPERABLE status. The time allowed to restore one block valve is limited to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months since the PORVs are not capable of automatically mitigating an overpressure event when placed in manual control. If at least one block valve is restored within the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , at least one PORV will again be capable of automatically responding to an overpressure event, and the associated block valve capable of isolating a stuck open PORV which may result from the overpressure event. If it cannot be restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition E.

E.1 and E.2 If the Required Action of Condition A, B, C, or Dis not met, then the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months

B 3.4.11-6 Revision 58 Pressurizer PORVs B 3.4.11 R.E. Ginna Nuclear Power Plant and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4 and 5, maintaining PORV OPERABILITY may be required. See LCO 3.4.12.

F.1, F.2, F.3, and F.4 If both PORVs are not capable of being manually cycled, they are inoperable and it is necessary to initiate action to restore one PORV to OPERABLE status immediately since no relief valve is available to mitigate the effects associated with an SGTR. Therefore, operators must either restore at least one valve within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or isolate the flow path by closing and removing the power to the associated block valves. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the small potential for challenges to the system during this time and provides the operator time to correct the situation.

If one PORV is restored and one PORV remains inoperable, then the plant will be in Condition B with the time clock started at the original declaration of having two PORVs inoperable. If no PORVs are restored within the Completion Time, then the plant must be brought to a MODE which does not require manual PORV operation. To achieve this status, the plant must be brought to MODE 3 with Tavg < 500ºF within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

In MODE 3 with the RCS average temperature < 500ºF, the saturation pressure of the reactor coolant is below the setpoint of the main steam safety valves. Since the RWST contains a larger volume of water than the secondary side of an SG, the leak through the ruptured tube will stop after the SG is filled to capacity. Therefore, an SGTR can be mitigated under these conditions without any release of radioactive fluid through the main steam safety valves. Entering a lower MODE is not desirable with both PORVs inoperable and not capable of being manually cycled since the PORVs are also required for low temperature overpressure protection. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Pressurizer PORVs B 3.4.11 B 3.4.11-7 Revision 77 R.E. Ginna Nuclear Power Plant SURVEILLANCE REQUIREMENTS SR 3.4.11.1 Block valve cycling verifies that the valve(s) can be closed if needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the block valve is closed to isolate a PORV that is OPERABLE and is not leaking in excess of the limits of LCO 3.4.13, "RCS Operational LEAKAGE," then opening the block valve is necessary to verify that the PORV can be used for manual control of reactor pressure. If the block valve is closed to isolate an otherwise inoperable PORV, the maximum Completion Time to restore the PORV and open the block valve is 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , which is well within the allowable limits (25%) to extend the block valve Frequency. Furthermore, these test requirements would be completed by the reopening of a recently closed block valve upon restoration of the PORV to OPERABLE status (i.e., completion of the Required Actions fulfills the SR).

The Note modifies this SR by stating that it is not required to be performed with the block valve closed per LCO 3.4.13. This prevents the need to open the block valve when the associated PORV is leaking > 10 gpm creating the potential for a plant transient.

SR 3.4.11.2 This SR requires a complete cycle of each PORV using the nitrogen accumulators. Operating a PORV through one complete cycle ensures that the PORV can be manually actuated for mitigation of an SGTR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Section 15.2.

2.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

AFW System B 3.7.5 B 3.7.5-1 Revision 75 R.E. Ginna Nuclear Power Plant B 3.7 PLANT SYSTEMS B 3.7.5 Auxiliary Feedwater (AFW) System BASES BACKGROUND The AFW System supplies feedwater to the steam generators (SGs) to remove decay heat from the Reactor Coolant System (RCS) upon the loss of normal feedwater supply. The SGs function as a heat sink for core decay heat. The heat load is dissipated by releasing steam to the atmosphere from the SGs via the main steam safety valves (MSSVs) or atmospheric relief valves (ARVs). If the main condenser is available, steam may be released via the steam dump valves. The AFW System is comprised of two separate systems, a preferred AFW System and a Standby AFW (SAFW) System (Ref. 1).

AFW System The preferred AFW System consists of two motor driven AFW (MDAFW) pumps and one turbine driven AFW (TDAFW) pump configured into three separate trains which are all located in the Intermediate Building (see Figure B 3.7.5-1). The pumps are equipped with independent recirculation lines to the condensate storage tanks (CSTs). Each MDAFW train is powered from an independent Class 1E power supply and feeds one SG, although each pump has the capability to be realigned from the control room to feed the other SG via cross-tie lines containing normally closed motor operated valves (4000A and 4000B). The two MDAFW trains will actuate automatically on a low-low level signal in either SG, opening of the main feedwater (MFW) pump breakers, a safety injection (SI) signal, or the ATWS mitigation system actuation circuitry (AMSAC). The pumps can also be manually started from the control room.

The TDAFW pump receives steam from each main steam line upstream of the two main steam isolation valves. Either of the steam lines will supply 100% of the requirements of the TDAFW pump. The TDAFW pump supplies a common header capable of feeding both SGs by use of normally maintained open, air-operated control valves (4297 and 4298). The TDAFW pump will actuate automatically on a low-low level signal in both SGs, loss of voltage on 4160 V Buses 11A and 11B, or the ATWS mitigation system actuation circuitry (AMSAC). The pump can also be manually started from the control room.

The normal source of water for the AFW System is the CSTs which are located in the non-seismic Service Building. The Service Water (SW) System (LCO 3.7.8) can also be used to supply a safety-

B 3.7.5-2 Revision 78 AFW System B 3.7.5 R.E. Ginna Nuclear Power Plant related source of water through normally closed motor operated valves (4013, 4027, and 4028) which supply each AFW train.

SAFW System The SAFW System consists of two motor driven pumps configured into two separate trains (see Figure B 3.7.5-2). Each motor driven SAFW train supplies one SG through the use of a normally open motor-operated stop check valve. Each pump has the capability to be realigned from the control room to feed the other SG via normally closed motor operated valves (9703A and 9703B). Each pump is powered from an independent Class 1E power supply and can be powered from the diesel generators provided that the breaker for the associated MDAFW pump is opened. The safety-related source of water for the SAFW System is the SW System through two normally closed motor operated valves (9629A and 9629B). Condensate can also be supplied by a 160,000 gallon DI water storage tank and the yard fire hydrant yard loop.

The SAFW System is manually actuated in the event that the preferred AFW System has failed due to a high energy line break (HELB) in the Intermediate Building, a seismic or fire event. The SAFW trains are located in the SAFW Pump Building located adjacent to the Auxiliary Building.

The SAFW Pump Building environment is controlled by room coolers which are supplied by the same SW header as the pump trains. These coolers are required to ensure the SAFW Pump Building remains 120ºF during accident conditions.

The AFW System is designed to supply sufficient water to the SG(s) to remove decay heat with SG pressure at the lowest MSSV set pressure plus 1%. Subsequently, the AFW System supplies sufficient water to cool the plant to RHR entry conditions, with steam released through the ARVs.

APPLICABLE SAFETY ANALYSES The design basis of the AFW System is to supply water to the SG(s) to remove decay heat and other residual heat by delivering at least the minimum required flow rate to the SGs at pressures corresponding to the lowest MSSV set pressure plus 1%.

The AFW System mitigates the consequences of any event with the loss of normal feedwater. The limiting Design Basis Accidents (DBAs) and transients for the AFW System are as follows (Ref. 2):

a.

Feedwater Line Break (FWLB);

AFW System B 3.7.5 B 3.7.5-3 Revision 75 R.E. Ginna Nuclear Power Plant

b.

Loss of MFW (with and without offsite power);

c.

Steam Line Break (SLB);

d.

Small break loss of coolant accident (LOCA);

e.

Steam generator tube rupture (SGTR); and AFW is also used to mitigate the effects of an ATWS event (which is a beyond design basis event) and external events (tornados and seismic events) all of which are not addressed by this LCO.

The AFW System design is such that any of the above DBAs can be mitigated using the preferred AFW System or SAFW System. For the FWLB and SLB, (items a and c), the worst case scenario is the loss of all three preferred AFW trains due to a HELB in the Intermediate or Turbine Building. For these events, the use of the SAFW System within 14.5 minutes is assumed by the accident analyses. Since a single failure must also be assumed in addition to the HELB, the capability of the SAFW System to supply flow to an intact SG could be compromised if the SAFW cross-tie or intact SG flowpath is not available. For HELBs within containment, use of either the SAFW System (within 14.5 minutes) or the AFW System (within 1 minute) to the intact SG is assumed.

For the SGTR events (item e), the accident analyses assume that one AFW train is available upon a SI signal or low-low SG level signal.

Additional inventory is being added to the ruptured SG as a result of the SGTR such that AFW flow is not a critical feature for this DBA.

The loss of MFW (item b) is a Condition 2 event (Ref. 3) which places limits on the response of the RCS from the transient (e.g., no challenge to the pressurizer power operated relief valves due to a water solid pressurizer is allowed). This analysis has been performed assuming no AFW flow is available until 1 minute with acceptable results. The most limiting small break LOCA (item d) analysis has also been performed assuming no AFW flow with no adverse impact on peak cladding temperature.

In addition to its accident mitigation function, the energy and mass addition capability of the AFW System is also considered with respect to HELBs within containment. For SLBs and FWLBs within containment, maximum pump flow from all three AFW pumps is assumed for 10 minutes until operations can isolate the flow by tripping the AFW pumps or by closing the respective pump discharge flow path(s). Therefore, the motor operated discharge isolation valves for the motor MDAFW pump trains (4007 and 4008) are designed to limit flow to 235 gpm to limit the energy and mass addition so that containment remains within design limits for items a and c. The TDAFW train is assumed to be at runout conditions (i.e., 630 gpm).

B 3.7.5-4 Revision 75 R.E. Ginna Nuclear Power Plant AFW System B 3.7.5 The AFW System satisfies the requirements of Criterion 3 of the NRC Policy Statement.

LCO This LCO provides assurance that the AFW System will perform its design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary or containment.

The AFW System is comprised of two systems which are configured into five trains. The AFW System is considered OPERABLE when the components and flow paths required to provide redundant AFW flow to the SGs are OPERABLE (see Figures B 3.7.5-1 and B 3.7.5-2). This requires that the following be OPERABLE:

a.

Two MDAFW trains taking suction from the CSTs as required by LCO 3.7.6 (and capable of taking suction from the SW system within 14.5 minutes), and capable of supplying their respective SG with 170 gpm (recirculation valve open) or 195 gpm (recirculation valve closed) within 1 minute and 235 gpm upon AFW actuation (on a per pump basis);

b.

The TDAFW train taking suction from the CSTs as required by LCO 3.7.6 (and capable of taking suction from the SW system within 14.5 minutes), provided steam is available from both main steam lines upstream of the MSIVs, and capable of supplying 170 gpm to either SG within 1 minute and 235 gpm to either SG within 14.5 minutes; and

c.

Two motor driven SAFW trains capable of being initiated either locally or from the control room within 14.5 minutes, taking suction from the SW System, and supplying their respective SG and the opposite SG through the SAFW cross-tie line with 215 gpm.

The piping, valves, instrumentation, and controls in the required flow paths are also required to be OPERABLE. The pump recirculation lines are required to be OPERABLE for this LCO. Valves in the recirculation line must be open, or able to open to be OPERABLE. The TDAFW train is comprised of a common pump and two flow paths. A TDAFW train flow path is defined as the steam supply line and the SG injection line from/to the same SG. The failure of the pump or both flow paths renders the TDAFW train inoperable.

The cross-tie line for the preferred MDAFW pumps is not required for this LCO. However, since the accident analyses have been performed assuming a 14.5 minute delay for AFW for a HELB, and there are two separate systems, the use of this cross-tie line is allowed in MODES 1, 2, and 3.

B 3.7.5-5 Revision 75 R.E. Ginna Nuclear Power Plant AFW System B 3.7.5 The SAFW Pump Building room coolers are required to be OPERABLE.

If one room cooler is inoperable, the associated SAFW train is inoperable.

APPLICABILITY In MODES 1, 2, and 3, the AFW System is required to be OPERABLE in the event that it is called upon to function when the MFW System is lost.

In addition, the AFW System is required to supply enough makeup water to replace the lost SG secondary inventory as the plant cools to MODE 4 conditions.

In MODE 4, 5, or 6, the SGs are not normally used for heat removal, and the AFW System is not required.

ACTIONS A.1 If one of the TDAFW train flow paths is inoperable, action must be taken to restore the flow path to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. These 7 day Completion Times is are reasonable, based on the following reasons:

a.

The redundant OPERABLE turbine driven AFW pump flow path;

b.

The availability of redundant OPERABLE MDAFW and SAFW pumps; and

c.

The low probability of an event occurring that requires the inoperable TDAFW pump flow path.

A TDAFW train flow path is defined as the steam supply line and SG injection line from/to the same SG.

B.1 If one MDAFW train is inoperable, action must be taken to restore the train to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. These 7 day Completion Times is are reasonable, based on the following reasons:

a.

The redundant OPERABLE MDAFW train;

b.

The availability of redundant OPERABLE TDAFW and SAFW pumps; and

c.

The low probability of an event occurring that requires the inoperable MDAFW train.

B 3.7.5-6 Revision 75 R.E. Ginna Nuclear Power Plant AFW System B 3.7.5 C.1 With the TDAFW train inoperable, or both MDAFW trains inoperable, or one TDAFW train flow path and one MDAFW train inoperable to opposite SGs, action must be taken to restore OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program. If the inoperable MDAFW train supplies the same SG as the inoperable TDAFW flow path, Condition D must be entered.

The combination of failures which requires entry into this Condition all result in the loss of one train (or one flow path) of preferred AFW cooling to each SG such that redundancy is lost. These 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Times is are reasonable, based on redundant capabilities afforded by the SAFW System, time needed for repairs, and the low probability of a DBA occurring during this time period.

Condition C is modified by a Note which prohibits the application of LCO 3.0.4.b with a TDAFW train inoperable, or both MDAFW trains inoperable, or one TDAFW train flow path and one MDAFW train inoperable to opposite SGs. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with a TDAFW train inoperable, or both MDAFW trains inoperable, or one TDAFW train flow path and one MDAFW train inoperable to opposite SGs consequently the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in these circumstances.

D.1 With all MD and TD (preferred) AFW trains to one or both SGs inoperable, action must be taken to restore at least one train or TDAFW flow path to each affected SG to OPERABLE status within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months or in accordance with the Risk Informed Completion Time Program.

The combination of failures which require entry into this Condition all result in the loss of preferred AFW cooling to at least one SG. If a SGTR were to occur in this condition, preferred AFW is potentially unavailable to the unaffected SG. If AFW is unavailable to both SGs, the accident analyses for small break LOCAs and loss of MFW would not be met.

The two MDAFW trains of the preferred AFW System are normally used for decay heat removal during low power operations since air operated bypass control valves are installed in each train to better control SG level (see Figure B 3.7.5-1). Since a feedwater transient is more likely during reduced power conditions, 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is provided to restore at least one train of additional preferred AFW before requiring a controlled cooldown. This will also provide time to find a condensate source other than the SW System for the SAFW System if all three AFW trains are inoperable.

These 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Times is are reasonable, based on redundant capabilities afforded by the SAFW System, time needed for repairs, and the low probability of a DBA occurring during this time period.

B 3.7.5-7 Revision 75 R.E. Ginna Nuclear Power Plant AFW System B 3.7.5 Condition D is modified by a Note which prohibits the application of LCO 3.0.4.b with all preferred AFW trains to one or both SGs inoperable. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with all AFW trains to one or both SGs inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in these circumstances.

E.1 With one SAFW train inoperable, action must be taken to restore OPERABLE status within 14 days or in accordance with the Risk Informed Completion Time Program. This Condition includes the inoperability of one of the two SAFW cross-tie valves which requires declaring the associated SAFW train inoperable (e.g., failure of 9703B would result in declaring SAFW train D inoperable). However, the inoperability of either flow path downstream of the SAFW cross-tie is addressed by Condition F. These 14 day Completion Times is are reasonable, based on redundant capabilities afforded by the AFW System, time needed for repairs, and the low probability of a HELB or other event which would require the use of the SAFW System during this time period.

F.1 With both SAFW trains inoperable, action must be taken to restore at least one SAFW train to OPERABLE status within 7 days. This Condition includes the inoperability of both of the SAFW cross-tie valves (9703A and 9703B) or the inoperability of either flow path down stream of the SAFW cross-tie. The 7 day Completion Time is reasonable, based on redundant capabilities afforded by the AFW System, time needed for repairs, and the low probability of a HELB or other event which would require the use of the SAFW System during this time period.

G.1 and G.2 When Required Action A.1, B.1, C.1, D.1, E.1, or F.1 cannot be completed within the required Completion Time, the plant must be placed in a MODE in which the LCO does not apply. To achieve this status, the plant must be placed in at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and in MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant condition from full power conditions in an orderly manner and without challenging plant systems.

H.1 If all three preferred AFW trains and both SAFW trains are inoperable the plant is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety related equipment. In such a condition, the

B 3.7.5-8 Revision 81 R.E. Ginna Nuclear Power Plant AFW System B 3.7.5 plant should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this condition requires that action be started immediately to restore one MDAFW, TDAFW, or SAFW train to OPERABLE status. For the purposes of this Required Action, only one TDAFW train flow path and the pump must be restored to exit this Condition.

Required Action H.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one MDAFW, TDAFW, or SAFW train is restored to OPERABLE status. In this case, LCO 3.0.3 is not applicable because it could force the plant into a less safe condition.

SURVEILLANCE REQUIREMENTS SR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW and SAFW System water and steam supply flow paths provides assurance that the proper flow paths will exist for AFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification, through a system walkdown, that those valves capable of being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.5.2 Periodically comparing the reference differential pressure and flow of each AFW pump in accordance with the inservice testing requirements of the ASME Code (Ref. 4) detects trends that might be indicative of an incipient failure. The Frequency of this surveillance is specified in the INSERVICE TESTING PROGRAM, which encompasses the ASME Code. The ASME Code provides the activities and Frequencies necessary to satisfy this requirement.

This SR is modified by a Note indicating that the SR is only required to be met prior to entering MODE 1 for the TDAFW pump since suitable test conditions have not been established. This deferral is required because there is insufficient steam pressure to perform the test.

B 3.7.5-9 Revision 81 R.E. Ginna Nuclear Power Plant AFW System B 3.7.5 SR 3.7.5.3 Periodically comparing the reference differential pressure and flow of each SAFW pump in accordance with the inservice testing requirements of the ASME Code (Ref. 4) detects trends that might be indicative of an incipient failure. Because it is undesirable to introduce SW into the SGs while they are operating, this testing is performed using the test condensate tank. The Frequency of this surveillance is specified in the INSERVICE TESTING PROGRAM, which encompasses the ASME Code. The ASME Code provides the activities and Frequencies necessary to satisfy this requirement.

SR 3.7.5.4 This SR verifies that each AFW and SAFW motor operated suction valve from the SW System (4013, 4027, 4028, 9629A, and 9629B), each AFW and SAFW discharge motor operated valve (4007, 4008, 9701A, 9701B, 9704A, 9704B, and 9746), and each SAFW cross-tie motor operated valve (9703A and 9703B) can be operated when required. The Frequency of this Surveillance is specified in the INSERVICE TESTING PROGRAM and is consistent with the ASME Code (Ref. 4). The TDAFW discharge motor operated valve (3996) is maintained open and not required to be closed for the DBA's and transients described within the Applicable Safety Analyses section. Therefore, testing of the TDAFW discharge motor operating valve is not required.

SR 3.7.5.5 This SR verifies that AFW can be delivered to the appropriate SG in the event of any accident or transient that generates an actuation signal, by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.5.6 This SR verifies that the AFW pumps will start in the event of any accident or transient that generates an actuation signal by demonstrating that each AFW pump starts automatically on an actual or simulated actuation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

AFW System B 3.7.5 B 3.7.5-10 Revision 77 R.E. Ginna Nuclear Power Plant This SR is modified by a Note indicating that the SR is only required to be met prior to entering MODE 1 for the TDAFW pump since suitable test conditions may have not been established. This deferral is required because there is insufficient steam pressure to perform the test.

SR 3.7.5.7 This SR verifies that the SAFW System can be actuated and controlled from the control room. The SAFW System is assumed to be manually initiated within 14.5 minutes in the event that the preferred AFW System is inoperable. This Surveillance includes the verification of the automatic response of the motor operated discharge valves (9701A and 9701B) and the recirculation valves (9710A and 9710B). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Section 10.5.

2.

UFSAR Chapter 15.

3.

American National Standard, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," N18.2-1973.

4.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

AFW System B 3.7.5 B 3.7.5-11 Revision 75 R.E. Ginna Nuclear Power Plant Figure B 3.7.5-1 Preferred AFW System r*.. 4019 4017 Service Water MDAFWA 4027 Lube Oil

"-----L___J Cooler CSTA CSTB 4074 I

~*IXJ-*r*IXJ-~

I 4071 I 4070 L,,_,,_,,_,,_,,_,,_;

-I 4015 4014 For illustration only NOTE

FT*2001, FT*2002 are also addressed by LCO 3.3.3.

FT *2006, FT*2007, LT*2022A, and LT*2022B are not addressed by this LCO, but are addressed by LCO 3.3.3.

4018 4016

£ 4344 4028 LEGEND:

Flow path not required for LCO Addressed in LCO 3.7.6 TDAFW flowpath AFW Train (Note* TDAFW train includes both steam and both injection flowpaths)

Service Water 4098 4013 Service Water TDAFW Lube Oil Cooler MDAFWB Lube Oil Cooler 4009 4010 4007 4000C 4011 Steam Generator A

,.:l"....... : '***~ ;***~

- - - ~

~* *foat3***~~*

FT 2006 4357 4000A 4356 4082 4310A 4310 3505A 3505B

~ 3505

- - lA**~ ***N **

ToMSIV 3517 4000B To MSIV 3516 *

."?.

..... v,.. -,,..**t><l***'

3504B 3504A 3504

~

..,t-...... : ****t><l****{9(]****N N --*M

4000 4298 4002 4004 4006 4008 4000D 4012 4481 4485 Steam Generator B

B 3.9.6-Revision 77 R.E. Ginna Nuclear Power Plant SAFW PUMP C

~

SERVICE WATER ---- --IC><J---;'-..J---r--... ~-"T""----(

,.1------c~-*'r T - ~

- -cx:J- - -t----J- -

-cx:J- -

9626A 9627A 9629A 9701A 9704A 9702A 9705A 9706A SAFWPUMP ROOM COOLING UNIT1A SAFWPUMP ROOM COOLING UNIT 1B t

9708A I

I

~ 9707A I

W---a---

1 9781 9780 I

~ 9707B f

9708B SAFWPUMPD 9710A 9768 9765 9710B I

I I t 9702C I

I I em,a t

97020 I

~

II t------r-~-----o'<~

..J. ~

-t1/4- --l><l- - -t----J- -

-cx:J- -

SERVICE WATER ---- -~<l----f'~--"--"'4-....,'-----f' 9626B 9627B 9629B

)

LEGEND:

FLOW PATH NOT REQUIRED FOR LCO SAFWTRAIN AFFECTS BOTH SAFW TRAINS 9700B 9701B 9746 9704B 9702B 9705B 9706B

/FOR ILLUSTRATION ONLY I STEAM GENERATOR A

STEAM GENERATOR B

v t e Letter Sequence Supplement
EPID:L-2021-LLA-0091, TSTF-505, TSTF-505 (Approved, Closed)
Initiation Request, Request, Request Acceptance, Acceptance Supplement, Supplement, Supplement, Supplement Administration Questions Answers Results Approval, Approval, Approval Other: ML21222A114
MONTHYEAR2022-04-28 [Table View]

ML22118B143

Text

Subject:

References:

References:

Response

Response

Response

Response

Response

Navigation menu

Search