Text

Changes Related to AP1000 Gts Subsection 3.3.8, Engineered Safety Features Actuation System (ESFAS) Instrumentation
	ML22240A043
Person / Time
Issue date:	06/29/2015
From:	; NRC/NRR/DSS/STSB
To:	;
	Craig Harbuck NRR/DSS 301-415-3140
Shared Package
ML22240A001	List: ML22240A003; ML22240A005; ML22240A006; ML22240A007; ML22240A008; ML22240A010; ML22240A011; ML22240A012; ML22240A013; ML22240A014; ML22240A015; ML22240A016; ML22240A017; ML22240A018; ML22240A019; ML22240A020; ML22240A021; ML22240A022; ML22240A023; ML22240A024; ML22240A026; ML22240A027; ML22240A028; ML22240A030; ML22240A031; ML22240A033; ML22240A035; ML22240A036; ML22240A037; ML22240A038; ML22240A040; ML22240A041; ML22240A042; ML22240A043; ML22240A044; ML22240A045; ML22240A046; ML22240A047; ML22240A049; ML22240A050; ML22240A051; ML22240A052; ML22240A053; ML22240A054; ML22240A056; ML22240A057; ML22240A058; ML22240A059; ML22240A060; ML22240A061; ... further results
References
	Download: ML22240A043 (197)
	v • d • e

GTST AP1000-O61-3.3.8, Rev. 1 Advanced Passive 1000 (AP1000)

Generic Technical Specification Traveler (GTST)

Title:

Changes Related to LCO 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation I. Technical Specifications Task Force (TSTF) Travelers, Approved Since Revision 2 of STS NUREG-1431, and Used to Develop this GTST TSTF Number and

Title:

TSTF-411-A, Rev 1, Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)

TSTF-418-A, Rev 2, RPS and ESFAS Test Times and Completion Times (WCAP-14333)

TSTF-444-T, Rev 1, ESFAS Interlocks P-4, P-11 & P-12 LCO Actions and Surveillance Requirements Revisions TSTF-483-T, Rev 1, Delete TS 3.3.1, Condition D, Power Range Neutron Flux - High Channel Inoperable TSTF-519-T, Rev 0, Increase Standardization in Condition and Required Action Notes STS NUREGs Affected:

TSTF-411-A, Rev 1: NUREG 1431 TSTF-418-A, Rev 2: NUREG 1431 TSTF-444-T, Rev 1: NUREG 1431 TSTF-483-T, Rev 1: NUREG 1431 TSTF-519-T, Rev 0: NUREG 1430 and 1431 NRC Approval Date:

TSTF-411-A, Rev 1: 30-Aug-02 TSTF-418-A, Rev 2: 02-Apr-03 TSTF-444-T, Rev 1: 15-Oct-03 TSTF Approved for Use TSTF-483-T, Rev 1: 19-Dec-05 TSTF-519-T, Rev 0: 16-Oct-09 (TSTF Review)

TSTF Classification:

TSTF-411-A, Rev 1: Technical Change TSTF-418-A, Rev 2: Technical Change TSTF-444-T, Rev 1: Technical Change TSTF-483-T, Rev 1: Technical Change TSTF-519-T, Rev 0: NUREG Only Change Date report generated:

Monday, June 29, 2015 Page 1

GTST AP1000-O61-3.3.8, Rev. 1 II. Reference Combined License (RCOL) Standard Departures (Std. Dep.), RCOL COL Items, and RCOL Plant-Specific Technical Specifications (PTS) Changes Used to Develop this GTST RCOL Std. Dep. Number and

Title:

There are no Vogtle Electric Generating Plant Units 3 and 4 (Vogtle or VEGP) departures applicable to GTS 3.3.2.

RCOL COL Item Number and

Title:

There are no Vogtle COL items applicable to GTS 3.3.2.

RCOL PTS Change Number and

Title:

The VEGP License Amendment Request (LAR) proposed the following changes to the initial version of the PTS (referred to as the current TS by the VEGP LAR). These changes include Administrative Changes (A), Detail Removed Changes (D), Less Restrictive Changes (L), and More Restrictive Changes (M). These changes are discussed in Sections VI and VII of this GTST.

VEGP LAR DOC A028: Reformat of GTS 3.3.2 into Nine Parts; 3.3.8 through 3.3.16; note that this maps GTS 3.3.2 requirements into interim A028-modified TS (MTS) Subsection 3.3.8, to which the other changes are applied.

VEGP LAR DOC A025: SR text phrase change from the prescribed values to within limits.

VEGP LAR DOC A031: Revision of Various MTS 3.3.8 Required Action statements VEGP LAR DOC A032: Elimination of duplicate instrumentation Function listings in MTS Table 3.3.8-1 VEGP LAR DOC A033: Elimination of entries that merely reference other Functions in MTS Table 3.3.8-1 VEGP LAR DOC A034: Revision of Modes or Other Specified Conditions and footnotes in MTS Table 3.3.8-1 VEGP LAR DOC A035: Deletion of design-related details - coincident VEGP LAR DOC A036: Revision of footnotes in MTS Table 3.3.8-1 VEGP LAR DOC M02: Provision for Two or More Inoperable Divisions or Channels VEGP LAR DOC L01: TS Definition for Actuation Device Test is deleted; Equivalent SRs are added in individual specifications using phrasing consistent with NUREG-1431 VEGP LAR DOC L10: Delete PTS 3.3.2 Function 18, ESFAS Interlocks except reactor trip, P-4 VEGP LAR DOC L12: Actions related to Functions that result in valve isolation actuations are revised Date report generated:

Monday, June 29, 2015 Page 2

GTST AP1000-O61-3.3.8, Rev. 1 III. Comments on Relations Among TSTFs, RCOL Std. Dep., RCOL COL Items, and RCOL PTS Changes This section discusses the considered changes that are: (1) applicable to operating reactor designs, but not to the AP1000 design; (2) already incorporated in the GTS; or (3) superseded by another change.

TSTF-411-A, Rev.1 provides justification to (1) increase the required action completion time and the bypass test time allowance for the reactor trip breakers and (2) increase the surveillance test intervals for the reactor trip breakers, master relays, logic cabinets, and analog channels based on analysis provided in WCAP-15376-P, Rev. 0, Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times.

WCAP-15376-P, Rev. 0 did not specifically consider the AP1000 design. The AP1000 GTS completion times and surveillance frequencies for instrumentation functions and reactor trip breakers were justified by APP-GW-GSC-020 (WCAP-16787), which is listed as Reference 6 in the GTS Subsection 3.3.2 Bases. Therefore, TSTF-411-A is not applicable to the AP1000 STS, and is not discussed further in this GTST.

TSTF-418-A adjusts the WOG STS (NUREG-1431) required action completion times for the conventional Westinghouse Plant Protection System instrumentation design for which the WOG STS instrumentation requirements are applicable. The changes in TSTF-418 are based on the analysis in WCAP-14333-P, which did not consider the AP1000 protection and safety monitoring system (PMS) instrumentation design. The AP1000 GTS required action completion times (and surveillance frequencies) for the PMS were justified by APP-GW-GSC-020 (WCAP-16787),

which is listed as Reference 6 in the GTS Subsection 3.3.2 Bases. APP-GW-GSC-020 does not reference WCAP-14333-P, but notes, the AP1000 protection and safety monitoring system (PMS) redundancy is as good as or better than that of the conventional Westinghouse Plant Protection System. Although the PMS equipment reliability is considered to be equivalent to or better than that of the conventional Westinghouse Plant Protection System, a common basis for comparison to the digital portion of the PMS is not readily available.

TSTF-444-T is not applicable to the AP1000 GTS. The AP1000 design for the P-4, P-11, and P-12 interlocks is different than the NUREG-1431 design regarding the number of required channels and the implementation hardware. TSTF-444-T provides for elimination of an SR to perform a TADOT on the P-11 and P-12 interlocks. The AP1000 GTS do not require a TADOT for the P-11 and P-12 interlocks. Therefore, TSTF-444-T is not applicable to the AP1000 STS.

TSTF-483-T is not applicable to the AP1000 GTS. TSTF-483-T is follow-on to TSTF-418-A, which relaxed TS completion times based on WCAP-14333-P. WCAP-14333-P did not consider the AP1000 design in the analysis. The AP1000 TS completion times and surveillance frequencies were justified by APP-GW-GSC-020 (WCAP-16787). TSTF-483-T revised a reference in NUREG-1431 LCO 3.3.2, ESFAS Instrumentation, which does not appear in the AP1000 GTS.

TSTF-519-T has already been incorporated into the AP1000 GTS regarding the Writer's Guide for Improved Standard Technical Specifications (Reference 4) placement of Notes in TS Actions tables.

Date report generated:

Monday, June 29, 2015 Page 3

GTST AP1000-O61-3.3.8, Rev. 1 IV. Additional Changes Proposed as Part of this GTST (modifications proposed by NRC staff and/or clear editorial changes or deviations identified by preparer of GTST)

In the MTS 3.3.8 Actions section of the Bases, the phrase ...then all affected Functions provided by that channel must be declared inoperable... is revised to ...then all affected protection Functions supported by or dependent on that channel must be declared inoperable...

The VEGP TS Upgrade LAR added functional initiation signals in the MTS 3.3.8 Applicable Safety Analyses, LCO, and Applicability section of the bases. Additional cross references to the source of the signal (LCO and Function) were added for operational robustness. In addition, several sentences or paragraphs recommended for deletion in the VEGP LAR Bases (provided for information purposes, but not as a part of the LAR) were retained with modifications for clarity.

The phrase trip Function was replaced with instrument Function in several places in the Bases because this language is more appropriate for the LCO title, Engineered Safety Feature Actuation System (ESFAS) Instrumentation. In addition, several editorial changes were made throughout the bases for clarity.

In the ASA, LCO, and Applicability section of the Bases under the heading Reactor Trip, P-4, insert a comma after Function 17 in the first sentence of the last paragraph. In the first paragraph, first bullet, append the list of actuated components on a turbine trip: (closes turbine stop valves, control valves, reheat stop valves, intercept valves, extraction steam shutoff and non-return valves, and opens automatic steam line drain valves) Under the heading Intermediate Range Neutron Flux, P-6, revise the paragraph as indicated for consistency with proposed edits to Bases for Subsections 3.3.1, 3.3.2, and 3.3.3:

The Intermediate Range Neutron Flux, P-6 interlock is automatically enabled actuated when the respective PMS division NIS intermediate range Intermediate Range Neutron Flux channel increases to approximately one decade above the channel lower range limit. Below the setpoint, the P-6 interlock is automatically disabled, which unblocks the Source Range Neutron Flux Doubling instrument Function, permitting the automatic block of boron dilution.

Normally, this Function is blocked by the main control room operator during reactor startup after the Intermediate Range Neutron Flux instrument indicates that reactor power exceeds the P-6 setpoint because above the setpoint the block of boron dilution is not needed. The P-6 interlock is required to be OPERABLE in MODE 2 to support the Source Range Neutron Flux Doubling instrument Function to initiate CVS makeup isolation and align the boric acid tank to the CVS makeup pumps, which terminates a boron dilution event. This Function is required to be OPERABLE in MODE 2.

Under the heading Pressurizer Pressure, P-11, revise the first paragraph as indicated for consistency and clarity:

The P-11 interlock permits a normal unit cooldown and depressurization without Safeguards Actuation or main steam line and feedwater isolation. With pressurizer pressure channels less than the P-11 setpoint, the operator can manually block the following listed ESFAS instrument Functions, which initiate these ESF actuation and isolation Functions, by manually blocking the initiation signal from the ESFAS instrument channel in at least three PMS divisions:

Date report generated:

Monday, June 29, 2015 Page 4

GTST AP1000-O61-3.3.8, Rev. 1

Safeguards Actuation on manually block initiation the Pressurizer Pressure pressure - Low (Table 3.3.8-1, Function 5),

Steam Line Pressure - Low (Table 3.3.8-1, Function 24), and or Tcold - Low (Table 3.3.8-1, Function 11).by manually block initiation Safeguards Actuation signals and

Steam Line Isolation on the Steam Line Pressure - Low (Table 3.3.8-1, Function 24) and or Tcold - Low (Table 3.3.8-1, Function 11).

Manually blocking steam line isolation signals When the Steam Line Pressure - Low ESFAS instrument channels is manually blocked, a main steam isolation enables the ESF Function of Main Steam Isolation signal on Steam Line Pressure-Negative Rate - High (Table 3.3.8-1, Function 25) is enabled. This provides protection for an SLB by closure of the main steam isolation valves. Manual block of

Feedwater Isolation feedwater isolation on Tavg - Low 1 (Table 3.3.8-1, Function 12),

Tavg - Low 2 (Table 3.3.8-1, Function 13), and Tcold - Low (Table 3.3.8-1, Function 11).is also permitted below P-11.

With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Safeguards Actuation signals on Pressurizer Pressure - Low, Steam Line Pressure - Low, and Tcold - Low, Safeguards Actuation signals and the Steam Line Isolation signals on Steam Line Pressure - Low and Tcold - Low, steam line isolation signals are automatically enabled. The and the Feedwater Isolation feedwater isolation signals on Tcold - Low, Tavg - Low 1, and Tavg - Low 2 are also automatically enabled above P-11. The operator can also manually enable these signals by use of the respective PMS division manual reset buttons for these ESFAS instrument Functions. With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Steam Line Isolation signal on Steam Line Pressure-Negative Rate - High is automatically blocked.

Under the heading RCS Pressure, P-19, revise the second sentence in the first paragraph as indicated for consistency and clarity:

With RCS pressure below the P-19 setpoint, the operator can manually block CVS isolation on Pressurizer Water Level - High 2 (Table 3.3.8-1, Function 9) pressurizer water level, and block Passive RHRPRHR actuation and Pressurizer Heater Trip on Pressurizer Water Level - High 3 (Table 3.3.8-1, Function 10) pressurizer water level.

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under heading Pressurizer Water Level - High 2, the third paragraph should be revised for added clarity:

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when above the P-19 interlock with and the RCS is not being cooled by the RNS. This Function is not required to be OPERABLE in MODE 4either below the P-19 setpoint or with the RCS being cooled by the RNS, or bothand in MODES 5 and 6. Because it The CVS Makeup Isolation on Date report generated:

Monday, June 29, 2015 Page 5

GTST AP1000-O61-3.3.8, Rev. 1 Pressurizer Water Level - High 2 ESFAS Function is not required to mitigate a DBA in these conditions MODES.

In the Surveillance Requirements section of the Bases for STS Subsection 3.3.8 under the heading SR 3.3.8.2, revise paragraphs one, three, six, and ten to state:

SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A test subsystem is provided with the protection and safety monitoring system PMS to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features.

Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

To the extent possible, protection and safety monitoring system PMS functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

During the COT, the protection and safety monitoring system PMS cabinets in the division under test may be placed in bypass.

Under the heading SR 3.3.8.2, revise the first paragraph as indicated:

SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the IPC. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.

This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further Date report generated:

Monday, June 29, 2015 Page 6

GTST AP1000-O61-3.3.8, Rev. 1 evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

APOG Recommended Changes to Improve the Bases In the ASA, LCO, and Applicability section of the Bases, change +/- to plus or minus in the third paragraph. APOG indicates that this change aligns with Writer's Guide convention. NRC staff notes that the Writer's Guide is actually silent regarding this convention and this change does not conform to the convention of NUREG-1431, Rev. 4. (Internal Comment # 127)

In the Background section of the Bases for STS Subsection 3.3.8, change the tense of the verb assure from assured to assures in the fourth paragraph, next to last sentence. (Internal Comment # 127, # 166)

In the Background section of the Bases for STS Subsection 3.3.8 under the heading Plant Protection Subsystem, the word bases should be changed to basis in the second paragraph, last sentence. The verb should also be changed to match the single subject. (Internal Comment

170)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8, the third paragraph, last sentence, includes the phrase ...values must be confirmed to be operating within the assumptions... The word operating is incorrect, as the values should be within the assumptions. Delete the word operating. (Internal Comment # 171)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Steam Generator Blowdown Isolation, the first paragraph, states: The primary Function of the steam generator blowdown isolation is to ensure that sufficient water inventory is present in the steam generators to remove the excess heat... For clarity and to be more accurate, the statement should be changed to read: The primary Function of the steam generator blowdown isolation is to preserve water inventory in the steam generators to support removing the excess heat... The blowdown isolation by itself does not ensure sufficient water inventory. (Internal Comment # 173)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Passive Containment Cooling Actuation, the first paragraph, last sentence states Heat removal is initiated ... This sentence is discussing PCS heat removal. The modifier PCS should be added because there is more than one type of heat removal method. Add PCS in front of the word Heat and de-capitalize the word heat. (Internal Comment # 174)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Containment Radioactivity - High 1, the discussion in the last paragraph states that the Function is not required under certain conditions because any DBA release of radioactivity into the containment in these MODES would not require containment isolation. For clarity and to be more correct, the statement should be a new sentence that reads Any DBA release of radioactivity into the containment in these conditions would not require this containment isolation function. The conditions described are not all MODES and the discussion is about this specific containment isolation function, not all containment isolations. Additional NRC staff edits to this sentence are included (Internal Comment # 175):

This Function is not required to be OPERABLE in MODE 4 with the RCS being cooled by the RNS, or MODES 5, and MODE 6., because any Any DBA release of radioactivity into the containment in these MODESconditions would not Date report generated:

Monday, June 29, 2015 Page 7

GTST AP1000-O61-3.3.8, Rev. 1 require the containment isolationContainment Air Filtration System Isolation Function.

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Pressurizer Water Level - High 2, the first paragraph should be revised to correct a typographical error regarding the automatic blocking. The TS Bases reference to the P-11 permissive (saying that it is automatically blocked) should be the P-19 permissive (saying that it can be manually blocked) per FSAR Section 7.3.1.2.15. Note that in the TS itself, the Function (TS 3.3.8, Function 9) has footnote (g), which indicates Above the P-19 (RCS Pressure) interlock... Change the phrase is automatically to can be manually and the interlock number from 11 to 19 Revise the third and fourth sentences in the first paragraph as follows.

Additional NRC staff edits to these sentences are included (Internal Comment # 176):

. . . This Function is automatically can be manually blocked when the pressurizer pressure is below the P-11 permissive P-19 (RCS Pressure) setpoint to permit pressurizer water solid conditions with the plant cold and to permit level makeup during plant cooldowns. This Function is automatically unblocked when RCS pressure is above the P-19 (RCS Pressure) setpoint.

In the Surveillance Requirements section of the Bases for STS Subsection 3.3.8 under the heading SR 3.3.8.2, the next to last paragraph, last line uses the phrase integrated protection cabinets. The Bases for SR 3.3.8.3, first paragraph uses the term IPC, which is the acronym for integrated protection cabinets. The SR 3.3.8.2 Bases should be changed from integrated protection cabinets to integrated protection cabinets (IPCs). This change also applies to Section 3.3.10 (SR 3.3.10.2), Section 3.3.11 (SR 3.3.11.2), Section 3.3.13 (SR 3.3.13.2), and Section 3.3.14 (SR 3.3.14.2). Add the acronym (IPCs) after the words integrated protection cabinets in SR 3.3.8.2 (and other SRs identified above). (Internal Comment # 178)

Throughout the Bases, references to Sections and Chapters of the FSAR do not include the FSAR clarifier. Since these Section and Chapter references are to an external document, it is appropriate to include the FSAR modifier. (DOC A003) (Internal Comment # 3)

Date report generated:

Monday, June 29, 2015 Page 8

GTST AP1000-O61-3.3.8, Rev. 1 V. Applicability Affected Generic Technical Specifications and Bases:

Section 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation Changes to the Generic Technical Specifications and Bases:

GTS 3.3.2, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, is reformatted by DOC A028 into multiple Specifications including interim A028-modified TS (MTS) 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation. As a result of the reformatting, GTS 3.3.2 Functions 1.b, 1.c, 1.d, 1.e, 2.b, 2.c, 2.d, 3.b, 3.c, 4.b, 4.c, 4.d, 5.a, 5.b, 5.c, 6.b, 6.c, 6.d, 7.a, 7.b, 7.c, 7.d, 8.a, 8.b, 8.c, 8.d, 9.b, 10.a, 10.b, 11.a, 11.b, 11.c, 11.d, 11.e, 12.b, 13.b, 13.c, 13.d, 13.e, 13.f, 14.a, 14.b, 15.a, 15.b, 16.a, 16.b, 16.c, 16.d, 16.f, 16.g, 17.a, 17.b, 18.a, 18.c, 18.d, 18.e, 18.f, 19.a, 19.b, 21.a, 21.b, 22.b, 23.b, 27.a, 27.b, 29.b, 30.a, and 31.a are grouped together in MTS 3.3.8 and renumbered as Functions 1 through 26, as shown in the following list. As depicted in Section XI, each MTS 3.3.8 function title includes all of the content of the titles of the associated GTS functions. MTS 3.3.8 Functions 1 through 25 match the numbering of STS Functions 1 through 25. In the following list, only the STS 3.3.8 Function title is given for MTS 3.3.8 Functions 1 through 25. The MTS format is depicted as the reference case in the attached markup in Section XI. A number of items in the GTS 3.3.2 function list are provided with bracketed identifiers ([0], [1], [2]) which have been added to facilitate cross referencing of these items to their disposition in STS 3.3.8 through 3.3.16, later in this GTST Section.

MTS/STS 3.3.8 Function No. & STS Title GTS 3.3.2 Function(s)

1. Containment Pressure - Low 31. Containment Vacuum Relief Valve Actuation

a. Containment Pressure - Low

2. Containment Pressure - High 2 1. Safeguards Actuation

b. Containment Pressure - High 2

4. Steam Line Isolation

b. Containment Pressure - High 2

12. Passive Containment Cooling Actuation

b. Containment Pressure - High 2

3. Containment Radioactivity - High 1 19. Containment Air Filtration System Isolation

a. Containment Radioactivity - High 1

4. Containment Radioactivity - High 2 16. Chemical Volume and Control System Makeup Isolation

d. Containment Radioactivity - High 2

17. Normal Residual Heat Removal System (RNS) Isolation

a. Containment Radioactivity - High 2

5. Pressurizer Pressure - Low 1. Safeguards Actuation

c. Pressurizer Pressure - Low Date report generated:

Monday, June 29, 2015 Page 9

GTST AP1000-O61-3.3.8, Rev. 1 MTS/STS 3.3.8 Function No. & STS Title GTS 3.3.2 Function(s)

6. Pressurizer Water Level - Low 1 21. Auxiliary Spray and Purification Line Isolation

a. Pressurizer Water Level - Low 1

7. Pressurizer Water Level - Low 2 2. CMT Actuation

b. Pressurizer Water Level - Low 2

11. Reactor Coolant Pump Trip

d. Pressurizer Water Level - Low 2

8. Pressurizer Water Level - High 1 16. Chemical Volume and Control System Makeup Isolation

b. Pressurizer Water Level - High 1 Coincident with Safeguards Actuation

9. Pressurizer Water Level - High 2 16. Chemical Volume and Control System Makeup Isolation

c. Pressurizer Water Level - High 2

10. Pressurizer Water Level - High 3 13. Passive Residual Heat Removal Heat Exchanger Actuation

f. Pressurizer Water Level - High 3

27. Pressurizer Heater Trip

b. Pressurizer Water Level - High 3

11. RCS Cold Leg Temperature 1. Safeguards Actuation (Tcold) - Low e. Reactor Coolant System (RCS)

Cold Leg Temperature (Tcold) - Low

4. Steam Line Isolation

d. Tcold - Low

8. Startup Feedwater Isolation

b. Tcold - Low

12. Reactor Coolant Average 6. Main Feedwater Control Valve Isolation Temperature (Tavg) - Low 1 d. [0] Reactor Coolant Average Temperature (Tavg) - Low 1

[1] Coincident with Reactor Trip, P-4

13. Reactor Coolant Average 7. Main Feedwater Pump Trip and Valve Temperature (Tavg) - Low 2 Isolation

d. [0] Reactor Coolant Average Temperature (Tavg) - Low 2

[1] Coincident with Reactor Trip

14. RCS Wide Range Pressure - Low 10. Automatic Depressurization System (ADS)

Stage 4 Actuation

a. [0] Manual Initiation

[1] Coincident with RCS Wide Range Pressure - Low, or

[2] [Coincident with] ADS Stages 1, 2 & 3 Actuation Date report generated:

Monday, June 29, 2015 Page 10

GTST AP1000-O61-3.3.8, Rev. 1 MTS/STS 3.3.8 Function No. & STS Title GTS 3.3.2 Function(s)

b. [0] CMT Level - Low 2

[1] Coincident with RCS Wide Range Pressure - Low, and

[2] Coincident with ADS Stages 1, 2 & 3 Actuation

15. CMT Level - Low 1 9. Automatic Depressurization System (ADS)

Stages 1, 2, & 3 Actuation

b. [0] CMT Level - Low 1

[1] Coincident with CMT Actuation

16. CMT Level - Low 2 10. Automatic Depressurization System (ADS)

Stage 4 Actuation

b. [0] CMT Level - Low 2

[1] Coincident with RCS Wide Range Pressure - Low, and

[2] Coincident with ADS Stages 1, 2 & 3 Actuation

17. Source Range Neutron Flux 15. Boron Dilution Block Doubling a. Source Range Neutron Flux Doubling

16. CVS Makeup Isolation

f. Source Range Neutron Flux Doubling

18. IRWST Level - Low 3 23. IRWST Containment Recirculation Valve Actuation

b. [0] ADS Stage 4 Actuation

[1] Coincident with IRWST Level -

Low 3

19. Reactor Coolant Pump (RCP) 11. Reactor Coolant Pump Trip Bearing Water Temperature - High b. RCP Bearing Water Temperature -

High

30. Component Cooling Water System Containment Isolation Valve Closure

a. RCP Bearing Water Temperature -

High

20. SG Narrow Range Water 13. Passive Residual Heat Removal Heat Level - Low Exchanger Actuation

b. [0] SG Narrow Range Water Level -

Low

[1] Coincident with Startup Feedwater Flow - Low

14. SG Blowdown Isolation

b. SG Narrow Range Water Level - Low

21. SG Wide Range Water 13. Passive Residual Heat Removal Heat Level - Low Exchanger Actuation

c. SG Wide Range Water Level - Low Date report generated:

Monday, June 29, 2015 Page 11

GTST AP1000-O61-3.3.8, Rev. 1 MTS/STS 3.3.8 Function No. & STS Title GTS 3.3.2 Function(s)

22. SG Narrow Range Water 8. Startup Feedwater Isolation Level High d. [0] SG Narrow Range Water Level High

[1] Coincident with Reactor Trip (P-4)

16. CVS Makeup Isolation

g. [0] SG Narrow Range Water Level High

[1] Coincident with Reactor Trip (P-4)

23. SG Narrow Range Water 5. Turbine Trip Level - High 2 b. SG Narrow Range Water Level - High 2

6. Main Feedwater Control Valve Isolation

b. SG Narrow Range Water Level - High 2

7. Main Feedwater Pump Trip and Valve Isolation

b. SG Narrow Range Water Level - High 2

8. Startup Feedwater Isolation

a. SG Narrow Range Water Level - High 2

16. CVS Makeup Isolation

a. SG Narrow Range Water Level - High 2

24. Steam Line Pressure - Low 1. Safeguards Actuation

d. Steam Line Pressure - Low

4. Steam Line Isolation c.(1) Steam Line Pressure - Low

29. Steam Generator Power Operated Relief Valve and Block Valve Isolation

b. Steam Line Pressure - Low

25. Steam Line Pressure - Negative 4. Steam Line Isolation Rate - High c.(2)Steam Line Pressure - Negative Rate - High MTS 3.3.8 Function 26 is not included in the STS 3.3.8 Function list as explained by DOC L10.

MTS 3.3.8 Function No. & MTS Title GTS 3.3.2 Function(s)

26. ESFAS Interlocks 18. ESFAS Interlocks Reactor Trip Breaker Open, P-3 a. Reactor Trip Breaker Open, P-3 Reactor Trip, P-4 b. Reactor Trip, P-4 Intermediate Range Neutron Flux, P-6 c. Intermediate Range Neutron Flux, P-6 Pressurizer Pressure, P-11 d. Pressurizer Pressure, P-11 Pressurizer Level, P-12 e. Pressurizer Level, P-12 RCS Pressure, P-19 f. RCS Pressure, P-19 References 2, 3, and 6 provide details showing the correspondence of GTS 3.3.2 Functions and STS 3.3.8 through 3.3.16 Functions.

GTS 3.3.2 Conditions A, B, I, J, L, M, N, O, P, Q, R, S, T, V, X, Y, Z, and CC are reordered and relabeled as MTS 3.3.8 Conditions A through T and as changed become STS 3.3.8 Conditions A through P, as follows (applicability footnote references are listed except for STS 3.3.8 Conditions A, B, and C). (DOC A028)

Date report generated:

Monday, June 29, 2015 Page 12

GTST AP1000-O61-3.3.8, Rev. 1 GTS MTS STS STS 3.3.8 Functions B, I A A 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 B, I B B 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 A C C 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 The following ESFAS interlock function list illustrates how the applicable Modes and action requirements of the interlock Functions (GTS 3.3.2, Functions 18.a - 18.f) are superseded by the STS requirements of the supported STS 3.3.8 Functions, which implicitly require operability of the associated interlock(s). The STS Conditions apply to the STS 3.3.8 Function(s) listed to the right; but the GTS Conditions apply to the interlocks. Other than lining out MTS 3.3.8 Function 26, the MTS 3.3.8 markup in Section XI does not show how each interlock Function MTS Condition is superseded by the supported ESFAS Functions Condition. STS 3.3.8 Functions 8, 14, 15, 16, 18, 19, 20, 21 and 23 do not depend upon ESFAS interlocks.

Actions Conditions Interlocks [GTS 3.3.2 Function 18 Applicable Modes] and GTS MTS STS Supported STS 3.3.8 Functions [Applicable Modes] (DOC A028)

D, M --- P P-3 [1,2,3]: 1 [1,2,3,4,5(a),6(a)]

D, M --- E P-3 [1,2,3]: 5 [1,2,3(c)] 11 [1,2,3(c)]

D, M --- G P-3 [1,2,3]: 24 [1,2,3,4]

D, M --- D P-4 [1,2,3]: 12 [1,2] 13 [1,2]

D, M --- I P-4 [1,2,3]: 22 [1,2,3,4]

J, L --- I P-6 [2]: 17 [2(j),3(j),4,5]

J, M --- H P-11 [1,2,3]: 2 [1,2,3,4]

J, M --- I P-11 [1,2,3]: 4 [1,2,3]

J, M --- E P-11 [1,2,3]: 5 [1,2,3(c)]

J, M --- E P-11 [1,2,3]: 11 [1,2,3(c)]

J, M --- D P-11 [1,2,3]: 13 [1,2]

J, M --- G P-11 [1,2,3]: 24 [1,2,3,4(b)]

J, M --- I P-11 [1,2,3]: 25 [3(k)]

J, M --- F P-12 [1,2,3]: 7 [1,2,3,4(b)]

J, M --- D P-12 [1,2,3]: 6 [1,2]

J, M --- I P-12 [1,2,3]: 3 [1,2,3,4(b)]

BB, Y --- J P-12 [4,5,6]: 7 [4(d),5(e)(f)]

J, N --- I P-19 [1,2,3,4]: 9 [1,2,3,4(g)]

J, N --- F P-19 [1,2,3,4]: 10 [1,2,3,4(g)]

In the following list, STS 3.3.8 Functions 22 and 23 appear more than once for the same applicability because the corresponding GTS 3.3.2 Functions do not all have the same Conditions specified.

GTS MTS STS STS 3.3.8 Functions [Applicable MODES; Required Interlocks]

L E D 6 [1,2; P-4] 12 [1,2; P-4] 13 [1,2; P-4, P-11]

23[1,2]

R K D 23[1,2]

M F E 5 [1,2,3(c); P-3, P-11] 11 [1,2,3(c); P-3, P-11]

N G F 7 [1,2,3,4(b); P-12] 10 [1,2,3,4(g); P-19] 18 [1,2,3,4(b)]

20 [1,2,3,4(b)] 21 [1,2,3,4(b)]

M, N G G 24 [1,2,3,4(b); P-3, P-11]

O H H 2 [1,2,3,4; P-11] 14 [1,2,3,4]

Date report generated:

Monday, June 29, 2015 Page 13

GTST AP1000-O61-3.3.8, Rev. 1 For STS 3.3.8 Functions 3, 4, 8, 9, 17, 22, 23, and 25, STS 3.3.8 Condition I replaces MTS 3.3.8 Conditions G, I, J, K, L, M, and S (DOC L12); for STS 3.3.8 Function 19, STS 3.3.8 Condition O replaces MTS 3.3.8 Condition M (DOC L12):

GTS MTS STS STS 3.3.8 Functions [Applicable MODES; Required Interlocks]

M G I 25 [3(k); P-11]

P I I 17 [5; P-6]

Q J I 4 [1,2,3; P-11] 8 [1,2,3]

R K I 22 [1,2,3,4; P-4]

S L I 22 [1,2,3,4; P-4] 23 [3,4]

T M I 9 [1,2,3,4(g); P-19] 17 [2(j),3(j),4; P-6]

Z S I 3 [1,2,3,4(b); P-12]

T M O 19 [1,2,3,4]

V N J 7 [4(d),5(e)(f); P-12] 15 [5(i)]

X O K 14 [5; P-3]

X P L 14 [6(h); P-3]

Y Q M 18 [4(d),5]

Y R N 18 [6(h)]

CC T P 1 [1,2,3,4,5(a),6(a); P-3]

GTS Table 3.3.2-1 footnotes a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, and r, are reordered and relabeled as MTS Table 3.3.8-1 footnotes a, b, c, d, e, f, g, h, i, j, k, l, m, and n, and as changed become STS Table 3.3.8-1 footnotes a, b, c, d, e, f, g, h, i, j, and k, as follows:

GTS MTS STS STS Table 3.3.8-1 footnote (r) (a) (a) Without an open containment air flow path 6 inches in diameter.

(h) (b) --- Not applicable if all MSIVs are closed. (deleted) (DOC L12)

(b) (c) (b) With the RCS not being cooled by the Normal Residual Heat Removal System (RNS).

(e) (d) --- Not applicable for valve isolation Functions whose associated flow path is isolated. (deleted) (DOC L12)

(a) (e) (c) Above the P-11 (Pressurizer Pressure) interlock, when the RCS boron concentration is below that necessary to meet SDM requirements at an RCS temperature of 200 degrees F.

(c) (f) (d) With the RCS being cooled by the RNS.

(d) (g) (e) With the RCS pressure boundary intact.

(l) (h) (f) With the RCS not being cooled by the RNS and with pressurizer level 20%. (DOC A036)

(m) (i) (g) Above the P-19 (RCS Pressure) interlock with the RCS not being cooled by RNS. (DOC A036)

(j) (j) --- Not applicable when the required ADS valves are open. See LCO 3.4.12 and LCO 3.4.13 for ADS valve and equivalent relief area requirements.

(deleted) (DOC A034)

Date report generated:

Monday, June 29, 2015 Page 14

GTST AP1000-O61-3.3.8, Rev. 1 GTS MTS STS STS Table 3.3.8-1 footnote (k) (k) (h) With upper internals in place.

--- --- (i) With RCS pressure boundary intact and with pressurizer level 20%.

(n) (l) (j) Not applicable when critical or during intentional approach to criticality (i) (m) --- Not applicable when the startup feedwater flow paths are isolated.

(deleted) (DOC L12)

(g) (n) (k) Below the P-11 (Pressurizer Pressure) interlock.

(f) --- --- With decay heat > 6.0 MWt. (STS 3.3.9)

(o) --- --- During movement of irradiated fuel assemblies. (STS 3.3.13)

(p) --- --- Below the P-12 (Pressurizer Level) interlock. (STS 3.3.10)

(q) --- --- With the water level < 23 feet above the top of the reactor vessel flange.

(STS 3.3.10)

MTS Table 3.3.8-1 footnote (b) is deleted, which affects the applicability of MTS Table 3.3.8-1 Functions 2, 11, 24, and 25 (GTS Table 3.3.2-1 Functions 4.b, 4.c.1, 4.c.2, and 4.d; and footnote (h)). (DOC L12)

MTS Table 3.3.8-1 footnote (d) is deleted, which affects the applicability of MTS Table 3.3.8-1 Functions 4, 8, 9, 17, 20, 22, and 23 (GTS Table 3.3.2-1 Functions 6b, 7b, 8a, 8d, 11a, 11c, 11e, 13b, 14b, 15a, 15b, 16a, 16b, 16c, 16d, 16f, 16g, 17a, and 22b; and footnote (e)).

(DOC L12)

MTS Table 3.3.8-1 footnote (j) is deleted, which affects MTS Table 3.3.8-1 Functions 14, 15, 16, and 18 (GTS Table 3.3.2-1 Functions 9.b, 10.a, 10.b, and 23.b; and footnote (j)). (DOC A034)

MTS Table 3.3.8-1 footnote (m) is deleted, which affects MTS Table 3.3.8-1 Functions 22, 23 (GTS Table 3.3.2-1 Functions 8.a and 8.d; and footnote (i)). (DOC L12)

STS Table 3.3.8-1 footnote (i) is added; it states With RCS pressure boundary intact and with pressurizer level 20%. One can also view this added footnote as a combination of GTS footnotes (d) and (l). (DOC A034)

GTS Table 3.3.2-1 footnote (b) and footnote (l) are combined to create a revised GTS Table 3.3.2-1 footnote (l) (MTS Table 3.3.8-1 footnote (h) and STS Table 3.3.8-1 footnote (f)).

The PTS presentation of two footnotes is confusing in that it may not be readily apparent to the user that the subject footnotes require an AND relationship. (DOC A036)

GTS Table 3.3.2-1 footnote (b) and footnote (m) are combined to create a revised GTS Table 3.3.2-1 footnote (m) (MTS Table 3.3.8-1 footnote (i) and STS Table 3.3.8-1 footnote (g)).

The PTS presentation of two footnotes is confusing in that it may not be readily apparent to the user that the subject footnotes require an AND relationship. (DOC A036)

GTS SR 3.3.2.1, SR 3.3.2.4, SR 3.3.2.5, SR 3.3.2.6, SR 3.3.2.7, SR 3.3.2.8, and SR 3.3.2.9 are retained and renumbered as MTS SR 3.3.8.1 through SR 3.3.8.7, respectively.

Date report generated:

Monday, June 29, 2015 Page 15

GTST AP1000-O61-3.3.8, Rev. 1 MTS 3.3.8 Condition C is revised by adding a second condition statement for the condition one or more Functions with three or more channels inoperable. Otherwise, LCO 3.0.3 would apply when the LCO is not met and the associated Actions are not met or an associated Action is not provided. (DOC M02)

MTS 3.3.8 Condition D is deleted and MTS 3.3.8 Function 26 (PTS 3.3.2 Function 18), except the P-4 interlock which is relocated to MTS 3.3.12, is removed from MTS 3.3.8 Table 3.3.8-1.

The interlock operability is adequately addressed by each related Functions requirement to be Operable and the requirement for actuation logic operability. (DOC L10)

A new Condition G is inserted into MTS 3.3.8 to consolidate the required actions of GTS 3.3.2 Condition M (for GTS 3.3.2 Function 1.d, Safeguards Actuation on Steam Line Pressure - Low, and Function 4.c(1), Steam Line Isolation on Steam Line Pressure - Low) and GTS 3.3.2 Condition N (for GTS 3.3.2 Function 29.b, SG PORV and Block Valve Isolation on Steam Line Pressure - Low) to retain the most restrictive action requirements of these Conditions in Condition G of MTS 3.3.8/STS 3.3.8 for Function 24, Steam Line Pressure - Low. (DOCs A028 and A032)

Duplicate instrument Function listings, which are shown in the STS-GTS function list in the beginning of this GTST section, are included in MTS Table 3.3.8-1; but where such listings refer the operator to another function in the table for its applicability, operability, action, and surveillance requirements, such reference statements are omitted. (DOC A033) For instances where the duplicate function listing explicitly specifies one or more of these requirements, such requirements are included in Table MTS 3.3.8-1 to illustrate how they compare with the requirements for the function specified elsewhere in the table (in general, the STS retains the most restrictive of the listed requirements for each instrument function). GTS Table 3.3.2-1 often requires operability of the same instrumentation channels in more than one ESFAS function. It is confusing and excessively complex to separately specify requirements for an instrument function in multiple table entries, requiring the operator to enter all specified Actions concurrently. (DOC A032) In addition, the listed coincidences among multiple instrument and logic actuation signals in GTS Table 3.3.2-1 (and listed in the beginning of this GTST section),

which are removed by DOC A028, are deleted in MTS Table 3.3.8-1, but are shown in the GTST Section V for STS 3.3.15 and 3.3.16 (marked with an *), since they are details of the ESF Coincidence Logic that are implicitly required by STS LCO 3.3.15.a and LCO 3.3.16.a.

(DOC A035)

GTS 3.3.2 Actions Conditions M, P, Q, R, S, T, and Z (MTS 3.3.8 Conditions G, I, J, K, L, M, and S, respectively), which are related to Functions that result in valve isolation actuations, specify inconsistent required actions for inoperable channels of such instrument functions.

These inconsistencies are removed by revising the associated action requirements and applicability footnotes in MTS Table 3.3.8-1, as follows (DOC L12):

(1) MTS 3.3.8 Conditions G, I, J, K, L, and S, which are related to Functions that result in valve isolation actuations and which specify required actions to isolate affected flow paths, are replaced by STS 3.3.8 Condition I. Required Action I.1 requires immediately declaring affected isolation valves inoperable. Condition I applies to STS 3.3.8 Functions 3, 4, 8, 9, 17, 22, 23, and 25. (DOC L12)

(2) MTS 3.3.8 Condition M, which is also related to a Function that results in valve isolation actuations and which specifies required actions to isolate affected flow paths, is replaced by STS 3.3.8 Condition O. Required Action O.1 requires immediately declaring affected isolation valves inoperable, and Required Action O.2 requires being in Mode 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Condition O applies to STS 3.3.8 Function 19. (DOC L12)

Date report generated:

Monday, June 29, 2015 Page 16

GTST AP1000-O61-3.3.8, Rev. 1 STS 3.3.8 Function STS Actuated System Function No. - ACTION No. and Title LCO - ACTIONS GTS 3.3.2 MTS 3.3.8 STS 3.3.8

3. Containment Radioactivity - High 1 3.6.3 - A, B, C 19a - Z 3-S 3-I

4. Containment Radioactivity - High 2 3.1.9 - A, B 16d - Q 4-J 4-I 3.6.3 - A, B, C 17a - Q 4-J 4-I

8. Pressurizer Water Level - High 1 3.1.9 - A, B 16b - Q 8-J 8-I

9. Pressurizer Water Level - High 2 3.1.9 - A, B 16c - T 9-M 9-I

17. Source Range Neutron Flux 3.1.9 - A, B 15a - T, P 17 - M 17 - I Doubling 3.1.9 - A, B 16f - T, P 17 - M 17 - I

19. Reactor Coolant Pump Bearing 3.6.3 - A, B, C 30a - T 19 - M 19 - O Water Temperature - High

22. Steam Generator (SG) Narrow 3.7.7 - A, B, C 8d - S 22 - J 22 - I Range Water Level High 3.1.9 - A, B 16g - R 22 - K 22 - I

23. Steam Generator (SG) Narrow 3.7.3 - A, B, C 6b (7b) - R 23 - K 23 - I Range Water Level - High 2 3.1.9 - A, B 6b (16a) - R 23 - K 23 - I 3.7.7 - A, B, C 8a - S 23 - L 23 - I

25. Steam Line Pressure - Negative 3.7.2 - D, E, F 4c(2) - M 25 - G 25 - I Rate - High MTS 3.3.8 Action O.2 lead in phrase: If in MODE 5 with RCS open and < 20% pressurizer level... is deleted. MTS Table 3.3.8-1 footnote and Mode revisions make this phrase unnecessary. (DOC A034)

MTS 3.3.8 Action O.2 phrase is revised from initiate action to be in MODE 5 with RCS open and 20% pressurizer level, to Initiate action to open RCS pressure boundary and establish 20% pressurizer level. This change is made for clarity and consistency. (DOC A031)

MTS 3.3.8 Action P.2 lead in phrase: If in MODE 6 with upper internals in place... is deleted.

MTS Table 3.3.8-1 footnote and Mode revisions make this phrase unnecessary. (DOC A034)

MTS 3.3.8 Action P.2 phrase is revised from initiate action to be MODE 6 with the upper internals removed, to Initiate action to remove the upper internals. This change is made for clarity and consistency. (DOC A031)

MTS 3.3.8 Action R.2 phrase is revised from initiate action to be MODE 6 with the water level 23 feet above the top of the reactor vessel flange, to Initiate action to establish water level 23 feet above the top of the reactor vessel flange. This change is made for clarity and consistency. (DOC A031)

MTS SR 3.3.8.3 Note is revised from ...adjusted to the prescribed values. to ... adjusted to within limits. This change is made for clarity and consistency. (DOC A025)

MTS SR 3.3.8.5, SR 3.3.8.6, and SR 3.3.8.7 are deleted. Failure of an Actuation Device Test results in inappropriate Actions relative to the actuated equipment inoperability. These SR requirements are relocated to equivalent SRs in the individual equipment specifications, or in STS Specifications 3.3.15 and 3.3.16, if no specification exists for the required actuated equipment. (DOC L01) These specifications provide appropriate action requirements for the affected inoperable actuated equipment.

Date report generated:

Monday, June 29, 2015 Page 17

GTST AP1000-O61-3.3.8, Rev. 1 Functions in MTS Table 3.3.8-1 that merely reference other functions are eliminated. DOC A028 reformats GTS Table 3.3.2-1 and the referencing functions are no longer necessary.

(DOC A033)

Design-related details such as coincident in MTS Table 3.3.8-1 Functions 18 and 20 (GTS Table 3.3.2-1 Functions 13.b and 23.b) are deleted. DOC A028 reformats GTS Table 3.3.2-1.

Because the new (reformatted) functions now refer to the instrumentation in lieu of the system actuations, discussion of coincidence is no longer required. (DOC A035)

The following tables are provided as an aid to tracking the various changes to GTS 3.3.2 Conditions, Required Actions, Functions, Applicability Footnotes, and Surveillance Requirements that result in interim A028-modified TS (MTS) 3.3.8 and as further changed, STS 3.3.8.

Changes to Conditions GTS 3.3.2 MTS 3.3.8 STS 3.3.8 Other STS Subsections Additional Condition Condition Condition Addressing the Listed Condition DOC Changes A C C 3.3.9, 3.3.10 M02 B A A GTS Condition B split into 2 Conditions ---

B B B GTS Condition B split into 2 Conditions ---

C 3.3.10 ---

D 3.3.12, 3.3.15 ---

E 3.3.9 ---

F 3.3.13 ---

G 3.3.9, 3.3.13, 3.3.16 ---

H 3.3.11, 3.3.14 ---

I B B, C Eliminated ---

J D --- Eliminated L10 K 3.3.13 ---

L E D --- ---

M F E 3.3.12 ---

GTS 3.3.2 Function 4.c.2 covered by STS 3.3.8 Condition I and STS 3.7.2 N G F 3.3.9, 3.3.11 ---

--- --- G New Condition added A032 O H H 3.3.9, 3.3.13, 3.3.15 ---

P I I 3.3.14, 3.1.9 L12 Q J I 3.3.9, 3.7.2 L12 R K --- Eliminated - Also in 3.3.9 L12 S L I 3.3.9, 3.7.7 L12 T M O or I --- L12 U STS 3.3.9 ---

V N J --- ---

W 3.3.16 ---

GTS 3.3.2 Condition X actions are split between 2 Conditions in STS 3.3.8 X O K 3.3.9 A031 A034 X P L 3.3.9 A031 A034 GTS 3.3.2 Condition Y actions are split between 2 Conditions in STS 3.3.8 Y Q M 3.3.9. 3.3.10 ---

Y R N 3.3.9. 3.3.10 A031 Z S I 3.6.3 L12 AA 3.3.10 ---

BB 3.3.10 ---

CC T P 3.3.9 ---

Changes to Functions

Function [Modes(footnote)] ----------- STS 3.3.8 Other STS Subsections Additional GTS 3.3.2 MTS 3.3.8 STS 3.3.8 Conditions and Additional Changes DOC Changes 1.a [1,2,3,4] 3.3.9 ---

1.a [5] 3.3.9 ---

1.b [1,2,3,4] 2 [1,2,3,4] 2 [1,2,3,4] H Combined with 4.b,12.b A032 1.c [1,2,3(a)] 5 [1,2,3(a)] 5 [1,2,3(c)] E --- ---

1.d [1,2,3(a)] --- 24 [1,2,3,4(b)] G Combined with 4.c.1,29.b A032 Date report generated:

Monday, June 29, 2015 Page 18

GTST AP1000-O61-3.3.8, Rev. 1

Function [Modes(footnote)] ----------- STS 3.3.8 Other STS Subsections Additional GTS 3.3.2 MTS 3.3.8 STS 3.3.8 Conditions and Additional Changes DOC Changes 1.e [1,2,3(a)] 11 [1,2,3(c)] 11 [1,2,3(c)] E Combined with 4.d,8.b A032 2.a [1,2,3,4(b)] 3.3.9 ---

2.a [4(c),5(d)] 3.3.9 ---

2.b [1,2,3,4(b)] 7 [1,2,3,4 (c)] 7 [1,2,3,4(b)] F --- A032 2.b [4(c),5(d)] 7 [4(f),5(g)] 7 [4(d),5(e,f)] J Combined with 11.d A032 2.c [1,2,3,4,5(d) --- --- --- Deleted A033 2.d [1,2,3,4,5(d) --- --- --- Deleted A033 3.a [1,2,3,4] 3.3.9 ---

3.a [5(e),6(e)] 3.3.9 ---

3.b [1,2,3,4,5(e,f),6(e,f)] --- --- --- Deleted A033 3.c [1,2,3,4,5(e)] --- --- --- Deleted A033 4.a [1,2(h),3(h),4(h)] 3.3.9 ---

4.b [1,2(h),3(h),4(h)] --- 2 [1,2,3,4] H Combined with 1.b,12.b A032 4.c.1 [1,2(h),3(a,h)] --- 24 [1,2,3,4(b)] G Combined with 1.d,29.b A032 4.c.2 [3(g,h)] 25 [3(b,n)] 25 [3(k)] I --- L12 4.d [1,2(h),3(a,h)] --- 11 [1,2,3(c)] E Combined with 1.e,8.b A032 5.a [1,2] --- --- --- Deleted A033 5.b [1,2] 23 [1,2] 23 [1,2] D Combined with 6.b,7.b,8.a,16.a A032 5.c [1,2] --- --- --- Deleted A033 6.a [1,2,3,4(e)] 3.3.9 ---

6.b [1,2,3,4(b,e)] --- 23 [1,2] D Combined with 5.b,7.b,8.a,16.a A032 6.c [1,2,3,4(e)] --- --- --- Deleted A033 6.d [1,2] 12 [1,2] 12 [1,2] D --- ---

6.d [Func 18.b] --- --- --- Deleted A033 7.a [Func 6.a] --- --- --- Deleted A033 7.b [1,2,3,4(b,e)] --- 23 [1,2] D Combined with 5.b,6.b,8.a,16.a A032 7.c [1,2,3,4(e)] --- --- --- Deleted A033 7.d [1,2] 13 [1,2] 13 [1,2] D --- ---

7.d [Func 18.b] --- --- --- Deleted A033 8.a [1,2,3,4(i)] 23 [3,4(m)] 23 [3,4] I Combined with 5.b,6.b,7.b,16.a A032 L12 8.b [1,2,3(a)] --- 11 [1,2,3(c)] E Combined with 1.e,4.b A032 8.c [Func 6.a] --- --- --- Deleted A033 8.d [1,2,3,4(i)] 22 [1,2,3,4(m)] 22 [1,2,3,4] I 3.3.12, combined with 16.g A032 L12 8.d [Func 18.b] --- --- --- Deleted A033 9.a [1,2,3,4] 3.3.9 ---

9.b [1,2,3,4] 15 [1,2,3,4] 15 [1,2,3,4] H --- ---

9.b [5(j,l)] 15 [5(h,j)] 15 [5(i)] J --- A034 9.b [Func 2] --- --- --- Deleted A033 10.a.0 [1,2,3,4] 3.3.9 ---

10.a.0 [5(j),6(j,k)] 3.3.9 ---

10.a.1 [1,2,3,4] 14 [1,2,3,4] 14 [1,2,3,4] H Combined with 10.b A032 10.a.1 [5(i)] 14 [5(j)] 14 [5] K Combined with 10.b A032 A034 10.a.1 [6(j,k)] 14 [6(j,k)] 14 [6(h)] L Combined with 10.b A032 A034 10.a.2 [Func 9] --- --- --- Deleted A033 10.b.0 [1,2,3,4] 16 [1,2,3,4] 16 [1,2,3,4] H --- ---

10.b.0 [5(j,l)] 16 [5(h,j)] 16 [5] J --- A034 10.b.1 [1,2,3,4] --- 14 [1,2,3,4] H Combined with 10.a A032 10.b.1 [5(j,l)] --- 14 [5] K Combined with 10.a A032 A034 10.b.2 [Func 9] --- --- --- Deleted A033 10.c [4(c),5(j),6(j)] 3.3.10 ---

11.a [Func 9] --- --- --- --- A033 11.b [1,2] --- 19 [1,2,3,4] O Combined with 30.a A032 11.c [Func 2.a] --- --- --- Deleted A033 11.d [1,2,3,4(b)] --- 7 [1,2,3,4(b)] F Combined with 2.b A032 11.d [4(c),5(b,l)] 7 [4(f),5(c,h)] 7 [4(d),5(e,f)] J --- A032 A036 11.e [Func 1] --- --- --- Deleted A033 12.a [1,2,3,4] 3.3.9 ---

12.a [5(f),6(f)] 3.3.9 ---

12.b [1,2,3,4] --- 2 [1,2,3,4] H Combined with 1.b,4.b A032 13.a [1,2,3,4] 3.3.9 ---

13.a [5(d)] 3.3.9 ---

13.b [1,2,3,4(b)] 20 [1,2,3,4(c)] 20 [1,2,3,4(b)] F 3.3.11, combined with 14.b A032 L12 13.b [1,2,3,4(b)] --- --- --- Coincidence deleted A035 13.c [1,2,3,4(b)] 21 [1,2,3,4(c)] 21 [1,2,3,4(b)] F --- ---

13.d [1,2,3,4,5(d)] --- --- --- Deleted A033 13.e [Func 2] --- --- --- Deleted A033 13.f [1,2,3,4(b,m)] 10 [1,2,3,4(c,i)] 10 [1,2,3,4(g)] F Combined with 27.b A032 A036 14.a [1,2,3,4(b,e)] --- --- --- Deleted A033 14.b [1,2,3,4(b,e)] --- 20 [1,2,3,4(b)] F Combined with 13.b A032 L12 15.a [2(n),3(n),4(e)] 17 [2(l),3(l),4(d)] 17 [2(j),3(j),4] I --- L12 15.a [5(e)] 17 [5] 17 [5] I --- L12 15.b [Func 18.b] --- --- --- Deleted A033 Date report generated:

Monday, June 29, 2015 Page 19

GTST AP1000-O61-3.3.8, Rev. 1

Function [Modes(footnote)] ----------- STS 3.3.8 Other STS Subsections Additional GTS 3.3.2 MTS 3.3.8 STS 3.3.8 Conditions and Additional Changes DOC Changes 16.a [1,2,3(e),4(b,e)] --- 23 [1,2] D Combined with 5.b,6.b,7.b,8.a A032 16.b [1,2,3(e)] 8 [1,2,3(d)] 8 [1,2,3] I --- L12 16.b [Func 1] --- --- --- --- A033 16.c [1,2,3,4(b,e,m)] 9 [1,2,3,4(c,d,i)] 9 [1,2,3,4(g)] I --- A036 L12 16.d [1,2,3(e)] 4 [1,2,3(d)] 4 [1,2,3] I Combined with 17.a A032 L12 16.e [1,2,3(e),4(b,e)] 3.3.9 ---

16.f [Func 15.a] --- --- --- Deleted A033 16.g [1,2,3(e),4(b,e)] --- 22 [1,2,3,4] I Combined with 8.d A032 16.g [Func 18.b] --- --- --- Deleted A033 17.a [1,2,3(e)] --- 4 [1,2,3] I Combined with 16.d A032 L12 17.b [Func 1] --- --- --- Deleted A033 17.c [1,2,3(e) 3.3.9 ---

18.a [1,2,3] --- --- --- Deleted L10 18.b [1,2,3] 3.3.12 ---

18.c [2] --- --- --- Deleted L10 18.d [1,2,3] --- --- --- Deleted L10 18.e [1,2,3] --- --- --- Deleted L10 18.f [1,2,3,4(b)] --- --- --- Deleted L10 19.a [1,2,3,4(b)] 3 [1,2,3,4(c)] 3 [1,2,3,4(b)] I --- L12 19.b [Func 3] --- --- --- Deleted A033 20.a [1,2,3,4] 3.3.13 ---

21.a [1,2] 6 [1,2] 6 [1,2] D --- ---

21.b [Func 16.e] --- --- --- Deleted A033 22.a [1,2,3,4(b)] 3.3.9 ---

22.b [Func 10] --- --- --- Deleted A033 23.a [1,2,3,4(b)] 3.3.9 ---

23.b [Func 10] --- --- --- Deleted A033 23.b [1,2,3,4(b)] 18 [1,2,3,4(c)] 18 [1,2,3,4(b)] F --- A035 23.b [4(c),5(j)] 18 [4(f),5(j)] 18 [4(d),5] M --- A035 23.b [6(j)] 18 [6(j)] 18 [6(h)] N --- A034 A035 24.a [6] 3.3.14 ---

25.a [1,2,3,4] 3.3.15, 3.3.16 ---

25.a [5,6] 3.3.15, 3.3.16 ---

26.a [1,2,3,4] 3.3.15, 3.3.16 L01 26.a [5,6] 3.3.15, 3.3.16 L01 27.a [Func 2] --- --- --- Deleted A033 27.b [1,2,3,4(b,m)] --- 10 [1,2,3,4(g)] F Combined with 13.f A032 A036 28.a [4(c,p),5(p),6(p,q)] 3.3.10 ---

29.a [1,2,3,4(b)] 3.3.9 ---

29.b [1,2,3,4(b)] 24 [1,2,3,4(b)] 24 [1,2,3,4(b)] G Combined with 1.d,4.c.1 A032 30.a [1,2,3,4] 19 [1,2,3,4] 19 [1,2,3,4] O Combined with 11.b L12 31.a [1,2,3,4,5(r),6(r)] 1 [1,2,3,4,5(a),6(a)] 1 [1,2,3,4,5(a),6(a)] P --- ---

31.b [1,2,3,4,5(r),6(r)] 3.3.9 ---

Changes to Applicability Footnotes GTS 3.3.2 MTS 3.3.8 STS 3.3.8 STS 3.3.8 STS Subsections Additional Changes Footnote Footnote Footnote Function Addressing Listed footnote DOC Number a e c 5, 11 --- ---

b c b 3, 7, 18, 20, 21, 24 3.3.9 ---

c f d 7, 18 3.3.9, 3.3.10 ---

d g e 7 3.3.9 ---

e d --- --- Deleted, 3.3.9 L12 f o --- --- Deleted, 3.3.9 A033 g n k 25 --- ---

h b --- --- Deleted, 3.3.9 L12 i m --- --- Deleted L12 j j --- --- Deleted, 3.3.9, 3.3.10 A034 k k h 14, 18 3.3.9, 3.3.10 A034 l h i 15 3.3.9 A034 l --- f 7 Combination of GTS A036

--- --- --- --- footnote b and l ---

m i g 9, 10 Combination of GTS A036

--- --- --- --- footnote b and m ---

n l j 17 --- ---

o 3.3.13 ---

p 3.3.10 ---

q 3.3.10 ---

r a a 1 3.3.9 ---

Date report generated:

Monday, June 29, 2015 Page 20

GTST AP1000-O61-3.3.8, Rev. 1 Changes to Surveillance Requirements GTS 3.3.2 MTS 3.3.8 STS 3.3.8 STS Subsections Also Example Surveillance No.,

SR SR SR Addressing the Listed SR Surveillance Description 3.3.2.1 3.3.8.1 3.3.8.1 3.3.10, 3.3.11, 3.3.13, 3.3.14 3.3.8.1 CHANNEL CHECK 3.3.2.2 3.3.15, 3.3.16 3.3.15.1 ACTUATION LOGIC TEST 3.3.2.3 3.3.9, 3.3.12 3.3.9.1 TRIP ACTUATING DEVICE OPERATIONAL TEST 3.3.2.4 3.3.8.3 3.3.8.3 3.3.10, 3.3.11, 3.3.13, 3.3.14 3.3.8.3 CHANNEL CALIBRATION 3.3.2.5 3.3.8.2 3.3.8.2 3.3.10, 3.3.11, 3.3.13, 3.3.14 3.3.8.2 CHANNEL OPERATIONAL TEST 3.3.2.6 3.3.8.4 3.3.8.4 3.3.10, 3.3.11, 3.3.13, 3.3.14 3.3.8.4 ESF RESPONSE TIME 3.3.2.7 3.3.8.5 3.1.9, 3.5.2, 3.5.4, 3.5.6 ACTUATION DEVICE TEST*

3.6.10, 3.7.7 3.3.2.8 3.3.8.6 3.4.11, 3.4.13 Squib Valve ACTUATION DEVICE TEST 3.3.2.9 3.3.8.7 3.3.15, 3.3.16 Pressurizer Heater ACTUATION DEVICE TEST

Typically, the associated STS system specification or STS 3.3.15 or 3.3.16, will include a SR for the actuation device, as follows: Verify [tested required component] actuates to the [required position or state] on an actual or simulated actuation signal. Such SRs overlap with the Actuation Logic Test for complete testing of the actuation device. (DOC L01)

The ASA, LCO, and Applicability section of the Bases is revised to replace +/- with plus or minus. (APOG Comment, Internal Comment # 127))

The Background section of the Bases is corrected for proper grammar. (APOG Comment, Internal Comment # 166)

The ASA, LCO, and Applicability section of the Bases is revised to delete the word operating to make the statement correct. (APOG Comment, Internal Comment # 171)

The interlock discussions in the ASA, LCO, and Applicability section of the Bases are revised for consistency and clarity. (NRC Staff Comment, Internal Comment # 172)

The ASA, LCO, and Applicability section of the Bases under the heading Steam Generator Blowdown Isolation, is revised for clarity and to be more accurate. The blowdown isolation by itself does not ensure sufficient water inventory. (APOG Comment, Internal Comment # 173)

The ASA, LCO, and Applicability section of the Bases under the heading Passive Containment Cooling Actuation, is revised to more accurately describe the heat removal method. (APOG Comment, Internal Comment # 174)

The discussion in the last paragraph of the ASA, LCO, and Applicability section of the Bases under the heading Containment Radioactivity - High 1, is revised for clarity and to be more correct. (APOG Comment and NRC Staff Edit, Internal Comment # 175)

The discussion in the ASA, LCO, and Applicability section of the Bases under the heading Pressurizer Water Level - High 2, is revised for clarity and to correct a typographical error.

(APOG Comment and NRC Staff Edit, Internal Comment # 176)

The discussion in the Surveillance Requirements section of the Bases under the headings SR 3.3.8.2 and SR 3.3.8.3 are revised for clarity and consistency. (APOG Comment and NRC Staff Edit, Internal Comment # 178)

Date report generated:

Monday, June 29, 2015 Page 21

GTST AP1000-O61-3.3.8, Rev. 1 The acronym FSAR is added to modify Section and Chapter in references to the FSAR throughout the Bases. (DOC A003) (APOG Comment, Internal Comment # 3)

Date report generated:

Monday, June 29, 2015 Page 22

GTST AP1000-O61-3.3.8, Rev. 1 VI. Traveler Information Description of TSTF changes:

Not Applicable Rationale for TSTF changes:

Not Applicable Description of changes in RCOL Std. Dep., RCOL COL Item(s), and RCOL PTS Changes:

The Vogtle Electric Generating Plant Units 3 and 4 (VEGP) technical specifications upgrade (TSU) License Amendment Request (VEGP TSU LAR) (Reference 2) proposed changes to the initial version of the VEGP PTS (referred to as the current TS by the VEGP TSU LAR). As detailed in VEGP TSU LAR Enclosure 1, administrative change number 28 (DOC A028) reformats PTS 3.3.2 into multiple Specifications as follows:

3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation,

3.3.9, Engineered Safety Feature Actuation System (ESFAS) Manual Initiation,

3.3.10, Engineered Safety Feature Actuation System (ESFAS) Reactor Coolant System (RCS) Hot Leg Level Instrumentation,

3.3.11, Engineered Safety Feature Actuation System (ESFAS) Startup Feedwater Flow Instrumentation,

3.3.12, Engineered Safety Feature Actuation System (ESFAS) Reactor Trip Initiation,

3.3.13, Engineered Safety Feature Actuation System (ESFAS) Control Room Air Supply Radiation Instrumentation,

3.3.14, Engineered Safety Feature Actuation System (ESFAS) Spent Fuel Pool Level Instrumentation,

3.3.15, Engineered Safety Feature Actuation System (ESFAS) Actuation Logic -

Operating, and

3.3.16, Engineered Safety Feature Actuation System (ESFAS) Actuation Logic -

Shutdown.

Since PTS 3.3.2, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, is identical to GTS 3.3.2, it is appropriate for this GTST to consider the proposed changes to PTS 3.3.2 as changes to GTS 3.3.2 for incorporation in AP1000 STS 3.3.8. DOC A028 is extensive, but retains the intention of PTS 3.3.2 while improving operational use of the TS. The numerous Functions, Conditions and extensive bases discussion associated with PTS 3.3.2 are repackaged into nine smaller parts. Therefore, the changes implemented by DOC A028 are presented in the Subsection 3.3.8 markup in Section XI of this GTST as the clean starting point and are identified as interim A028-modified TS (MTS) 3.3.8. The specific details of the reformatting for MTS 3.3.8 can be found in VEGP TSU LAR (Reference 2), in Enclosure 2 (markup) and Enclosure 4 (clean). The NRC staff safety evaluation regarding DOC A028 can be found in Reference 3, VEGP LAR SER. The VEGP TSU LAR was modified in response to NRC staff RAIs in Reference 5 and the Southern Nuclear Operating Company RAI Response in Reference 6.

Date report generated:

Monday, June 29, 2015 Page 23

GTST AP1000-O61-3.3.8, Rev. 1 DOC A025 revises MTS 3.3.8 SR 3.3.8.3 Note to change the phrase the prescribed values to within limits.

DOC A031 revises MTS 3.3.8 Required Action O.2 from initiate action to be MODE 5 with RCS open and 20% pressurizer level, to Initiate action to open RCS pressure boundary and establish 20% pressurizer level. MTS 3.3.8 Required Action P.2 is revised from initiate action to be in MODE 6 with the upper internals removed, to Initiate action to remove the upper internals. MTS 3.3.8 Required Action R.2 is revised from initiate action to be in MODE 6 with the water level 23 feet above the top of the reactor vessel flange, to Initiate action to establish water level 23 feet above the top of the reactor vessel flange.

DOC A032 revises MTS Table 3.3.8-1 to eliminate duplicate instrument Function listings.

DOC A033 revises MTS Table 3.3.8-1 to eliminate entries that merely reference other Functions.

DOC A034 deletes MTS 3.3.8 Action O.2 lead in: If in MODE 5 with RCS open and < 20%

pressurizer level... MTS 3.3.8 Action P.2 lead in: If in MODE 6 with upper internals in place...

is deleted. MTS Table 3.3.8-1 footnote (j) is eliminated and footnote (h) is revised to incorporate footnote (j) by stating With RCS pressure boundary intact and with pressurizer level 20%.

STS Table 3.3.8-1 indicates the footnote combination as footnote (i).

DOC A035 deletes design-related details such as coincident in MTS Table 3.3.8-1 Functions 18 and 20 (GTS Table 3.3.2-1 Functions 13.b and 23.b).

DOC A036 combines MTS Table 3.3.8-1 footnote (c) and footnote (h) into a single footnote (GTS Table 3.3.2-1 footnotes b and l). MTS Table 3.3.8-1 footnote (h) is the combined footnote and MTS Table 3.3.8-1 footnote (c) is also retained with the original text as a separate footnote.

STS Table 3.3.8-1 indicates the footnote combination as footnote (f). MTS Table 3.3.8-1 footnote (c) and footnote (i) are combined into a single footnote (GTS Table 3.3.2-1 footnotes b and m). MTS Table 3.3.8-1 footnote (i) is the combined footnote. STS Table 3.3.8-1 indicates the footnote combination as footnote (g).

DOC M02 addresses the fact that MTS 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, does not specify Actions for inoperability of more than two inoperable automatic initiation channels. This results in entry into LCO 3.0.3 when three or more channels are inoperable.

DOC L01 deletes MTS SR 3.3.8.5 (Perform ACTUATION DEVICE TEST) and SR 3.3.8.6 (Perform ACTUATION DEVICE TEST for squib valves) from MTS TS 3.3.8. The equivalent requirement (using phrasing generally consistent with NUREG-1431) is included in individual Specifications for the actuated devices with the same 24 month Frequency as the deleted SRs.

MTS SR 3.3.8.7 becomes MTS SR 3.3.15.2 for verifying that pressurizer heater circuit breakers trip open on an actual or simulated actuation signal. Similar SRs are added to STS 3.3.15 and 3.3.16, as follows: SR 3.3.15.3 and SR 3.3.16.2 (Verify reactor coolant pump breakers trip open on an actual or simulated actuation signal.); SR 3.3.15.4 and SR 3.3.16.3 (Verify CVS letdown isolation valves actuate to the isolation position on an actual or simulated actuation signal.); SR 3.3.15.5 (Verify main feedwater and startup feedwater pump breakers trip open on an actual or simulated actuation signal.); SR 3.3.15.6 (Verify auxiliary spray and purification line isolation valves actuate to the isolation position on an actual or simulated actuation signal); and SR 3.3.16.4 (Verify Spent Fuel Pool Cooling System containment isolation valves actuate to the isolation position on an actual or simulated actuation signal).

Date report generated:

Monday, June 29, 2015 Page 24

GTST AP1000-O61-3.3.8, Rev. 1 DOC L10 deletes explicit requirements for MTS Table 3.3.8-1, Function 26, ESFAS Interlocks, (with the exception of Function 26.b, Reactor Trip, P-4, which is moved to MTS 3.3.12). MTS Table 3.3.8-1, Function 26 is the same as GTS Table 3.3.2-1, Function 18. Associated MTS 3.3.8 Action D (GTS 3.3.2 Action J) is deleted.

DOC L12 revises Actions related to functions that result in valve isolation actuations. MTS 3.3.8 Actions I, J, K, L, M, and S (GTS 3.3.2 Actions P, Q, R, S, T, and Z), are revised to Declare affected isolation valve(s) inoperable. MTS Table 3.3.8-1 footnotes b, d, and m (GTS Table 3.3.2-1 footnotes e, h, and i) are deleted.

A more detailed description of the changes by each of the above DOCs can be found in Reference 2, VEGP TSU LAR in Enclosure 1; the NRC staff safety evaluation can be found in Reference 3, VEGP LAR SER. The VEGP TSU LAR was modified in response to NRC staff RAIs (Reference 5) by Southern Nuclear Operating Companys RAI Response in Reference 6.

Rationale for changes in RCOL Std. Dep., RCOL COL Item(s), and RCOL PTS Changes:

The reformatting per DOC A028, except where addressed in other DOCs, addresses inconsistencies in formatting and approach between PTS 3.3.1 and PTS 3.3.2, respectively.

Simplification and clarification are proposed for each Specification. In breaking down each PTS Specification into specific subsets of the Protection and Safety Monitoring System (PMS) function, improved human factored operator usability results.

These improvements also reflect the general approach currently in use in the Improved Standard Technical Specifications (STS) for Babcock and Wilcox Plants, NUREG-1430, Rev. 4.

That is to separate the functions for [sensor] instrumentation, Manual Actuation, Trip/Actuation Logic, and Trip Actuation Devices (e.g., Reactor Trip Breakers (RTBs)) into separate Specification subsections. Furthermore, the Actions for some ESFAS Functions generally involve a more complex presentation than needed for other Functions, such that simple common Actions are not reasonable. Such Functions are also provided with separate Specification subsections.

When TS instrument function tables are utilized to reference Actions, the generally preferred format of the Actions for an instrumentation Specification in NUREG-1430 is to provide the initial Actions that would be common to all of the specified functions (typically for bypassing and/or tripping one or two inoperable channels), then the default Action would direct consulting the function table for follow-on Actions applicable to the specific affected function. These follow-up Actions generally reflect the actions to exit the Applicability for that function.

This format also allows splitting the default Actions from the initial preferred actions. This general approach is the standard format for other Specifications and for Instrumentation Specifications for other vendors Improved STS.

DOC A025 is consistent with similar requirements elsewhere in the AP1000 GTS and STS (NUREG-1431).

DOC A031 is consistent with the TS Writer's Guide (Reference 4).

DOC A032 greatly reduces the potential for an operator to misinterpret or overlook an instrument functions requirements by eliminating the need for multiple table entries for same function.

Date report generated:

Monday, June 29, 2015 Page 25

GTST AP1000-O61-3.3.8, Rev. 1 DOC A033 acknowledges that DOC A028 revises GTS subsection 3.3.2, including Table 3.3.2-1, by breaking the subsection into nine subsections corresponding to specific subsets of the Protection and Safety Monitoring System (PMS) function. The referencing of another instrument function by a duplicate listing of that function in GTS Table 3.3.2-1, in order to specify, without repetition, the requirements for that function, is not necessary with the revised format for ESFAS instrumentation in the AP1000 STS; therefore, such reference statements for duplicate listings of instrument functions may be deleted.

DOC A034 acknowledges that DOC A028 revises GTS subsection 3.3.2, including Table 3.3.2-1, by breaking the subsection into nine subsections corresponding to specific subsets of the PMS function. This reformatting entails combining function table applicability footnotes and removing Condition and Required Action lead-in phrases that reference a specific operational mode or applicability condition in order to establish context for the action requirement. Such phrases are no longer necessary to establish context for the Action because the Actions table has been suitably revised to make the context of each action requirement clear.

DOC A035 acknowledges that DOC A028 revises GTS subsection 3.3.2, including PTS Table 3.3.2-1, by breaking the subsection into nine subsections corresponding to specific subsets of the PMS function. This reformatting simplifies the instrumentation function tables in the AP1000 STS by deleting ESFAS automatic function names that describe ESF system actuations but retaining the supporting functions, which have names describing the associated process sensor instrumentation and the associated trip or actuation settings. Because the STS function listings now refer to the instrumentation from which the system actuation functions are derived, discussion of coincidence of instrument and actuation signals is no longer required.

Therefore, the explicit design-related details of which signals are combined in coincident logic for initiating a system actuation may be omitted in the AP1000 STS ESFAS instrumentation subsections.

DOC A036 acknowledges that GTS TS 3.3.2, including PTS Table 3.3.2-1, is being revised (DOC A028) by breaking the Specification into specific subsets of the PMS function. These changes support the reformatting by combining footnotes. The PTS presentation of two footnotes is confusing in that it may not be readily apparent to the user that the subject footnotes represent an And requirement. The revised footnotes clearly present the requirements, consistent with the description of the affected functions in the associated Bases.

DOC M02 directly provides for the default Actions of LCO 3.0.3 without allowing for the additional hour that LCO 3.0.3 permits prior to initiating shutdown. This provides clarity for the operator and is more restrictive than LCO 3.0.3.

DOC L01 deletes MTS SR 3.3.8.5 and SR 3.3.8.6, and the related ACTUATION DEVICE TEST, because these SRs are inconsistent with the intent of applying Actions specific to the equipment inoperability. MTS SR 3.3.8.7 currently requires Perform ACTUATION DEVICE TEST for pressurizer heater circuit breakers. Since the actuated equipment of pressurizer heater circuit breakers do not have a separate Specification for their operability and testing, it is appropriate to retain a Surveillance for the actuated device. Therefore, this SR is relocated to the MTS for ESFAS actuation logic under operating conditions.

DOC L10 notes that Interlock Operability is adequately addressed by each related Functions requirement to be Operable and the requirement for actuation logic operability. Interlock functions do not directly trip the reactor or initiate an ESFAS function, and as such are removed from the actuation instrumentation listing in TS.

Date report generated:

Monday, June 29, 2015 Page 26

GTST AP1000-O61-3.3.8, Rev. 1 DOC L12 notes that GTS 3.3.2 Actions related to Functions that result in valve isolation actuations have Actions for inoperable instrumentation channels that vary in consistency. These nuances result in increased complexity and introduce an increased potential for confusion and misapplication.

Description of additional changes proposed by NRC staff/preparer of GTST:

In the second paragraph of the MTS 3.3.8 Actions section of the Bases, the phrase ...then all affected Functions provided by that channel must be declared inoperable... is revised to ...then all affected protection Functions supported by or dependent on that channel must be declared inoperable...

The VEGP TS Upgrade LAR added functional initiation signals in the MTS 3.3.8 Applicable Safety Analyses, LCO, and Applicability section of the bases. Additional cross references to the source of the signal (LCO and Function) were added. In addition, several sentences or paragraphs recommended for deletion were retained with modifications.

The phrase trip Function was replaced with instrument Function in several places in the bases because this language is more appropriate for the LCO title, Engineered Safety Feature Actuation System (ESFAS) Instrumentation. In addition, several editorial changes were made throughout the bases for clarity.

In the ASA, LCO, and Applicability section of the Bases, +/- is revised to plus or minus in the third paragraph. (APOG Comment)

The verb assure is revised from assured to assures in the fourth paragraph, next to last sentence of the Background section of the Bases. (APOG Comment)

In the Background section of the Bases for STS Subsection 3.3.8 under the heading Plant Protection Subsystem, the phrase bases ... are is revised to basis ... is in the second paragraph, last sentence. (APOG Comment and NRC Staff Edit)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8, the third paragraph, last sentence, is revised to delete the word operating. (APOG Comment)

In the ASA, LCO, and Applicability section of the Bases under the heading Reactor Trip, P-4, a comma is inserted after Function 17 in the first sentence of the last paragraph. In the first paragraph, first bullet, the list of actuated components on a turbine trip is revised to include:

(closes turbine stop valves, control valves, reheat stop valves, intercept valves, extraction steam shutoff and non-return valves, and opens automatic steam line drain valves) (NRC Staff Comment)

In the ASA, LCO, and Applicability section of the Bases under the heading Intermediate Range Neutron Flux, P-6, the paragraph is revised to state:

The Intermediate Range Neutron Flux, P-6 interlock is automatically enabled actuated when the respective PMS division NIS intermediate range Intermediate Range Neutron Flux channel increases to approximately one decade above the channel lower range limit. Below the setpoint, the P-6 interlock is automatically disabled, which unblocks the Source Range Neutron Flux Doubling instrument Function, permitting the automatic block of boron dilution.

Normally, this Function is blocked by the main control room operator during reactor startup after the Intermediate Range Neutron Flux instrument Date report generated:

Monday, June 29, 2015 Page 27

GTST AP1000-O61-3.3.8, Rev. 1 indicates that reactor power exceeds the P-6 setpoint because above the setpoint the block of boron dilution is not needed. The P-6 interlock is required to be OPERABLE in MODE 2 to support the Source Range Neutron Flux Doubling instrument Function to initiate CVS makeup isolation and align the boric acid tank to the CVS makeup pumps, which terminates a boron dilution event. This Function is required to be OPERABLE in MODE 2.

(NRC Staff Comment)

In the ASA, LCO, and Applicability section of the Bases under the heading Pressurizer Pressure, P-11, the first paragraph is revised to state:

The P-11 interlock permits a normal unit cooldown and depressurization without Safeguards Actuation or main steam line and feedwater isolation. With pressurizer pressure channels less than the P-11 setpoint, the operator can manually block the following listed ESFAS instrument Functions, which initiate these ESF actuation and isolation Functions, by manually blocking the initiation signal from the ESFAS instrument channel in at least three PMS divisions:

Safeguards Actuation on manually block initiation the Pressurizer Pressure pressure - Low (Table 3.3.8-1, Function 5),

Steam Line Pressure - Low (Table 3.3.8-1, Function 24), and or Tcold - Low (Table 3.3.8-1, Function 11).by manually block initiation Safeguards Actuation signals and

Steam Line Isolation on the Steam Line Pressure - Low (Table 3.3.8-1, Function 24) and or Tcold - Low (Table 3.3.8-1, Function 11).

Manually blocking steam line isolation signals When the Steam Line Pressure - Low ESFAS instrument channels is manually blocked, a main steam isolation enables the ESF Function of Main Steam Isolation signal on Steam Line Pressure-Negative Rate - High (Table 3.3.8-1, Function 25) is enabled. This provides protection for an SLB by closure of the main steam isolation valves. Manual block of

Feedwater Isolation feedwater isolation on Tavg - Low 1 (Table 3.3.8-1, Function 12),

Tavg - Low 2 (Table 3.3.8-1, Function 13), and Tcold - Low (Table 3.3.8-1, Function 11).is also permitted below P-11.

With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Safeguards Actuation signals on Pressurizer Pressure - Low, Steam Line Pressure - Low, and Tcold - Low, Safeguards Actuation signals and the Steam Line Isolation signals on Steam Line Pressure - Low and Tcold - Low, steam line isolation signals are automatically enabled. The and the Feedwater Isolation feedwater isolation signals on Tcold - Low, Tavg - Low 1, and Tavg - Low 2 are also automatically enabled above P-11. The operator can also manually enable these signals by use of the respective PMS division manual reset buttons for these ESFAS instrument Functions. With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Steam Line Isolation signal on Steam Line Pressure-Negative Rate - High is automatically blocked. (NRC Staff Comment)

Date report generated:

Monday, June 29, 2015 Page 28

GTST AP1000-O61-3.3.8, Rev. 1 In the ASA, LCO, and Applicability section of the Bases under the heading RCS Pressure, P-19, the second sentence in the first paragraph is revised to state:

With RCS pressure below the P-19 setpoint, the operator can manually block CVS isolation on Pressurizer Water Level - High 2 (Table 3.3.8-1, Function 9) pressurizer water level, and block Passive RHRPRHR actuation and Pressurizer Heater Trip on Pressurizer Water Level - High 3 (Table 3.3.8-1, Function 10) pressurizer water level. (NRC Staff Comment)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Steam Generator Blowdown Isolation, the first paragraph is revised from: The primary Function of the steam generator blowdown isolation is to ensure that sufficient water inventory is present in the steam generators to remove the excess heat... to: The primary Function of the steam generator blowdown isolation is to preserve water inventory in the steam generators to support removing the excess heat...(APOG Comment)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Passive Containment Cooling Actuation, the first paragraph, last sentence is revised from Heat removal is initiated ... to PCS heat removal is initiated ... (APOG Comment)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Containment Radioactivity - High 1, the discussion in the last paragraph is revised to state:

This Function is not required to be OPERABLE in MODE 4 with the RCS being cooled by the RNS, or MODES 5, and MODE 6., because any Any DBA release of radioactivity into the containment in these MODESconditions would not require the containment isolationContainment Air Filtration System Isolation Function. (APOG Comment and NRC Staff Edit)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Pressurizer Water Level - High 2, the third and fourth sentences in the first paragraph are revised to state:

. . . This Function is automatically can be manually blocked when the pressurizer pressure is below the P-11 permissive P-19 (RCS Pressure) setpoint to permit pressurizer water solid conditions with the plant cold and to permit level makeup during plant cooldowns. This Function is automatically unblocked when RCS pressure is above the P-19 (RCS Pressure) setpoint. (APOG Comment and NRC Staff Edit)

In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Pressurizer Water Level - High 2, the third paragraph should be revised for added clarity:

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when above the P-19 interlock with and the RCS is not being cooled by the RNS. This Function is not required to be OPERABLE in MODE 4either below the P-19 setpoint or with the RCS being cooled by the RNS, or bothand in MODES 5 and 6. Because it The CVS Makeup Isolation on Pressurizer Water Level - High 2 ESFAS Function is not required to mitigate a DBA in these conditions MODES. (NRC Staff Comment)

Date report generated:

Monday, June 29, 2015 Page 29

GTST AP1000-O61-3.3.8, Rev. 1 In the Surveillance Requirements section of the Bases for STS Subsection 3.3.8 under the heading SR 3.3.8.2, paragraphs one, three, six, nine, and ten are revised to state:

SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A test subsystem is provided with the protection and safety monitoring system PMS to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features.

Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

To the extent possible, protection and safety monitoring system PMS functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

The 92 day Frequency is based on Reference 5 and the use of continuous diagnostic test features, such as deadman timers, crosscheck of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets (IPCs) to the operator.

During the COT, the protection and safety monitoring system PMS cabinets in the division under test may be placed in bypass.

Under the heading SR 3.3.8.3, revise the first paragraph as indicated:

SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the IPC. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR.

This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, Date report generated:

Monday, June 29, 2015 Page 30

GTST AP1000-O61-3.3.8, Rev. 1 then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

The acronym FSAR is added to modify Section and Chapter in references to the FSAR throughout the Bases. (DOC A003) (APOG Comment)

Rationale for additional changes proposed by NRC staff/preparer of GTST:

The change in the second paragraph of the Bases Actions section was requested by the NRC staff in an RAI (Reference 5) concerning the VEGP LAR 12-002. Southern Nuclear Operating Company declined to make this change in its plant-specific TS Bases for VEGP, as documented in its RAI response (Reference 6), because it had not proposed to revise this paragraph as part of its VEGP LAR; and because the paragraph is unchanged from the GTS Bases paragraph adopted as part of the COL plant-specific TS Bases. However, the NRC staff is proposing this GTS Bases change to clarify the AP1000 STS Bases.

Additional cross references to the source of the listed signals (LCO and Function) were added in the MTS 3.3.8 Applicable Safety Analyses, LCO, and Applicability section of the bases for operational robustness. In addition, several sentences or paragraphs recommended for deletion were retained with modifications for clarity.

The phrase trip Function was replaced with instrument Function in several places in the bases because this language is more appropriate for the LCO title, Engineered Safety Feature Actuation System (ESFAS) Instrumentation. In addition, several editorial changes were made throughout the bases for clarity.

In the ASA, LCO, and Applicability section of the Bases, +/- is revised to plus or minus based on APOG evaluation of Writer's Guide convention. NRC staff notes that the Writer's Guide is actually silent regarding this convention and this change does not conform to the convention of NUREG-1431, Rev. 4. However, the expression of the symbol in word form is acceptable.

The Background section of the Bases is revised to provide proper grammar.

The ASA, LCO, and Applicability section of the Bases is revised to correct an error.

The interlock discussions in the ASA, LCO, and Applicability section of the Bases are revised for consistency and clarity.

The ASA, LCO, and Applicability section of the Bases under the heading Steam Generator Blowdown Isolation, is revised for clarity and to be more accurate. The blowdown isolation by itself does not ensure sufficient water inventory.

The ASA, LCO, and Applicability section of the Bases under the heading Passive Containment Cooling Actuation, is revised to more accurately describe the heat removal method using the PCS.

Date report generated:

Monday, June 29, 2015 Page 31

GTST AP1000-O61-3.3.8, Rev. 1 The discussion in the last paragraph of the ASA, LCO, and Applicability section of the Bases under the heading Containment Radioactivity - High 1, is revised for clarity and to be more correct.

The discussion in the ASA, LCO, and Applicability section of the Bases under the heading Pressurizer Water Level - High 2, is revised for clarity and to correct a typographical error.

The discussion in the Surveillance Requirements section of the Bases under the headings SR 3.3.8.2 and SR 3.3.8.3 are revised for clarity and consistency.

Since Bases references to FSAR Sections and Chapters are to an external document, it is appropriate to include the FSAR modifier.

Date report generated:

Monday, June 29, 2015 Page 32

GTST AP1000-O61-3.3.8, Rev. 1 VII. GTST Safety Evaluation Technical Analysis:

AP1000 GTS LCO 3.0.3 is only applicable in MODES 1, 2, 3, and 4, and states:

When an LCO is not met and the associated ACTIONS are not met, an associated ACTION is not provided, or if directed by the associated ACTIONS, the unit shall be placed in a MODE or other specified condition in which the LCO is not applicable. Action shall be initiated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to place the unit, as applicable,

a. MODE 3 within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months ; and

b. MODE 4 within 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months ; and

c. MODE 5 within 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months .

GTS 3.3.1 and 3.3.2 Functions with applicability statements that include MODE 1, 2, 3, or 4, generally have no Actions specified for addressing a loss of function condition, such as when all required channels are inoperable. Upon discovery of such a condition, LCO 3.0.3 would apply.

The intent of LCO 3.0.3 (as stated in the TS Bases) is to impose time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS.

The Actions for inoperable RTS and ESFAS instrumentation provide restoration time and/or compensatory action allowances (e.g., place the inoperable channel in trip); but only for inoperability of some of the channels (e.g., 1 or 2 out of 4 required channels, typically). If these restoration and/or compensatory actions cannot be met in the required time, default actions are provided, which are designed to place the unit in a safe MODE or other specified condition -

typically, actions that result in exiting the Applicability for that Function.

The shutdown actions of LCO 3.0.3 are typical of default actions throughout the TS that direct plant shutdown to exit the Applicability, with the exception that LCO 3.0.3 includes an additional 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months before the shutdown is required to be initiated.

The revisions described in DOC M02 address multiple-channel inoperability. The revisions will immediately impose the default Actions for that Function - without allowance for the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months delay that is provided in LCO 3.0.3. Furthermore, the Function-specific default actions (currently, or proposed to be, specified for some Functions) impose requirements intended to establish safe operation that are not necessarily required by LCO 3.0.3. Since each Function-specific default action is specifically considering that Functions safety-basis, such default actions necessarily result in more appropriate actions than the general default actions of LCO 3.0.3. Specifically, the Actions for each new Condition associated with DOC M02 for RTS and ESFAS Functions applicable in MODES1, 2, 3, or 4, are compared to LCO 3.0.3, and in each case, the new Actions are equivalent to or more restrictive than the actions of LCO 3.0.3.

STS 3.3.8, Condition C leads to new default Actions D, E, G, H, O, and P, which have one or more of the actions to be in Mode 3 in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , Mode 4 in 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and Mode 5 in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

Action C also leads to new default Action F that in requires Mode 3 in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , which is more restrictive than the time allowed by LCO 3.0.3, and Mode 4 with the Reactor Coolant System (RCS) cooling provided by the Normal Residual Heat Removal System (RNS) in 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The specific RNS alignment and RCS heat removal requirement is not a requirement found in LCO 3.0.3. Additionally, Action C leads to new default Action I, which requires Declare affected isolation valve(s) inoperable - Immediately. New Action I is discussed in DOC L12. For Date report generated:

Monday, June 29, 2015 Page 33

GTST AP1000-O61-3.3.8, Rev. 1 Functions with Applicability in Mode 4 (i.e., overlapping with the applicability of LCO 3.0.3), this Condition leads to a new default Actions M and J. New Action M requires being in Mode 5 in 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , which is more restrictive than the time allowed by LCO 3.0.3, and requires suspending positive reactivity additions and initiating action to establish pressurizer level 20% with RCS pressure boundary intact within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , which are actions not required by LCO 3.0.3. New Action J requires being in Mode 5 in 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months if three or more channels are inoperable, which is equivalent to the time allowed by LCO 3.0.3, and requires initiating action to establish pressurizer level 20% with RCS pressure boundary open within 180 hours0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months , which is an action not required by LCO 3.0.3.

GTS 3.3.1 and 3.3.2 actions do not specify conditions that explicitly address multiple inoperable channels (that is, more than two inoperable channels or divisions, in most cases), and therefore default to LCO 3.0.3. In each instance, the proposed actions to address these conditions are more restrictive than the LCO 3.0.3 actions because completion times for reaching lower operational modes are shorter by 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . In addition, Function-specific actions, where specified, are more appropriate for the affected Function than the unit-shutdown actions of LCO 3.0.3 alone. Therefore, the changes specified by DOC M02 do not introduce any adverse impact on public health and safety.

DOC L01 deletes MTS SR 3.3.8.5 (Perform ACTUATION DEVICE TEST) and SR 3.3.8.6 (Perform ACTUATION DEVICE TEST for squib valves) from MTS TS 3.3.8. The equivalent requirement (using phrasing generally consistent with NUREG-1431) is included in individual Specifications for the actuated devices with the same 24 month Frequency as the deleted SRs.

MTS SR 3.3.8.7 becomes STS SR 3.3.15.2. In accordance with the defined term, an actuation device test is a test of the actuated equipment. And as discussed in the TS Bases, performance of an actuation device test demonstrates that the actuated device responds to a simulated actuation signal. As such, Surveillances associated with the testing of the actuated equipment should be addressed in the actuated equipment Specifications, where failures of the surveillance would lead to entering the Actions for the inoperable actuated equipment.

Currently, the only Surveillances that utilize this defined term are in GTS 3.3.2, Engineered Safety Feature Actuation System (ESFAS) Instrumentation; as SRs 3.3.2.7, 3.3.2.8, and 3.3.2.9. GTS SRs 3.3.2.7 and 3.3.2.8 provide the actuation device test for Engineered Safety Features (ESF) that are actuated by GTS Table 3.3.2-1, Function 26. As such, failures of SR 3.3.2.7 and SR 3.3.2.8 (i.e., failures in the actuated equipment) would inappropriately result in applying the Actions of LCO 3.3.2 for Function 26. This is inconsistent with the intent of applying Actions specific to the equipment inoperability. Therefore SRs 3.3.2.7 and 3.3.2.8 are deleted from GTS 3.3.2 and Table 3.3.2-1, Function 26, ESF Actuation. In conjunction with this deletion, each Specification for ESF actuated equipment is provided with Surveillance(s) that appropriately address the testing of the actuated devices consistent with these SRs and the definition being removed. In certain actuated device Specifications, there is currently an appropriate actuated device test and no new SR is added. Where an actuated device test is not specified in a PTS actuated equipment Specification, a new MTS SR is added as listed below.

SR 3.1.9.3 Verify each CVS demineralized water isolation valve actuates to the isolation position on an actual or simulated actuation signal (24 months).

SR 3.3.15.3 Verify reactor coolant pump breakers trip open on an actual or simulated actuation signal (24 months).

SR 3.3.15.4 Verify CVS letdown isolation valves actuate to the isolation position on an actual or simulated actuation signal - Note: Only required to be met in MODE 4 with the RCS being cooled by the RNS or below the P-12 (Pressurizer Level) interlock (24 months).

SR 3.3.15.5 Verify main feedwater and startup feedwater pump breakers trip open on an actual or simulated actuation signal (24 months).

Date report generated:

Monday, June 29, 2015 Page 34

GTST AP1000-O61-3.3.8, Rev. 1 SR 3.3.15.6 Verify auxiliary spray and purification line isolation valves actuate to the isolation position on an actual or simulated actuation signal - Note: Only required to be met in MODES 1 and 2 (24 months).

SR 3.3.16.2 Verify reactor coolant pump breakers trip open on an actual or simulated actuation signal - Note: Only required to be met in MODE 5 (24 months).

SR 3.3.16.3 Verify CVS letdown isolation valves actuate to the isolation position on an actual or simulated actuation signal - Note: (1) Not required to be met in MODE 5 above the P-12 (Pressurizer Level) interlock and (2) Not required to be met in MODE 6 above the P-12 (Pressurizer Level) interlock and water level > 23 feet above the top of the reactor vessel flange (24 months).

SR 3.3.16.4 Verify Spent Fuel Pool Cooling System containment isolation valves actuate to the isolation position on an actual or simulated actuation signal - Note: Only required to be met in MODE 6 (24 months).

SR 3.4.11.4 Verify each stage 1, 2, and 3 ADS valve actuates to the open position on an actual or simulated actuation signal (24 months).

SR 3.4.11.5 Verify continuity of the circuit from the Protection Logic Cabinets to each stage 4 ADS valve - Note: Squib actuation may be excluded (24 months).

SR 3.5.2.7 Verify each CMT outlet isolation valve actuates to the open position on an actual or simulated actuation signal (24 months).

SR 3.5.4.8 Verify both PRHR HX air operated outlet isolation valves actuate to the open position and both IRWST gutter isolation valves actuate to the isolation position on an actual or simulated actuation signal (24 months).

SR 3.5.6.9 Verify continuity of the circuit from the Protection Logic Cabinets to each IRWST injection and containment recirculation squib valve on an actual or simulated actuation signal - Note: Squib actuation may be excluded (24 months).

SR 3.6.9.3 Verify each vacuum relief valve actuates to relieve vacuum on an actual or simulated signal (24 months).

SR 3.7.7.2 Verify each startup feedwater isolation and control valve actuates to the isolation position on an actual or simulated actuation signal (24 months).

In addition, two PTS SRs are revised to include a reference to one of the new SRs.

SR 3.4.13.2 SR is revised to include a reference to SR 3.4.11.5.

SR 3.5.8.4 SR is revised to include a reference to SR 3.5.6.9.

GTS SR 3.3.2.9 is revised to eliminate ACTUATION DEVICE TEST and moved to MTS LCO 3.3.15 as SR 3.3.15.2.

SR 3.3.15.2 Verify pressurizer heater circuit breakers trip open on an actual or simulated actuation signal - Note: Only required to be met in MODE 4 above the P-19 (RCS Pressure) interlock with the RCS not being cooled by RNS (24 months).

The effect of moving the requirement for the actuated device test from GTS 3.3.2 to the individual equipment Specifications is for less restrictive actions when the device is inoperable.

As an SR associated with TS 3.3.2, Table 3.3.2-1, Function 26 for Modes 1, 2, 3, and 4, would impose a 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months restoration (GTS 3.3.2 Action D) prior to a required plant shutdown (GTS 3.3.2 Action O). Each of the individual equipment Specifications with SRs added to address actuation device testing has a 72-hour or 7-day restoration allowance. These specifications include:

MTS 3.1.9 Only required to be met in MODE 4 above the P-19 (RCS Pressure) interlock with the RCS not being cooled by RNS.

MTS 3.4.11 Automatic Depressurization System (ADS) - Operating MTS 3.5.2 Core Makeup Tanks (CMTs) - Operating MTS 3.5.4 Passive Residual Heat Removal Heat Exchanger (PRHR HX) - Operating Date report generated:

Monday, June 29, 2015 Page 35

GTST AP1000-O61-3.3.8, Rev. 1 MTS 3.5.6 In-containment Refueling Water Storage Tank (IRWST) - Operating MTS 3.6.9 Vacuum Relief Valves MTS 3.7.7 Startup Feedwater Isolation and Control Valves This is followed in some cases by additional flexibility to isolate associated flow paths in lieu of plant shutdown. These less restrictive actions are currently approved in the GTS as appropriate for the inoperable devices. The more restrictive actions imposed by GTS 3.3.2 are therefore deemed excessively restrictive. The change maintains the same level of safety provided by the separate GTS Actions for inoperability of the specific actuated devices.

GTS SR 3.3.2.9 requires Perform ACTUATION DEVICE TEST for pressurizer heater circuit breakers. Since the actuated equipment of pressurizer heater circuit breakers do not have a separate Specification for their operability and testing, it is appropriate to retain a Surveillance for the actuated device. However, GTS SR 3.3.2.9 is editorially revised (as STS SR 3.3.15.2-see description of changes associated with DOC A028) to require Verify pressurizer heater circuit breakers trip open on an actual or simulated actuation signal. This phrasing is consistent with similar Surveillances in NUREG-1431 for actuated devices, and is consistent with the editorial presentation preference presented for similar actuated device testing. The presentation in STS 3.3.15 results in conservative actions in the event of an inoperable pressurizer heater breaker; for example the inability to trip on an actuation signal, which is a 6-hour to restore provision by STS 3.3.15, Action A followed by a required plant shutdown in STS 3.3.15, Action B. This is less restrictive than the LCO 3.0.3 entry that would be required in GTS 3.3.2.

Failing GTS SR 3.3.2.9 would result in Division A and Division C actuation subsystem being inoperable; for example two channels of GTS Function 26.a being inoperable. GTS 3.3.2 Actions D and G do not provide for more than one inoperable division, which results in the LCO 3.0.3 entry.

Similar to the pressurizer heater circuit breaker actuated device discussed above, there are a few other actuated devices that are required by the GTS 3.3.2 and its Actuation Device Tests, which do not have a separate Specification for operability of the actuated device. As such, in eliminating the Actuation Device Test definition and PTS SRs, SRs are added to the ESFAS Actuation Logic Specifications STS 3.3.15 and STS 3.3.16. The effect is a simple reformatting of the PTS Actuation Device Test SR to a more device-specific SR. Consistent with the Applicability for the instrument functions that actuate the devices; each new Surveillance Requirement includes one or more Notes stating when the Surveillance is required to be met.

No technical change results.

This less restrictive change results in closer alignment with NUREG Standard TS presentation of actuated device testing, and associated required actions for inoperability of actuated devices.

While certain actions for inoperability of actuated devices are made less restrictive by eliminating entry into ESFAS Actuation and Instrumentation inoperability actions, no action is made less restrictive than currently approved for any device inoperability. As such there is no adverse impact to public health and safety.

DOC L10 deletes MTS Table 3.3.8-1, Function 26, ESFAS Interlocks (GTS Table 3.3.2-1 Function 18) with the exception of MTS Table 3.3.8-1, Function 26.b (GTS Table 3.3.2-1 Function 18.b), Reactor Trip, P-4 requirements, which are retained as MTS 3.3.12. As a part of this change, MTS 3.3.8 Action D (GTS 3.3.2 Action J) is deleted. ESFAS interlocks are provided to ensure ESFAS Functions are in the correct configuration for the current plant status. The ESFAS interlocks backup unit operator manual actions to ensure that ESFAS Functions, which can be bypassed, are not bypassed, but are operable during the unit conditions assumed in the safety analyses. ESFAS interlocks permit a unit operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur.

Date report generated:

Monday, June 29, 2015 Page 36

GTST AP1000-O61-3.3.8, Rev. 1 The interlocks, as separate RTS and ESFAS Functions, except for GTS Table 3.3.2-1, Function 18.b, Reactor Trip, P-4, are removed from the STS and the associated Actions are deleted. The reactor trip interlock is addressed in STS 3.3.12, Engineered Safety Feature Actuation System (ESFAS) Reactor Trip Initiation. Interlock Operability is adequately addressed by each related Functions requirement to be Operable and the requirement for actuation logic operability.

For these RTS trip and ESFAS actuation Functions to be Operable, the associated RTS and ESFAS interlock Functions would have to be in the required state as a support feature for operability. These RTS and ESFAS interlock functions do not directly trip the reactor or actuate ESFAS, and as such are removed from the actuation instrumentation listing in TS. The role of the interlocks, and their support for the operability of RTS trip and ESFAS actuation Functions, are described in the TS Bases, as well as in Final Safety Analysis Report (FSAR) Chapter 7, Instrumentation and Controls.

Furthermore, each RTS trip and ESFAS actuation Function is required to be operable during the stated TS Applicability. The Applicability for certain trip or actuation Functions is based on transitioning above or below an interlock; while other Functions are not directly supported by an interlock. For Functions supported by an interlock, while operating within the TS required Applicability for that Function, its associated supporting interlock is not required to automatically change state. The interlock status must be established in conjunction with assuring supported Functions operability prior to entering the required Applicability. In addition, LCO 3.0.4 requires the operators to ensure RTS trip and ESFAS operability prior to entering their Applicability.

These TS requirements remain in effect and impose the necessary operability requirements related to the removed interlock Functions. As such, interlocks are adequately addressed by each related Functions requirement to be operable and the requirement for actuation logic operability.

Certain Actions being deleted for inoperable interlock functions, such as GTS 3.3.1 Required Action M.1 for RTS interlocks and GTS 3.3.2 Required Action J.1 for ESFAS interlocks, provide an optional allowance: Verify the interlocks are in the required state for the existing plant conditions within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This verification is essentially the operability evaluation for the supported functions. If interlocks are not in the required state for the existing plant conditions, then the affected supported Functions would be inoperable and their Actions would apply. The GTS one hour allowance provides time for the operator to manually place the interlock in the state that accomplishes the interlock function necessary to support RTS and ESFAS actuation Function operability. Once this Required Action is completed, unlimited operation is allowed. As such, the provision provides an acceptable alternative to reliance on the automatic interlock function - allowing the operator to manually assure the required interlock state. With this action deleted, the determination of supported function operability is immediate and the actions for any inoperable supported Functions are immediately entered; thereby making this portion of the change more restrictive.

Instrument channel Functions with interlocks implicitly required to support the Function's operability, are also addressed by the COT and Channel Calibration Surveillance Requirements.

Actuation logic with interlocks implicitly required to support operability of the logic is also addressed by the Actuation Logic Test Surveillance Requirements. The applicable COT, Channel Calibration, and Actuation Logic Test Bases will include the following discussion supporting this change (CHANNEL CALIBRATION is replaced with COT or ACTUATION LOGIC TEST as appropriate):

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be Date report generated:

Monday, June 29, 2015 Page 37

GTST AP1000-O61-3.3.8, Rev. 1 enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

Related actions being deleted are GTS 3.3.2 Action J.2.1 and J.2.2 for ESFAS interlocks, which are to trip and/or bypass inoperable channels. These actions also have an additional 1-hour greater allowance than specified for associated inoperable actuation Functions. Therefore, removal of these actions in the STS is more restrictive than the GTS.

The remaining actions referenced for GTS interlocks supporting ESFAS actuation Functions being removed, specifically GTS 3.3.2, Actions D, L, M, N, Y, and BB, are equivalent to, or more restrictive than the PTS actions for inoperable supported ESFAS Functions.

DOC L12 revises Actions related to Functions that result in valve isolation actuations. MTS 3.3.8 Actions I, J, K, L, M, and S (GTS 3.3.2 Actions P, Q, R, S, T, and Z), are revised to Declare affected isolation valve(s) inoperable. MTS Table 3.3.8-1 footnotes b, d, and m (GTS Table 3.3.2-1 footnotes e, h, and i) are deleted. GTS 3.3.2 Actions related to Functions that result in valve isolation actuations have Actions for inoperable instrumentation channels that vary in consistency. Functions that provide the Applicability modifier Footnotes that allow isolation of the affected valve(s) and exiting the Applicability, specifically GTS Table 3.3.2-1 footnotes (e), (h), and (i), are often associated with GTS Actions P, R, S, and T that retain periodic verification of the isolated status, which would no longer be applicable. Some GTS Required Actions such as P.2.1, Q.1, Z.1, and AA.1.2.1 provide a specific list of acceptable isolation devices while other Required Actions such as R.2.1.1 and S.2.1.2 simply assure the isolated condition is established. GTS Action T uniquely allows either a simple requirement of flow path isolation and periodic verification of the isolated condition imposed by GTS Required Actions T.1.1 and T.1.2.2, or an initial simple isolation condition followed later by requiring one of a specific list of acceptable isolation devices with no periodic verification imposed by GTS Required Actions T.1.1 and T.1.2.1.

Additionally, GTS Actions Q, R, S, T, and Z contain optional default Required Actions for compensatory measures such as unit shutdown that may be elected in lieu of any requirement to isolate flow paths.

These nuances result in increased complexity and introduce an increased potential for confusion and misapplication. Since each of these instrument functions support Operability of the actuated valves, the impact of instrumentation inoperability should be consistent with Actions for the inoperability of the actuated supported system. The simplest approach to achieve this desired result is to allow the supported system Actions for inoperable valves to dictate the required measures. Therefore, each of the instrument Function Actions associated with this change is revised to Declare affected isolation valve(s) inoperable. This approach is in accordance with LCO 3.0.6.

DOC A032 revises MTS Table 3.3.8-1 to eliminate duplicate instrument Function listings.

GTS 3.3.2-1 often requires Operability of the same instrumentation channels in more than one Function. For example, Containment Pressure - High 2; is used as an actuation signal for GTS Function 1, Safeguards Actuation, GTS Function 4, Steam Line Isolation and GTS Function 12, Passive Containment Cooling Actuation.

Date report generated:

Monday, June 29, 2015 Page 38

GTST AP1000-O61-3.3.8, Rev. 1 Engineered safety features are initiated by the Protection and Safety Monitoring System (PMS).

Four sensors normally monitor each variable used for an engineered safety feature actuation.

Therefore, a trip condition generated for one variable can result in actuating multiple safeguards components. For example, upon detection of Containment Pressure - High 2 condition, the PMS would generate an actuation signal for GTS Function 1, GTS Function 4, and GTS Function 12.

The same instrumentation is used by the PMS to determine if an actuation condition exists.

Therefore, it is confusing and excessively complex to separately specify requirements for an instrument Function in multiple table entries, requiring the operator to enter all specified Actions concurrently. As such, the monitored parameter and associated actuation Function is only listed once in STS Table 3.3.8-1. The various actuated systems are not retained as part of the nomenclature for each monitored parameter. As a further administrative and human-factored improvement, the STS Functions are rearranged to consecutively list Functions associated with the same variable; for example the pressurizer parameters are listed sequentially.

DOC A033 revises MTS Table 3.3.8-1 to eliminate entries that merely reference other Functions. GTS 3.3.2, including GTS Table 3.3.2-1, is revised by breaking the Specification into specific subsets of the Protection and Safety Monitoring System (PMS) function. The reformatting of GTS 3.3.2 and GTS Table 3.3.2-1 are discussed in DOC A028. The referencing Functions are not necessary as a result of the reformatting and are deleted.

Some of the referencing GTS Functions refer to the referenced Function for all Applicable Modes or Other Specified Conditions, Required Channels, Conditions, and SRs. As such, there are no requirements being conveyed. The listing serves solely as information related to the design, which is appropriate for, and already provided in, the GTS Bases. Deleting these Functions is administrative because no technical changes result.

The remaining deleted GTS Functions are provided with a specific Applicable Modes or Other Specified Conditions entry that differs from the referenced GTS Function, while continuing to provide a cross-reference for Required Channels, Conditions, and SRs. These Applicable Modes or Other Specified Conditions were compared to the referenced Function Applicable Modes or Other Specified Conditions to provide assurance that the referenced STS Function requirements encompass the deleted GTS Function requirements.

The remaining changes, including those made by DOC A028, are editorial, clarifying, grammatical, or otherwise considered administrative. These changes do not affect the technical content, but improve the readability, implementation, and understanding of the requirements, and are therefore acceptable.

Having found that this GTSTs proposed changes to the GTS and Bases are acceptable, the NRC staff concludes that AP1000 STS Subsection 3.3.8 is an acceptable model Specification for the AP1000 standard reactor design.

Date report generated:

Monday, June 29, 2015 Page 39

GTST AP1000-O61-3.3.8, Rev. 1 References to Previous NRC Safety Evaluation Reports (SERs):

None Date report generated:

Monday, June 29, 2015 Page 40

GTST AP1000-O61-3.3.8, Rev. 1 VIII. Review Information Evaluator Comments:

None Randy Belles Oak Ridge National Laboratory 865-574-0388 bellesrj@ornl.gov Review Information:

Availability for public review and comment on Revision 0 of this traveler approved by NRC staff on 5/29/2014.

APOG Comments (Ref. 7) and Resolutions:

1. (Internal # 3) Throughout the Bases, references to Sections and Chapters of the FSAR do not include the FSAR clarifier. Since these Section and Chapter references are to an external document, it is appropriate (DOC A003) to include the FSAR modifier. This is resolved by adding the FSAR modifier as appropriate.

2. (Internal # 6) The GTST sections often repeat VEGP LAR DOCs, which reference existing and current requirements. The inclusion in the GTST of references to existing and current, are not always valid in the context of the GTS. Each occurrence of existing and current should be revised to be clear and specific to GTS, MTS, or VEGP COL TS (or other), as appropriate. Noted ambiguities are corrected in the GTST body.

3. (Internal # 7)Section VII, GTST Safety Evaluation, inconsistently completes the subsection References to Previous NRC Safety Evaluation Reports (SERs) by citing the associated SE for VEGP 3&4 COL Amendment 13. It is not clear whether there is a substantive intended difference when omitting the SE citation. This is resolved by removing the SE citation in Section VII of the GTST and ensuring that appropriate references to the consistent citation of this reference in Section X of the GTST are made.

4. (Internal # 116 and 165) In GTST for Subsection 3.3.8,Section VI, under the heading Rationale for changes in RCOL Std. Dep., RCOL COL Item(s), and RCOL PTS Changes, the first paragraph mentions DOC A024. This DOC is for changes to RTS Instrumentation and does not affect Subsection 3.3.8. Note that it is not mentioned anywhere else in this Subsection. This is also stated in Subsections 3.3.9 through 3.3.16. Change DOCs A024 and A028 to DOC A028 in GTST 3.3.8 through GTST 3.3.16. This is resolved by making the recommended change. Note that comment # 116 is actually directed at removing DOC A028 in Subsections 3.3.1 through 3.3.7, but the opposite is true for DOC A024 in Subsections 3.3.8 through 3.3.16 as stated above.

5. (Internal # 127) In the ASA, LCO, and Applicability section of the Bases, change +/- to plus or minus in the third paragraph. Per APOG, this change aligns with Writer's Guide convention when no value follows the symbol. This is resolved by making the recommended change. However, NRC staff notes that the Writer's Guide is actually silent Date report generated:

Monday, June 29, 2015 Page 41

GTST AP1000-O61-3.3.8, Rev. 1 regarding this convention and this change does not conform to the convention of NUREG-1431, Rev. 4.

6. (Internal # 163) In GTST Section V under the heading Changes to the Generic Technical Specifications and Bases:, the first paragraph on page 12 states that Condition C is revised by adding a second condition that states one or more Functions with more than two channels inoperable. The Condition actually reads one or more Functions with three or more channels inoperable. Change sentence to read ...one or more Functions with three or more channels inoperable. This is resolved by making the recommended change.

7. (Internal # 164) In GTST Section V under the heading Changes to the Generic Technical Specifications and Bases:, in the Changes to Functions Table, Function 13.b (first entry) -

Additional DOC column should specify A032 and L12, just like Function 14.b. Add A032 and L12 to column. This is resolved by making the recommended change. In addition, add a closing square bracket to applicable mode list for this function.

8. (Internal # 166) In the Background section of the Bases for STS Subsection 3.3.8, the tense of the verb assure should be changed to be assures not assured in the fourth paragraph, next to last sentence. This is resolved by making the recommended change.

9. (Internal # 167) Table 3.3.8-1 first page number states (page -2 of 2); it should be (page 1 of 2); and second page states (page -1 of 2); it should be (page 2 of 2) Correct page Table 3.3.8-1 page numbering. This is resolved by making the recommended change.

10. (Internal # 168) Table 3.3.8-1, Function 7, APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS states 4(d), 5(e), whereas VEGP TSU Amendment page states 4(d),

5(e)(f). Bases support the (e) and the (f) footnotes, as do the GTS (i.e., with footnotes (b) and (l)). There is no GTST discussion that evaluates the revised Applicability; it therefore, appears to be a typographical oversight. Include footnote (f) for Function 7 MODE 5 Applicability. This is resolved by making the recommended change.

11. (Internal # 169) Table 3.3.8-1, Function 17, APPLICABLE MODES OR OTHER SPECIFIED CONDITIONS has parentheses after 4 with no corresponding note. VEGP TSU Amended page has no parenthetical note after 4. The mark up on page 47 deletes the footnote, but failed to mark out the parentheses. Delete parentheses on page 47 and 122. This is resolved by making the recommended change.

12. (Internal #170) In the Background section of the Bases for STS Subsection 3.3.8 under the heading Plant Protection Subsystem, the word bases should be basis in the second paragraph, last sentence. This is resolved by making the recommended change, but also requires that the verb be changed to match the single subject.

13. (Internal # 171) In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8, the third paragraph, last sentence, includes the phrase ...values must be confirmed to be operating within the assumptions... The word operating is incorrect, as the values should be within the assumptions. Delete the word operating This is resolved by making the recommended change.

14. (Internal # 172) In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8, the discussion for the interlock functions includes Applicability and operability requirements. However, DOC L10 relocated Applicability and operability requirements. The appropriate discussion of the Applicability and operability requirements is found in the Bases for the COT (SR 3.3.8.2, eighth paragraph). Delete the last two paragraphs for P-4 interlock Bases discussion; delete the last sentence for the P-6 Date report generated:

Monday, June 29, 2015 Page 42

GTST AP1000-O61-3.3.8, Rev. 1 interlock Bases discussion; delete the last paragraph for interlock P-11 Bases discussion; delete the last sentence of the P-12 interlock Bases discussion; and delete the next to last sentence of the first paragraph for the P-19 interlock Bases discussion. This is resolved by making the recommended changes.

Although the GTS 3.3.2 Bases material included in the MTS 3.3.8 Bases, which APOG proposes for deletion, does not detract from the Bases discussion and serves to better inform the operator, NRC staff agreed to omit this material from the STS 3.3.8 Bases, but may propose adding such material back into these interlock descriptions in STS 3.3.8 Bases in a fututre revision of the AP1000 STS. In the following markups, where this operability/applicability language is quoted, the edited material is completely lined out; the same approach is taken in the Section XI markup. Additional clarifying changes are recommended by NRC staff for the Bases discussion on interlocks. In the ASA, LCO, and Applicability section of the Bases under the heading Reactor Trip, P-4, insert a comma after Function 17 in the first sentence of the last paragraph. In the first paragraph, first bullet, append the list of actuated components on a turbine trip: (closes turbine stop valves, control valves, reheat stop valves, intercept valves, extraction steam shutoff and non-return valves, and opens automatic steam line drain valves) Under the heading Intermediate Range Neutron Flux, P-6, revise the paragraph as indicated for consistency with proposed edits to Bases for Subsections 3.3.1, 3.3.2, and 3.3.3:

The Intermediate Range Neutron Flux, P-6 interlock is automatically enabled actuated when the respective PMS division NIS intermediate range Intermediate Range Neutron Flux channel increases to approximately one decade above the channel lower range limit. Below the setpoint, the P-6 interlock is automatically disabled, which unblocks the Source Range Neutron Flux Doubling instrument Function, permitting the automatic block of boron dilution. Normally, this Function is blocked by the main control room operator during reactor startup after the Intermediate Range Neutron Flux instrument indicates that reactor power exceeds the P-6 setpoint because above the setpoint the block of boron dilution is not needed. The P-6 interlock is required to be OPERABLE in MODE 2 to support the Source Range Neutron Flux Doubling instrument Function to initiate CVS makeup isolation and align the boric acid tank to the CVS makeup pumps, which terminates a boron dilution event.

This Function is required to be OPERABLE in MODE 2.

Under the heading Pressurizer Pressure, P-11, revise the first paragraph as indicated for consistency and clarity:

The P-11 interlock permits a normal unit cooldown and depressurization without Safeguards Actuation or main steam line and feedwater isolation.

With pressurizer pressure channels less than the P-11 setpoint, the operator can manually block the following listed ESFAS instrument Functions, which initiate these ESF actuation and isolation Functions, by manually blocking the initiation signal from the ESFAS instrument channel in at least three PMS divisions:

Safeguards Actuation on manually block initiation the Pressurizer Pressure pressure - Low (Table 3.3.8-1, Function 5),

Steam Line Pressure - Low (Table 3.3.8-1, Function 24), and or Tcold - Low (Table 3.3.8-1, Function 11).by manually block initiation Safeguards Actuation signals and Date report generated:

Monday, June 29, 2015 Page 43

GTST AP1000-O61-3.3.8, Rev. 1

Steam Line Isolation on the Steam Line Pressure - Low (Table 3.3.8-1, Function 24) and or Tcold - Low (Table 3.3.8-1, Function 11).

Manually blocking steam line isolation signals When the Steam Line Pressure - Low ESFAS instrument channels is manually blocked, a main steam isolation enables the ESF Function of Main Steam Isolation signal on Steam Line Pressure-Negative Rate - High (Table 3.3.8-1, Function 25) is enabled. This provides protection for an SLB by closure of the main steam isolation valves. Manual block of

Feedwater Isolation feedwater isolation on Tavg - Low 1 (Table 3.3.8-1, Function 12),

Tavg - Low 2 (Table 3.3.8-1, Function 13), and Tcold - Low (Table 3.3.8-1, Function 11).is also permitted below P-11.

With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Safeguards Actuation signals on Pressurizer Pressure -

Low, Steam Line Pressure - Low, and Tcold - Low, Safeguards Actuation signals and the Steam Line Isolation signals on Steam Line Pressure -

Low and Tcold - Low, steam line isolation signals are automatically enabled.

The and the Feedwater Isolation feedwater isolation signals on Tcold - Low, Tavg - Low 1, and Tavg - Low 2 are also automatically enabled above P-11.

The operator can also manually enable these signals by use of the respective PMS division manual reset buttons for these ESFAS instrument Functions. With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Steam Line Isolation signal on Steam Line Pressure-Negative Rate - High is automatically blocked.

Under the heading RCS Pressure, P-19, revise the second sentence in the first paragraph as indicated for consistency and clarity:

With RCS pressure below the P-19 setpoint, the operator can manually block CVS isolation on Pressurizer Water Level - High 2 (Table 3.3.8-1, Function 9) pressurizer water level, and block Passive RHRPRHR actuation and Pressurizer Heater Trip on Pressurizer Water Level - High 3 (Table 3.3.8-1, Function 10) pressurizer water level.

15. (Internal # 173) In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Steam Generator Blowdown Isolation, the first paragraph, states: The primary Function of the steam generator blowdown isolation is to ensure that sufficient water inventory is present in the steam generators to remove the excess heat... For clarity and to be more accurate, the statement should be changed to read: The primary Function of the steam generator blowdown isolation is to preserve water inventory in the steam generators to support removing the excess heat... The blowdown isolation by itself does not ensure sufficient water inventory. This is resolved by making the recommended change.

16. (Internal #174) In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Passive Containment Cooling Actuation, the first paragraph, last sentence states Heat removal is initiated ... This sentence is discussing PCS heat removal. The modifier PCS should be added because there is more than one Date report generated:

Monday, June 29, 2015 Page 44

GTST AP1000-O61-3.3.8, Rev. 1 type of heat removal method. Add PCS in front of the word Heat and de-capitalize the word heat. This is resolved by making the recommended change.

17. (Internal # 175) In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Containment Radioactivity - High 1, the discussion in the last paragraph states that the Function is not required under certain conditions because any DBA release of radioactivity into the containment in these MODES would not require containment isolation. For clarity and to be more correct, the statement should be a new sentence that reads Any DBA release of radioactivity into the containment in these conditions would not require this containment isolation function. The conditions described are not all MODES and the discussion is about this specific containment isolation function, not all containment isolations. This is resolved by making the recommended change with additional edits for added clarity. Revise the last sentence of the last paragraph as follows:

This Function is not required to be OPERABLE in MODE 4 with the RCS being cooled by the RNS, or MODES 5, and MODE 6., because any Any DBA release of radioactivity into the containment in these MODESconditions would not require the containment isolationContainment Air Filtration System Isolation Function.

18. (Internal # 176) In the ASA, LCO, and Applicability section of the Bases for STS Subsection 3.3.8 under the heading Pressurizer Water Level - High 2, the first paragraph should be revised to correct a typographical error regarding the automatic blocking. The TS Bases reference to the P-11 permissive (saying that it is automatically blocked) should be the P-19 permissive (saying that it can be manually blocked) per FSAR Section 7.3.1.2.15.

Note that in the TS itself, the Function (TS 3.3.8, Function 9) has footnote (g), which indicates Above the P-19 (RCS Pressure) interlock... Change the phrase is automatically to can be manually and the interlock number from 11 to 19 This is resolved by making the recommended change with additional edits for added clarity. Revise the third and fourth sentences in the first paragraph as follows:

. . . This Function is automatically can be manually blocked when the pressurizer pressure is below the P-11 permissive P-19 (RCS Pressure) setpoint to permit pressurizer water solid conditions with the plant cold and to permit level makeup during plant cooldowns. This Function is automatically unblocked when RCS pressure is above the P-19 (RCS Pressure) setpoint.

Revise the third paragraph as follows:

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when above the P-19 interlock with and the RCS is not being cooled by the RNS. This Function is not required to be OPERABLE in MODE 4either below the P-19 setpoint or with the RCS being cooled by the RNS, or bothand in MODES 5 and 6. Because it The CVS Makeup Isolation on Pressurizer Water Level - High 2 ESFAS Function is not required to mitigate a DBA in these conditions MODES.

19. (Internal # 177) In the Actions section of the Bases for STS Subsection 3.3.8, Actions F.1 and F.2 are typographically mis-identified as FG.1 and FG.2. Revise the heading to F.1 and F.2 This is resolved by making the recommended change.

20. (Internal # 178) In the Surveillance Requirements section of the Bases for STS Subsection 3.3.8 under the heading SR 3.3.8.2, the next to last paragraph, last line uses Date report generated:

Monday, June 29, 2015 Page 45

GTST AP1000-O61-3.3.8, Rev. 1 the phrase integrated protection cabinets. The Bases for SR 3.3.8.3, first paragraph uses the term IPC, which is the acronym for integrated protection cabinets. The SR 3.3.8.2 Bases should be changed from integrated protection cabinets to integrated protection cabinets (IPCs). This change also applies to Section 3.3.10 (SR 3.3.10.2), Section 3.3.11 (SR 3.3.11.2), Section 3.3.13 (SR 3.3.13.2), and Section 3.3.14 (SR 3.3.14.2). Add the acronym (IPCs) after the words integrated protection cabinets in SR 3.3.8.2 (and other SRs identified above). This is resolved by making the recommended change with additional edits for added clarity. Use PMS everywhere following its definition in the Background section of the Bases. Revise paragraphs one, three, six, nine, and ten as indicated:

SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A test subsystem is provided with the protection and safety monitoring system PMS to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

To the extent possible, protection and safety monitoring system PMS functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

The 92 day Frequency is based on Reference 5 and the use of continuous diagnostic test features, such as deadman timers, crosscheck of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets (IPCs) to the operator.

During the COT, the protection and safety monitoring system PMS cabinets in the division under test may be placed in bypass.

Under the heading SR 3.3.8.3, revise the first paragraph as indicated:

Date report generated:

Monday, June 29, 2015 Page 46

GTST AP1000-O61-3.3.8, Rev. 1 SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the IPC.

The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology. The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

NRC Final Approval Date: June 29, 2015 NRC

Contact:

C. Craig Harbuck United States Nuclear Regulatory Commission 301-415-3140 Craig.Harbuck@nrc.gov Date report generated:

Monday, June 29, 2015 Page 47

GTST AP1000-O61-3.3.8, Rev. 1 IX. Evaluator Comments for Consideration in Finalizing Technical Specifications and Bases Final production of files for Subsections 3.3.1, 3.3.8, and 3.3.9 will require reformatting of footnotes for Table 3.3.1-1, Table 3.3.8-1, and Table 3.3.9-1 to conform to Writers Guide (Ref.

4) Sections 2.1.2 and 2.1.9; in particular [with clarification]:

2.1.2 Page Format

d. The suggested font is Arial 11 point for all type. Reduced footnote, table, or figure font sizes may occasionally be required, but to ensure readability, these fonts should be no smaller than [Arial] 8 point 2.1.9 Figure and Table Footnote Format Footnotes are restricted for use in figures and tables. Footnotes are not used in Specifications or Bases except in figures and tables.

a. Use superscript, lower-case letters enclosed within parentheses as footnote designators where it modifies an item. Order them alphabetically.

b. If the same footnote is repeated in a figure or table, use the same footnote designator for each repeated reference. Do so even if the continued figure and table span several pages.

c. Place the footnote key on each page the footnote appears. Include in the key only those footnotes appearing on that page. For tables, the key is placed two blank lines below the table. For figures, the key is two blank lines below the figure and one blank line above the title.

d. Footnote designators in the key should not be superscript. Text in the key should be indented two [en] spaces from the footnote designator.

e. On occasion, table width may preclude the use of the normal size font. When this occurs, regardless of the font [size] used, use the same font [size] for all facets of the figure or table: [except title], column headings, body text, and footnotes.

The above corrections will require moving Table entries from page to page to make room for the necessary footnotes. Note that these changes are necessary on the LCO mark-up and on the LCO clean version.

Date report generated:

Monday, June 29, 2015 Page 48

GTST AP1000-O61-3.3.8, Rev. 1 X. References Used in GTST

1. AP1000 DCD, Revision 19, Section 16, Technical Specifications, June 2011 (ML11171A500).

2. Southern Nuclear Operating Company, Vogtle Electric Generating Plant, Units 3 and 4, Technical Specifications Upgrade License Amendment Request, February 24, 2011 (ML12065A057).

3. NRC Safety Evaluation (SE) for Amendment No. 13 to Combined License (COL) No.

NPF-91 for Vogtle Electric Generating Plant (VEGP) Unit 3, and Amendment No. 13 to COL No. NPF-92 for VEGP Unit 4, September 9, 2013, ADAMS Package Accession No. ML13238A337, which contains:

ML13238A355 Cover Letter - Issuance of License Amendment No. 13 for Vogtle Units 3 and 4 (LAR 12-002).

ML13238A359 Enclosure 1 - Amendment No. 13 to COL No. NPF-91 ML13239A256 Enclosure 2 - Amendment No. 13 to COL No. NPF-92 ML13239A284 Enclosure 3 - Revised plant-specific TS pages (Attachment to Amendment No. 13)

ML13239A287 Enclosure 4 - Safety Evaluation (SE), and Attachment 1 - Acronyms ML13239A288 SE Attachment 2 - Table A - Administrative Changes ML13239A319 SE Attachment 3 - Table M - More Restrictive Changes ML13239A333 SE Attachment 4 - Table R - Relocated Specifications ML13239A331 SE Attachment 5 - Table D - Detail Removed Changes ML13239A316 SE Attachment 6 - Table L - Less Restrictive Changes The following documents were subsequently issued to correct an administrative error in Enclosure 3:

ML13277A616 Letter - Correction To The Attachment (Replacement Pages) - Vogtle Electric Generating Plant Units 3 and 4-Issuance of Amendment Re:

Technical Specifications Upgrade (LAR 12-002) (TAC No. RP9402)

ML13277A637 Enclosure 3 - Revised plant-specific TS pages (Attachment to Amendment No. 13) (corrected)

4. TSTF-GG-05-01, Writer's Guide for Plant-Specific Improved Technical Specifications, June 2005.

5. RAI Letter No. 01 Related to License Amendment Request (LAR)12-002 for the Vogtle Electric Generating Plant Units 3 and 4 Combined Licenses, September 7, 2012 (ML12251A355).

6. Southern Nuclear Operating Company, Vogtle Electric Generating Plant, Units 3 and 4, Response to Request for Additional Information Letter No. 01 Related to License Amendment Request LAR-12-002, ND-12-2015, October 04, 2012 (ML12286A363 and ML12286A360)

Date report generated:

Monday, June 29, 2015 Page 49

GTST AP1000-O61-3.3.8, Rev. 1

7. APOG-2014-008, APOG (AP1000 Utilities) Comments on AP1000 Standardized Technical Specifications (STS) Generic Technical Specification Travelers (GTSTs), Docket ID NRC-2014-0147, September 22, 2014 (ML14265A493).

Date report generated:

Monday, June 29, 2015 Page 50

GTST AP1000-O61-3.3.8, Rev. 1 XI. MARKUP of the Applicable GTS Subsection for Preparation of the STS NUREG The entire section of the Specifications and the Bases associated with this GTST is presented next.

Changes to the Specifications and Bases are denoted as follows: Deleted portions are marked in strikethrough red font, and inserted portions in bold blue font.

Date report generated:

Monday, June 29, 2015 Page 51

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 3.3 INSTRUMENTATION 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation LCO 3.3.8 The ESFAS instrumentation channels for each Function in Table 3.3.8-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8-1.

ACTIONS

NOTE-----------------------------------------------------------

Separate Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions A.1 Place inoperable channel in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with one channel bypass or trip.

inoperable.

B. One or more Functions B.1 Place one inoperable 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with two channels channel in bypass.

inoperable.

AND B. 2 Place one inoperable 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months channel in trip.

AP1000 STS 3.3.8-1 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 52

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. Required Action and C.1 Enter the Condition Immediately associated Completion referenced in Table 3.3.8-1 Time of Condition A or B for the channel(s).

not met.

OR One or more Functions with three or more channels inoperable.

D. One or two interlock D.1 Verify the interlocks are in 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months channels inoperable. the required state for the existing plant conditions.

OR D.2.1 Place the Functions 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months associated with one inoperable interlock channel in bypass or trip.

AND D.2.2 With two interlock channels 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months inoperable, place the Functions associated with one inoperable interlock channel in bypass and with one inoperable interlock channel in trip.

DE. As required by Required DE.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in Table 3.3.8-1.

AP1000 STS 3.3.8-2 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 53

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME EF. As required by Required EF.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

EF.2 Be in MODE 4. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months FG.As required by Required FG.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

FG.2 Be in MODE 4 with the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Reactor Coolant System (RCS) cooling provided by the Normal Residual Heat Removal System (RNS).

G. As required by G.1 Be in MODE 3 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Required Action C.1 and referenced in AND Table 3.3.8-1.

G.2 Be in MODE 4. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND G.3 Establish RCS cooling 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months provided by the RNS.

H. As required by Required H.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

H.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months AP1000 STS 3.3.8-3 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 54

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME I. As required by Required -------------------NOTE-------------------

Action C.1 and Flow path(s) may be unisolated referenced in intermittently under administrative Table 3.3.8-1. controls.

I.1 Isolate the affected flow 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months path(s).

AND I.2.1 Isolate the affected flow 7 days path(s) by use of at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured.

OR I.2.2 Verify the affected flow path Once per 7 days is isolated.

AP1000 STS 3.3.8-4 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 55

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME IJ. As required by Required IJ.1 Declare affected isolation Immediately Action C.1 and valve(s) inoperable.

referenced in --------------NOTE-------------

Table 3.3.8-1. Flow path(s) may be unisolated intermittently under administrative controls.

Isolate the affected flow 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months path(s) by use of at least one closed manual or closed and de-activated automatic valve.

OR J.2.1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND J.2.2 Be in MODE 4. 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months K. As required by Required K.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

NOTE-------------------

Flow path(s) may be unisolated intermittently under administrative controls.

K.2.1.1 Isolate the affected flow 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months path(s).

AND AP1000 STS 3.3.8-5 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 56

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME K. (continued) K.2.1.2 Verify the affected flow path Once per 7 days is isolated.

OR K.2.2 Be in MODE 4 with the 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months RCS cooling provided by the RNS.

L. As required by Required L.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

L.2.1.1 Be in MODE 4 with the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months RCS cooling provided by the RNS.

AND

NOTE-------------------

Flow path(s) may be unisolated intermittently under administrative controls.

L.2.1.2 Isolate the affected flow 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months path(s).

AND L.2.1.3 Verify the affected flow path Once per 7 days is isolated.

OR L.2.2 Be in MODE 5. 42 hours4.861111e-4 days 0.0117 hours 6.944444e-5 weeks 1.5981e-5 months AP1000 STS 3.3.8-6 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 57

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME JN. As required by Required JN.1 Be in MODE 5. 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months with three Action C.1 and or more inoperable referenced in channels Table 3.3.8-1.

AND 180 hours0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months AND JN.2 Initiate action to open the 180 hours0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months RCS pressure boundary and establish a pressurizer level 20%.

KO. As required by KO.1 Suspend positive reactivity Immediately Required Action C.1 and additions.

referenced in Table 3.3.8-1. AND KO.2 If in MODE 5 with RCS Immediately open and < 20%

pressurizer level, Iinitiate action to be in MODE 5 with RCS open RCS pressure boundary and establish 20% pressurizer level.

LP. As required by Required LP.1 Suspend positive reactivity Immediately Action C.1 and additions.

referenced in Table 3.3.8-1. AND LP.2 If in MODE 6 with upper Immediately internals in place, Iinitiate action to remove be in MODE 6 with the upper internals removed.

AP1000 STS 3.3.8-7 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 58

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME MQ. As required by MQ.1 Suspend positive reactivity Immediately Required Action C.1 and additions.

referenced in Table 3.3.8-1. AND MQ.2 Be in MODE 5. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND MQ.3 Initiate action to establish a 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months pressurizer level 20%

with the RCS pressure boundary intact.

NR. As required by NR.1 Suspend positive reactivity Immediately Required Action C.1 and additions.

referenced in Table 3.3.8-1. AND NR.2 Initiate action to establish Immediately be in MODE 6 with the water level 23 feet above the top of the reactor vessel flange.

AP1000 STS 3.3.8-8 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 59

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME S. As required by Required S.1 --------------NOTE-------------

Action C.1 and Flow path(s) may be referenced in unisolated intermittently Table 3.3.8-1. under administrative controls.

Isolate the affected flow 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months path(s) by use of at least one closed manual or closed and de-activated automatic valve.

OR S.2.1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND S.2.2 Be in MODE 4 with the 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months RCS cooling provided by the RNS.

OM. As required by OM.1 Declare affected isolation Immediately Required Action C.1 and valve(s) inoperable.

referenced in Table 3.3.8-1. AND

NOTE-------------------

Flow path(s) may be unisolated intermittently under administrative controls.

O.2 Be in MODE 3. Isolate the 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months M.1.1 affected flow path(s).

AND AP1000 STS 3.3.8-9 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 60

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME OM. (continued) M.1.2.1 Isolate the affected flow 7 days path(s) by use of at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured.

OR M.1.2.2 Verify the affected flow path Once per 7 days is isolated.

OR M.2.1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND M.2.2 Be in MODE 5. 42 hours4.861111e-4 days 0.0117 hours 6.944444e-5 weeks 1.5981e-5 months PT. As required by Required PT.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

PT.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months AND PT.3 Open a containment air 44 hours5.092593e-4 days 0.0122 hours 7.275132e-5 weeks 1.6742e-5 months flow path 6 inches in diameter.

AP1000 STS 3.3.8-10 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 61

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months SR 3.3.8.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.

SR 3.3.8.3 --------------------------------NOTE--------------------------------

This surveillance shall include verification that the time constants are adjusted to within limits the prescribed values.

Perform CHANNEL CALIBRATION in accordance with 24 months Setpoint Program.

SR 3.3.8.4 Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS SR 3.3.8.5 ---------------------------------NOTE-------------------------------

This surveillance shall include verification that the time constants are adjusted to the prescribed values.

Perform ACTUATION DEVICE TEST. 24 months SR 3.3.8.6 Perform ACTUATION DEVICE TEST for squib valves. 24 months SR 3.3.8.7 Perform ACTUATION DEVICE TEST for pressurizer 24 months heater circuit breakers.

AP1000 STS 3.3.8-11 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 62

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 1 of 5)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

1. Containment Vacuum Relief Valve Actuation 1,2,3,4,5(a),6(a) 4 PT Containment Pressure - Low 2

2. Safeguards Actuation Containment Pressure - 1,2,3,4 4 H High 2 Steam Line Isolation 1,2(b),3(b),4(b) 4 G Containment Pressure - High 2 Passive Containment Cooling Actuation 1,2,3,4 4 H Containment Pressure - High 2

3. Containment Air Filtration System Isolation 1,2,3,4(bc) 4 IS Containment Radioactivity - High 1

4. Chemical Volume and Control System Makeup 1,2,3 4 IJ Isolation Containment Radioactivity - High 2 Normal Residual Heat Removal System 1,2,3(d) 4 J Isolation Containment Radioactivity - High 2

5. Safeguards Actuation Pressurizer Pressure - 1,2,3(ce) 4 EF Low

6. Auxiliary Spray and Purification Line Isolation 1,2 4 DE Pressurizer Water Level - Low 1

7. Core Makeup Tank Actuation Pressurizer 1,2,3,4(bc) 4 FG Water Level - Low 2 4(df), 5(eg)(fh) 4 JN Reactor Coolant Pump Trip 1,2,3,4(c) 4 G Pressurizer Water Level - Low 2 4(f), 5(f)(h) 4 JN

8. Chemical Volume and Control System Makeup 1,2,3(d) 4 IJ Isolation Pressurizer Water Level - High 1 Coincident with Safeguards Actuation 1,2,3(d)

9. Chemical Volume and Control System Makeup 1,2,3,4(gc)(d)(i) 4 IM Isolation Pressurizer Water Level - High 2 AP1000 STS 3.3.8-12 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 63

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 2 of 5)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

10. Passive Residual Heat Removal Heat 1,2,3,4(gc)(i) 4 FG Exchanger Actuation Pressurizer Water Level -

High 3 Pressurizer Heater Trip 1,2,3,4(c)(i) 4 G Pressurizer Water Level - High 3

11. Safeguards Actuation RCS Cold Leg 1,2,3(c) 4 per loop EF Temperature (Tcold) - Low SteamLine Isolation 1,2(b),3(b)(e) 4 per loop F RCS Cold Leg Temperature (Tcold) - Low Startup Feedwater Isolation 1,2,3(e) 4 per loop F RCS Cold Leg Temperature (Tcold) - Low

12. Main Feedwater Control Valve Isolation 1,2 4 DE Reactor Coolant Average Temperature (Tavg) -

Low 1 Coincident with Reactor Trip 1,2

13. Main Feedwater Pump Trip and Valve Isolation 1,2 4 DE Reactor Coolant Average Temperature (Tavg) -

Low 2 Coincident with Reactor Trip 1,2

14. ADS Stage 4 Actuation Manual Initiation 1,2,3,4 4 H Coincident with RCS Wide Range Pressure -

Low, or ADS Stages 1, 2 & 3 Actuation 5 4 KO 6(hj)(k) 4 LP ADS Stage 4 Actuation 1,2,3,4 4 H CMT Level - Low 2 Coincident with RCS Wide Range Pressure -

Low, and 5(h)(j) 4 N Coincident with ADS Stages 1, 2 & 3 Actuation 1,2,3,4,5(h)(j)

AP1000 STS 3.3.8-13 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 64

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 3 of 5)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

15. ADS Stages 1, 2 & 3 Actuation Core Makeup 1,2,3,4 4 per tank H Tank (CMT) Level - Low 1 5(ij)(m) 4 per OPERABLE tank JN Coincident with CMT Actuation

16. ADS Stage 4 Actuation CMT Level - Low 2 1,2,3,4 4 per tank H 5(h)(j) 4 per OPERABLE tank JN

17. Boron Dilution Block Source Range Neutron 2(jl),3(jl),4(l) 4 IM Flux Doubling 5(d) 4 I

18. IRWST Containment Recirculation Valve 1,2,3,4(bc) 4 FG Actuation ADS Stage 4 Actuation Coincident with IRWST Level - Low 3 4(df),5 4 MQ 6(hj) 4 NR

19. Component Cooling Water System 1,2,3,4 4 per RCP OM Containment Isolation Valve Closure Reactor Coolant Pump Bearing Water Temperature -

High Reactor Coolant Pump Trip 1,2 4 per RCP E Reactor Coolant Pump Bearing Water Temperature - High

20. Passive Residual Heat Removal Heat 1,2,3,4(bc) 4 per SG FG Exchanger Actuation SG Narrow Range Water Level - Low Coincident with Startup Feedwater Flow - Low 1,2,3,4(b) 2 per feedwater line G SG Blowdown Isolation 1,2,3,4(c)(d) 4 per SG K SG Narrow Range Water Level - Low

21. Passive Residual Heat Removal Heat 1,2,3,4(bc) 4 per SG FG Exchanger Actuation SG Wide Range Water Level - Low AP1000 STS 3.3.8-14 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 65

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 4 of 5)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

22. Startup Feedwater Isolation SG Narrow Range 1,2,3,4(m) 4 per SG IJ Water Level - High Coincident with Reactor Trip Chemical Volume and Control System Makeup 1,2,3(d),4(c)(d) 4 per SG K Isolation SG Narrow Range Water Level - High Coincident with Reactor Trip

23. Turbine Trip SG Narrow Range Water Level - 1,2 4 per SG DE High 2 Main Feedwater Control Valve Isolation 1,2,3,4(c)(d) 4 per SG K SG Narrow Range Water Level - High 2 Main Feedwater Pump Trip and Valve Isolation 1,2,3,4(c)(d) 4 per SG K SG Narrow Range Water Level - High 2 Startup Feedwater Isolation 1,2,3,4(m) 4 per SG IL SG Narrow Range Water Level - High 2 Chemical Volume and Control System Makeup 1,2,3,4(c)(d) 4 per SG K Isolation SG Narrow Range Water Level - High 2

24. SG Power Operated Relief Valve and Block 1,2,3,4(bc) 4 per steam line G Valve Isolation Steam Line Pressure - Low Safeguards Actuation 1,2,3(e) 4 per steam line F Steam Line Pressure - Low Steam Line Isolation 1,2(b),3(b)(e) 4 per steam line F Steam Line Pressure Steam Line Pressure - Low

25. Steam Line Isolation Steam Line Pressure 3(kb)(n) 4 per steam line IF Steam Line Pressure - Negative Rate - High

26. ESFAS Interlocks

a. Reactor Trip breaker Open, P-3 1,2,3 3 divisions F

b. Reactor Trip, P-4 1,2,3 3 divisions F AP1000 STS 3.3.8-15 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 66

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 5 of 5)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

c. Intermediate Range Neutron Flux, P-6 2 4 E

d. Pressurizer Pressure, P-11 1,2,3 4 F

e. Pressurizer Level, P-12 1,2,3 4 F 4,5,6 4 Q

f. RCS Pressure, P-19 1,2,3,4(c) 4 G (a) Without an open containment air flow path 6 inches in diameter.

(b) Not applicable if all MSIVs are closed.

(bc)With the RCS not being cooled by the Normal Residual Heat Removal System (RNS).

(d) Not applicable for valve isolation Functions whose associated flow path is isolated.

(ce)Above the P-11 (Pressurizer Pressure) interlock, when the RCS boron concentration is below that necessary to meet the SDM requirements at an RCS temperature of 200°F.

(df) With the RCS being cooled by the RNS.

(eg)With the RCS pressure boundary intact.

(fh) With RCS not being cooled by the RNS and with pressurizer level 20%.

(gi) Above the P-19 (RCS Pressure) interlock with the RCS not being cooled by RNS.

(j) Not applicable when the required ADS valves are open. See LCO 3.4.12 and LCO 3.4.13 for ADS valve and equivalent relief area requirements.

(hk)With upper internals in place.

(i) With RCS pressure boundary intact and with pressurizer level 20%.

(jl) Not applicable when critical or during intentional approach to criticality.

(m) Not applicable when the startup feedwater flow paths are isolated.

(kn)Below the P-11 (Pressurizer Pressure) interlock.

AP1000 STS 3.3.8-16 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 67

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded. The Safety Analysis Limit (SAL) is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that an SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Safety Analysis Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The LSSS values are identified and maintained in the Setpoint Program (SP) and are controlled by 10.CFR.50.59.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded. The Safety Analysis Limit (SAL) is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to assure that a SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Safety Analysis Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The LSSS values are identified and maintained in the Setpoint Program (SP) and are controlled by 10 CFR 50.59.

AP1000 STS B 3.3.8-1 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 68

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

The Nominal Trip Setpoint (NTS) specified in the SP is a predetermined field setting for a protection channel chosen to initiate automatic actuation prior to the process variable reaching the Safety Analysis Limit and, thus, assures that the SL is not exceeded. As such, the NTS accounts for uncertainties in setting the channel (e.g., calibration),

uncertainties in how the channel might actually perform (e.g.,

repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the NTS assures assured that the SLs are not exceeded.

Therefore, the NTS meets the 10 CFR 50.36 definition of an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as ...being capable of performing its safety functions(s). Relying solely on the NTS to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the as-found value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule that are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the NTS due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the NTS, and thus, the automatic protective action would still have ensured that the SL would not be exceeded with the as-found setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function. If the as-found condition of the channel is near the as-found tolerance, recalibration is considered appropriate to allow for drift during the next surveillance interval.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);

AP1000 STS B 3.3.8-2 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 69

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

2. Fuel centerline melt shall not occur; and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, Safety Limits (SLs), also maintains the above values and assures that offsite doses are within the acceptance criteria during AOOs.

Design Basis Accidents (DBA) are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of the limits. Different accident categories are allowed a different fraction of these limits, based on the probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The ESFAS instrumentation is segmented into distinct but interconnected modules.

Field Transmitters and Sensors Normally, four redundant measurements using four separate sensors, are made for each variable used for actuation of Engineered Safety Features (ESF). The use of four channels for protection Functions is based on a minimum of two channels being required for a trip or actuation, one channel in test or bypass, and a single failure on the remaining channel. The signal selector in the Plant Control System will function correctly with only three channels. This includes two channels properly functioning and one channel having a single failure. Minimum requirements for protection and control are achieved only with three channels OPERABLE. The fourth channel is provided to increase plant availability, and permits the plant to run for an indefinite time with a single channel out of service. The circuit design is able to withstand both an input failure to the control system, which may then require the protection Function actuation, and a single failure in the other channels providing the protection Function actuation. Again, a single failure will neither cause nor prevent the protection Function actuation. These requirements are described in IEEE-603 (Ref. 3). The actual number of channels provided for each plant parameter is specified in Reference 1.

AP1000 STS B 3.3.8-3 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 70

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

Engineered Safety Features Channel An ESF channel extends from the sensor to the output of the associated ESF subsystem and shall include the sensor (or sensors), the signal conditioning, any associated data links, and the associated ESF subsystem. For ESF channels containing nuclear instrumentation, the ESF channel shall also include the nuclear instrument signal conditioning and the associated Nuclear Instrumentation Signal Processing and Control (NISPAC) subsystem. Any manual ESF controls that are associated with a particular ESF channel are also included in that ESF channel.

Plant Protection Subsystem The Protection and Safety Monitoring System cabinets contain the necessary equipment to:

Permit acquisition and analysis of the sensor inputs, including plant process sensors and nuclear instrumentation, required for reactor trip and ESF calculations;

Perform computation or logic operations on variables based on these inputs;

Provide trip signals to the reactor trip switchgear and ESF actuation data to the ESF coincidence logic as required;

Permit manual trip or bypass of each individual reactor trip Function and permit manual actuation or bypass of each individual voted ESF Function;

Provide data to other systems in the Instrumentation and Control (I&C) architecture;

Provide separate input circuitry for control Functions that require input from sensors that are also required for protection Functions.

Each of the four divisions provides signal conditioning, comparable output signals for indications in the main control room, and comparison of measured input signals with established setpoints. The basis bases of the setpoints is are described in References 2 and 6. If the measured value of a unit parameter exceeds the predetermined setpoint, an output AP1000 STS B 3.3.8-4 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 71

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued) is generated which is transmitted to the ESF coincidence logic for logic evaluation.

Within the Protection and Safety Monitoring System (PMS), redundancy is generally provided for active equipment such as processors and communication hardware. This redundancy is provided to increase plant availability and facilitate surveillance testing. A division or channel is OPERABLE if it is capable of performing its specified safety function(s) and all the required supporting functions or systems are also capable of performing their related support functions. Thus, a division or channel is OPERABLE as long as one set of redundant components within the division or channel is capable of performing its specified safety function(s).

ESF Coincidence Logic The ESF coincidence logic contains the necessary equipment to:

Permit reception of the data supplied by the four divisions of plant protection and perform voting on the trip outputs;

Perform system level logic using the input data from the plant protection subsystems and transmit the output to the ESF actuation subsystems; and

Provide redundant hardware capable of providing system level commands to the ESF actuation subsystems.

ESF Actuation Subsystems The ESF actuation subsystems contain the necessary equipment to:

Receive automatic system level signals supplied by the ESF coincidence logic;

Receive and transmit data to/from main control room multiplexers;

Receive and transmit data to/from other PLCs on the same logic bus; AP1000 STS B 3.3.8-5 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 72

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

Receive status data from component position switches (such as limit switches and torque switches); and

Perform logic computations on received data, generate logic commands for final actuators (such as START, STOP, OPEN, and CLOSE).

ESF Coincidence Logic and ESF Actuation Subsystem OPERABILITY

Background

Each ESF coincidence logic and ESF actuation subsystem has two subsystems that communicate by means of redundant halves of the logic bus. This arrangement is provided to facilitate testing. If one subsystem is removed from service, the remaining subsystem continues to function and the ESF division continues to provide full protection. At least one of these redundant halves is connected to the battery backed portion of the power system. This provides full functionality of the ESF division even when all ac power sources are lost. As long as one battery subsystem within an ESF coincidence logic or ESF actuation subsystem continues to operate, the ESF division is unaffected. An ESF division is only affected when all battery backed subsystems within that divisions ESF coincidence logic or ESF actuation subsystem are not OPERABLE.

Nominal Trip Setpoints (NTSs)

The NTS is the nominal value at which the trip output is set. Any trip output is considered to be properly adjusted when the as-left value is within the band for CHANNEL CALIBRATION, i.e., +/- rack calibration accuracy.

The trip setpoints used in the trip output are based on the Safety Analysis Limits stated in Reference 2. The determination of these NTSs is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4), the NTSs specified in the SP are conservative with respect to the Safety Analysis Limits. A detailed description of the methodology used to calculate the NTSs, including their explicit uncertainties, is provided in the Westinghouse Setpoint Methodology for Protection Systems (Ref. 6). The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found AP1000 STS B 3.3.8-6 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 73

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

OPERABILITY limit for the purpose of the CHANNEL OPERATIONAL TEST (COT) is defined as the as-left limit about the NTS (i.e., +/- rack calibration accuracy).

The NTSs listed in the SP are based on the methodology described in Reference 6, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTS. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.

The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The basis of the setpoints is described in References 2 and 6. Trending of calibration results is required by the program description in Technical Specification 5.5.14.d.

Note that the as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION, CHANNEL OPERATIONAL TEST, or a TRIP ACTUATING DEVICE OPERATIONAL TEST that requires trip setpoint verification.

The protection and safety monitoring system testing features are designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded. For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing. To the extent possible, protection and safety monitoring system functional testing will be accomplished with continuous system self-checking features and the continuous functional testing features.

AP1000 STS B 3.3.8-7 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 74

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

The protection and safety monitoring system incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the computer system and the hardware and communications tests. These self-checking tests do not interfere with normal system operation.

In addition to the self-checking features, the system includes functional testing features. Functional testing features include continuous functional testing features and manually initiated functional testing features. To the extent practical, functional testing features are designed not to interfere with normal system operation.

In addition to the system self-checking features and functional testing features, other test features are included for those parts of the system which are not tested with self-checking features or functional testing features. These test features allow for instruments/sensor checks, calibration verification, response time testing, setpoint verification and component testing. The test features again include a combination of continuous testing features and manual testing features.

All of the testing features are designed so that the duration of the testing is as short as possible. Testing features are designed so that the actual logic is not modified. To prevent unwanted actuation, the testing features are designed with either the capability to bypass a Function during testing and/or limit the number of signals allowed to be placed in test at one time.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual initiation not specifically credited in the accident safety analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. These Functions may provide protection for conditions which do not require dynamic transient analysis to demonstrate Function performance. These AP1000 STS B 3.3.8-8 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 75

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 2).

Permissive and interlock functions are based upon the associated protection function instrumentation. Because they do not have to operate in adverse environmental conditions, the trip settings of the permissive and interlock functions use the normal environment, steady-state instrument uncertainties of the associated protection function instrumentation. This results in OPERABILITY criteria (i.e., as-found tolerance and as-left tolerance) that are the same as the associated protection function sensor and process rack modules. The NTSs for permissives and interlocks are based on the associated protection function OPERABILITY requirements; i.e., permissives and interlocks performing enabling functions must be set to occur prior to the specified trip setting of the associated protection function.

The LCO requires all instrumentation performing an ESFAS Function, listed in Table 3.3.8-1 in the accompanying LCO, to be OPERABLE. The as-left and as-found tolerances specified in the SP define the OPERABILITY limits for a channel during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the as-left and as-found tolerances differ from the NTS by plus or minus +/- the PMS rack calibration accuracy and envelope the expected calibration accuracy and drift. In this manner, the actual setting of the channel (NTS) prevents exceeding an SL at any given point in time as long as the channel has not drifted beyond the expected tolerances during the surveillance interval. Note that the as-left and as-found recorded values must be confirmed to be operating within the assumptions of the statistical uncertainty calculations.

If the actual setting of the channel is found outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance) and evaluating the channels response. If the channel is functioning as required and expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

AP1000 STS B 3.3.8-9 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 76

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

A trip setpoint may be set more conservative than the NTS as necessary in response to plant conditions. However, in this case, the OPERABILITY of this instrument must be verified based on the actual field setting and not the NTS. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

ESFAS Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlocks backup manual actions to ensure bypassable Functions are in operation under the conditions assumed in the safety analyses. Proper operation of these interlocks supports OPERABILITY of the associated TS Functions and/or the requirement for actuation logic OPERABILITY. Interlocks must be in the required state, as appropriate, to support OPERABILITY of ESFAS.

Reactor Trip Breaker Open, P-3 The P-3 interlock is provided to permit the block of automatic Safeguards Actuation after a predetermined time interval following automatic Safeguards Actuation.

The reactor trip breaker position switches that provide input to the P-3 interlock only function to energize or de-energize (open or close) contacts. Therefore, this interlock Function does not have an adjustable trip setpoint.

Reactor Trip, P-4 There are eight reactor trip breakers with two breakers in each division.

The P-4 interlock is enabled when the breakers in two-out-of-four divisions are open. Additionally, the P-4 interlock is enabled by all Automatic Reactor Trip Actuations. Once enabled, the The Functions of the P-4 interlock initiates the following actions are:

Main Trip the main turbine trip (closes turbine stop valves, control valves, reheat stop valves, intercept valves, extraction steam shutoff and non-return valves, and opens automatic steam line drain valves)

AP1000 STS B 3.3.8-10 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 77

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Boron Block boron dilution block (closes the two isolation valves in the demineralized water system supply line to the makeup pump suction control valve)

CVS makeup isolation (closes the two makeup line containment isolation motor-operated valves) if coincident with a steam generator (SG) narrow range water level high voting logic output signal (Table 3.3.8-1, Function 22) for either SG to limit primary-to-secondary leakage to the affected SG following a SGTR event

Startup feedwater isolation (closes control and isolation valves and trips startup feedwater pump) if coincident with a SG narrow range water level high voting logic output signal (Table 3.3.8-1, Function 22) for either SG

Isolate main feedwater coincident with a low reactor coolant system average temperature - Low 2 voting logic output signal (Table 3.3.8-1, Function 13) (Even though this This function is not assumed in safety analysis therefore, it is not included in the technical specifications.)

The reactor trip breaker position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this RTB position switch function Function has no adjustable trip setpoint.

Three divisions of this This interlock Function must be OPERABLE and in the correct (disabled) state in MODES 1, 2, 3, and 4 3 when the reactor may be critical or approaching criticality. This ensures that a single failure will not cause an actuation or prevent an actuation.

These MODES (MODES 1, 2, 3, and 4) are also consistent with the Applicability of the various ESFAS Instrument Functions to which the P-4 interlock provides input. This Function does not have to be OPERABLE in MODE 4, 5, or 6 to trip the main turbine, because the main turbine is not in operation.

The P-4 interlock does not have to be OPERABLE in MODE 4 or 5 to block boron dilution, because Function 17 15.a, Source Range Neutron Flux Doubling, provides the required block. In MODE 6, the P-4 interlock with the Boron Dilution Block Function is not required, since the AP1000 STS B 3.3.8-11 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 78

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) unborated water source flow path isolation valves are locked closed in accordance with LCO 3.9.2.

Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is automatically enabled actuated when the respective PMS division Intermediate Range Neutron Flux NIS intermediate range channel increases to approximately one decade above the channel lower range limit. Below the setpoint, the P-6 interlock is automatically disabled, which unblocks the Source Range Neutron Flux flux Doubling doubling instrument Function function, permitting the automatic block of boron dilution.

Normally, this Function is blocked by the main control room operator during reactor startup after the Intermediate Range Neutron Flux instrument indicates that reactor power exceeds the P-6 setpoint because above the setpoint the block of boron dilution is not needed. The P-6 interlock is required to be OPERABLE in MODE 2 to support the Source Range Neutron Flux Doubling instrument Function to initiate CVS makeup isolation and align the boric acid tank to the CVS makeup pumps, which terminates a boron dilution event. This Function is required to be OPERABLE in MODE 2.

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without Safeguards Actuation or main steam line and feedwater isolation.

With pressurizer pressure channels less than the P-11 setpoint, the operator can manually block the following listed ESFAS instrument Functions, which initiate these ESF actuation and isolation Functions, by manually blocking the initiation signal from the ESFAS instrument channel in at least three PMS divisions:

Safeguards Actuation on

- Pressurizer Pressure pressure - Low (Table 3.3.8-1, Function 5),

- Steam Line Pressure - Low (Table 3.3.8-1, Function 24), or and

- Tcold - Low (Table 3.3.8-1, Function 11). Safeguards Actuation signals and the AP1000 STS B 3.3.8-12 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 79

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Isolation on

- Steam Line Pressure - Low (Table 3.3.8-1, Function 24) or and

- Tcold - Low (Table 3.3.8-1, Function 11) steam line isolation signals.

Manually blocking When the Steam Line Pressure - Low ESFAS instrument channels enables the ESF Function of Main Steam Isolation is manually blocked, a main steam isolation signal on Steam Line Pressure-Negative Rate - High (Table 3.3.8-1, Function 25) is enabled. This provides protection for an SLB by closure of the main steam isolation valves. Manual block of feedwater isolation

Feedwater Isolation on

- Tavg - Low 1 (Table 3.3.8-1, Function 12),

- Tavg - Low 2 (Table 3.3.8-1, Function 13), and

- Tcold - Low (Table 3.3.8-1, Function 11) is also permitted below P-11.

With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Safeguards Actuation signals on Pressurizer Pressure -

Low, Steam Line Pressure - Low, and Tcold - Low, Safeguards Actuation signals and the Steam Line Isolation signals on Steam Line Pressure Low and Tcold - Low, Feedwater Isolation steam line isolation signals are automatically enabled. The feedwater isolation signals on Tcold - Low, Tavg - Low 1 and Tavg - Low 2 are also automatically enabled above P-11.

The operator can also manually enable these signals by use of the respective PMS division manual reset buttons for these ESFAS instrument Functions. With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Steam Line Isolation signal on Steam Line Pressure-Negative Rate - High is automatically blocked.

When the Steam Line Pressure - Low and Tcold - Low steam line isolation signals are enabled, the main steam isolation on Steam Line Pressure-Negative Rate - High is disabled. The Containment Pressure - High 2 and Containment Radioactivity - High 2 channels are automatically unblocked above the P-11 setpoint, with manual block permitted below the P-11 setpoint. The P-11 setpoint Setpoint reflects only steady state instrument uncertainties.

AP1000 STS B 3.3.8-13 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 80

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This interlock Function must be OPERABLE and in the correct state (enabled above P-11 setpoint, disabled below) in MODES 1, 2, and 3 to protect against a main steam line break or feedwater line break, or an event requiring safeguards actuation, and to allow an orderly cooldown and depressurization of the unit without a safeguards actuation the Safeguards Actuation or main steam or feedwater isolation. This interlock Function does not have to be OPERABLE in MODE 4, 5, or 6, because plant pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

Pressurizer Level, P-12 The P-12 interlock is provided to permit midloop operation without core makeup tank actuation, reactor coolant pump trip, CVS letdown isolation, or purification line isolation. With pressurizer level channels less than the P-12 setpoint, the operator can manually block the Pressurizer Water Level - Low 1 and Pressurizer Water Level - Low 2 signals low pressurizer level signal used for these actuations. Concurrent with blocking CMT actuation on low pressurizer level on Pressurizer Water Level - Low 2, ADS 4th Stage actuation on Low 2 RCS hot leg level is enabled. Also CVS letdown isolation on Low 1 RCS hot leg level is enabled. When the pressurizer level is above the P-12 setpoint, the Pressurizer Water Level - Low 2 pressurizer level signal is automatically enabled and a confirmatory open signal is issued to the isolation valves on the CMT cold leg balance lines. This interlock Function is required to be OPERABLE in MODES 1, 2, 3, 4, 5, and 6.

RCS Pressure, P-19 The P-19 interlock is provided to permit water solid conditions (i.e., when the pressurizer water level is > 92%) in lower MODES without automatic isolation of the CVS makeup pumps. With RCS pressure below the P-19 setpoint, the operator can manually block CVS isolation on Pressurizer Water Level - High 2 (Table 3.3.8-1, Function 9) pressurizer water level, and block Passive PRHR actuation and Pressurizer Heater Trip on Pressurizer Water Level - High 3 (Table 3.3.8-1, Function 10) pressurizer water level. When RCS pressure is above the P-19 setpoint, these Functions are automatically unblocked. This interlock Function is required to be OPERABLE IN MODES 1, 2, 3, and 4 with the RCS not being cooled by the RNS. When the RNS is cooled by the RNS, the AP1000 STS B 3.3.8-14 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 81

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

RNS suction relief valve provides the required overpressure protection (LCO 3.4.14).

The LCO generally requires OPERABILITY of four channels in each instrumentation/logic Function and two devices for each manual initiation Function. The two-out-of-four configurations allow one channel to be bypassed during maintenance or testing without causing an ESFAS initiation. Two manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide plant protection in the event of any of the analyzed accidents. ESFAS protective functions are as follows:

Safeguards Actuation The Safeguards Actuation signal actuates the alignment of the Core Makeup Tank (CMT) valves for passive injection to the RCS. The Safeguards Actuation signal provides two primary Functions:

Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal and clad integrity, peak clad temperature < 2200°F); and

Boration to ensure recovery and maintenance of SHUTDOWN MARGIN (keff < 1.0).

These Functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The Safeguards Actuation signal is also used to initiate other Functions such as:

Containment Isolation;

Reactor Trip;

Close Main Feedwater Control Valves;

Trip Main Feedwater Pumps and Closure of Isolation and Crossover Valves; and AP1000 STS B 3.3.8-15 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 82

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Reactor Coolant Pump Trip.

These other Functions ensure:

Isolation of nonessential systems through containment penetrations;

Trip of the turbine and reactor to limit power generation;

Isolation of main feedwater to limit secondary side mass losses;

Trip of the reactor coolant pumps to ensure proper CMT actuation;

Enabling automatic depressurization of the RCS on CMT Level -

Low 1 to ensure continued safeguards actuated injection.

Safeguards Actuation is initiated by the following signals:

Containment Pressure - High 2 (LCO 3.3.8, Function 2);

Pressurizer Pressure - Low (LCO 3.3.8, Function 5);

RCS Cold Leg Temperature (Tcold) - Low (LCO 3.3.8, Function 11);

Steam Line Pressure - Low (LCO 3.3.8, Function 24); and

Safeguards Actuation - Manual Initiation (LCO 3.3.9, Function 1).

Core Makeup Tank (CMT) Actuation CMT Actuation provides the passive injection of borated water into the RCS. Injection provides RCS makeup water and boration during transients or accidents when the normal makeup supply from the Chemical and Volume Control System (CVS) is lost or insufficient. Two tanks are available to provide passive injection of borated water. CMT injection mitigates the effects of high energy line breaks by adding primary side water to ensure maintenance or recovery of reactor vessel water level following a LOCA, and by borating to ensure recovery or maintenance of SHUTDOWN MARGIN following a steam line break.

CMT Valve Actuation is initiated by the Safeguards Actuation signal, Pressurizer Level - Low 2, ADS Stages 1, 2 and 3 Actuation, or manually.

AP1000 STS B 3.3.8-16 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 83

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

CMT Valve Actuation is initiated by the following signals:

Safeguards Actuation;

Pressurizer Water Level - Low 2 (LCO 3.3.8, Function 7);

ADS Stages 1, 2, and 3 Actuation; and

CMT Actuation - Manual Initiation (LCO 3.3.9, Function 2).

Containment Vacuum Relief Valve Actuation The purpose of the vacuum relief lines is to protect the containment vessel against damage due to a negative pressure (i.e., a lower pressure inside than outside). Containment Vacuum Relief Valve Actuation is actuated by the following signals:

Containment Pressure - Low 2 (LCO 3.3.8, Function 1); and

Containment Vacuum Relief Valve Actuation - Manual Initiation (LCO 3.3.9, Function 15).

Containment Isolation Containment Isolation provides isolation of the containment atmosphere and selected process systems which penetrate containment from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

Containment Isolation is actuated by the Safeguards Actuation signal, manual actuation of containment cooling, or manually.

Containment Isolation is actuated by the following signals:

Safeguards Actuation;

Passive Containment Cooling Actuation - Manual Initiation (LCO 3.3.9, Function 8); and

Containment Isolation - Manual Initiation (LCO 3.3.9, Function 3).

AP1000 STS B 3.3.8-17 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 84

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Containment Air Filtration System Isolation Some DBAs such as a LOCA may release radioactivity into the containment where the potential would exist for the radioactivity to be released to the atmosphere and exceed the acceptable site dose limits.

Isolation of the Containment Air Filtration System provides protection to prevent radioactivity inside containment from being released to the atmosphere.

Containment Air Filtration System Isolation is actuated by the following signals:

Containment Radioactivity - High 1 (LCO 3.3.8, Function 3); and

Containment Isolation Actuation.

Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one steam generator (SG) at most. For an SLB upstream of the isolation valves, inside or outside of containment, closure of the isolation valves limits the accident to the blowdown from only the affected SG. For a SLB downstream of the isolation valves, closure of the isolation valves terminates the accident as soon as the steam lines depressurize.

Closure of the turbine stop and control valves and the main steam branch isolation valves is initiated by this Function. Closure of these valves limits the accidental depressurization of the main steam system associated with an inadvertent opening of a single steam dump, relief, safety valve, or a rupture of a main steam line. Closure of these valves also supports a steam generator tube rupture event by isolating the faulted steam generator.

AP1000 STS B 3.3.8-18 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 85

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Isolation is actuated by the following signals:

Containment Pressure - High 2 (LCO 3.3.8, Function 2);

RCS Cold Leg Temperature (Tcold) - Low (LCO 3.3.8, Function 11);

Steam Line Pressure - Low (LCO 3.3.8, Function 24);

Steam Line Pressure - Negative Rate - High (LCO 3.3.8, Function 25); and

Steam Line Isolation - Manual Initiation (LCO 3.3.9, Function 4).

SG Power Operated Relief Valve and Block Valve Isolation The Function of the SG Power Operated Relief Valve and Block Valve Isolation is to ensure that the SG PORV flow paths can be isolated during a SG tube rupture (SGTR) event. The PORV flow paths must be isolated following a SGTR to minimize radiological releases from the ruptured steam generator into the atmosphere. The PORV flow path is assumed to open due to high secondary side pressure, during the SGTR. Dose analyses take credit for subsequent isolation of the PORV flow path by the PORV and/or the block valve which receive a close signal on low steam line pressure. Additionally, the PORV flow path can be isolated manually.

SG Power Operated Relief Valve and Block Valve Isolation is actuated by the following signals:

Steam Line Pressure - Low (LCO 3.3.8, Function 24); and

SG Power Operated Relief Valve and Block Valve Isolation -

Manual Initiation (LCO 3.3.9, Function 14).

AP1000 STS B 3.3.8-19 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 86

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Generator Blowdown Isolation The primary Function of the steam generator blowdown isolation is to preserve ensure that sufficient water inventory is present in the steam generators to support removing remove the excess heat being generated until the decay heat has decreased to within the PRHR HX capability.

This Function closes the isolation valves of the Steam Generator Blowdown System in both steam generators when a signal is generated from the PRHR HX Actuation or Steam Generator NR Water Level - Low.

Steam Generator Blowdown Isolation is actuated by the following signals:

PRHR HX Actuation; and

SG Narrow Range Water Level - Low (LCO 3.3.8, Function 20).

Turbine Trip The primary Function of the Turbine Trip is to prevent damage to the turbine due to water in the steam lines. This Function is necessary in MODES 1 and 2, and 3 above the P-11 pressurizer pressure interlock setpoint to mitigate the effects of a large SLB or a large Feedline Break (FLB). Failure to trip the turbine following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment. This Function is actuated by SG Water Level - High 2, by a Safeguards Actuation signal, or manually. The Reactor Trip Signal also initiates a turbine trip signal whenever a reactor trip (P-4) is generated.

Turbine Trip is actuated by the following signals:

SG Narrow range Water Level - High 2 (LCO 3.3.8, Function 23);

Reactor Trip Signal (P-4) (LCO 3.3.12); and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

AP1000 STS B 3.3.8-20 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 87

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Main Feedwater Control Valve Isolation The primary Function of Main Feedwater Control Valve Isolation is to prevent damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs. This Function is actuated by Steam Generator Narrow Range Water Level - High 2, by a Safeguards Actuation signal, or manually. The Reactor Trip Signal also initiates closure of the main feedwater control valves coincident with a low RCS average temperature (Tavg) signal whenever a reactor trip (P-4) is generated.

Main Feedwater Control Valve Isolation is actuated by the following signals:

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

Safeguards Actuation;

Reactor Coolant Average Temperature (Tavg) - Low 1 (LCO 3.3.8, Function 12) coincident with Reactor Trip Signal (P-4)

(LCO 3.3.12); and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

Main Feedwater Pump Trip and Valve Isolation The primary function of the Main Feedwater Pump Trip and Isolation is to prevent damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs. Valve isolation includes closing the main feedwater isolation and crossover valves. Isolation of main feedwater is necessary to prevent an increase in heat removal from the reactor coolant system in the event of a feedwater system malfunction. Addition of excessive feedwater causes an increase in core power by decreasing reactor coolant temperature. This Function is actuated by Steam Generator Water Level - High 2, by a Safeguards Actuation signal, or manually. The Reactor Trip Signal also initiates a turbine trip signal whenever a reactor trip (P-4) is generated.

AP1000 STS B 3.3.8-21 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 88

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Main Feedwater Pump Trip and Valve Isolation is actuated by the following signals:

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

Safeguards Actuation;

Reactor Coolant Average Temperature (Tavg) - Low 2 (LCO 3.3.8, Function 13) coincident with Reactor Trip Signal (P-4)

(LCO 3.3.12); and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

Startup Feedwater Isolation The primary Function of the Startup Feedwater Isolation is to stop the excessive flow of feedwater into the SGs. This Function is necessary in MODES 1, 2, 3, and 4 to mitigate the effects of a large SLB or a large FLB. Failure to isolate the startup feedwater system following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

Startup Feedwater Isolation is actuated by the following signals:

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

RCS Cold Leg Temperature (Tcold) - Low (LCO 3.3.8, Function 11);

SG Narrow Range Water Level - High (LCO 3.3.8, Function 22) coincident with Reactor Trip Signal (P-4) (LCO 3.3.12); and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

AP1000 STS B 3.3.8-22 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 89

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

ADS Stages 1, 2, & 3 Actuation The Automatic Depressurization System (ADS) provides a sequenced depressurization of the reactor coolant system to allow passive injection from the CMTs, accumulators, and the in-containment refueling water storage tank (IRWST) to mitigate the effects of a LOCA. The depressurization is accomplished in four stages, with the first three stages discharging into the IRWST and the last stage discharging into containment. Each of the first three stages consists of two parallel paths with each path containing an isolation valve and a depressurization valve.

The first stage isolation valves open on any ADS Stages 1, 2, and 3 actuation. The first stage depressurization valves are opened following a preset time delay after the actuation of the isolation valves. The second stage isolation valves are opened following a preset time delay after actuation of the first stage depressurization valves open. The second stage depressurization valves are opened following a preset time delay after the second stage isolation valves are actuated, similar to stage one.

Similar to the second stage, the third stage isolation valves are opened following a preset time delay after the actuation of the second stage depressurization valves. The third stage depressurization valves are opened following a preset time delay after the third stage isolation valves are actuated.

ADS Stages 1, 2, & 3 is actuated on the following signals:

CMT Level - Low 1 (LCO 3.3.8, Function 15) coincident with CMT Actuation; and

ADS Stages 1, 2, & 3 Actuation - Manual Initiation (LCO 3.3.9, Function 6).

ADS Stage 4 Actuation The ADS provides a sequenced depressurization of the reactor coolant system to allow passive injection from the CMTs, accumulators, and the IRWST to mitigate the effects of a LOCA. The depressurization is accomplished in four stages, with the first three stages discharging into the IRWST and the fourth stage discharging into containment.

AP1000 STS B 3.3.8-23 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 90

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The fourth stage of the ADS consists of four parallel paths. Each of these paths consists of a normally open isolation valve and a depressurization valve. The four paths are divided into two groups with two paths in each group. Within each group, one path is designated to be substage A and the second path is designated to be substage B.

The substage A depressurization valves are opened following a preset time delay after the substage A isolation valve confirmatory open signal.

The sequence is continued with substage B. A confirmatory open signal is provided to the substage B isolation valves following a preset time delay after the substage A depressurization valve has been opened. The signal to open the substage B depressurization valve is provided following a preset time delay after the substage B isolation valves confirmatory open signal.

ADS Stage 4 is actuated on the following signals:

CMT Level - Low 2 (LCO 3.3.8, Function 16) coincident with both ADS Stage 1, 2, & 3 Actuation and RCS Wide Range Pressure - Low (LCO 3.3.8, Function 14);

Hot Leg Loop 1 Level - Low 2 coincident with Hot Leg Loop 2 Level - Low 2 (LCO 3.3.10, Function 1, Hot Leg Level - Low 2);

ADS Stage 4 Actuation - Manual Initiation (LCO 3.3.9, Function 6) coincident with ADS Stages 1, 2, & 3 Actuation; and

ADS Stage 4 Actuation - Manual Initiation (LCO 3.3.9, Function 6) coincident with RCS Wide Range Pressure - Low (LCO 3.3.8, Function 14).

Reactor Coolant Pump Trip Reactor Coolant Pump (RCP) Trip allows the passive injection of borated water into the RCS. Injection provides RCS makeup water and boration during transients or accidents when the normal makeup supply from the CVS is lost or insufficient. Two tanks provide passive injection of borated water by gravity when the reactor coolant pumps are tripped. CMT injection mitigates the effects of high energy line breaks by adding primary side water to ensure maintenance or recovery of reactor vessel water level following a LOCA, and by borating to ensure recovery or maintenance of SHUTDOWN MARGIN following a steam line break.

AP1000 STS B 3.3.8-24 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 91

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

RCP trip on high bearing water temperature protects the RCP coast down. A high bearing water temperature trip signal will result in the tripping of all the RCPs. RCP trip is actuated by High RCP bearing water temperature, ADS Stages 1, 2, and 3 Actuation, Manual CMT Actuation, Pressurizer Water Level - Low 2, and Safeguards Actuation.

RCP trip is actuated on the following signals:

Safeguards Actuation;

ADS Stages 1, 2, and 3 Actuation;

Reactor Coolant Pump Bearing Water Temperature - High (LCO 3.3.8, Function 19);

Pressurizer Water Level - Low 2 (LCO 3.3.8, Function 7); and

CMT Injection Actuation - Manual Initiation (LCO 3.3.9, Function 2).

Component Cooling Water System Containment Isolation Valve Closure The function of the Component Cooling Water System (CCS) containment isolation valve closure is to ensure that the CCS flow paths can be isolated during an RCP heat exchanger tube rupture event. The CCS flow paths must be isolated following an RCP heat exchanger tube rupture event to minimize radiological releases from the ruptured tube into the turbine building. The CCS flow path is isolated by the closure of the CCS containment isolation valves, which receive a close signal on high RCP bearing water temperature. CCS Containment Isolation Valve Closure is actuated by Reactor Coolant Pump Bearing Water Temperature - High (LCO 3.3.8, Function 19).

Passive Containment Cooling Actuation The Passive Containment Cooling System (PCS) transfers heat from the reactor containment to the environment. This Function is necessary to prevent the containment design pressure and temperature from being exceeded following any postulated DBA (such as LOCA or SLB). PCS heat Heat removal is initiated automatically in response to a Containment Pressure - High 2 signal or manually.

AP1000 STS B 3.3.8-25 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 92

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

A Passive Containment Cooling Actuation signal initiates water flow by gravity by opening the isolation valves. The water flows onto the containment dome, wetting the outer surface. The path for natural circulation of air along the outside walls of the containment structure is always open.

Passive Containment Cooling is actuated on the following signals:

Containment Pressure - High 2 (LCO 3.3.8, Function 2); and

Passive Containment Cooling Actuation - Manual Initiation (LCO 3.3.9, Function 8).

Passive Residual Heat Removal (PRHR) Heat Exchanger Actuation The PRHR Heat Exchanger (HX) provides emergency core decay heat removal when the Startup Feedwater System is not available to provide a heat sink. PRHR is actuated when the discharge valves are opened in response to SG Narrow Range (NR) Level - Low coincident with Startup Feedwater Flow - Low, SG Wide Range Level - Low, ADS Stages 1, 2, and 3 Actuation, CMT Actuation, Pressurizer Water Level - High 3, or Manual Initiation.

PRHR is actuated on the following signals:

SG Narrow Range Water Level - Low (LCO 3.3.8, Function 20) coincident with Startup Feedwater Flow - Low (LCO 3.3.11);

SG Wide Range Water Level - Low (LCO 3.3.8, Function 21);

ADS Stages 1, 2, and 3 Actuation;

CMT Actuation;

Pressurizer Water Level - High 3 (LCO 3.3.8, Function 10); and

PRHR Heat Exchanger Actuation - Manual Initiation (LCO 3.3.9, Function 9).

AP1000 STS B 3.3.8-26 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 93

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Boron Dilution Block The block of boron dilution is accomplished by closing the CVS makeup pump suction valves to demineralized water storage tanks, and aligning the boric acid tank to the CVS makeup pump suction pumps. This Function is actuated by Source Range Neutron Flux Doubling and Reactor Trip.

Boron Dilution Block is actuated on the following signals:

Source Range Neutron Flux Doubling (LCO 3.3.8, Function 17);

and

Reactor Trip Signal (P-4) (LCO 3.3.12).

Chemical and Volume and Control System Makeup Line Isolation The CVS makeup line is isolated following certain events to prevent overfilling of the RCS. In addition, this line is isolated on High 2 containment radioactivity to provide containment isolation following an accident. This line is not isolated on a containment isolation signal, to allow the CVS makeup pumps to perform their defense-in-depth functions. However, if very high containment radioactivity exists (above the High 2 setpoint) this line is isolated.

A signal to isolate the CVS is derived from two-out-of-four high steam generator levels on either steam generator, two-out-of-four channels of pressurizer level indicating high or two-out-of-four channels of containment radioactivity indicating high. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

Chemical and Volume Control System Makeup Line Isolation is actuated on the following signals:

Containment Radioactivity - High 2 (LCO 3.3.8, Function 4);

Pressurizer Water Level - High 2 (LCO 3.3.8, Function 9);

Pressurizer Water Level - High 1 (LCO 3.3.8, Function 8) coincident with unlatched Safeguards Actuation; AP1000 STS B 3.3.8-27 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 94

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Source Range Neutron Flux Doubling (LCO 3.3.8, Function 17);

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

SG Narrow Range Water Level - High (LCO 3.3.8, Function 22) coincident with Reactor Trip Signal (P-4) (LCO 3.3.12); and

Chemical and Volume Control System Makeup Isolation -

Manual Initiation (LCO 3.3.9, Function 10).

Chemical and Volume Control System Letdown Isolation The CVS provides letdown to the liquid radwaste system to maintain the pressurizer level. To help maintain RCS inventory in the event of a LOCA, the CVS Letdown Isolation is actuated on line is isolated on a Low 1 Hot Leg Level - Low 1 (LCO 3.3.10, Function 2) signal in either of the RCS hot leg loops.

Auxiliary Spray and Purification Line Isolation The CVS maintains the RCS fluid purity and activity level within acceptable limits. The CVS purification line receives flow from the discharge of the RCPs. The CVS also provides auxiliary spray to the pressurizer. To preserve the reactor coolant pressure in the event of a break in the CVS loop piping, the purification line and the auxiliary spray line are isolated to help on a pressurizer water level Low 1 setpoint.

This helps maintain reactor coolant system inventory.

Auxiliary Spray and Purification Line Isolation is actuated on the following signals:

Pressurizer Water Level - Low 1 (LCO 3.3.8, Function 6); and

Chemical and Volume Control System Makeup Isolation -

Manual Initiation (LCO 3.3.9, Function 10).

AP1000 STS B 3.3.8-28 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 95

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Pressurizer Heater Trip Pressurizer heaters are automatically tripped upon receipt of a core makeup tank operation signal or a Pressurizer Water Level - High 3 signal. This pressurizer heater trip reduces the potential for SG overfill and automatic ADS Stages 1, 2, and 3 actuation for a SG tube rupture event. Automatically tripping the pressurizer heaters reduces the pressurizer level swell for certain non-LOCA events such as loss of normal feedwater, inadvertent CMT operation, and CVS malfunction resulting in an increase in RCS inventory. For small break LOCA analysis, tripping the pressurizer heaters supports depressurization of the RCS following actuation of the CMTs.

Pressurizer Heater Trip is actuated on the following signals:

CMT Actuation; and

Pressurizer Water Level - High 3 (LCO 3.3.8, Function 10).

Normal Residual Heat Removal System (RNS) Isolation The RNS suction line is isolated by closing the containment isolation valves on High 2 containment radioactivity to provide containment isolation following an accident. This line is isolated on a safeguards actuation signal. However, the valves may be reset to permit the RNS pumps to perform their defense-in-depth functions post accident. Should a high containment radiation signal (above the High 2 setpoint) develop following the containment isolation signal, the RNS valves would re-close. A high containment radiation signal is indicative of a high RCS source term and the valves would re-close to assure offsite doses do not exceed regulatory limits.

RNS Isolation is actuated on the following signals:

Containment Radioactivity - High 2 (LCO 3.3.8, Function 4);

Safeguards Actuation; and

Normal Residual Heat Removal System Isolation - Manual Initiation (LCO 3.3.9, Function 11).

AP1000 STS B 3.3.8-29 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 96

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

IRWST Injection Line Valve Actuation The PXS provides core cooling by gravity injection and recirculation for decay heat removal following an accident. The IRWST has two injection flow paths. Each injection path includes a normally open motor operated isolation valve and two parallel lines, each isolated by one check valve and one squib valve in series. Manual initiation or automatic actuation on an ADS Stage 4 actuation signal or a coincident RCS Loops 1 and 2 Hot Leg Level-Low will generate a signal to open the IRWST injection line and actuate IRWST injection.

IRWST Injection Line Valve Actuation is actuated on the following signals:

ADS Stage 4 Actuation; and

IRWST Injection Line Valve Actuation - Manual Initiation (LCO 3.3.9, Function 12).

IRWST Containment Recirculation Valve Actuation The PXS provides core cooling by gravity injection and recirculation for decay heat removal following an accident. The PXS has two containment recirculation flow paths. Each path contains two parallel flow paths, one path is isolated by a motor operated valve in series with a squib valve and one path is isolated by a check valve in series with a squib valve. Manual initiation or automatic actuation on a Safeguards Actuation signal coincident with a Low 3 level signal in the IRWST will open these valves.

IRWST Containment Recirculation Valve Actuation opens the recirculation valves on the following signals:

ADS Stage 4 Actuation coincident with IRWST Level - Low 3 (LCO 3.3.8, Function 18); and

IRWST Containment Recirculation Valve Actuation - Manual Initiation (LCO 3.3.9, Function 13).

AP1000 STS B 3.3.8-30 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 97

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Main Control Room Isolation and Air Supply Initiation Isolation of the main control room and initiation of the air supply provides a protected environment from which operators can control the plant following an uncontrolled release of radioactivity. Main Control Room Isolation and Air Supply Initiation is actuated on a Control Room Air Supply Radiation - High 2 signal (LCO 3.3.13).

Refueling Cavity Isolation The containment isolation valves in the lines between the refueling cavity and the Spent Fuel Pool Cooling System are isolated on a Spent Fuel Pool Level - Low signal (LCO 3.3.14)Low spent fuel pool level.

ESF Logic LCO 3.3.15 and LCO 3.3.16 require four sets of ESF coincidence logic, each set with one battery backed logic group OPERABLE to support automatic actuation. These logic groups are implemented as processor based actuation subsystems. The ESF coincidence logic provides the system level logic interfaces for the divisions. The ESF coincidence logic includes both the voting logic for the divisional signals from each ESF instrument function, and the coincidence logic of ESF actuation and ESF instrument function divisional signals needed to generate an ESF actuation signal for some ESFAS protective functions.

ESF Actuation LCO 3.3.15 and LCO 3.3.16 require that for each division of ESF actuation, one battery backed logic group be OPERABLE to support both automatic and manual actuation. The ESF actuation subsystems provide the logic and power interfaces for the actuated components.

The following are descriptions of the individual instrument Functions required by this LCO as presented in Table 3.3.8-1. Each Function description also provides the ESFAS protective functions actuated by the instrumentation.

AP1000 STS B 3.3.8-31 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 98

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. Containment Pressure - Low 2 This signal provides protection against a negative pressure in containment due to loss of ac power or inadvertent actuation of containment cooling and a low outside ambient air temperature in combination with limited containment heating that reduces the atmospheric temperature (and hence pressure) inside containment.

Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function.

The Containment Vacuum Relief Valve Actuation ESFAS protective function is actuated by Containment Pressure - Low 2.

Automatic Containment Vacuum Relief Valve actuation must be OPERABLE in MODES 1 through 4 and in MODES 5 and 6 without an open containment air flow path 6 inches in diameter. With a 6-inch diameter or equivalent containment air flow path, the vacuum relief function is not needed to mitigate a low pressure event.

2. Containment Pressure - High 2 This signal provides protection against the following accidents:

SLB inside containment;

LOCA; and

Feed line break inside containment.

The ESFAS protective functions actuated by Containment Pressure

- High 2 are:

Safeguards Actuation;

Steam Line Isolation; and

Passive Containment Cooling Actuation.

AP1000 STS B 3.3.8-32 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 99

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The transmitters (d/p cells) and electronics are located outside of containment. Since the transmitters and electronics are located outside of containment, they will not experience adverse environmental conditions. The Containment Pressure - High 2 setpoint has been specified as low as reasonable, without creating potential for spurious trips during normal operations, consistent with the TMI action item (NUREG-0933, Item II.E.4.2) guidance.

The LCO requires four channels of Containment Pressure - High 2 to be OPERABLE in MODES 1, 2, 3, and 4. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function. In MODES 5 and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure - High 2 setpoint.

3. Containment Radioactivity - High 1 This signal to isolate Containment Air Filtration System results from the coincidence of containment radioactivity above the High 1 setpoint in any two of the four divisions.

The Containment Air Filtration System Isolation ESFAS protective function is actuated by Containment Radioactivity - High 1.

Four channels of Containment Radioactivity - High 1 are required to be OPERABLE in MODES 1, 2, and 3, and MODE 4 with the RCS not being cooled by the RNS, when the potential exists for a LOCA, to protect against radioactivity inside containment being released to the atmosphere. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function.

This Function is not required to be OPERABLE in MODE 4 with the RCS being cooled by the RNS, or MODES 5 and MODE 6.,

because any Any DBA release of radioactivity into the containment in these conditions MODES would not require the Containment Air Filtration System Isolation Function containment isolation.

AP1000 STS B 3.3.8-33 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 100

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

4. Containment Radioactivity - High 2 This signal to isolate CVS makeup and to isolate the normal residual heat removal system results from the coincidence of containment radioactivity above the High 2 setpoint in any two of the four divisions.

The ESFAS protective functions actuated by Containment Radioactivity - High 2 are:

Chemical and Volume and Control System Makeup Isolation; and

Normal Residual Heat Removal System Isolation.

Four channels of Containment Radioactivity - High 2 are required to be OPERABLE in MODES 1, 2, and 3 when the potential exists for a LOCA, to ensure that the radioactivity inside containment is not released to the atmosphere. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is no credible release of radioactivity into the containment in these MODES that would result in a High 2 actuation.

5. Pressurizer Pressure - Low This signal provides protection against the following accidents:

Inadvertent opening of a steam generator safety valve;

SLB;

A spectrum of rod cluster control assembly ejection accidents (rod ejection);

Inadvertent opening of a pressurizer safety valve;

LOCAs; and AP1000 STS B 3.3.8-34 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 101

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Generator Tube Rupture (SGTR).

The Safeguards Actuation ESFAS protective function is actuated by Pressurizer Pressure - Low. The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment). Therefore, the NTS reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

The LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2, and 3 (above P-11, when the RCS boron concentration is below that necessary to meet the SDM requirements at an RCS temperature of 200°F), to mitigate the consequences of a high energy line rupture inside containment.

Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic actuation below this pressure is then performed by the Containment Pressure - High 2 signal.

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF Functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

6. Pressurizer Water Level - Low 1 A signal to isolate the purification line and the auxiliary spray line is generated upon the coincidence of pressurizer level below the Low 1 setpoint in any two-out-of-four divisions.

The Auxiliary Spray and Purification Line Isolation ESFAS protective function is actuated by Pressurizer Water Level - Low 1.

Four channels of Pressurizer Water Level - Low 1 are required to be OPERABLE in MODES 1 and 2 to help maintain RCS inventory. In MODES 3, 4, 5, and 6, this instrument Function is not needed for accident detection and mitigation.

AP1000 STS B 3.3.8-35 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 102

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

7. Pressurizer Water Level - Low 2 This instrument Function initiates CMT Valve Actuation and tripping of the RCPs from the coincidence of pressurizer level below the Low 2 Setpoint in any two of the four divisions.

The ESFAS protective functions actuated by Pressurizer Water Level - Low 2 are:

CMT Actuation; and

Reactor Coolant Pump Trip.

This function can be manually blocked when the pressurizer water level is below the P-12 Setpoint. This Function is automatically unblocked when the pressurizer water level is above the P-12 Setpoint. The Setpoint reflects both steady state and adverse environmental instrument uncertainties as the detectors provide protection for an event that results in a harsh environment.

This Function is required to be OPERABLE in MODES 1, 2, 3, and 4. This Function is also required to be OPERABLE in MODE 5 with pressurizer level 20%, when the RCS is not being cooled by the RNS.

8. Pressurizer Water Level - High 1 Four channels of pressurizer level are provided on the pressurizer.

Two-out-of-four channels on indicating level greater than the High 1 setpoint coincident with a Safeguards Actuation signal will close the containment isolation valves for the CVS. This instrument Function prevents the pressurizer level from reaching a level that could lead to water relief through the pressurizer safety valves during some DBAs.

The Chemical and Volume and Control System Makeup Isolation ESFAS protective function is actuated by Pressurizer Water Level -

High 1.

AP1000 STS B 3.3.8-36 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 103

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function is required to be OPERABLE in MODES 1, 2, and 3.

This Function function is not required to be OPERABLE in MODES 4, 5, and 6, because it is not required to mitigate a DBA in these MODES. This Function is not applicable in MODE 3, if the CVS makeup flow path is isolated.

9. Pressurizer Water Level - High 2 A signal to close the CVS isolation valves is generated on Pressurizer Water Level - High 2. This instrument Function results from the coincidence of pressurizer level above the High 2 setpoint in any two of the four divisions. This Function can be manually is automatically blocked when the pressurizer pressure is below the P-1911 (RCS Pressure) permissive setpoint to permit pressurizer water solid conditions with the plant cold and to permit level makeup during plant cooldowns. This Function is automatically unblocked when RCS pressure is above the P-19 (RCS Pressure) setpoint.

The Chemical and Volume and Control System Makeup Isolation ESFAS protective function is actuated by Pressurizer Water Level -

High 2.

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when above the P-19 interlock with and the RCS is not being cooled by the RNS. This Function is not required to be OPERABLE in MODE 4either below the P-19 setpoint or with the RCS being cooled by the RNS, or bothand in MODES 5 and 6. The CVS Makeup Isolation on Pressurizer Water Level -

High 2 ESFAS Function because it is not required to mitigate a DBA in these conditions MODES.

10. Pressurizer Water Level - High 3 PRHR is actuated and the pressurizer heaters are tripped when the pressurizer water level reaches its High 3 setpoint. This signal provides protection against a pressurizer overfill following an inadvertent core makeup tank actuation with consequential loss of offsite power. This instrument Function is automatically unblocked when RCS pressure is above the P-19 (RCS pressure) setpoint.

AP1000 STS B 3.3.8-37 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 104

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ESFAS protective functions actuated by Pressurizer Water Level - High 3 are:

PRHR Heat Exchanger Actuation; and

Pressurizer Heater Trip.

This Function is required to be OPERABLE in MODES 1, 2, and 3, and in MODE 4 when the RCS is not being cooled by the RNS and RCS Pressure is above the P-19 interlock setpoint. This Function is not required to be OPERABLE in MODES 5 and 6 because it is not required to mitigate a DBA in these MODES.

11. RCS Cold Leg Temperature (Tcold) - Low This signal provides protection against the following accidents:

SLB;

Feed line break; and

Inadvertent opening of an SG relief valve or an SG safety valve.

The ESFAS protective functions actuated by RCS Cold Leg Temperature (Tcold) - Low are:

Safeguards Actuation;

Steam Line Isolation; and

Startup Feedwater Isolation.

This Function provides closure of the MSIVs during a SLB or inadvertent opening of a SG relief or a safety valve to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment. This Function also closes the startup feedwater control and isolation valves and trips the startup feedwater pumps if reactor coolant system cold leg temperature is below the Tcold - Low setpoint in any loop.

AP1000 STS B 3.3.8-38 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 105

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires four channels of Tcold - Low to be OPERABLE in MODES 1 and 2, and in MODE 3 with any main steam isolation valve open and above P-11 when the RCS boron concentration is below that necessary to meet the SDM requirements at an RCS temperature of 200°F. At these conditions, a secondary side break or stuck open valve could result in the rapid cooldown of the primary side. Four channels are provided in each loop to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation because the cold leg temperature is reduced below the actuation setpoint.

12. Tavg - Low 1 This signal provides protection against excessive feedwater flow by closing the main feedwater control valves. This signal results from a coincidence of two of the four divisions of reactor loop average temperature below the Low 1 setpoint coincident with the Reactor Trip (P-4) permissive. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument trip Function.

The Main Feedwater Control Valve Isolation ESFAS protective function is actuated by Tavg - Low 1 provided a P-4 signal is present indicating that a reactor trip has occurred or has been initiated.

Closing the Main Feedwater Control Valves on Tavg - Low 1 coincident with Reactor Trip (P-4) is required to be OPERABLE in MODES 1 and 2. Failure to close the main feedwater control valves following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

AP1000 STS B 3.3.8-39 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 106

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

13. Tavg - Low 2 This signal provides protection against excessive feedwater flow by closing the main feedwater isolation and crossover leg valves, and tripping of the main feedwater pumps. This signal results from a coincidence of two out of four divisions of reactor loop average temperature below the Low 2 setpoint coincident with the P-4 permissive (which initiates main turbine trip).

Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument trip Function. This Function may be manually blocked when the pressurizer pressure is below the P-11 setpoint. The block is automatically removed when the pressurizer pressure is above the P-11 setpoint.

The Main Feedwater Pump Trip and Valve Isolation ESFAS protective function is actuated by Tavg - Low 2.

This Function is required to be OPERABLE in MODES 1 and 2 to mitigate the effects of a large SLB or a large FLB. Failure to trip the turbine or isolate the main feedwater system following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

14. RCS Wide Range Pressure - Low The fourth stage depressurization valves open on manual actuation, but are is interlocked to actuate coincident with the presence of either a Low the low RCS pressure signal or an with the ADS Stages 1, 2, & 3 actuation signal. These interlocks minimize the potential for inadvertent opening actuation of the ADS Stage 4 depressurization valves this Function. This consideration is important in PRA modeling to improve the reliability of reducing the RCS pressure following a small-break LOCA or transient event.

The ADS Stage 4 Actuation ESFAS protective function is actuated by RCS Wide Range Pressure - Low.

AP1000 STS B 3.3.8-40 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 107

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function must be OPERABLE in MODES 1, 2, 3, 4, and 5. This Function must also be OPERABLE in MODE 6 with the upper internals in place.

15. CMT Level - Low 1 This Function ensures continued passive injection or borated water to the RCS following a small break LOCA. ADS Stages 1, 2 and 3 actuation is initiated when the CMT Level reaches its Low 1 setpoint coincident with any CMT Actuation signal. Four channels are provided in each CMT to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function.

The ADS Stages 1, 2, & 3 Actuation ESFAS protective function is actuated by CMT Level - Low 1.

This Function must be OPERABLE in MODES 1, 2, 3, and 4. This Function must also be OPERABLE in MODE 5 with the RCS pressure boundary intact and pressurizer level 20%. In MODE 5, only one CMT is required to be OPERABLE in accordance with LCO 3.5.3, CMTs - Shutdown, RCS Intact; therefore, CMT level channels are only required on an OPERABLE CMT.

16. CMT Level - Low 2 The fourth stage depressurization valves open on CMT Level -

Low 2 in two-out-of-four channels in either CMT. Actuation of the fourth stage depressurization valves is interlocked with the third stage depressurization signal such that the fourth stage is not actuated unless the third stage has been previously actuated following a preset time delay. Actuation of the fourth stage ADS valves is are further interlocked with a low RCS pressure signal such that the ADS Stage 4 actuation is not actuated unless the RCS pressure is below a predetermined setpoint.

Four channels of CMT level instrumentation are provided per tank to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function.

AP1000 STS B 3.3.8-41 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 108

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ADS Stage 4 Actuation ESFAS protective function is actuated by CMT Level - Low 2.

This Function must be OPERABLE in MODES 1, 2, 3, 4, and 5. In MODE 5, only one CMT is required to be OPERABLE in accordance with LCO 3.5.3, CMTs - Shutdown, RCS Intact; therefore, CMT level channels are only required on an OPERABLE CMT.

17. Source Range Neutron Flux Doubling The source range neutron detectors are used for this instrument Function. A signal to block boron dilution is derived from source range neutron flux flow increasing at an excessive rate (source range neutron flux doubling). The LCO requires four divisions to be OPERABLE. There are four divisions and two-out-of-four logic is used. On a coincidence of excessively increasing source range neutron flux in two of the four divisions, demineralized water is isolated from the makeup pumps and reactor coolant makeup is isolated from the reactor coolant system to preclude a boron dilution event.

The Boron Dilution Block ESFAS protective function is actuated by Source Range Neutron Flux Doubling.

The signal to block boron dilution on source range neutron flux flow increasing at an excessive rate (source range neutron flux doubling) must be OPERABLE in MODES 2 and or 3, when not critical or during an intentional approach to criticality, and in MODES 4 and or 5. This Function is not applicable in MODES 4 and 5 if the demineralized water makeup flow path is isolated. In MODE 6, a dilution event is precluded by the requirement in LCO 3.9.2 to close, lock and secure at least one valve in each unborated water source flow path.

18. IRWST Level - Low 3 A low IRWST level coincident with a ADS Stage 4 Actuation signal will open the containment recirculation valves. Four channels of IRWST Level - Low 3 instrumentation are provided to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument trip Function.

AP1000 STS B 3.3.8-42 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 109

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The IRWST Containment Recirculation Valve Actuation ESFAS protective function is actuated by IRWST Level - Low 3.

Four channels of IRWST Level - Low 3 are required to be OPERABLE in MODES 1, 2, 3, 4, and 5, and MODE 6 with the upper internals in place.

19. Reactor Coolant Pump Bearing Water Temperature - High The CCS containment isolation valves are closed and the RCPs are tripped if two-out-of-four sensors on any RCP indicate high bearing water temperature.

The ESFAS protective functions actuated by Reactor Coolant Pump Bearing Water Temperature - High are:

Reactor Coolant Pump Trip; and

Component Cooling Water System Containment Isolation Valve Closure.

This Function is required to be OPERABLE in MODES 1, 2, 3, and 4. Four channels are provided for each RCP to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function.

20. SG Narrow Range Water Level - Low PRHR is actuated when the SG Narrow Range Water Level reaches its low setpoint coincident with an indication of low Startup Feedwater Flow. The LCO requires four channels per steam generator to be OPERABLE to satisfy the requirements with a two-out-of-four logic. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function. The Setpoint reflects both steady state and adverse environmental instrument uncertainties as the detectors provide protection for an event that results in a harsh environment.

AP1000 STS B 3.3.8-43 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 110

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ESFAS protective functions actuated by SG Narrow Range Water Level - Low are:

PRHR Heat Exchanger Actuation; and

SG Blowdown Isolation The SG Narrow Range Water Level - Low Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when the RCS is not being cooled by the Normal Residual Heat Removal System (RNS). This ensures that PRHR can be actuated in the event of a loss of the normal heat removal systems. In MODE 4 when the RCS is being cooled by the RNS, and in MODES 5 and 6, the SGs are not required to provide the normal RCS heat sink. Therefore, startup feedwater flow is not required, and PRHR actuation on low steam generator narrow range water level is not required.

21. SG Wide Range Water Level - Low PRHR is also actuated when the SG Wide Range Water Level reaches its Low Setpoint. There are four wide range level channels for each steam generator and a two-out-of-four logic is used. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function.

The PRHR Heat Exchanger Actuation ESFAS protective function is actuated by SG Narrow Range Water Level - Low.

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when the RCS is not being cooled by the RNS. This ensures that PRHR can be actuated in the event of a loss of the normal heat removal systems. In MODE 4 when the RCS is being cooled by the RNS, and in MODES 5 and 6, the SGs are not required to provide the normal RCS heat sink. Therefore, SG Wide Range Water Level is not required, and PRHR actuation on low wide range SG level is not required.

AP1000 STS B 3.3.8-44 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 111

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

22. SG Narrow Range Water Level - High If steam generator narrow range water level reaches the High setpoint in either steam generator coincident with a Reactor Trip (P-4), then all startup feedwater control and isolation valves are closed, the startup feedwater pumps are tripped, and the isolation valves for the CVS are closed. This instrument Function prevents adding makeup water to the RCS during an SGTR. Four channels are provided in each steam generator to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this function.

The ESFAS protective functions actuated by SG Narrow Range Water Level - High are:

Startup Feedwater Isolation; and

Chemical and Volume and Control System Makeup Isolation.

This Function is required to be OPERABLE in MODES 1, 2, 3, and 4. This Function is not required to be OPERABLE in MODES 5 and 6 because the RCS pressure and temperature are reduced and a steam generator tube rupture event is not credible.

23. SG Narrow Range Water Level - High 2 This signal provides protection against excessive feedwater flow by closing the main feedwater control, isolation and crossover valves, tripping of the main feedwater pumps, and tripping the turbine. The signal also prevents adding makeup water to the RCS during a SGTR by closing the isolation valves for the CVS. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument trip Function.

AP1000 STS B 3.3.8-45 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 112

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ESFAS protective functions actuated by SG Narrow Range Water Level - High 2 Pressurizer Water Level - Low 2 are:

Turbine Trip;

Main Feedwater Control Valve Isolation;

Main Feedwater Pump Trip and Valve Isolation;

Startup Feedwater Isolation, and

Chemical and Volume and Control System Makeup Isolation.

The transmitters (d/p cells) are located inside containment.

However, the events which this Function protect against cannot cause severe environment in containment. Therefore, the Setpoint reflects only steady state instrument uncertainties. The LCO requires four channels of SG Narrow Range Water Level - High 2 instrumentation per steam generator to be OPERABLE in MODES 1, 2, 3, and 4 when there is significant mass and energy in the RCS and the steam generators. In MODES 5 and 6, the energy in the RCS and the steam generators is low and this Function is not required to be OPERABLE.

24. Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the following accidents:

SLB;

Feed line break; and

Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - Low provides closure of the PORV flow paths in the event of SGTR in which the PORV(s) open, to limit the radiological releases from the ruptured steam generator into the atmosphere. Steam Line Pressure - Low also provides closure of the MSIVs in the event of an SLB to limit the mass and energy release to containment and limit blowdown to a single SG.

AP1000 STS B 3.3.8-46 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 113

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four channels are provided in each steam line to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument Function.

This Function is anticipatory in nature and has a typical leading/lag ratio of 50/5. It is possible for the transmitters to experience adverse environmental conditions during a secondary side break. Therefore, the NTS reflects both steady state and adverse environmental instrument uncertainties.

The ESFAS protective functions actuated by Steam Line Pressure -

Low are:

Safeguards Actuation;

Steam Line Isolation; and

SG Power Operated Relief Valve and Block Valve Isolation.

The LCO requires four channels per steam line of Steam Line Pressure - Low Function to be OPERABLE in MODES 1, 2, and 3, and MODE 4 with the RCS cooling not being provided by the RNS.

25. Steam Line Pressure-Negative Rate - High Steam Line Pressure-Negative Rate - High provides closure of the MSIVs for an SLB, when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low when less than the P-11 setpoint, the Steam Line Pressure-Negative Rate - High signal is automatically enabled.

The Steam Line Isolation ESFAS protective function is actuated by Steam Line Pressure-Negative Rate - High.

The LCO requires four channels of Steam Line Pressure-Negative Rate - High instrumentation per steam line to be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). Four channels are provided in each steam line to permit one channel to be in trip or bypass indefinitely and still AP1000 STS B 3.3.8-47 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 114

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) ensure no single random failure will disable this trip instrument Function. In MODES 1 and 2, and in MODE 3 when above the P-11 setpoint with the RCS boron concentration below that necessary to meet the SDM requirements at an RCS temperature of 200°F, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled.

In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

While the transmitters may experience elevated ambient temperatures due to a steam line break, the instrument trip Function is on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the NTS reflects only steady state instrument uncertainties.

ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this specification may be entered independently for each Function listed on Table 3.3.8-1. The Completion Time(s) of the inoperable equipment of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

In the event a channels as-found condition is outside the as-found tolerance described in the SP, or the channel is not functioning as required, or the transmitter, or the Protection and Safety Monitoring System Division, associated with a specific Function is found inoperable, then all affected protection Functions provided supported by or dependent on that channel must be declared inoperable and the LCO Condition(s) entered for the particular protection Function(s) affected.

When the Required Channels are specified only on a per steam line, per loop, per SG, basis, then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

AP1000 STS B 3.3.8-48 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 115

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

A.1 Condition A is applicable to the ESFAS protection Functions listed in Table 3.3.8-1. Condition A addresses the situation where one channel for one or more functions is inoperable. With one channel inoperable, the affected channel must be placed in a bypass or trip condition within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If one channel is bypassed, the logic becomes two-out-of-three, while still meeting the single failure criterion. (A failure in one of the three remaining channels will not prevent the protective function.) If one channel is tripped, the logic becomes one-out-of-three, while still meeting the single failure criterion. (A failure in one of the three remaining channels will not prevent the protective function.) The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed to place the inoperable channel(s) in the bypassed or tripped condition is justified in Reference 5.

B.1 and B.2 With one or more functions with two channels inoperable, one affected channel must be placed in bypass and one affected channel must be placed in trip within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If one channel is bypassed and one channel is tripped, the logic becomes one-out-of-two, while still meeting the single failure criterion. The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed to place one inoperable channel(s) in bypass and one inoperable channel(s) in trip is justified in Reference 5.

C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.8-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A or B are not met or if three or more channels for one or more Functions are inoperable Condition C is entered to provide for transfer to the appropriate subsequent Condition.

D.1, D.2.1, and D.2.2 Condition D applies to the P-6, P-11, P-12, and P-19 interlocks. With one or two required channel(s) inoperable, the associated interlock must be verified to be in its required state for the existing plant condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , or any Function channel associated with the inoperable interlock(s) placed in a bypassed condition within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . Verifying the interlock state manually accomplishes the interlock role.

AP1000 STS B 3.3.8-49 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 116

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

If one interlock channel is inoperable, the associated Function(s) must be placed in a bypass or trip condition within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . If one channel is bypassed, the logic becomes two-out-of-three, while still meeting the single failure criterion. (A failure in one of the three remaining channels will not prevent the protective function.) If one channel is tripped, the logic becomes one-out-of-three, while still meeting the single failure criterion. (A failure in one of the three remaining channels will not prevent the protective function.)

If two interlock channels are inoperable, one channel of the associated Function(s) must be bypassed and one channel of the associated Function(s) must be tripped. In this state, the logic becomes one-out-of-two, while still meeting the single failure criterion. The 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months allowed to place the inoperable channel(s) in the bypassed or tripped condition is justified in Reference 5.

DE.1 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels for one or more Functions are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

EF.1 and EF.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

AP1000 STS B 3.3.8-50 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 117

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

FG.1 and FG.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 4 with the RCS being cooled by the RNS within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed time is reasonable, based on operating experience, to reach the required plant conditions in an orderly manner without challenging plant systems.

G.1, G.2, and G.3 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and establishing RNS cooling of the RCS within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

H.1 and H.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

I.1, I.2.1, and I.2.2 If the Required Action and associated Completion Time of the first Condition listed in Table 3.3.8-1 cannot be met, the plant must be placed in a condition where the instrumentation Function for valve isolation is no longer needed. This is accomplished by isolating the affected flow path(s) within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . By isolating the flow path from the demineralized AP1000 STS B 3.3.8-51 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 118

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued) water storage tank to the RCS, the need for automatic isolation is eliminated.

To assure that the flow path remains closed, the flow path shall be isolated by the use of one of the specified means (I.2.1) or the flow path shall be verified to be isolated (I.2.2). A means of isolating the affected flow path(s) includes at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured within 7 days. If one of the I.2.1 specified isolation means is not used, the affected flow path shall be verified to be isolated once per 7 days.

This action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way the flow path can be rapidly isolated when a need for flow path isolation is indicated.

IJ.1, J.2.1, and J.2.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the affected isolation valve(s) must be declared inoperable immediately.

Declaring the affected isolation valve inoperable allows the supported system Actions (i.e., for inoperable valves) to dictate the required measures. The respective isolation valve LCO provides appropriate actions for the inoperable components. This action is in accordance with LCO 3.0.6, which requires that the applicable Conditions and Required Actions for the isolation valves declared inoperable shall be entered in accordance with LCO 3.0.2. the first Condition listed in Table 3.3.8-1 is not met, the plant must be placed in a condition where the instrumentation Function for valve isolation is no longer needed. This is accomplished by isolating the affected flow path by the use of at least one closed manual or closed and deactivated automatic valve within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

If the flow path is not isolated within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months .

AP1000 STS B 3.3.8-52 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 119

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

This action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way the flow path can be rapidly isolated when a need for flow path isolation is indicated.

K.1, K.2.1.1, K.2.1.2, and K.2.2 If the Required Action and associated Completion Time of the first Condition given in Table 3.3.8-1 is not met the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and isolating the affected flow path(s) within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . To assure that the flow path remains closed, the affected flow path shall be verified to be isolated once per 7 days.

If the flow path is not isolated within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 4 with the RCS cooling provided by the RNS within 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

This action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way the flow path can be rapidly isolated when a need for flow path isolation is indicated.

L.1, L.2.1.1, L.2.1.2, L.2.1.3, and L.2.2 If the Required Action and associated Completion Time of the first Condition listed in Table 3.3.8-1 is not met, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 4 with the RCS cooling provided by the RNS within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Once the plant has been placed in MODE 4 the affected flow path must be isolated within 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . To assure that the flow path remains closed, the affected flow path shall be verified to be isolated once per 7 days.

AP1000 STS B 3.3.8-53 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 120

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

If the flow path is not isolated within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 5 within 42 hours4.861111e-4 days 0.0117 hours 6.944444e-5 weeks 1.5981e-5 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

This action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way the flow path can be rapidly isolated when a need for flow path isolation is indicated.

M.1.1, M.1.2.1, M.1.2.2, M.2.1, and M.2.2 If the Required Action and associated Completion Time of the first Condition listed in Table 3.3.8-1 is not met, the plant must be placed in a Condition in which the likelihood and consequences of an event are minimized. This is accomplished by isolating the affected flow path within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and isolating the affected flow path(s) by the use of at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured within 7 days or verify the affected flow path is isolated once per 7 days.

If the flow path is not isolated within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 5 within 42 hours4.861111e-4 days 0.0117 hours 6.944444e-5 weeks 1.5981e-5 months .

The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

This action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way the flow path can be rapidly isolated when a need for flow path isolation is indicated.

AP1000 STS B 3.3.8-54 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 121

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

JN.1 and JN.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. Required Action JN.1 requires that the plant shall be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by placing the plant in MODE 5. Once in MODE 5, action shall be initiated to open the RCS pressure boundary and establish 20% pressurizer level. Opening the RCS pressure boundary assures that cooling water can be injected without ADS operation. Filling the RCS to provide 20% pressurizer level minimizes the consequences of a loss of decay heat removal event.

The Completion Time to be in MODE 5 (Required Action JN.1) is 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months with three or more channels for the affected Function inoperable.

This time is based on the time provided in LCO 3.0.3 to reach MODE 5.

The 180 hour0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months Completion Time is based on the ability of the two remaining OPERABLE channels to provide the protective Function.

KO.1 and KO.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by immediately initiating action to open the RCS pressure boundary and establish 20%

pressurizer level. Additionally, action is required to immediately suspend positive reactivity additions. These requirements minimize the consequences of the loss of decay heat removal by maximizing RCS inventory and maintaining RCS temperature as low as practical.

Additionally, the potential for a criticality event is minimized by suspension of positive reactivity additions.

LP.1and LP.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by immediately initiating action to suspend positive reactivity additions. This requirement minimizes the consequences of the loss of decay heat removal by AP1000 STS B 3.3.8-55 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 122

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued) maximizing RCS inventory and maintaining RCS temperature as low as practical. The potential for a criticality event is also minimized by suspension of positive reactivity additions. Additionally, Required Action LP.2 requires that action be immediately initiated to remove the upper internals.

MQ.1, MQ.2, and MQ.3 If the Required Action and associated Completion Time of Condition A or B is not met, the plant must be placed in a MODE in which the likelihood and consequences of an event are minimized. This is accomplished by placing the plant in MODE 5 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is a reasonable time to reach MODE 5 from MODE 4 with RCS cooling provided by the RNS (approximately 350°F) in an orderly manner without challenging plant systems. Required Action MQ.3 requires initiation of action within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to close the RCS pressure boundary and establish 20% pressurizer level. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time allows transition to MODE 5 in accordance with MQ.2, if needed, prior to initiating action to open the RCS pressure boundary.

Required Action MQ.1 minimizes the potential for a criticality event by suspension of positive reactivity additions. Required Actions MQ.2 and MQ.3 minimize the consequences of a loss of decay heat removal event by optimizing conditions for RCS cooling in MODE 5 using the PRHR HX. Additionally, maximizing RCS inventory and maintaining RCS temperature as low as practical further minimize the consequences of a loss of decay heat removal event. Closing the RCS pressure boundary in MODE 5 assures that PRHR HX cooling is available.

NR.1 and NR.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by immediately initiating action to establish the reactor cavity water level 23 feet above the top of the reactor vessel flange and immediately suspending positive reactivity additions.

AP1000 STS B 3.3.8-56 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 123

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

Required Action NR.2 minimizes the consequences of a loss of decay heat removal event by maximizing RCS inventory and maintaining RCS temperature as low as practical further minimizes the consequences of a loss of decay heat removal event. Additionally, the potential for a criticality event is minimized by suspension of positive reactivity additions in a accordance with Required Action NR.1.

S.1, S.2.1, and S.2.2 If the Required Action and associated Completion Time of Condition A or B is not met, the plant must be placed in a condition where the instrumentation Function for valve isolation is no longer needed. This is accomplished by isolating the affected flow path by the use of at least one closed manual or closed and deactivated automatic valve within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

If the flow path is not isolated within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 with RCS cooling provided by the RNS within 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

This Action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room.

In this way the flow path can be rapidly isolated when a need for flow path isolation is indicated.

O.1 and O.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the affected isolation valve(s) must be declared inoperable immediately. Declaring the affected isolation valve inoperable allows the supported system Actions (i.e., for inoperable valves) to dictate the required measures. The respective isolation valve LCOs provide appropriate actions for the inoperable components. This action is in accordance with LCO 3.0.6, which requires that the applicable Conditions and Required Actions for the isolation valves declared inoperable shall be entered in AP1000 STS B 3.3.8-57 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 124

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued) accordance with LCO 3.0.2. Additionally, Required Action O.2 requires that the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

PT.1, PT.2, and PT.3 If the Required Action and associated Completion Time of Condition A or B is not met, the plant must be placed in a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

A containment air flow path 6 inches in diameter shall be opened within 44 hours5.092593e-4 days 0.0122 hours 7.275132e-5 weeks 1.6742e-5 months from Condition entry. Opening any flow path (or paths) with an area equivalent to 6 inches in diameter provides the required vacuum relief path in the event of a low pressure event.

The primary means of opening a containment air flow path is by establishing a VFS air flow path into containment. Manual actuation and maintenance as necessary to open a purge supply, purge exhaust, or vacuum relief flow path are available means to open a containment air flow path. In addition, opening of a spare penetration is an acceptable means to provide the necessary flow path. Opening of an equipment hatch or a containment airlock is acceptable. Containment air flow paths opened must comply with LCO 3.6.7, Containment Penetrations.

The 44 hour5.092593e-4 days 0.0122 hours 7.275132e-5 weeks 1.6742e-5 months Completion Time is reasonable for opening a containment air flow path in an orderly manner.

SURVEILLANCE The following SRs apply to each ESFAS Instrumentation Function in REQUIREMENTS Table 3.3.8-1.

AP1000 STS B 3.3.8-58 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 125

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.8.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.

SR 3.3.8.2 SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP.

If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended ESF Function.

AP1000 STS B 3.3.8-59 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 126

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)

A test subsystem is provided with the PMS protection and safety monitoring system to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, PMS protection and safety monitoring system functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

AP1000 STS B 3.3.8-60 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 127

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)

The 92 day Frequency is based on Reference 5 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets (IPCs) to the operator.

During the COT, the PMS protection and safety monitoring system cabinets in the division under test may be placed in bypass.

SR 3.3.8.3 SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the IPC. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology.

The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION.

This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not AP1000 STS B 3.3.8-61 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 128

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued) supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

The Frequency is based on operating experience and consistency with the refueling cycle.

This Surveillance Requirement is modified by a Note. The Note states that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.8.4 This SR ensures the individual channel ESF RESPONSE TIME is less than or equal to the maximum value assumed in the accident analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the NTS value at the sensor, to the point at which the equipment reaches the required functional state (e.g., valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate FSAR Chapter 7 (Ref. 1) response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values.

The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g.,

vendor) test measurements, or (3) utilizing vendor engineering AP1000 STS B 3.3.8-62 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 129

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued) specifications. WCAP-13632-P-A, Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements (Ref. 7), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated by test.

ESF RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Testing of the devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 24 months. The 24 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

SR 3.3.8.5 SR 3.3.8.5 is the performance of an ACTUATION DEVICE TEST. This test, in conjunction with the ACTUATION LOGIC TEST, demonstrates that the actuated device responds to a simulated actuation signal. This Surveillance Requirement is applicable to the equipment which is actuated by the Protection Logic Cabinets except squib valves. The OPERABILITY of the actuated equipment is checked by exercising the equipment on an individual basis.

The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation.

This Surveillance Requirement is modified by a Note that states that actuated equipment, that is included in the Inservice Test (IST) Program, is exempt from this surveillance. The IST Program provides for exercising of the safety related valves on a more frequent basis. The results from the IST Program can therefore be used to verify OPERABILITY of the final actuated equipment.

AP1000 STS B 3.3.8-63 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 130

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.8.6 SR 3.3.8.6 is the performance of an ACTUATION DEVICE TEST, similar to that performed in SR 3.3.8.5, except this Surveillance Requirement is specifically applicable to squib valves. This test, in conjunction with the ACTUATION LOGIC TEST, demonstrates that the actuated device responds to a simulated actuation signal. The OPERABILITY of the squib valves is checked by performing a continuity check of the circuit from the Protection Logic Cabinets to the squib valve.

The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any additional risks associated with inadvertent operation of the squib valves.

SR 3.3.8.7 SR 3.3.8.7 is the performance of an ACTUATION DEVICE TEST. This test, in conjunction with the ACTUATION LOGIC TEST, demonstrates that the actuated device responds to a simulated actuation signal. This Surveillance Requirement is applicable to the circuit breakers which de-energize the power to the pressurizer heaters upon a pressurizer heater trip. The OPERABILITY of these breakers is checked by opening these breakers using the Plant Control System.

The Frequency of 24 months is based on the need to perform this surveillance during periods in which the plant is shutdown for refueling to prevent any upsets of plant operation. This Frequency is adequate based on the use of multiple circuit breakers to prevent the failure of any single circuit breaker from disabling the function and that all circuit breakers are tested.

REFERENCES 1. FSAR Chapter 7.0, Instrumentation and Controls.

2. FSAR Chapter 15.0, Accident Analysis.

3. Institute of Electrical and Electronic Engineers, IEEE 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, June 27, 1991.

AP1000 STS B 3.3.8-64 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 131

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES REFERENCES (continued)

4. 10 CFR 50.49, Environmental Qualifications of Electric Equipment Important to Safety for Nuclear Power Plants.

5. APP-GW-GSC-020, Technical Specification Completion Time and Surveillance Frequency Justification.

6. WCAP-16361-P, Westinghouse Setpoint Methodology for Protection Systems - AP1000, February 2011 (proprietary).

7. WCAP-13632-P-A (Proprietary) and WCAP-13787-A (Non Proprietary), Revision 2, Elimination of Pressure Sensor Response Time Testing Requirements, January 1996.

AP1000 STS B 3.3.8-65 Amendment 0Rev. 0 Revision 19 Date report generated:

Monday, June 29, 2015 Page 132

GTST AP1000-O61-3.3.8, Rev. 1 XII. Applicable STS Subsection After Incorporation of this GTSTs Modifications The entire subsection of the Specifications and the Bases associated with this GTST, following incorporation of the modifications, is presented next.

Date report generated:

Monday, June 29, 2015 Page 133

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 3.3 INSTRUMENTATION 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation LCO 3.3.8 The ESFAS instrumentation channels for each Function in Table 3.3.8-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.8-1.

ACTIONS

NOTE-----------------------------------------------------------

Separate Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions A.1 Place inoperable channel in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with one channel bypass or trip.

inoperable.

B. One or more Functions B.1 Place one inoperable 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with two channels channel in bypass.

inoperable.

AND B. 2 Place one inoperable 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months channel in trip.

AP1000 STS 3.3.8-1 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 134

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. Required Action and C.1 Enter the Condition Immediately associated Completion referenced in Table 3.3.8-1 Time of Condition A or B for the channel(s).

not met.

OR One or more Functions with three or more channels inoperable.

D. As required by Required D.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in Table 3.3.8-1.

E. As required by Required E.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

E.2 Be in MODE 4. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months F. As required by Required F.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

F.2 Be in MODE 4 with the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Reactor Coolant System (RCS) cooling provided by the Normal Residual Heat Removal System (RNS).

G. As required by Required G.1 Be in MODE 3 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

AP1000 STS 3.3.8-2 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 135

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME G. (continued) G.2 Be in MODE 4. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND G.3 Establish RCS cooling 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months provided by the RNS.

H. As required by Required H.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

H.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months I. As required by Required I.1 Declare affected isolation Immediately Action C.1 and valve(s) inoperable.

referenced in Table 3.3.8-1.

J. As required by Required J.1 Be in MODE 5. 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months with three or Action C.1 and more inoperable referenced in channels Table 3.3.8-1.

AND 180 hours0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months AND J.2 Initiate action to open the 180 hours0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months RCS pressure boundary and establish a pressurizer level 20%.

AP1000 STS 3.3.8-3 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 136

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME K. As required by Required K.1 Suspend positive reactivity Immediately Action C.1 and additions.

referenced in Table 3.3.8-1. AND K.2 Initiate action to open RCS Immediately pressure boundary and establish 20% pressurizer level.

L. As required by Required L.1 Suspend positive reactivity Immediately Action C.1 and additions.

referenced in Table 3.3.8-1. AND L.2 Initiate action to remove the Immediately upper internals.

M. As required by Required M.1 Suspend positive reactivity Immediately Action C.1 and additions.

referenced in Table 3.3.8-1. AND M.2 Be in MODE 5. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months AND M.3 Initiate action to establish a 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months pressurizer level 20%

with the RCS pressure boundary intact.

N. As required by Required N.1 Suspend positive reactivity Immediately Action C.1 and additions.

referenced in Table 3.3.8-1. AND AP1000 STS 3.3.8-4 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 137

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME N. (continued) N.2 Initiate action to establish Immediately water level 23 feet above the top of the reactor vessel flange.

O. As required by Required O.1 Declare affected isolation Immediately Action C.1 and valve(s) inoperable.

referenced in Table 3.3.8-1. AND O.2 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months P. As required by Required P.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action C.1 and referenced in AND Table 3.3.8-1.

P.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months AND P.3 Open a containment air 44 hours5.092593e-4 days 0.0122 hours 7.275132e-5 weeks 1.6742e-5 months flow path 6 inches in diameter.

SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.3.8.1 Perform CHANNEL CHECK. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months SR 3.3.8.2 Perform CHANNEL OPERATIONAL TEST (COT) in 92 days accordance with Setpoint Program.

AP1000 STS 3.3.8-5 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 138

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.3.8.3 --------------------------------NOTE--------------------------------

This surveillance shall include verification that the time constants are adjusted to within limits.

Perform CHANNEL CALIBRATION in accordance with 24 months Setpoint Program.

SR 3.3.8.4 Verify ESF RESPONSE TIME is within limit. 24 months on a STAGGERED TEST BASIS AP1000 STS 3.3.8-6 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 139

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 1 of 2)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

1. Containment Pressure - Low 2 1,2,3,4,5(a),6(a) 4 P

2. Containment Pressure - High 2 1,2,3,4 4 H

3. Containment Radioactivity - High 1 1,2,3,4(b) 4 I

4. Containment Radioactivity - High 2 1,2,3 4 I

5. Pressurizer Pressure - Low 1,2,3(c) 4 E

6. Pressurizer Water Level - Low 1 1,2 4 D

7. Pressurizer Water Level - Low 2 1,2,3,4(b) 4 F 4(d), 5(e)(f) 4 J

8. Pressurizer Water Level - High 1 1,2,3 4 I

9. Pressurizer Water Level - High 2 1,2,3,4(g) 4 I

10. Pressurizer Water Level - High 3 1,2,3,4(g) 4 F

11. RCS Cold Leg Temperature (Tcold) - Low 1,2,3(c) 4 per loop E

12. Reactor Coolant Average Temperature (Tavg) - 1,2 4 D Low 1

13. Reactor Coolant Average Temperature (Tavg) - 1,2 4 D Low 2

14. RCS Wide Range Pressure - Low 1,2,3,4 4 H 5 4 K 6(h) 4 L

15. Core Makeup Tank (CMT) Level - Low 1 1,2,3,4 4 per tank H 5(i) 4 per OPERABLE tank J

16. CMT Level - Low 2 1,2,3,4 4 per tank H 5 4 per OPERABLE tank J AP1000 STS 3.3.8-7 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 140

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation 3.3.8 Table 3.3.8-1 (page 2 of 2)

Engineered Safeguards Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED FUNCTION CONDITIONS REQUIRED CHANNELS CONDITIONS

17. Source Range Neutron Flux Doubling 2(j),3(j),4 4 I 5 4 I

18. IRWST Level - Low 3 1,2,3,4(b) 4 F 4(d),5 4 M 6(h) 4 N

19. Reactor Coolant Pump Bearing Water 1,2,3,4 4 per RCP O Temperature - High

20. SG Narrow Range Water Level - Low 1,2,3,4(b) 4 per SG F

21. SG Wide Range Water Level - Low 1,2,3,4(b) 4 per SG F

22. SG Narrow Range Water Level - High 1,2,3,4 4 per SG I

23. SG Narrow Range Water Level - High 2 1,2 4 per SG D 3,4 4 per SG I

24. Steam Line Pressure - Low 1,2,3,4(b) 4 per steam line G

25. Steam Line Pressure - Negative Rate - High 3(k) 4 per steam line I (a) Without an open containment air flow path 6 inches in diameter.

(b) With the RCS not being cooled by the Normal Residual Heat Removal System (RNS).

(c) Above the P-11 (Pressurizer Pressure) interlock, when the RCS boron concentration is below that necessary to meet the SDM requirements at an RCS temperature of 200°F.

(d) With the RCS being cooled by the RNS.

(e) With the RCS pressure boundary intact.

(f) With RCS not being cooled by the RNS and with pressurizer level 20%.

(g) Above the P-19 (RCS Pressure) interlock with the RCS not being cooled by RNS.

(h) With upper internals in place.

(i) With RCS pressure boundary intact and with pressurizer level 20%.

(j) Not applicable when critical or during intentional approach to criticality.

(k) Below the P-11 (Pressurizer Pressure) interlock.

AP1000 STS 3.3.8-8 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 141

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based upon the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded. The Safety Analysis Limit (SAL) is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that an SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Safety Analysis Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The LSSS values are identified and maintained in the Setpoint Program (SP) and are controlled by 10.CFR.50.59.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded. The Safety Analysis Limit (SAL) is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to assure that a SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Safety Analysis Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The LSSS values are identified and maintained in the Setpoint Program (SP) and are controlled by 10 CFR 50.59.

AP1000 STS B 3.3.8-1 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 142

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

The Nominal Trip Setpoint (NTS) specified in the SP is a predetermined field setting for a protection channel chosen to initiate automatic actuation prior to the process variable reaching the Safety Analysis Limit and, thus, assures that the SL is not exceeded. As such, the NTS accounts for uncertainties in setting the channel (e.g., calibration),

uncertainties in how the channel might actually perform (e.g.,

repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the NTS assures that the SLs are not exceeded. Therefore, the NTS meets the 10 CFR 50.36 definition of an LSSS.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as ...being capable of performing its safety functions(s). Relying solely on the NTS to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the as-found value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule that are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the NTS due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the NTS, and thus, the automatic protective action would still have ensured that the SL would not be exceeded with the as-found setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function. If the as-found condition of the channel is near the as-found tolerance, recalibration is considered appropriate to allow for drift during the next surveillance interval.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);

AP1000 STS B 3.3.8-2 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 143

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

2. Fuel centerline melt shall not occur; and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, Safety Limits (SLs), also maintains the above values and assures that offsite doses are within the acceptance criteria during AOOs.

Design Basis Accidents (DBA) are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of the limits. Different accident categories are allowed a different fraction of these limits, based on the probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The ESFAS instrumentation is segmented into distinct but interconnected modules.

Field Transmitters and Sensors Normally, four redundant measurements using four separate sensors, are made for each variable used for actuation of Engineered Safety Features (ESF). The use of four channels for protection Functions is based on a minimum of two channels being required for a trip or actuation, one channel in test or bypass, and a single failure on the remaining channel. The signal selector in the Plant Control System will function correctly with only three channels. This includes two channels properly functioning and one channel having a single failure. Minimum requirements for protection and control are achieved only with three channels OPERABLE. The fourth channel is provided to increase plant availability, and permits the plant to run for an indefinite time with a single channel out of service. The circuit design is able to withstand both an input failure to the control system, which may then require the protection Function actuation, and a single failure in the other channels providing the protection Function actuation. Again, a single failure will neither cause nor prevent the protection Function actuation. These requirements are described in IEEE-603 (Ref. 3). The actual number of channels provided for each plant parameter is specified in Reference 1.

AP1000 STS B 3.3.8-3 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 144

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

Engineered Safety Features Channel An ESF channel extends from the sensor to the output of the associated ESF subsystem and shall include the sensor (or sensors), the signal conditioning, any associated data links, and the associated ESF subsystem. For ESF channels containing nuclear instrumentation, the ESF channel shall also include the nuclear instrument signal conditioning and the associated Nuclear Instrumentation Signal Processing and Control (NISPAC) subsystem. Any manual ESF controls that are associated with a particular ESF channel are also included in that ESF channel.

Plant Protection Subsystem The Protection and Safety Monitoring System cabinets contain the necessary equipment to:

Permit acquisition and analysis of the sensor inputs, including plant process sensors and nuclear instrumentation, required for reactor trip and ESF calculations;

Perform computation or logic operations on variables based on these inputs;

Provide trip signals to the reactor trip switchgear and ESF actuation data to the ESF coincidence logic as required;

Permit manual trip or bypass of each individual reactor trip Function and permit manual actuation or bypass of each individual voted ESF Function;

Provide data to other systems in the Instrumentation and Control (I&C) architecture;

Provide separate input circuitry for control Functions that require input from sensors that are also required for protection Functions.

Each of the four divisions provides signal conditioning, comparable output signals for indications in the main control room, and comparison of measured input signals with established setpoints. The basis of the setpoints is described in References 2 and 6. If the measured value of a unit parameter exceeds the predetermined setpoint, an output is AP1000 STS B 3.3.8-4 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 145

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued) generated which is transmitted to the ESF coincidence logic for logic evaluation.

Within the Protection and Safety Monitoring System (PMS), redundancy is generally provided for active equipment such as processors and communication hardware. This redundancy is provided to increase plant availability and facilitate surveillance testing. A division or channel is OPERABLE if it is capable of performing its specified safety function(s) and all the required supporting functions or systems are also capable of performing their related support functions. Thus, a division or channel is OPERABLE as long as one set of redundant components within the division or channel is capable of performing its specified safety function(s).

ESF Coincidence Logic The ESF coincidence logic contains the necessary equipment to:

Permit reception of the data supplied by the four divisions of plant protection and perform voting on the trip outputs;

Perform system level logic using the input data from the plant protection subsystems and transmit the output to the ESF actuation subsystems; and

Provide redundant hardware capable of providing system level commands to the ESF actuation subsystems.

ESF Actuation Subsystems The ESF actuation subsystems contain the necessary equipment to:

Receive automatic system level signals supplied by the ESF coincidence logic;

Receive and transmit data to/from main control room multiplexers;

Receive and transmit data to/from other PLCs on the same logic bus; AP1000 STS B 3.3.8-5 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 146

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

Receive status data from component position switches (such as limit switches and torque switches); and

Perform logic computations on received data, generate logic commands for final actuators (such as START, STOP, OPEN, and CLOSE).

ESF Coincidence Logic and ESF Actuation Subsystem OPERABILITY

Background

Each ESF coincidence logic and ESF actuation subsystem has two subsystems that communicate by means of redundant halves of the logic bus. This arrangement is provided to facilitate testing. If one subsystem is removed from service, the remaining subsystem continues to function and the ESF division continues to provide full protection. At least one of these redundant halves is connected to the battery backed portion of the power system. This provides full functionality of the ESF division even when all ac power sources are lost. As long as one battery subsystem within an ESF coincidence logic or ESF actuation subsystem continues to operate, the ESF division is unaffected. An ESF division is only affected when all battery backed subsystems within that divisions ESF coincidence logic or ESF actuation subsystem are not OPERABLE.

Nominal Trip Setpoints (NTSs)

The NTS is the nominal value at which the trip output is set. Any trip output is considered to be properly adjusted when the as-left value is within the band for CHANNEL CALIBRATION, i.e., +/- rack calibration accuracy.

The trip setpoints used in the trip output are based on the Safety Analysis Limits stated in Reference 2. The determination of these NTSs is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 4), the NTSs specified in the SP are conservative with respect to the Safety Analysis Limits. A detailed description of the methodology used to calculate the NTSs, including their explicit uncertainties, is provided in the Westinghouse Setpoint Methodology for Protection Systems (Ref. 6). The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found AP1000 STS B 3.3.8-6 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 147

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

OPERABILITY limit for the purpose of the CHANNEL OPERATIONAL TEST (COT) is defined as the as-left limit about the NTS (i.e., +/- rack calibration accuracy).

The NTSs listed in the SP are based on the methodology described in Reference 6, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTS. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.

The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The basis of the setpoints is described in References 2 and 6. Trending of calibration results is required by the program description in Technical Specification 5.5.14.d.

Note that the as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION, CHANNEL OPERATIONAL TEST, or a TRIP ACTUATING DEVICE OPERATIONAL TEST that requires trip setpoint verification.

The protection and safety monitoring system testing features are designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features. Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded. For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing. To the extent possible, protection and safety monitoring system functional testing will be accomplished with continuous system self-checking features and the continuous functional testing features.

AP1000 STS B 3.3.8-7 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 148

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES BACKGROUND (continued)

The protection and safety monitoring system incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the computer system and the hardware and communications tests. These self-checking tests do not interfere with normal system operation.

In addition to the self-checking features, the system includes functional testing features. Functional testing features include continuous functional testing features and manually initiated functional testing features. To the extent practical, functional testing features are designed not to interfere with normal system operation.

In addition to the system self-checking features and functional testing features, other test features are included for those parts of the system which are not tested with self-checking features or functional testing features. These test features allow for instruments/sensor checks, calibration verification, response time testing, setpoint verification and component testing. The test features again include a combination of continuous testing features and manual testing features.

All of the testing features are designed so that the duration of the testing is as short as possible. Testing features are designed so that the actual logic is not modified. To prevent unwanted actuation, the testing features are designed with either the capability to bypass a Function during testing and/or limit the number of signals allowed to be placed in test at one time.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure - Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual initiation not specifically credited in the accident safety analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the plant. These Functions may provide protection for conditions which do not require dynamic transient analysis to demonstrate Function performance. These AP1000 STS B 3.3.8-8 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 149

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 2).

Permissive and interlock functions are based upon the associated protection function instrumentation. Because they do not have to operate in adverse environmental conditions, the trip settings of the permissive and interlock functions use the normal environment, steady-state instrument uncertainties of the associated protection function instrumentation. This results in OPERABILITY criteria (i.e., as-found tolerance and as-left tolerance) that are the same as the associated protection function sensor and process rack modules. The NTSs for permissives and interlocks are based on the associated protection function OPERABILITY requirements; i.e., permissives and interlocks performing enabling functions must be set to occur prior to the specified trip setting of the associated protection function.

The LCO requires all instrumentation performing an ESFAS Function, listed in Table 3.3.8-1 in the accompanying LCO, to be OPERABLE. The as-left and as-found tolerances specified in the SP define the OPERABILITY limits for a channel during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the as-left and as-found tolerances differ from the NTS by plus or minus the PMS rack calibration accuracy and envelope the expected calibration accuracy and drift. In this manner, the actual setting of the channel (NTS) prevents exceeding an SL at any given point in time as long as the channel has not drifted beyond the expected tolerances during the surveillance interval. Note that the as-left and as-found recorded values must be confirmed to be within the assumptions of the statistical uncertainty calculations.

If the actual setting of the channel is found outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed tolerance) and evaluating the channels response. If the channel is functioning as required and expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

AP1000 STS B 3.3.8-9 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 150

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

A trip setpoint may be set more conservative than the NTS as necessary in response to plant conditions. However, in this case, the OPERABILITY of this instrument must be verified based on the actual field setting and not the NTS. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

ESFAS Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlocks backup manual actions to ensure bypassable Functions are in operation under the conditions assumed in the safety analyses. Proper operation of these interlocks supports OPERABILITY of the associated TS Functions and/or the requirement for actuation logic OPERABILITY. Interlocks must be in the required state, as appropriate, to support OPERABILITY of ESFAS.

Reactor Trip Breaker Open, P-3 The P-3 interlock is provided to permit the block of automatic Safeguards Actuation after a predetermined time interval following automatic Safeguards Actuation.

The reactor trip breaker position switches that provide input to the P-3 interlock only function to energize or de-energize (open or close) contacts. Therefore, this interlock does not have an adjustable trip setpoint.

Reactor Trip, P-4 There are eight reactor trip breakers with two breakers in each division.

The P-4 interlock is enabled when the breakers in two-out-of-four divisions are open. Additionally, the P-4 interlock is enabled by all Automatic Reactor Trip Actuations. Once enabled, the P-4 interlock initiates the following actions:

Main turbine trip (closes turbine stop valves, control valves, reheat stop valves, intercept valves, extraction steam shutoff and non-return valves, and opens automatic steam line drain valves)

AP1000 STS B 3.3.8-10 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 151

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Boron dilution block (closes the two isolation valves in the demineralized water system supply line to the makeup pump suction control valve)

CVS makeup isolation (closes the two makeup line containment isolation motor-operated valves) if coincident with a steam generator (SG) narrow range water level high voting logic output signal (Table 3.3.8-1, Function 22) for either SG to limit primary-to-secondary leakage to the affected SG following a SGTR event

Startup feedwater isolation (closes control and isolation valves and trips startup feedwater pump) if coincident with a SG narrow range water level high voting logic output signal (Table 3.3.8-1, Function 22) for either SG

Isolate main feedwater coincident with a reactor coolant system average temperature - Low 2 voting logic output signal (Table 3.3.8-1, Function 13) (Even though this function is not assumed in safety analysis, it is included in the technical specifications.)

The reactor trip breaker position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this RTB position switch function has no adjustable trip setpoint.

Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is automatically enabled when the respective PMS division Intermediate Range Neutron Flux channel increases to approximately one decade above the channel lower range limit. Below the setpoint, the P-6 interlock is automatically disabled, which unblocks the Source Range Neutron Flux Doubling instrument Function, permitting the automatic block of boron dilution.

Normally, this Function is blocked by the main control room operator during reactor startup after the Intermediate Range Neutron Flux instrument indicates that reactor power exceeds the P-6 setpoint because above the setpoint the block of boron dilution is not needed.

AP1000 STS B 3.3.8-11 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 152

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without Safeguards Actuation or main steam line and feedwater isolation.

With pressurizer pressure channels less than the P-11 setpoint, the operator can manually block the following listed ESFAS instrument Functions, which initiate these ESF actuation and isolation Functions, by manually blocking the initiation signal from the ESFAS instrument channel in at least three PMS divisions:

Safeguards Actuation on

- Pressurizer Pressure - Low (Table 3.3.8-1, Function 5),

- Steam Line Pressure - Low (Table 3.3.8-1, Function 24), or

- Tcold - Low (Table 3.3.8-1, Function 11).

Steam Line Isolation on

- Steam Line Pressure - Low (Table 3.3.8-1, Function 24) or

- Tcold - Low (Table 3.3.8-1, Function 11).

Manually blocking the Steam Line Pressure - Low ESFAS instrument channels enables the ESF Function of Main Steam Isolation on Steam Line Pressure-Negative Rate - High (Table 3.3.8-1, Function 25). This provides protection for an SLB by closure of the main steam isolation valves.

Feedwater Isolation on

- Tavg - Low 1 (Table 3.3.8-1, Function 12),

- Tavg - Low 2 (Table 3.3.8-1, Function 13), and

- Tcold - Low (Table 3.3.8-1, Function 11).

With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Safeguards Actuation signals on Pressurizer Pressure -

Low, Steam Line Pressure - Low, and Tcold - Low, the Steam Line Isolation signals on Steam Line Pressure Low and Tcold - Low, Feedwater Isolation signals on Tcold - Low, Tavg - Low 1 and Tavg - Low 2 are automatically enabled. The operator can also manually enable these signals by use of the respective PMS division manual reset buttons for these ESFAS instrument Functions. With pressurizer pressure channels greater than or equal to the P-11 setpoint, the Steam Line Isolation signal on Steam Line Pressure-Negative Rate - High is automatically blocked.

AP1000 STS B 3.3.8-12 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 153

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

When the Steam Line Pressure - Low and Tcold - Low steam line isolation signals are enabled, the main steam isolation on Steam Line Pressure-Negative Rate - High is disabled. The Containment Pressure - High 2 and Containment Radioactivity - High 2 channels are automatically unblocked above the P-11 setpoint, with manual block permitted below the P-11 setpoint. The P-11 setpoint reflects only steady state instrument uncertainties.

Pressurizer Level, P-12 The P-12 interlock is provided to permit midloop operation without core makeup tank actuation, reactor coolant pump trip, CVS letdown isolation, or purification line isolation. With pressurizer level channels less than the P-12 setpoint, the operator can manually block the Pressurizer Water Level - Low 1 and Pressurizer Water Level - Low 2 signals used for these actuations. Concurrent with blocking CMT actuation on Pressurizer Water Level - Low 2, ADS 4th Stage actuation on Low 2 RCS hot leg level is enabled. Also CVS letdown isolation on Low 1 RCS hot leg level is enabled. When the pressurizer level is above the P-12 setpoint, the Pressurizer Water Level - Low 2 signal is automatically enabled and a confirmatory open signal is issued to the isolation valves on the CMT cold leg balance lines.

RCS Pressure, P-19 The P-19 interlock is provided to permit water solid conditions (i.e., when the pressurizer water level is > 92%) in lower MODES without automatic isolation of the CVS makeup pumps. With RCS pressure below the P-19 setpoint, the operator can manually block CVS isolation on Pressurizer Water Level - High 2 (Table 3.3.8-1, Function 9), and block PRHR actuation and Pressurizer Heater Trip on Pressurizer Water Level -

High 3 (Table 3.3.8-1, Function 10). When RCS pressure is above the P-19 setpoint, these Functions are automatically unblocked. When the RNS is cooled by the RNS, the RNS suction relief valve provides the required overpressure protection (LCO 3.4.14).

The LCO generally requires OPERABILITY of four channels in each instrumentation/logic Function and two devices for each manual initiation Function. The two-out-of-four configurations allow one channel to be bypassed during maintenance or testing without causing an ESFAS initiation. Two manual initiation channels are required to ensure no single random failure disables the ESFAS.

AP1000 STS B 3.3.8-13 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 154

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The required channels of ESFAS instrumentation provide plant protection in the event of any of the analyzed accidents. ESFAS protective functions are as follows:

Safeguards Actuation The Safeguards Actuation signal actuates the alignment of the Core Makeup Tank (CMT) valves for passive injection to the RCS. The Safeguards Actuation signal provides two primary Functions:

Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal and clad integrity, peak clad temperature < 2200°F); and

Boration to ensure recovery and maintenance of SHUTDOWN MARGIN (keff < 1.0).

These Functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The Safeguards Actuation signal is also used to initiate other Functions such as:

Containment Isolation;

Reactor Trip;

Close Main Feedwater Control Valves;

Trip Main Feedwater Pumps and Closure of Isolation and Crossover Valves; and

Reactor Coolant Pump Trip.

These other Functions ensure:

Isolation of nonessential systems through containment penetrations;

Trip of the turbine and reactor to limit power generation;

Isolation of main feedwater to limit secondary side mass losses; AP1000 STS B 3.3.8-14 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 155

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Trip of the reactor coolant pumps to ensure proper CMT actuation;

Enabling automatic depressurization of the RCS on CMT Level -

Low 1 to ensure continued safeguards actuated injection.

Safeguards Actuation is initiated by the following signals:

Containment Pressure - High 2 (LCO 3.3.8, Function 2);

Pressurizer Pressure - Low (LCO 3.3.8, Function 5);

RCS Cold Leg Temperature (Tcold) - Low (LCO 3.3.8, Function 11);

Steam Line Pressure - Low (LCO 3.3.8, Function 24); and

Safeguards Actuation - Manual Initiation (LCO 3.3.9, Function 1).

Core Makeup Tank (CMT) Actuation CMT Actuation provides the passive injection of borated water into the RCS. Injection provides RCS makeup water and boration during transients or accidents when the normal makeup supply from the Chemical and Volume Control System (CVS) is lost or insufficient. Two tanks are available to provide passive injection of borated water. CMT injection mitigates the effects of high energy line breaks by adding primary side water to ensure maintenance or recovery of reactor vessel water level following a LOCA, and by borating to ensure recovery or maintenance of SHUTDOWN MARGIN following a steam line break.

CMT Valve Actuation is initiated by the following signals:

Safeguards Actuation;

Pressurizer Water Level - Low 2 (LCO 3.3.8, Function 7);

ADS Stages 1, 2, and 3 Actuation; and

CMT Actuation - Manual Initiation (LCO 3.3.9, Function 2).

AP1000 STS B 3.3.8-15 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 156

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Containment Vacuum Relief Valve Actuation The purpose of the vacuum relief lines is to protect the containment vessel against damage due to a negative pressure (i.e., a lower pressure inside than outside). Containment Vacuum Relief Valve Actuation is actuated by the following signals:

Containment Pressure - Low 2 (LCO 3.3.8, Function 1); and

Containment Vacuum Relief Valve Actuation - Manual Initiation (LCO 3.3.9, Function 15).

Containment Isolation Containment Isolation provides isolation of the containment atmosphere and selected process systems which penetrate containment from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

Containment Isolation is actuated by the following signals:

Safeguards Actuation;

Passive Containment Cooling Actuation - Manual Initiation (LCO 3.3.9, Function 8); and

Containment Isolation - Manual Initiation (LCO 3.3.9, Function 3).

Containment Air Filtration System Isolation Some DBAs such as a LOCA may release radioactivity into the containment where the potential would exist for the radioactivity to be released to the atmosphere and exceed the acceptable site dose limits.

Isolation of the Containment Air Filtration System provides protection to prevent radioactivity inside containment from being released to the atmosphere.

AP1000 STS B 3.3.8-16 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 157

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Containment Air Filtration System Isolation is actuated by the following signals:

Containment Radioactivity - High 1 (LCO 3.3.8, Function 3); and

Containment Isolation Actuation.

Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one steam generator (SG) at most. For an SLB upstream of the isolation valves, inside or outside of containment, closure of the isolation valves limits the accident to the blowdown from only the affected SG. For a SLB downstream of the isolation valves, closure of the isolation valves terminates the accident as soon as the steam lines depressurize.

Closure of the turbine stop and control valves and the main steam branch isolation valves is initiated by this Function. Closure of these valves limits the accidental depressurization of the main steam system associated with an inadvertent opening of a single steam dump, relief, safety valve, or a rupture of a main steam line. Closure of these valves also supports a steam generator tube rupture event by isolating the faulted steam generator.

Steam Line Isolation is actuated by the following signals:

Containment Pressure - High 2 (LCO 3.3.8, Function 2);

RCS Cold Leg Temperature (Tcold) - Low (LCO 3.3.8, Function 11);

Steam Line Pressure - Low (LCO 3.3.8, Function 24);

Steam Line Pressure - Negative Rate - High (LCO 3.3.8, Function 25); and

Steam Line Isolation - Manual Initiation (LCO 3.3.9, Function 4).

AP1000 STS B 3.3.8-17 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 158

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

SG Power Operated Relief Valve and Block Valve Isolation The Function of the SG Power Operated Relief Valve and Block Valve Isolation is to ensure that the SG PORV flow paths can be isolated during a SG tube rupture (SGTR) event. The PORV flow paths must be isolated following a SGTR to minimize radiological releases from the ruptured steam generator into the atmosphere. The PORV flow path is assumed to open due to high secondary side pressure, during the SGTR. Dose analyses take credit for subsequent isolation of the PORV flow path by the PORV and/or the block valve which receive a close signal on low steam line pressure. Additionally, the PORV flow path can be isolated manually.

SG Power Operated Relief Valve and Block Valve Isolation is actuated by the following signals:

Steam Line Pressure - Low (LCO 3.3.8, Function 24); and

SG Power Operated Relief Valve and Block Valve Isolation - Manual Initiation (LCO 3.3.9, Function 14).

Steam Generator Blowdown Isolation The primary Function of the steam generator blowdown isolation is to preserve water inventory in the steam generators to support removing the excess heat being generated until the decay heat has decreased to within the PRHR HX capability.

Steam Generator Blowdown Isolation is actuated by the following signals:

PRHR HX Actuation; and

SG Narrow Range Water Level - Low (LCO 3.3.8, Function 20).

AP1000 STS B 3.3.8-18 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 159

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Turbine Trip The primary Function of the Turbine Trip is to prevent damage to the turbine due to water in the steam lines. This Function is necessary in MODES 1 and 2, and 3 above the P-11 pressurizer pressure interlock setpoint to mitigate the effects of a large SLB or a large Feedline Break (FLB). Failure to trip the turbine following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

Turbine Trip is actuated by the following signals:

SG Narrow range Water Level - High 2 (LCO 3.3.8, Function 23);

Reactor Trip Signal (P-4) (LCO 3.3.12); and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

Main Feedwater Control Valve Isolation The primary Function of Main Feedwater Control Valve Isolation is to prevent damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs.

Main Feedwater Control Valve Isolation is actuated by the following signals:

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

Safeguards Actuation;

Reactor Coolant Average Temperature (Tavg) - Low 1 (LCO 3.3.8, Function 12) coincident with Reactor Trip Signal (P-4) (LCO 3.3.12);

and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

AP1000 STS B 3.3.8-19 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 160

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Main Feedwater Pump Trip and Valve Isolation The primary function of the Main Feedwater Pump Trip and Isolation is to prevent damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs. Valve isolation includes closing the main feedwater isolation and crossover valves. Isolation of main feedwater is necessary to prevent an increase in heat removal from the reactor coolant system in the event of a feedwater system malfunction. Addition of excessive feedwater causes an increase in core power by decreasing reactor coolant temperature.

Main Feedwater Pump Trip and Valve Isolation is actuated by the following signals:

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

Safeguards Actuation;

Reactor Coolant Average Temperature (Tavg) - Low 2 (LCO 3.3.8, Function 13) coincident with Reactor Trip Signal (P-4) (LCO 3.3.12);

and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

Startup Feedwater Isolation The primary Function of the Startup Feedwater Isolation is to stop the excessive flow of feedwater into the SGs. This Function is necessary in MODES 1, 2, 3, and 4 to mitigate the effects of a large SLB or a large FLB. Failure to isolate the startup feedwater system following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

Startup Feedwater Isolation is actuated by the following signals:

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

RCS Cold Leg Temperature (Tcold) - Low (LCO 3.3.8, Function 11);

AP1000 STS B 3.3.8-20 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 161

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

SG Narrow Range Water Level - High (LCO 3.3.8, Function 22) coincident with Reactor Trip Signal (P-4) (LCO 3.3.12); and

Feedwater Isolation - Manual Initiation (LCO 3.3.9, Function 5).

ADS Stages 1, 2, & 3 Actuation The Automatic Depressurization System (ADS) provides a sequenced depressurization of the reactor coolant system to allow passive injection from the CMTs, accumulators, and the in-containment refueling water storage tank (IRWST) to mitigate the effects of a LOCA. The depressurization is accomplished in four stages, with the first three stages discharging into the IRWST and the last stage discharging into containment. Each of the first three stages consists of two parallel paths with each path containing an isolation valve and a depressurization valve.

The first stage isolation valves open on any ADS Stages 1, 2, and 3 actuation. The first stage depressurization valves are opened following a preset time delay after the actuation of the isolation valves. The second stage isolation valves are opened following a preset time delay after actuation of the first stage depressurization valves open. The second stage depressurization valves are opened following a preset time delay after the second stage isolation valves are actuated, similar to stage one.

Similar to the second stage, the third stage isolation valves are opened following a preset time delay after the actuation of the second stage depressurization valves. The third stage depressurization valves are opened following a preset time delay after the third stage isolation valves are actuated.

ADS Stages 1, 2, & 3 is actuated on the following signals:

CMT Level - Low 1 (LCO 3.3.8, Function 15) coincident with CMT Actuation; and

ADS Stages 1, 2, & 3 Actuation - Manual Initiation (LCO 3.3.9, Function 6).

AP1000 STS B 3.3.8-21 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 162

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

ADS Stage 4 Actuation The ADS provides a sequenced depressurization of the reactor coolant system to allow passive injection from the CMTs, accumulators, and the IRWST to mitigate the effects of a LOCA. The depressurization is accomplished in four stages, with the first three stages discharging into the IRWST and the fourth stage discharging into containment.

The fourth stage of the ADS consists of four parallel paths. Each of these paths consists of a normally open isolation valve and a depressurization valve. The four paths are divided into two groups with two paths in each group. Within each group, one path is designated to be substage A and the second path is designated to be substage B.

The substage A depressurization valves are opened following a preset time delay after the substage A isolation valve confirmatory open signal.

The sequence is continued with substage B. A confirmatory open signal is provided to the substage B isolation valves following a preset time delay after the substage A depressurization valve has been opened. The signal to open the substage B depressurization valve is provided following a preset time delay after the substage B isolation valves confirmatory open signal.

ADS Stage 4 is actuated on the following signals:

CMT Level - Low 2 (LCO 3.3.8, Function 16) coincident with both ADS Stage 1, 2, & 3 Actuation and RCS Wide Range Pressure -

Low (LCO 3.3.8, Function 14);

Hot Leg Loop 1 Level - Low 2 coincident with Hot Leg Loop 2 Level -

Low 2 (LCO 3.3.10, Function 1, Hot Leg Level - Low 2);

ADS Stage 4 Actuation - Manual Initiation (LCO 3.3.9, Function 6) coincident with ADS Stages 1, 2, & 3 Actuation; and

ADS Stage 4 Actuation - Manual Initiation (LCO 3.3.9, Function 6) coincident with RCS Wide Range Pressure - Low (LCO 3.3.8, Function 14).

AP1000 STS B 3.3.8-22 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 163

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Reactor Coolant Pump Trip Reactor Coolant Pump (RCP) Trip allows the passive injection of borated water into the RCS. Injection provides RCS makeup water and boration during transients or accidents when the normal makeup supply from the CVS is lost or insufficient. Two tanks provide passive injection of borated water by gravity when the reactor coolant pumps are tripped. CMT injection mitigates the effects of high energy line breaks by adding primary side water to ensure maintenance or recovery of reactor vessel water level following a LOCA, and by borating to ensure recovery or maintenance of SHUTDOWN MARGIN following a steam line break.

RCP trip on high bearing water temperature protects the RCP coast down.

RCP trip is actuated on the following signals:

Safeguards Actuation;

ADS Stages 1, 2, and 3 Actuation;

Reactor Coolant Pump Bearing Water Temperature - High (LCO 3.3.8, Function 19);

Pressurizer Water Level - Low 2 (LCO 3.3.8, Function 7); and

CMT Injection Actuation - Manual Initiation (LCO 3.3.9, Function 2).

Component Cooling Water System Containment Isolation Valve Closure The function of the Component Cooling Water System (CCS) containment isolation valve closure is to ensure that the CCS flow paths can be isolated during an RCP heat exchanger tube rupture event. The CCS flow paths must be isolated following an RCP heat exchanger tube rupture event to minimize radiological releases from the ruptured tube into the turbine building. CCS Containment Isolation Valve Closure is actuated by Reactor Coolant Pump Bearing Water Temperature - High (LCO 3.3.8, Function 19).

AP1000 STS B 3.3.8-23 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 164

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Passive Containment Cooling Actuation The Passive Containment Cooling System (PCS) transfers heat from the reactor containment to the environment. This Function is necessary to prevent the containment design pressure and temperature from being exceeded following any postulated DBA (such as LOCA or SLB). PCS heat removal is initiated automatically in response to a Containment Pressure - High 2 signal or manually.

A Passive Containment Cooling Actuation signal initiates water flow by gravity by opening the isolation valves. The water flows onto the containment dome, wetting the outer surface. The path for natural circulation of air along the outside walls of the containment structure is always open.

Passive Containment Cooling is actuated on the following signals:

Containment Pressure - High 2 (LCO 3.3.8, Function 2); and

Passive Containment Cooling Actuation - Manual Initiation (LCO 3.3.9, Function 8).

Passive Residual Heat Removal (PRHR) Heat Exchanger Actuation The PRHR Heat Exchanger (HX) provides emergency core decay heat removal when the Startup Feedwater System is not available to provide a heat sink.

PRHR is actuated on the following signals:

SG Narrow Range Water Level - Low (LCO 3.3.8, Function 20) coincident with Startup Feedwater Flow - Low (LCO 3.3.11);

SG Wide Range Water Level - Low (LCO 3.3.8, Function 21);

ADS Stages 1, 2, and 3 Actuation;

CMT Actuation;

Pressurizer Water Level - High 3 (LCO 3.3.8, Function 10); and AP1000 STS B 3.3.8-24 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 165

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

PRHR Heat Exchanger Actuation - Manual Initiation (LCO 3.3.9, Function 9).

Boron Dilution Block The block of boron dilution is accomplished by closing the CVS makeup pump suction valves to demineralized water storage tanks, and aligning the boric acid tank to the CVS makeup pump suction.

Boron Dilution Block is actuated on the following signals:

Source Range Neutron Flux Doubling (LCO 3.3.8, Function 17); and

Reactor Trip Signal (P-4) (LCO 3.3.12).

Chemical and Volume Control System Makeup Line Isolation The CVS makeup line is isolated following certain events to prevent overfilling of the RCS. In addition, this line is isolated on High 2 containment radioactivity to provide containment isolation following an accident. This line is not isolated on a containment isolation signal, to allow the CVS makeup pumps to perform their defense-in-depth functions. However, if very high containment radioactivity exists (above the High 2 setpoint) this line is isolated.

Chemical and Volume Control System Makeup Line Isolation is actuated on the following signals:

Containment Radioactivity - High 2 (LCO 3.3.8, Function 4);

Pressurizer Water Level - High 2 (LCO 3.3.8, Function 9);

Pressurizer Water Level - High 1 (LCO 3.3.8, Function 8) coincident with unlatched Safeguards Actuation;

Source Range Neutron Flux Doubling (LCO 3.3.8, Function 17);

SG Narrow Range Water Level - High 2 (LCO 3.3.8, Function 23);

SG Narrow Range Water Level - High (LCO 3.3.8, Function 22) coincident with Reactor Trip Signal (P-4) (LCO 3.3.12); and AP1000 STS B 3.3.8-25 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 166

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Chemical and Volume Control System Makeup Isolation - Manual Initiation (LCO 3.3.9, Function 10).

Chemical and Volume Control System Letdown Isolation The CVS provides letdown to the liquid radwaste system to maintain the pressurizer level. To help maintain RCS inventory in the event of a LOCA, the CVS Letdown Isolation is actuated on Hot Leg Level - Low 1 (LCO 3.3.10, Function 2).

Auxiliary Spray and Purification Line Isolation The CVS maintains the RCS fluid purity and activity level within acceptable limits. The CVS purification line receives flow from the discharge of the RCPs. The CVS also provides auxiliary spray to the pressurizer. To preserve the reactor coolant pressure in the event of a break in the CVS loop piping, the purification line and the auxiliary spray line are isolated to help maintain reactor coolant system inventory.

Auxiliary Spray and Purification Line Isolation is actuated on the following signals:

Pressurizer Water Level - Low 1 (LCO 3.3.8, Function 6); and

Chemical and Volume Control System Makeup Isolation - Manual Initiation (LCO 3.3.9, Function 10).

Pressurizer Heater Trip Pressurizer heaters are automatically tripped upon receipt of a core makeup tank operation signal or a Pressurizer Water Level - High 3 signal. This pressurizer heater trip reduces the potential for SG overfill and automatic ADS Stages 1, 2, and 3 actuation for a SG tube rupture event. Automatically tripping the pressurizer heaters reduces the pressurizer level swell for certain non-LOCA events such as loss of normal feedwater, inadvertent CMT operation, and CVS malfunction resulting in an increase in RCS inventory. For small break LOCA analysis, tripping the pressurizer heaters supports depressurization of the RCS following actuation of the CMTs.

AP1000 STS B 3.3.8-26 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 167

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Pressurizer Heater Trip is actuated on the following signals:

CMT Actuation; and

Pressurizer Water Level - High 3 (LCO 3.3.8, Function 10).

Normal Residual Heat Removal System (RNS) Isolation The RNS suction line is isolated by closing the containment isolation valves on High 2 containment radioactivity to provide containment isolation following an accident. This line is isolated on a safeguards actuation signal. However, the valves may be reset to permit the RNS pumps to perform their defense-in-depth functions post accident. Should a high containment radiation signal (above the High 2 setpoint) develop following the containment isolation signal, the RNS valves would re-close. A high containment radiation signal is indicative of a high RCS source term and the valves would re-close to assure offsite doses do not exceed regulatory limits.

RNS Isolation is actuated on the following signals:

Containment Radioactivity - High 2 (LCO 3.3.8, Function 4);

Safeguards Actuation; and

Normal Residual Heat Removal System Isolation - Manual Initiation (LCO 3.3.9, Function 11).

IRWST Injection Line Valve Actuation The PXS provides core cooling by gravity injection and recirculation for decay heat removal following an accident. The IRWST has two injection flow paths. Each injection path includes a normally open motor operated isolation valve and two parallel lines, each isolated by one check valve and one squib valve in series.

AP1000 STS B 3.3.8-27 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 168

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

IRWST Injection Line Valve Actuation is actuated on the following signals:

ADS Stage 4 Actuation; and

IRWST Injection Line Valve Actuation - Manual Initiation (LCO 3.3.9, Function 12).

IRWST Containment Recirculation Valve Actuation The PXS provides core cooling by gravity injection and recirculation for decay heat removal following an accident. The PXS has two containment recirculation flow paths. Each path contains two parallel flow paths, one path is isolated by a motor operated valve in series with a squib valve and one path is isolated by a check valve in series with a squib valve.

IRWST Containment Recirculation Valve Actuation opens the recirculation valves on the following signals:

ADS Stage 4 Actuation coincident with IRWST Level - Low 3 (LCO 3.3.8, Function 18); and

IRWST Containment Recirculation Valve Actuation - Manual Initiation (LCO 3.3.9, Function 13).

Main Control Room Isolation and Air Supply Initiation Isolation of the main control room and initiation of the air supply provides a protected environment from which operators can control the plant following an uncontrolled release of radioactivity. Main Control Room Isolation and Air Supply Initiation is actuated on a Control Room Air Supply Radiation - High 2 signal (LCO 3.3.13).

Refueling Cavity Isolation The containment isolation valves in the lines between the refueling cavity and the Spent Fuel Pool Cooling System are isolated on a Spent Fuel Pool Level - Low signal (LCO 3.3.14).

AP1000 STS B 3.3.8-28 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 169

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

ESF Logic LCO 3.3.15 and LCO 3.3.16 require four sets of ESF coincidence logic, each set with one battery backed logic group OPERABLE to support automatic actuation. These logic groups are implemented as processor based actuation subsystems. The ESF coincidence logic provides the system level logic interfaces for the divisions. The ESF coincidence logic includes both the voting logic for the divisional signals from each ESF instrument function, and the coincidence logic of ESF actuation and ESF instrument function divisional signals needed to generate an ESF actuation signal for some ESFAS protective functions.

ESF Actuation LCO 3.3.15 and LCO 3.3.16 require that for each division of ESF actuation, one battery backed logic group be OPERABLE to support both automatic and manual actuation. The ESF actuation subsystems provide the logic and power interfaces for the actuated components.

The following are descriptions of the individual instrument Functions required by this LCO as presented in Table 3.3.8-1. Each Function description also provides the ESFAS protective functions actuated by the instrumentation.

1. Containment Pressure - Low 2 This signal provides protection against a negative pressure in containment due to loss of ac power or inadvertent actuation of containment cooling and a low outside ambient air temperature in combination with limited containment heating that reduces the atmospheric temperature (and hence pressure) inside containment.

Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function.

The Containment Vacuum Relief Valve Actuation ESFAS protective function is actuated by Containment Pressure - Low 2.

Automatic Containment Vacuum Relief Valve actuation must be OPERABLE in MODES 1 through 4 and in MODES 5 and 6 without an open containment air flow path 6 inches in diameter. With a AP1000 STS B 3.3.8-29 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 170

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 6-inch diameter or equivalent containment air flow path, the vacuum relief function is not needed to mitigate a low pressure event.

2. Containment Pressure - High 2 This signal provides protection against the following accidents:

SLB inside containment;

LOCA; and

Feed line break inside containment.

The ESFAS protective functions actuated by Containment Pressure

- High 2 are:

Safeguards Actuation;

Steam Line Isolation; and

Passive Containment Cooling Actuation.

The transmitters (d/p cells) and electronics are located outside of containment. Since the transmitters and electronics are located outside of containment, they will not experience adverse environmental conditions. The Containment Pressure - High 2 setpoint has been specified as low as reasonable, without creating potential for spurious trips during normal operations, consistent with the TMI action item (NUREG-0933, Item II.E.4.2) guidance.

The LCO requires four channels of Containment Pressure - High 2 to be OPERABLE in MODES 1, 2, 3, and 4. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. In MODES 5 and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure - High 2 setpoint.

AP1000 STS B 3.3.8-30 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 171

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

3. Containment Radioactivity - High 1 This signal to isolate Containment Air Filtration System results from the coincidence of containment radioactivity above the High 1 setpoint in any two of the four divisions.

The Containment Air Filtration System Isolation ESFAS protective function is actuated by Containment Radioactivity - High 1.

Four channels of Containment Radioactivity - High 1 are required to be OPERABLE in MODES 1, 2, and 3, and MODE 4 with the RCS not being cooled by the RNS, when the potential exists for a LOCA, to protect against radioactivity inside containment being released to the atmosphere. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. This Function is not required to be OPERABLE in MODE 4 with the RCS being cooled by the RNS, MODE 5 and MODE 6. Any DBA release of radioactivity into the containment in these conditions would not require the Containment Air Filtration System Isolation Function.

4. Containment Radioactivity - High 2 This signal to isolate CVS makeup and to isolate the normal residual heat removal system results from the coincidence of containment radioactivity above the High 2 setpoint in any two of the four divisions.

The ESFAS protective functions actuated by Containment Radioactivity - High 2 are:

Chemical and Volume Control System Makeup Isolation; and

Normal Residual Heat Removal System Isolation.

Four channels of Containment Radioactivity - High 2 are required to be OPERABLE in MODES 1, 2, and 3 when the potential exists for a LOCA, to ensure that the radioactivity inside containment is not released to the atmosphere. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. This Function is not required to be OPERABLE in MODES 4, 5, and 6 AP1000 STS B 3.3.8-31 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 172

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) because there is no credible release of radioactivity into the containment in these MODES that would result in a High 2 actuation.

5. Pressurizer Pressure - Low This signal provides protection against the following accidents:

Inadvertent opening of a steam generator safety valve;

SLB;

A spectrum of rod cluster control assembly ejection accidents (rod ejection);

Inadvertent opening of a pressurizer safety valve;

LOCAs; and

Steam Generator Tube Rupture (SGTR).

The Safeguards Actuation ESFAS protective function is actuated by Pressurizer Pressure - Low. The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment). Therefore, the NTS reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

The LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE in MODES 1, 2, and 3 (above P-11, when the RCS boron concentration is below that necessary to meet the SDM requirements at an RCS temperature of 200°F), to mitigate the consequences of a high energy line rupture inside containment.

Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic actuation below this pressure is then performed by the Containment Pressure - High 2 signal.

AP1000 STS B 3.3.8-32 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 173

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF Functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

6. Pressurizer Water Level - Low 1 A signal to isolate the purification line and the auxiliary spray line is generated upon the coincidence of pressurizer level below the Low 1 setpoint in any two-out-of-four divisions.

The Auxiliary Spray and Purification Line Isolation ESFAS protective function is actuated by Pressurizer Water Level - Low 1.

Four channels of Pressurizer Water Level - Low 1 are required to be OPERABLE in MODES 1 and 2 to help maintain RCS inventory. In MODES 3, 4, 5, and 6, this instrument Function is not needed for accident detection and mitigation.

7. Pressurizer Water Level - Low 2 This instrument Function initiates CMT Valve Actuation and tripping of the RCPs from the coincidence of pressurizer level below the Low 2 Setpoint in any two of the four divisions.

The ESFAS protective functions actuated by Pressurizer Water Level - Low 2 are:

CMT Actuation; and

Reactor Coolant Pump Trip.

This function can be manually blocked when the pressurizer water level is below the P-12 Setpoint. This Function is automatically unblocked when the pressurizer water level is above the P-12 Setpoint. The Setpoint reflects both steady state and adverse environmental instrument uncertainties as the detectors provide protection for an event that results in a harsh environment.

AP1000 STS B 3.3.8-33 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 174

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function is required to be OPERABLE in MODES 1, 2, 3, and 4. This Function is also required to be OPERABLE in MODE 5 with pressurizer level 20%, when the RCS is not being cooled by the RNS.

8. Pressurizer Water Level - High 1 Four channels of pressurizer level are provided on the pressurizer.

Two-out-of-four channels on indicating level greater than the High 1 setpoint coincident with a Safeguards Actuation signal will close the containment isolation valves for the CVS. This instrument Function prevents the pressurizer level from reaching a level that could lead to water relief through the pressurizer safety valves during some DBAs.

The Chemical and Volume Control System Makeup Isolation ESFAS protective function is actuated by Pressurizer Water Level - High 1.

This Function is required to be OPERABLE in MODES 1, 2, and 3.

This Function is not required to be OPERABLE in MODES 4, 5, and 6, because it is not required to mitigate a DBA in these MODES.

This Function is not applicable in MODE 3, if the CVS makeup flow path is isolated.

9. Pressurizer Water Level - High 2 A signal to close the CVS isolation valves is generated on Pressurizer Water Level - High 2. This instrument Function results from the coincidence of pressurizer level above the High 2 setpoint in any two of the four divisions. This Function can be manually blocked when the pressurizer pressure is below the P-19 (RCS Pressure) setpoint to permit pressurizer water solid conditions with the plant cold and to permit level makeup during plant cooldowns.

This Function is automatically unblocked when RCS pressure is above the P-19 setpoint.

The Chemical and Volume Control System Makeup Isolation ESFAS protective function is actuated by Pressurizer Water Level - High 2.

AP1000 STS B 3.3.8-34 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 175

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when above the P-19 interlock with the RCS not being cooled by the RNS. This Function is not required to be OPERABLE in MODE 4either below the P-19 setpoint or with the RCS being cooled by the RNS, or bothand in MODES 5 and 6.

The CVS Makeup Isolation on Pressurizer Water Level - High 2 ESFAS Function is not required to mitigate a DBA in these conditions.

10. Pressurizer Water Level - High 3 PRHR is actuated and the pressurizer heaters are tripped when the pressurizer water level reaches its High 3 setpoint. This signal provides protection against a pressurizer overfill following an inadvertent core makeup tank actuation with consequential loss of offsite power. This instrument Function is automatically unblocked when RCS pressure is above the P-19 (RCS pressure) setpoint.

The ESFAS protective functions actuated by Pressurizer Water Level - High 3 are:

PRHR Heat Exchanger Actuation; and

Pressurizer Heater Trip.

This Function is required to be OPERABLE in MODES 1, 2, and 3, and in MODE 4 when the RCS is not being cooled by the RNS and RCS Pressure is above the P-19 interlock setpoint. This Function is not required to be OPERABLE in MODES 5 and 6 because it is not required to mitigate a DBA in these MODES.

11. RCS Cold Leg Temperature (Tcold) - Low This signal provides protection against the following accidents:

SLB;

Feed line break; and

Inadvertent opening of an SG relief valve or an SG safety valve.

AP1000 STS B 3.3.8-35 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 176

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The ESFAS protective functions actuated by RCS Cold Leg Temperature (Tcold) - Low are:

Safeguards Actuation;

Steam Line Isolation; and

Startup Feedwater Isolation.

This Function provides closure of the MSIVs during a SLB or inadvertent opening of a SG relief or a safety valve to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment. This Function also closes the startup feedwater control and isolation valves and trips the startup feedwater pumps if reactor coolant system cold leg temperature is below the Tcold - Low setpoint in any loop.

The LCO requires four channels of Tcold - Low to be OPERABLE in MODES 1 and 2, and in MODE 3 with any main steam isolation valve open and above P-11 when the RCS boron concentration is below that necessary to meet the SDM requirements at an RCS temperature of 200°F. At these conditions, a secondary side break or stuck open valve could result in the rapid cooldown of the primary side. Four channels are provided in each loop to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation because the cold leg temperature is reduced below the actuation setpoint.

12. Tavg - Low 1 This signal provides protection against excessive feedwater flow by closing the main feedwater control valves. This signal results from a coincidence of two of the four divisions of reactor loop average temperature below the Low 1 setpoint coincident with the Reactor Trip (P-4) permissive. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument Function.

AP1000 STS B 3.3.8-36 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 177

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Main Feedwater Control Valve Isolation ESFAS protective function is actuated by Tavg - Low 1 provided a P-4 signal is present indicating that a reactor trip has occurred or has been initiated.

Closing the Main Feedwater Control Valves on Tavg - Low 1 coincident with P-4 is required to be OPERABLE in MODES 1 and 2. Failure to close the main feedwater control valves following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

13. Tavg - Low 2 This signal provides protection against excessive feedwater flow by closing the main feedwater isolation and crossover leg valves, and tripping of the main feedwater pumps. This signal results from a coincidence of two out of four divisions of reactor loop average temperature below the Low 2 setpoint coincident with the P-4 permissive (which initiates main turbine trip).

Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument Function. This Function may be manually blocked when the pressurizer pressure is below the P-11 setpoint.

The block is automatically removed when the pressurizer pressure is above the P-11 setpoint.

The Main Feedwater Pump Trip and Valve Isolation ESFAS protective function is actuated by Tavg - Low 2.

This Function is required to be OPERABLE in MODES 1 and 2 to mitigate the effects of a large SLB or a large FLB. Failure to trip the turbine or isolate the main feedwater system following a SLB or FLB can lead to additional mass and energy being delivered to the steam generators, resulting in excessive cooldown and additional mass and energy release in containment.

AP1000 STS B 3.3.8-37 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 178

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

14. RCS Wide Range Pressure - Low The fourth stage depressurization valves open on manual actuation, but are interlocked to actuate coincident with the presence of either a Low RCS pressure signal or an ADS Stages 1, 2, & 3 actuation signal. These interlocks minimize the potential for inadvertent opening of the ADS Stage 4 depressurization valves. This consideration is important in PRA modeling to improve the reliability of reducing the RCS pressure following a small-break LOCA or transient event.

The ADS Stage 4 Actuation ESFAS protective function is actuated by RCS Wide Range Pressure - Low.

This Function must be OPERABLE in MODES 1, 2, 3, 4, and 5. This Function must also be OPERABLE in MODE 6 with the upper internals in place.

15. CMT Level - Low 1 This Function ensures continued passive injection or borated water to the RCS following a small break LOCA. ADS Stages 1, 2 and 3 actuation is initiated when the CMT Level reaches its Low 1 setpoint coincident with any CMT Actuation signal. Four channels are provided in each CMT to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function.

The ADS Stages 1, 2, & 3 Actuation ESFAS protective function is actuated by CMT Level - Low 1.

This Function must be OPERABLE in MODES 1, 2, 3, and 4. This Function must also be OPERABLE in MODE 5 with the RCS pressure boundary intact and pressurizer level 20%. In MODE 5, only one CMT is required to be OPERABLE in accordance with LCO 3.5.3, CMTs - Shutdown, RCS Intact; therefore, CMT level channels are only required on an OPERABLE CMT.

AP1000 STS B 3.3.8-38 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 179

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

16. CMT Level - Low 2 The fourth stage depressurization valves open on CMT Level -

Low 2 in two-out-of-four channels in either CMT. Actuation of the fourth stage depressurization valves is interlocked with the third stage depressurization signal such that the fourth stage is not actuated unless the third stage has been previously actuated following a preset time delay. Actuation of the fourth stage ADS valves is further interlocked with a low RCS pressure signal such that the ADS Stage 4 actuation is not actuated unless the RCS pressure is below a predetermined setpoint.

Four channels of CMT level instrumentation are provided per tank to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function.

The ADS Stage 4 Actuation ESFAS protective function is actuated by CMT Level - Low 2.

This Function must be OPERABLE in MODES 1, 2, 3, 4, and 5. In MODE 5, only one CMT is required to be OPERABLE in accordance with LCO 3.5.3, CMTs - Shutdown, RCS Intact; therefore, CMT level channels are only required on an OPERABLE CMT.

17. Source Range Neutron Flux Doubling The source range neutron detectors are used for this instrument Function. A signal to block boron dilution is derived from source range neutron flux increasing at an excessive rate (source range neutron flux doubling). The LCO requires four divisions to be OPERABLE. There are four divisions and two-out-of-four logic is used. On a coincidence of excessively increasing source range neutron flux in two of the four divisions, demineralized water is isolated from the makeup pumps and reactor coolant makeup is isolated from the reactor coolant system to preclude a boron dilution event.

The Boron Dilution Block ESFAS protective function is actuated by Source Range Neutron Flux Doubling.

AP1000 STS B 3.3.8-39 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 180

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The signal to block boron dilution on source range neutron flux increasing at an excessive rate (source range neutron flux doubling) must be OPERABLE in MODES 2 and 3, when not critical or during an intentional approach to criticality, and in MODES 4 and 5. This Function is not applicable in MODES 4 and 5 if the demineralized water makeup flow path is isolated. In MODE 6, a dilution event is precluded by the requirement in LCO 3.9.2 to close, lock and secure at least one valve in each unborated water source flow path.

18. IRWST Level - Low 3 A low IRWST level coincident with a ADS Stage 4 Actuation signal will open the containment recirculation valves. Four channels of IRWST Level - Low 3 instrumentation are provided to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument Function.

The IRWST Containment Recirculation Valve Actuation ESFAS protective function is actuated by IRWST Level - Low 3.

Four channels of IRWST Level - Low 3 are required to be OPERABLE in MODES 1, 2, 3, 4, and 5, and MODE 6 with the upper internals in place.

19. Reactor Coolant Pump Bearing Water Temperature - High The CCS containment isolation valves are closed and the RCPs are tripped if two-out-of-four sensors on any RCP indicate high bearing water temperature.

The ESFAS protective functions actuated by Reactor Coolant Pump Bearing Water Temperature - High are:

Reactor Coolant Pump Trip; and

Component Cooling Water System Containment Isolation Valve Closure.

This Function is required to be OPERABLE in MODES 1, 2, 3, and 4. Four channels are provided for each RCP to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function.

AP1000 STS B 3.3.8-40 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 181

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

20. SG Narrow Range Water Level - Low PRHR is actuated when the SG Narrow Range Water Level reaches its low setpoint coincident with an indication of low Startup Feedwater Flow. The LCO requires four channels per steam generator to be OPERABLE to satisfy the requirements with a two-out-of-four logic. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function. The Setpoint reflects both steady state and adverse environmental instrument uncertainties as the detectors provide protection for an event that results in a harsh environment.

The ESFAS protective functions actuated by SG Narrow Range Water Level - Low are:

PRHR Heat Exchanger Actuation; and

SG Blowdown Isolation The SG Narrow Range Water Level - Low Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when the RCS is not being cooled by the Normal Residual Heat Removal System (RNS). This ensures that PRHR can be actuated in the event of a loss of the normal heat removal systems. In MODE 4 when the RCS is being cooled by the RNS, and in MODES 5 and 6, the SGs are not required to provide the normal RCS heat sink. Therefore, startup feedwater flow is not required, and PRHR actuation on low steam generator narrow range water level is not required.

21. SG Wide Range Water Level - Low PRHR is also actuated when the SG Wide Range Water Level reaches its Low Setpoint. There are four wide range level channels for each steam generator and a two-out-of-four logic is used. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this instrument Function.

The PRHR Heat Exchanger Actuation ESFAS protective function is actuated by SG Narrow Range Water Level - Low.

AP1000 STS B 3.3.8-41 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 182

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function is required to be OPERABLE in MODES 1, 2, and 3 and in MODE 4 when the RCS is not being cooled by the RNS. This ensures that PRHR can be actuated in the event of a loss of the normal heat removal systems. In MODE 4 when the RCS is being cooled by the RNS, and in MODES 5 and 6, the SGs are not required to provide the normal RCS heat sink. Therefore, SG Wide Range Water Level is not required, and PRHR actuation on low wide range SG level is not required.

22. SG Narrow Range Water Level - High If steam generator narrow range water level reaches the High setpoint in either steam generator coincident with a Reactor Trip (P-4), then all startup feedwater control and isolation valves are closed, the startup feedwater pumps are tripped, and the isolation valves for the CVS are closed. This instrument Function prevents adding makeup water to the RCS during an SGTR. Four channels are provided in each steam generator to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this function.

The ESFAS protective functions actuated by SG Narrow Range Water Level - High are:

Startup Feedwater Isolation; and

Chemical and Volume Control System Makeup Isolation.

This Function is required to be OPERABLE in MODES 1, 2, 3, and 4. This Function is not required to be OPERABLE in MODES 5 and 6 because the RCS pressure and temperature are reduced and a steam generator tube rupture event is not credible.

23. SG Narrow Range Water Level - High 2 This signal provides protection against excessive feedwater flow by closing the main feedwater control, isolation and crossover valves, tripping of the main feedwater pumps, and tripping the turbine. The signal also prevents adding makeup water to the RCS during a SGTR by closing the isolation valves for the CVS. Four channels are provided to permit one channel to be in trip or bypass indefinitely AP1000 STS B 3.3.8-42 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 183

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) and still ensure no single random failure will disable this instrument Function.

The ESFAS protective functions actuated by SG Narrow Range Water Level - High 2 are:

Turbine Trip;

Main Feedwater Control Valve Isolation;

Main Feedwater Pump Trip and Valve Isolation;

Startup Feedwater Isolation, and

Chemical and Volume Control System Makeup Isolation.

The transmitters (d/p cells) are located inside containment.

However, the events which this Function protect against cannot cause severe environment in containment. Therefore, the Setpoint reflects only steady state instrument uncertainties. The LCO requires four channels of SG Narrow Range Water Level - High 2 instrumentation per steam generator to be OPERABLE in MODES 1, 2, 3, and 4 when there is significant mass and energy in the RCS and the steam generators. In MODES 5 and 6, the energy in the RCS and the steam generators is low and this Function is not required to be OPERABLE.

24. Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the following accidents:

SLB;

Feed line break; and

Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - Low provides closure of the PORV flow paths in the event of SGTR in which the PORV(s) open, to limit the radiological releases from the ruptured steam generator into the AP1000 STS B 3.3.8-43 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 184

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) atmosphere. Steam Line Pressure - Low also provides closure of the MSIVs in the event of an SLB to limit the mass and energy release to containment and limit blowdown to a single SG.

Four channels are provided in each steam line to permit one channel to be in trip or bypass indefinitely and still ensure that no single random failure will disable this instrument Function.

This Function is anticipatory in nature and has a typical leading/lag ratio of 50/5. It is possible for the transmitters to experience adverse environmental conditions during a secondary side break. Therefore, the NTS reflects both steady state and adverse environmental instrument uncertainties.

The ESFAS protective functions actuated by Steam Line Pressure -

Low are:

Safeguards Actuation;

Steam Line Isolation; and

SG Power Operated Relief Valve and Block Valve Isolation.

The LCO requires four channels per steam line of Steam Line Pressure - Low Function to be OPERABLE in MODES 1, 2, and 3, and MODE 4 with the RCS cooling not being provided by the RNS.

25. Steam Line Pressure-Negative Rate - High Steam Line Pressure-Negative Rate - High provides closure of the MSIVs for an SLB, when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low when less than the P-11 setpoint, the Steam Line Pressure-Negative Rate - High signal is automatically enabled.

The Steam Line Isolation ESFAS protective function is actuated by Steam Line Pressure-Negative Rate - High.

AP1000 STS B 3.3.8-44 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 185

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires four channels of Steam Line Pressure-Negative Rate - High instrumentation per steam line to be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). Four channels are provided in each steam line to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this trip instrument Function. In MODES 1 and 2, and in MODE 3 when above the P-11 setpoint with the RCS boron concentration below that necessary to meet the SDM requirements at an RCS temperature of 200°F, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled.

In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

While the transmitters may experience elevated ambient temperatures due to a steam line break, the instrument Function is on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the NTS reflects only steady state instrument uncertainties.

ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this specification may be entered independently for each Function listed on Table 3.3.8-1. The Completion Time(s) of the inoperable equipment of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

In the event a channels as-found condition is outside the as-found tolerance described in the SP, or the channel is not functioning as required, or the transmitter, or the Protection and Safety Monitoring System Division, associated with a specific Function is found inoperable, then all affected protection Functions supported by or dependent on that channel must be declared inoperable and the LCO Condition(s) entered for the particular protection Function(s) affected. When the Required Channels are specified only on a per steam line, per loop, per SG, basis, then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

AP1000 STS B 3.3.8-45 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 186

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

A.1 Condition A is applicable to the ESFAS protection Functions listed in Table 3.3.8-1. Condition A addresses the situation where one channel for one or more functions is inoperable. With one channel inoperable, the affected channel must be placed in a bypass or trip condition within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If one channel is bypassed, the logic becomes two-out-of-three, while still meeting the single failure criterion. (A failure in one of the three remaining channels will not prevent the protective function.) If one channel is tripped, the logic becomes one-out-of-three, while still meeting the single failure criterion. (A failure in one of the three remaining channels will not prevent the protective function.) The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed to place the inoperable channel(s) in the bypassed or tripped condition is justified in Reference 5.

B.1 and B.2 With one or more functions with two channels inoperable, one affected channel must be placed in bypass and one affected channel must be placed in trip within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If one channel is bypassed and one channel is tripped, the logic becomes one-out-of-two, while still meeting the single failure criterion. The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowed to place one inoperable channel(s) in bypass and one inoperable channel(s) in trip is justified in Reference 5.

C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.8-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A or B are not met or if three or more channels for one or more Functions are inoperable Condition C is entered to provide for transfer to the appropriate subsequent Condition.

D.1 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels for one or more Functions are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

AP1000 STS B 3.3.8-46 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 187

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

E.1 and E.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

F.1 and F.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 4 with the RCS being cooled by the RNS within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed time is reasonable, based on operating experience, to reach the required plant conditions in an orderly manner without challenging plant systems.

G.1, G.2, and G.3 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and establishing RNS cooling of the RCS within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

H.1 and H.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE in which the LCO does not apply. This is accomplished by placing the plant in MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions AP1000 STS B 3.3.8-47 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 188

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued) from full power conditions in an orderly manner without challenging plant systems.

I.1 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the affected isolation valve(s) must be declared inoperable immediately. Declaring the affected isolation valve inoperable allows the supported system Actions (i.e., for inoperable valves) to dictate the required measures.

The respective isolation valve LCO provides appropriate actions for the inoperable components. This action is in accordance with LCO 3.0.6, which requires that the applicable Conditions and Required Actions for the isolation valves declared inoperable shall be entered in accordance with LCO 3.0.2.

J.1 and J.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. Required Action J.1 requires that the plant shall be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by placing the plant in MODE 5. Once in MODE 5, action shall be initiated to open the RCS pressure boundary and establish 20% pressurizer level. Opening the RCS pressure boundary assures that cooling water can be injected without ADS operation. Filling the RCS to provide 20% pressurizer level minimizes the consequences of a loss of decay heat removal event.

The Completion Time to be in MODE 5 (Required Action J.1) is 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months with three or more channels for the affected Function inoperable. This time is based on the time provided in LCO 3.0.3 to reach MODE 5. The 180 hour0.00208 days 0.05 hours 2.97619e-4 weeks 6.849e-5 months Completion Time is based on the ability of the two remaining OPERABLE channels to provide the protective Function.

AP1000 STS B 3.3.8-48 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 189

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

K.1 and K.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by immediately initiating action to open the RCS pressure boundary and establish 20%

pressurizer level. Additionally, action is required to immediately suspend positive reactivity additions. These requirements minimize the consequences of the loss of decay heat removal by maximizing RCS inventory and maintaining RCS temperature as low as practical.

Additionally, the potential for a criticality event is minimized by suspension of positive reactivity additions.

L.1and L.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by immediately initiating action to suspend positive reactivity additions. This requirement minimizes the consequences of the loss of decay heat removal by maximizing RCS inventory and maintaining RCS temperature as low as practical. The potential for a criticality event is also minimized by suspension of positive reactivity additions. Additionally, Required Action L.2 requires that action be immediately initiated to remove the upper internals.

M.1, M.2, and M.3 If the Required Action and associated Completion Time of Condition A or B is not met, the plant must be placed in a MODE in which the likelihood and consequences of an event are minimized. This is accomplished by placing the plant in MODE 5 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is a reasonable time to reach MODE 5 from MODE 4 with RCS cooling provided by the RNS (approximately 350°F) in an orderly manner without challenging plant systems. Required Action M.3 requires initiation of action within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to close the RCS pressure boundary and establish 20% pressurizer level. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time allows transition to MODE 5 in accordance with M.2, if needed, prior to initiating action to open the RCS pressure boundary.

AP1000 STS B 3.3.8-49 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 190

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

Required Action M.1 minimizes the potential for a criticality event by suspension of positive reactivity additions. Required Actions M.2 and M.3 minimize the consequences of a loss of decay heat removal event by optimizing conditions for RCS cooling in MODE 5 using the PRHR HX. Additionally, maximizing RCS inventory and maintaining RCS temperature as low as practical further minimize the consequences of a loss of decay heat removal event. Closing the RCS pressure boundary in MODE 5 assures that PRHR HX cooling is available.

N.1 and N.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the plant must be placed in a condition in which the likelihood and consequences of an event are minimized. This is accomplished by immediately initiating action to establish the reactor cavity water level 23 feet above the top of the reactor vessel flange and immediately suspending positive reactivity additions.

Required Action N.2 minimizes the consequences of a loss of decay heat removal event by maximizing RCS inventory and maintaining RCS temperature as low as practical further minimizes the consequences of a loss of decay heat removal event. Additionally, the potential for a criticality event is minimized by suspension of positive reactivity additions in accordance with Required Action N.1.

O.1 and O.2 If the Required Action and associated Completion Time of Condition A or B is not met or if three or more channels are inoperable, the affected isolation valve(s) must be declared inoperable immediately. Declaring the affected isolation valve inoperable allows the supported system Actions (i.e., for inoperable valves) to dictate the required measures.

The respective isolation valve LCOs provide appropriate actions for the inoperable components. This action is in accordance with LCO 3.0.6, which requires that the applicable Conditions and Required Actions for the isolation valves declared inoperable shall be entered in accordance with LCO 3.0.2. Additionally, Required Action O.2 requires that the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed time is reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

AP1000 STS B 3.3.8-50 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 191

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES ACTIONS (continued)

P.1, P.2, and P.3 If the Required Action and associated Completion Time of Condition A or B is not met, the plant must be placed in a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

A containment air flow path 6 inches in diameter shall be opened within 44 hours5.092593e-4 days 0.0122 hours 7.275132e-5 weeks 1.6742e-5 months from Condition entry. Opening any flow path (or paths) with an area equivalent to 6 inches in diameter provides the required vacuum relief path in the event of a low pressure event.

The primary means of opening a containment air flow path is by establishing a VFS air flow path into containment. Manual actuation and maintenance as necessary to open a purge supply, purge exhaust, or vacuum relief flow path are available means to open a containment air flow path. In addition, opening of a spare penetration is an acceptable means to provide the necessary flow path. Opening of an equipment hatch or a containment airlock is acceptable. Containment air flow paths opened must comply with LCO 3.6.7, Containment Penetrations.

The 44 hour5.092593e-4 days 0.0122 hours 7.275132e-5 weeks 1.6742e-5 months Completion Time is reasonable for opening a containment air flow path in an orderly manner.

SURVEILLANCE The following SRs apply to each ESFAS Instrumentation Function in REQUIREMENTS Table 3.3.8-1.

SR 3.3.8.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or even something more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the AP1000 STS B 3.3.8-51 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 192

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued) instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the match criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside their corresponding limits.

The Surveillance Frequency is based on operating experience that demonstrates that channel failure is rare. Automated operator aids may be used to facilitate performance of the CHANNEL CHECK.

SR 3.3.8.2 SR 3.3.8.2 is the performance of a CHANNEL OPERATIONAL TEST (COT) every 92 days. The test is performed in accordance with the SP.

If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A COT is performed on each required channel to provide reasonable assurance that the entire channel will perform the intended ESF Function.

A test subsystem is provided with the PMS to aid the plant staff in performing the COT. The test subsystem is designed to allow for complete functional testing by using a combination of system self-checking features, functional testing features, and other testing features.

Successful functional testing consists of verifying that the capability of the system to perform the safety function has not failed or degraded.

AP1000 STS B 3.3.8-52 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 193

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)

For hardware functions this would involve verifying that the hardware components and connections have not failed or degraded. Generally this verification includes a comparison of the outputs from two or more redundant subsystems or channels.

Since software does not degrade, software functional testing involves verifying that the software code has not changed and that the software code is executing.

To the extent possible, PMS functional testing is accomplished with continuous system self-checking features and the continuous functional testing features. The COT shall include a review of the operation of the test subsystem to verify the completeness and adequacy of the results.

If the COT cannot be completed using the built-in test subsystem, either because of failures in the test subsystem or failures in redundant channel hardware used for functional testing, the COT can be performed using portable test equipment.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this COT. This portion of the COT ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP. If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The 92 day Frequency is based on Reference 5 and the use of continuous diagnostic test features, such as deadman timers, cross-check of redundant channels, memory checks, numeric coprocessor checks, and tests of timers, counters and crystal time bases, which will report a failure within the integrated protection cabinets (IPCs) to the operator.

During the COT, the PMS cabinets in the division under test may be placed in bypass.

AP1000 STS B 3.3.8-53 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 194

GTST AP1000-O61-3.3.8, Rev. 1 ESFAS Instrumentation B 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.8.3 SR 3.3.8.3 is the performance of a CHANNEL CALIBRATION every 24 months or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor and the IPC. The test is performed in accordance with the SP. If the actual setting of the channel is found to be outside the as-found tolerance, the channel is considered inoperable. This condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTS (within the allowed as-left tolerance), and evaluating the channels response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation. Transmitter calibration must be performed consistent with the assumptions of the setpoint methodology.

The difference between the current as-found values and the previous as-left values must be consistent with the transmitter drift allowance used in the setpoint methodology.

Interlocks implicitly required to support the Function's OPERABILITY are also addressed by this CHANNEL CALIBRATION. This portion of the CHANNEL CALIBRATION ensures the associated Function is not bypassed when required to be enabled. This can be accomplished by ensuring the interlocks are calibrated properly in accordance with the SP.

If the interlock is not automatically functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations performed for the affected Function. The affected Functions OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function. When an interlock is not supporting the associated Functions OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The setpoint methodology requires that 30 months drift be used (1.25 times the surveillance calibration interval, 24 months).

The Frequency is based on operating experience and consistency with the refueling cycle.

AP1000 STS B 3.3.8-54 Rev. 0 Date report generated:

Monday, June 29, 2015 Page 195