ML23067A182
Person / Time | |
---|---|
Site: | Callaway |
Issue date: | 12/29/2022 |
From: | Union Electric Co, Ameren Missouri |
To: | Office of Nuclear Reactor Regulation |
Shared Package | ML23067A139 |
References | ULNRC-06782 |
CALLAWAY PLANT
CHAPTER TABLE OF CONTENTS
CHAPTER B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.1 AC Sources - Operating
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.2 AC Sources - Shutdown
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.4 DC Sources - Operating
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.5 DC Sources - Shutdown
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.6 Battery Cell Parameters
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.7 Inverters - Operating
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABLE SAFETY ANALYSES (continued)
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.8 Inverters - Shutdown
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.9 Distribution Systems - Operating
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES
B 3.8.10 Distribution Systems - Shutdown
    BACKGROUND
    APPLICABLE SAFETY ANALYSES
    LCO
    APPLICABILITY
    ACTIONS
    SURVEILLANCE REQUIREMENTS
    REFERENCES

LIST OF TABLES
Number Title
B 3.8.9-1 AC and DC Electrical Power Distribution Systems
CALLAWAY PLANT B 3.8.1-1 Revision 16
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.1 AC Sources - Operating
BASES
BACKGROUND
The unit Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.
The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train can be supplied by a single DG, and each train has the capability for connection to either of the preferred offsite power sources. The preferred offsite source connection configuration, however, is for one offsite power source to be connected to its associated train (NB01 bus) and the other offsite power source to be connected to its associated train (NB02 bus), in order to maintain separation and independence to the extent practical.
Offsite power is supplied to the unit switchyard from the transmission network by four transmission lines. From the switchyard, two electrically and physically separated circuits provide AC power, through ESF transformers, to the 4.16 kV ESF buses. Automatic load tap changers associated with the ESF transformers, as well as associated capacitor banks, provide voltage regulation for the preferred sources in the event of changing switchyard voltage. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the FSAR, Chapter 8 (Ref. 2).
An offsite circuit consists of all breakers, transformers, voltage regulation equipment, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the associated onsite Class 1E ESF bus.
Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer supplying offsite power to the onsite Class 1E Distribution System. Within 1 minute after the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service via the load sequencer.
The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DGs NE01 and NE02 are dedicated to ESF buses NB01 and NB02, respectively. A DG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure, steam line pressure or high containment pressure signals) or on an ESF bus undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation"). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage, degraded voltage or voltage imbalance, independent of or coincident with an SI signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone.
Following the trip of offsite power, a Load Shedder and Emergency Load Sequencer (LSELS) strips nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the LSELS. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.
In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).
Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within 1 minute after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.
Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 6201 kW with 10% overload permissible for up to 2 hours in any 24 hour period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.
APPLICABLE SAFETY ANALYSES
The initial conditions of DBA and transient analyses in the FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.
These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the Accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during Accident conditions in the event of:
a. An assumed loss of all offsite power or all onsite AC power; and
b. A worst case single failure.
The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
Two qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Power System, along with separate and independent DGs for each train, ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.
Qualified circuits are those that are described in the FSAR and are part of the licensing basis for the unit. The capacities of the transformers and inclusion of normal and alternate feeder breakers in the offsite circuit connections to the ESF buses provide flexibility and diversity in the means to provide offsite power to each bus, as described in the FSAR. However, to maintain separation and independence of the offsite power sources for the ESF buses and their redundant trains of safety equipment, two qualified offsite power source connection circuits are specifically required for meeting the requirements of LCO 3.8.1.
One required offsite circuit consists of either Safeguards Transformer A or B, which is supplied from Switchyard Bus A or B and feeds through a breaker to ESF transformer XNB01, which in turn powers the NB01 ESF bus through its normal feeder breaker. The other required offsite circuit consists of the Startup Transformer, which is normally fed from the switchyard through breaker PA0201 and feeds to ESF transformer XNB02, which in turn powers the NB02 ESF bus through its normal feeder breaker.
Each offsite circuit must be capable of maintaining rated frequency and voltage on all three phases, and accepting required loads during an accident, while connected to its associated ESF bus.
In addition, one required LSELS per train must be OPERABLE.
Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This will be accomplished within 12 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot and DG in standby with the engine at ambient conditions. Additional DG capabilities must be demonstrated to meet required Surveillance, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.
Initiating a DG start upon a detected undervoltage condition, tripping of the incoming offsite power upon a detected undervoltage or degraded voltage condition, shedding of nonessential loads, and proper sequencing of loads are required functions of LSELS and required for DG OPERABILITY.
OPERABILITY of the undervoltage and degraded voltage instrumentation functions is addressed in LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation."
The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, separation and independence are complete. For the offsite AC sources, separation and independence are to the extent practical. A circuit may be connected to more than one ESF bus provided the appropriate LCO Required Actions are entered for loss of one offsite power source.
APPLICABILITY
The AC sources and LSELS trains are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
The AC power requirements for MODES 5 and 6 and during movement of irradiated fuel assemblies are covered in LCO 3.8.2, "AC Sources-Shutdown."
ACTIONS
A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.
There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
A.1
To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if the second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.
A.2
Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features. These features are powered from the redundant AC electrical power train. This includes motor driven auxiliary feedwater pumps and the turbine driven auxiliary feedwater pump which must be available for mitigation of a feedwater line break. Single train systems, other than the turbine driven auxiliary feedwater pump, are not included in this condition.
A Note is added to this Required Action stating that in MODES 1, 2, and 3, the turbine driven auxiliary feedwater pump is considered a required redundant feature. The reason for the Note is to confirm the OPERABILITY of the turbine driven auxiliary feedwater pump in this Condition, since the unaffected train's motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis.
The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
a. The train has no offsite power supplying its loads; and
b. A required feature on the other train is inoperable.
If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable coincident with no offsite power to one train of the onsite Class 1E Electrical Power Distribution System, this Completion Time begins to be tracked.
Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.
Required Action A.2 is no longer applicable when the train of onsite Class 1E Electrical Power Distribution System is connected to the remaining OPERABLE offsite circuit. In this case, Required Actions A.1 and A.3 continue to apply.
The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
A.3
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.
The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours. This could lead to a total of 144 hours, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 72 hours (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.
As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition A was entered.
B.1
To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.
B.2
Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related trains. This includes motor driven auxiliary feedwater pumps and the turbine-driven auxiliary feedwater pump which must be available for mitigation of a feedwater line break. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG.
A Note is added to this Required Action stating that in MODES 1, 2, and 3, the turbine driven auxiliary feedwater pump is considered a required redundant feature. The reason for the Note is to confirm the OPERABILITY of the turbine driven auxiliary feedwater pump in this Condition, since the unaffected train's motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis.
The Completion Time for Required Action B.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
a. An inoperable DG exists; and
b. A required feature on the other train (Train A or Train B) is inoperable.
If at any time during the existence of this Condition (one DG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.
Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.
In this Condition, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
B.3.1 and B.3.2
Required Action B.3.1 provides an allowance to avoid unnecessary testing of the OPERABLE DG. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the DG was declared inoperable for preplanned preventive maintenance, testing, or maintenance to correct a condition which, if left uncorrected, would not affect the OPERABILITY of the DG, or for an inoperable Support System, or for an independently testable component, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on the other DG, the other DG would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists, and Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG. Required Action B.3.2 is modified by a Note stating that it is satisfied by the automatic start and sequence loading of the DG.
In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B.
According to Generic Letter 84-15 (Ref. 7), 24 hours is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.
B.4 Both Completion Times of Required Action B.4 are modified by a Note that allows a one-time Completion Time of 14 days to support the planned replacement of ESW B train piping prior to April 30, 2009.
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition B for a period that should not exceed 72 hours.
In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours. This could lead to a total of 144 hours, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.
As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.
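The interaction of the two B.4 Completion Times, worked through as an added example (not part of the Bases and not plant software): it replays the alternating-outage scenario described above and shows the 72 hour clock alone reaching 9 days while the 6 day limit caps restoration at 144 hours. The source names and event hours are constructed, applying the same 72 hour limit to the offsite circuit follows the scenario in the text, and the shorter Completion Times of other Conditions and the one-time 14 day Note are not modeled.

```python
# Added illustration only. Models the two Completion Times of Required
# Action B.4 as described in the text; Conditions C, D and E (shorter
# Completion Times) and the one-time 14 day Note are out of scope.

PER_CONDITION_HOURS = 72.0     # clock starts when the Condition is entered
LCO_NOT_MET_HOURS = 6 * 24.0   # clock starts when the LCO was first not met


def restoration_deadline(condition_entered, lco_first_not_met):
    """Both Completion Times apply at once; the more restrictive governs."""
    return min(condition_entered + PER_CONDITION_HOURS,
               lco_first_not_met + LCO_NOT_MET_HOURS)


def track(events, apply_lco_limit=True):
    """Replay (hour, source, operable) events given in time order.

    Returns a list of (hour, {source: deadline_hour}) snapshots, one per
    event, covering every source still inoperable after that event.
    "Time zero" for the 6 day limit is the start of the current contiguous
    period in which any required source is inoperable; it resets only when
    every source is OPERABLE again.
    """
    entered = {}        # source -> hour its Condition was entered
    time_zero = None    # hour the LCO was first not met (contiguous period)
    snapshots = []
    for hour, source, operable in events:
        if operable:
            entered.pop(source, None)
            if not entered:
                time_zero = None          # LCO met again; clock resets
        else:
            if not entered:
                time_zero = hour          # first failure to meet the LCO
            entered.setdefault(source, hour)
        deadlines = {}
        for name, start in entered.items():
            if apply_lco_limit:
                deadlines[name] = restoration_deadline(start, time_zero)
            else:
                deadlines[name] = start + PER_CONDITION_HOURS
        snapshots.append((hour, deadlines))
    return snapshots


# Constructed events following the scenario in the text: each source is lost
# just before the other one is restored, so the LCO is never met in between.
SCENARIO = [
    (0,   "offsite circuit", False),
    (72,  "DG",              False),
    (72,  "offsite circuit", True),
    (144, "offsite circuit", False),
    (144, "DG",              True),
]

if __name__ == "__main__":
    for label, limit in (("72 hour clock only", False),
                         ("72 hour AND 6 day", True)):
        print(label)
        for hour, deadlines in track(SCENARIO, apply_lco_limit=limit):
            print(f"  t={hour:>3} h  restore by: {deadlines}")
```
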
C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps and the turbine driven auxiliary feedwater pump which must be available for mitigation of a feedwater line break. Single train features, other than the turbine driven auxiliary feedwater pump, are not included in this Condition.
A Note is added to this Required Action stating that in MODES 1, 2, and 3, the turbine driven auxiliary feedwater pump is considered a required redundant feature. The reason for the Note is to confirm the OPERABILITY of the turbine driven auxiliary feedwater pump in this Condition, since one motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis.
The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:
a. All required offsite circuits are inoperable; and
b. A required feature is inoperable.
If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.
Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.
However, two factors tend to decrease the severity of this level of degradation:
a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.
With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.
According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours. If two offsite sources are restored within 24 hours, unrestricted operation may continue. If only one offsite source is restored within 24 hours, power operation continues in accordance with Condition A.
D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of one offsite circuit and one DG, without regard to whether a train is de-energized.
LCO 3.8.9 provides the appropriate restrictions for a de-energized train.
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours.
In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.
E.1 With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted.
The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.
According to Reference 6, with both DGs inoperable, operation may continue for a period that should not exceed 2 hours.
F.1 Required Action F.1 provides assurance that the appropriate Action is entered for the affected DG and offsite circuit if its associated Load Shedder and Emergency Sequencer (LSELS) becomes inoperable. A sequencer failure results in the inability to start all or part of the safety loads powered from the associated ESF bus and thus when an LSELS is inoperable it is appropriate to immediately enter the Conditions for an inoperable DG and offsite circuit. Because an inoperable LSELS affects all or part of the safety loads, an immediate Completion Time is appropriate, and the allowed Completion Time for an inoperable DG and offsite circuit of 12 hours is consistent with the 12 hours allowed for an inoperable LSELS.
F.2 The Load Shedder and Emergency Load Sequencer is an essential support system to both the offsite circuit and the DG associated with a given ESF bus. Furthermore, the sequencer is on the primary success path for most major AC electrically powered safety systems powered from the associated ESF bus. Therefore, loss of an ESF bus sequencer affects every major ESF system in the division. The 12 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining sequencer OPERABILITY. This time period also ensures that the probability of an accident (requiring sequencer OPERABILITY) occurring during periods when the sequencer is inoperable is minimal.
G.1 and G.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.
H.1 Condition H corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.
SURVEILLANCE REQUIREMENTS The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, Appendix A, GDC 18 (Ref. 8).
Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3), Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10), as addressed in the FSAR. The SR frequencies for required tests are controlled under the Surveillance Frequency Control Program (SFCP) described in Technical Specification 5.5.18, as approved by the NRC via Amendment 202 to the Callaway Operating License.
Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state output voltage of 3740 V is 90% of the nominal 4160 V output voltage. This value, which is specified in ANSI C84.1 (Ref. 11), allows for voltage drop to the terminals of 4000-V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and other equipment down through the 120-V level where minimum operating voltage is also usually specified as 90% of name plate rating. This value provides for the OPERABILITY of all required loads as shown by load flow calculations in support of NRC Branch Technical Position PSB-1. The specified maximum steady state output voltage of 4320 V ensures that for a lightly loaded distribution system, the voltage at the terminals of motors and other equipment is no more than the maximum rated operating voltages. With respect to frequency tolerances, the specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations given in Regulatory Guide 1.9 (Ref. 3).
For the offsite electrical power sources, and in accordance with industry guidance (Ref. 17), voltage balance is monitored to ensure that three-phase motors or their protection circuits are not adversely impacted by open-phase conditions in the preferred offsite sources.
SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The verification of correct breaker alignment and indicated power availability ensures each breaker is in its correct position, power is available on all three phases of the offsite circuits, distribution buses and loads are connected to their preferred power source, and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition.
To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs are modified by a Note (Note 2 for SR 3.8.1.2) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup period prior to loading.
For the purposes of SR 3.8.1.2 and SR 3.8.1.7 testing, the DGs are started from standby conditions. For SR 3.8.1.7 the DGs are started using one of the following signals: 1) manual, or 2) simulated loss of offsite power by itself, or 3) safety injection test signal. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations.
In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3, which is only applicable when such modified start procedures are recommended by the manufacturer.
SR 3.8.1.7 requires that the DG starts from standby conditions and achieves required voltage and frequency within 12 seconds. The 12 second start requirement supports the assumptions of the design basis LOCA analysis in the FSAR, Chapter 15 (Ref. 5).
The 12 second start requirement is not applicable to SR 3.8.1.2 (see Note 3) when a modified start procedure as described above is used. If a modified start is not used, the 12 second start requirement of SR 3.8.1.7 applies. Since SR 3.8.1.7 requires a 12 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This is the intent of Note 1 of SR 3.8.1.2.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads and aligned to provide standby power to the associated emergency buses. A minimum run time of 60 minutes provides adequate time to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.
Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.
The DG is considered OPERABLE during performance of the Surveillance, i.e., while it is paralleled to the offsite power source, consistent with the Technical Evaluation contained in the Safety Evaluation provided for OL Amendment 162 (Reference 16), which includes consideration of the potential challenges to the DG and its response to a LOCA and/or a loss of offsite power, while it is paralleled to the offsite power source for testing.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by four Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients, because of changing bus loads, do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.
SR 3.8.1.4 This SR provides verification that the fuel oil transfer pump starts on low level in the day tank standpipe to automatically maintain the day tank fuel oil level above the DG fuel headers. The minimum fuel oil free surface elevation is required to be at least 130 inches above the baseline of the diesel generator skid. The transfer pump start/stop setpoints are controlled to maintain level in the standpipe in order to ensure there is sufficient fuel to meet the 12 second start requirement for the DG. This level also ensures adequate fuel oil for a minimum of 1 hour of DG operation at full load plus 10%.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during the performance of this Surveillance.
SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for fuel transfer systems are OPERABLE.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.7 See SR 3.8.1.2.
SR 3.8.1.8 Not Used
SR 3.8.1.9 Not Used
SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits.
The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide for DG damage protection. While the DG is not expected to experience this transient during an event and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.
In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a power factor ≥ 0.8 and ≤ 0.9. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience.
Simulated test conditions for the load rejection per this Surveillance may involve paralleling the DG to the offsite power source to establish the required load. The DG is considered OPERABLE while it is paralleled to the offsite power source, consistent with the Technical Evaluation contained in the Safety Evaluation provided for OL Amendment 162 (Reference 16), which includes consideration of the potential challenges to the DG and its response to a LOCA and/or a loss of offsite power, while it is paralleled to the offsite power source for testing.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The requirements of the "Single-Load Rejection Test" and the "Full-Load Rejection Test" as described in Regulatory Guide 1.9, Revision 3 have been combined. The "Full-Load Rejection Test" is a demonstration of the emergency diesel generator's capability to reject a load equal to 90 to 100 percent of its continuous rating (5580-6201 kilowatts) while operating at a power factor between 0.8 and 0.9 and that the voltage does not exceed 4784 volts and that the frequency does not exceed 65.4 Hertz following a load rejection of 5580 to 6201 kilowatts. The frequency criterion is from the "Single-Load Rejection Test" and is based on nominal engine speed plus 75 percent of the difference between nominal speed and the over-speed trip setpoint (Refs. 13 and 15).
The ESW pump, starting transient during the LOCA sequencing test, will be demonstrated to be within a minimum voltage of 3120 Vac and to recover to 3680 Vac within 3 seconds and to be within a maximum voltage of 4784 Vac and recover to 4320 Vac within 2 seconds. This is based on Regulatory Guide 1.9 Revision 3 Section 1.4 and past trending of ESW pump starting transient performance (Refs. 14 and 15).
SR 3.8.1.11 As required by Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(1), and the SFCP described in TS 5.5.18, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time.
The DG autostart time of 12 seconds is derived from requirements of the accident analysis to respond to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability is achieved.
The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow, or residual heat removal (RHR) systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG systems to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
The Note 2 restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post-work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (12 seconds) from the design basis actuation signal (SI signal) and operates for 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a safety injection signal without loss of offsite power.
The requirement to verify the connection of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems.
The Note 2 restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post-work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.13
This Surveillance demonstrates that DG noncritical protective functions are bypassed on a loss of voltage signal concurrent with safety injection signal. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.1.14
Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(3), requires periodic demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours. If the auto-connected design loads have increased above the continuous duty rating the load shall be increased to 110% of the continuous duty rating for 2 hours and the remainder of the time at a load equivalent to the continuous duty rating of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.
In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor of 0.8 and 0.9. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The generator voltage and frequency are maintained within 4160 + 160 - 420 volts and 60 +/- 1.2 Hz during this test.
Administrative controls for performing this Surveillance in MODES 1 or 2 with the DG connected to the offsite power supply ensure or require that:
a. Weather conditions are conducive for performing the Surveillance.
b. The offsite power supply and switchyard conditions are conducive for performing the Surveillance, which includes ensuring that switchyard access is restricted and no effective maintenance within the switchyard is performed.
c. No equipment or systems assumed to be available for supporting the performance of the Surveillance are removed from service.
The DG is considered OPERABLE during performance of the Surveillance, i.e., while it is paralleled to the offsite power source, consistent with the Technical Evaluation contained in the Safety Evaluation provided for OL Amendment 162 (Reference 16), which includes consideration of the potential challenges to the DG and its response to a LOCA and/or loss of offsite power, while it is paralleled to the offsite power source for testing.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This Surveillance is modified by two Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the power factor limit will not invalidate the test. The reason for Note 2 is that operating the DG for greater than 2 hours in the overloaded condition need not be performed, provided the auto-connected loads remain below the 6201 KW continuous rating of the DG.
SR 3.8.1.15
This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 12 seconds. The 12 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The requirement that the diesel has operated for at least 2 hours at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing.
SR 3.8.1.16
As required by Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(6), and the SFCP described in TS 5.5.18, this Surveillance ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and the DG can be returned to ready to load status when offsite power is restored. It also ensures that the autostart logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs.
The DG is considered to be in ready to load status when the DG is at rated speed and voltage, the output breaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timers are reset.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
The restriction from normally performing the Surveillance in MODE 1, 2, 3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post-work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2, 3 or 4. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.17
Demonstration of the test mode override ensures that the DG availability under accident conditions will not be compromised as the result of testing and the DG will automatically reset to ready to load operation if a safety injection signal is received during operation in the test mode. Ready to load operation is defined as the DG running at rated speed and voltage with the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 13), paragraph 6.2.6(2).
The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirement associated with SR 3.8.1.17.b is to show that the emergency loading was not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
The restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post-work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.18
Under accident and loss of offsite power conditions loads are sequentially connected to the bus by the Load Shedder and Emergency Load Sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence time interval tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.
Reference 2 provides a summary of the automatic loading of ESF buses.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
The restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post-work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
SR 3.8.1.19
In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.
This Surveillance demonstrates the DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with a safety injection signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. The reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.
The Note 2 restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post-work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partial Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.
The ESW pump starting transient during the LOCA sequencing test will be demonstrated to be within a minimum voltage of 3120 Vac and to recover to 3680 Vac within 3 seconds, and to be within a maximum voltage of 4784 Vac and to recover to 4320 Vac within 2 seconds. This is based on Regulatory Guide 1.9 Revision 3 Section 1.4 and past trending of ESW pump starting transient performance (Refs. 14 and 15).
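The following is an added example, not part of the Callaway Bases or of any plant procedure: a check of a recorded bus-voltage trace against the four ESW pump starting-transient limits quoted above. It assumes that recovery time is measured from the first sample outside the recovery level to the first sample back inside it; the function names and the two traces are constructed for illustration.

```python
"""Check a recorded voltage trace against the ESW pump starting-transient limits."""

# Limits quoted in the Bases text (volts AC, seconds).
V_DIP_FLOOR = 3120.0       # voltage must not fall below this
V_DIP_RECOVERED = 3680.0   # a dip counts as recovered at or above this
DIP_RECOVERY_S = 3.0
V_PEAK_CEILING = 4784.0    # voltage must not rise above this
V_PEAK_RECOVERED = 4320.0  # an overshoot counts as recovered at or below this
PEAK_RECOVERY_S = 2.0


def excursions(trace, outside):
    """Yield (start, end) times for each contiguous run of samples where
    outside(voltage) is true. end is the time of the first sample back
    inside the band, or None if the trace ends before recovery."""
    start = None
    for t, v in trace:
        if outside(v):
            if start is None:
                start = t
        elif start is not None:
            yield start, t
            start = None
    if start is not None:
        yield start, None


def evaluate_transient(trace):
    """Return a list of findings; an empty list means all four limits are met.

    trace is a list of (seconds, volts) samples with increasing timestamps.
    Assumption (not stated on the page): recovery time runs from the first
    sample outside the recovery level to the first sample back inside it.
    """
    if not trace:
        raise ValueError("empty trace")
    times = [t for t, _ in trace]
    if any(b <= a for a, b in zip(times, times[1:])):
        raise ValueError("timestamps must be strictly increasing")

    findings = []
    vmin = min(v for _, v in trace)
    vmax = max(v for _, v in trace)
    if vmin < V_DIP_FLOOR:
        findings.append(
            f"voltage dipped to {vmin:.0f} Vac, below the {V_DIP_FLOOR:.0f} Vac minimum")
    if vmax > V_PEAK_CEILING:
        findings.append(
            f"voltage peaked at {vmax:.0f} Vac, above the {V_PEAK_CEILING:.0f} Vac maximum")

    checks = (
        ("dip", lambda v: v < V_DIP_RECOVERED, V_DIP_RECOVERED, DIP_RECOVERY_S),
        ("overshoot", lambda v: v > V_PEAK_RECOVERED, V_PEAK_RECOVERED, PEAK_RECOVERY_S),
    )
    for name, outside, level, limit in checks:
        for start, end in excursions(trace, outside):
            if end is None:
                # The recording stops before recovery, so it cannot show compliance.
                findings.append(
                    f"{name} starting at {start:.2f} s never recovers to {level:.0f} Vac in the trace")
            elif end - start > limit:
                findings.append(
                    f"{name} starting at {start:.2f} s took {end - start:.2f} s "
                    f"to recover to {level:.0f} Vac (limit {limit:.0f} s)")
    return findings


# Constructed sample traces (seconds, Vac); not plant data.
PASSING_TRACE = [(0.0, 4160.0), (0.1, 3300.0), (0.5, 3500.0), (1.0, 3700.0),
                 (1.5, 4400.0), (2.0, 4350.0), (2.5, 4200.0), (3.0, 4160.0)]
FAILING_TRACE = [(0.0, 4160.0), (0.1, 3050.0), (1.0, 3400.0), (2.0, 3550.0),
                 (3.0, 3600.0), (3.5, 3700.0), (4.0, 4160.0)]

if __name__ == "__main__":
    for label, trace in (("passing", PASSING_TRACE), ("failing", FAILING_TRACE)):
        result = evaluate_transient(trace)
        print(label, "->", result if result else "all limits met")
```

A trace that ends while the voltage is still outside the recovery level is reported as a finding rather than passed, since such a recording cannot demonstrate recovery.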
SR 3.8.1.20
This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note. The reason for the Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations.
SR 3.8.1.21
SR 3.8.1.21 is the performance of an ACTUATION LOGIC TEST for each Load Shedder and Emergency Load Sequencer train, except that the continuity check does not have to be performed, as explained in the Note.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. 10 CFR 50, Appendix A, GDC 17.
2. FSAR, Chapter 8.
3. Regulatory Guide 1.9, Rev. 3, July 1993.
4. FSAR, Chapter 6.
5. FSAR, Chapter 15.
6. Regulatory Guide 1.93, Rev. 0, December 1974.
7. Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2, 1984.
8. 10 CFR 50, Appendix A, GDC 18.
9. Regulatory Guide 1.108, Rev. 1, August 1977.
10. Regulatory Guide 1.137, Rev. 0, January 1978.
11. ANSI C84.1 - 1982.
12.
13. ULNRC-3244, dated July 25, 1995.
14. ULNRC-3342, dated February 28, 1996.
15. OL Amendment No. 112, dated August 4, 1996.
16. OL Amendment No. 162, dated June 14, 2004.
17. NRC Letter to NEI regarding Open Phase Condition Protection Detection, dated November 25, 2014.
CALLAWAY PLANT B 3.8.2-1 Revision 15 AC Sources - Shutdown B 3.8.2
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.2 AC Sources - Shutdown
BASES
BACKGROUND
A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating."
APPLICABLE SAFETY ANALYSES
The OPERABILITY of the minimum AC sources during MODES 5 and 6 and during movement of irradiated fuel assemblies ensures that:
a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents, including a fuel handling accident.
However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required, as described in the FSAR, Section 3.1.2 (Ref. 1). The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events such as loss-of-coolant accidents and limiting pipe breaks are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems, including those required for mitigation of a fuel handling accident which may be postulated to occur during such conditions (i.e., MODES 5 and 6 or with the reactor defueled/offloaded).
During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6 (including during movement of irradiated fuel assemblies), performance of a significant number of required testing and maintenance activities is also required. The activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:
a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.
In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.
In addition to the requirements established by the technical specifications, the plant staff must also manage shutdown tasks and electrical support to maintain risk at an acceptably low value.
As required by the technical specifications, one train of the required equipment during shutdown conditions is supported by one train of AC and DC power and distribution. The availability of additional equipment, both redundant equipment as required by the technical specifications and equipment not required by the specifications, contributes to risk reduction and this equipment should be supported by reliable electrical power systems. Typically the Class 1E power sources and distribution systems of the unit are used to power equipment because these power and distribution systems are available and reliable. When portions of the Class 1E power distribution systems are not available (usually as a result of maintenance or modifications), other reliable power sources or distribution are used to provide the needed electrical support. The plant staff assesses these alternate power sources and distribution systems to assure that the desired level of minimal risk is maintained (frequently referred to as maintaining a desired defense in depth). The level of detail involved in the assessment will vary with the significance of the equipment being supported. In some cases, prepared guidelines are used which include controls designed to manage risk and retain the desired defense in depth.
The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem of LCO 3.8.10, "Distribution Systems-Shutdown," ensures that one train of required loads is powered from offsite power.
An OPERABLE DG, associated with the distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the availability of sufficient AC sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).
The DG must be supporting the train of AC electrical distribution required to be OPERABLE per LCO 3.8.10. The offsite circuit must also support the train of AC electrical distribution required to be OPERABLE per LCO 3.8.10. When the second AC electrical power distribution train (subsystem) is needed to support redundant required systems, equipment and components, the second train may be energized from any available source. The available source must be Class 1E or another reliable source. The available source must be capable of supplying sufficient AC electrical power such that the redundant components are capable of performing their specified safety function(s) (implicitly required by the definition of OPERABILITY). Otherwise, the supported components must be declared inoperable and the appropriate conditions of the LCOs for the redundant components must be entered.
The qualified offsite circuit must be capable of maintaining rated frequency and three-phase voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es). Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the unit.
The DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 12 seconds.
The DG must be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot and DG in standby at ambient conditions.
Initiating a DG start upon a detected undervoltage condition, tripping of the incoming offsite power upon a detected undervoltage or degraded voltage condition, shedding of nonessential loads, and proper sequencing of loads are required functions of LSELS and required for DG OPERABILITY. OPERABILITY of the undervoltage and degraded voltage instrumentation functions is addressed in LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation." Only the shutdown portion of the associated Load Shedder and Emergency Sequencer is required to be OPERABLE in MODES 5 and 6 and when moving irradiated fuel assemblies during shutdown conditions.
In addition, Load Shedder and Emergency Load Sequencer operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts on the ability to start and maintain energized loads required OPERABLE by LCO 3.8.10. However, proper sequencer operation shall only be required on the train supported by the OPERABLE DG.
It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circuit to supply all required trains.
APPLICABILITY
The AC sources required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel assemblies provide assurance that:
a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.
ACTIONS
LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, 3, or 4 would require the unit to be shut down unnecessarily.
A.1
An offsite circuit would be considered inoperable if it were not available to one required ESF train. The one train with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By the allowance of the option to declare required features inoperable, with no offsite power available, appropriate restrictions will be implemented in accordance with the affected required features LCO's ACTIONS.
A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4
With the offsite circuit not available to one required train, the option would still exist to declare all required features inoperable. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required DG inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability or the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.
Pursuant to LCO 3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to the required ESF bus, the ACTIONS for LCO 3.8.10 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized.
LCO 3.8.10 would provide the appropriate restrictions for the situation involving a de-energized train.
C.1 Required Action C.1 provides assurance that the appropriate Action is entered for the affected DG and offsite circuit if the shutdown portion of the Load Shedder and Emergency Load Sequencer (LSELS) becomes inoperable. The shutdown portion of the LSELS is an essential support system to both the offsite circuit and the DG associated with a given ESF bus. Furthermore, the sequencer is on the primary success path for most AC electrically powered safety systems powered from the associated ESF bus. With the required LSELS (shutdown portion) inoperable, immediately declare the affected DG and offsite circuit inoperable and take the Required Actions of Conditions A and B. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention.
SURVEILLANCE REQUIREMENTS SR 3.8.2.1 SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, SR 3.8.1.18 (LOCA load sequencer only), SR 3.8.1.19, and SR 3.8.1.21 (LOCA load sequencer only) are not required to be met because the capability to respond to a safety injection signal is not required to be demonstrated in MODE 5 or 6 or during movement of irradiated fuel assemblies. SR 3.8.1.20 is excepted because starting independence is not required with the DG that is not required to be operable.
This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG from being paralleled with the offsite power network or otherwise rendered inoperable during performance of SRs, and to preclude deenergizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG. It is the intent that these SRs (SR 3.8.1.3, SR 3.8.1.10, SR 3.8.1.11, SR 3.8.1.14, SR 3.8.1.15, SR 3.8.1.16, and SR 3.8.1.18 (shutdown load sequencer only)) must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.
REFERENCES
1. FSAR, Section 3.1.2.
CALLAWAY PLANT B 3.8.3-1 Revision 11
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air
BASES
BACKGROUND Each diesel generator (DG) is provided with a storage tank having a fuel oil capacity sufficient to operate that diesel for a period of 7 days while the DG is supplying maximum post loss of coolant accident load demand discussed in the FSAR, Section 9.5.4.2 (Ref. 1). The maximum load demand is calculated based on the fuel consumption by one DG for operation at continuous rating for 7 days. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources.
Fuel oil is transferred from storage tank to day tank by a transfer pump associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve or tank resulting in the loss of more than one DG. All outside tanks, pumps, and piping are located underground.
For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref. 3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.
The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions.
The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The contained volume of lube oil in each diesel engine crankcase is sufficient to allow full load operation for greater than 7 days.
With a contained volume equivalent to the add oil mark on the dipstick, a 10 day supply is available to support full load operation of the engine.
The lube oil system is designed with an automatic makeup supply that begins makeup before the low level alarm is received and before reaching the add oil level on the dipstick. The capacity and controls associated with the lube oil system are sufficient to ensure a minimum of 7 days of operation. Refer to the table below:

Description | Approximate Crankcase Volume |
---|---|
Hi level alarm | 1215 gallons |
Dip stick full mark | 1200 gallons |
Automatic Makeup valve isolates | 1116 gallons |
Automatic Makeup valve opens | 1063 gallons |
Low level alarm | 963 gallons |
Dip stick add oil mark (10 day supply) | 948 gallons |
7 day supply | 750 gallons |
6 day supply | 686 gallons |
Unusable volume in crankcase | 300 gallons |

Each DG has an air start system with adequate capacity for five successive start attempts on the DG without recharging the air start receiver(s).
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 4), and in the FSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
Since diesel fuel oil, lube oil, and the air start subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. It is also required to meet specific standards for quality.
Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."
The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers.
The diesel generators are not considered inoperable when the missile cover is removed from the emergency diesel fuel oil storage tanks so long as appropriate administrative controls are followed to ensure adequate missile protection is maintained. These controls include: limiting the time the cover may be removed to 36 consecutive hours, maintaining the cover rigged to the crane with personnel stationed to facilitate immediate replacement, and monitoring weather forecasts and local conditions to allow immediate replacement of the cover if necessary.
Both diesel generators are inoperable when the diesel fuel transfer systems are cross-connected, except when only one diesel generator is required to be OPERABLE per LCO 3.8.2, and the diesel generators are cross-connected under administrative controls. Administrative controls consist of stationing operators at each cross-connect isolation valve (JEV0007 and JEV0008) with communications established between the operators and control room. In this way, the cross-connect isolation valves can be rapidly closed when a problem occurs with the cross connection. Cross-connecting the DGs in MODE 1, 2, 3 or 4 under administrative controls is not permitted, because the DGs would no longer be separate and independent as required by LCO 3.8.1.
APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Since stored diesel fuel oil, lube oil, and the starting air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE.
ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and application of associated Required Actions.
A.1 In this Condition, the 7 day fuel oil supply for a DG is not available.
However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events, such as full load operation required after an inadvertent start while at minimum required level, or feed and bleed operations, which may be necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.
B.1 In this Condition there may not be an adequate amount of lube oil capacity to support the 7 days of full load operation of the diesel engine.
However, in the unlikely event that this Condition is entered the lower limit was established to ensure that there was at least a 6 day supply of lube oil. This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the diesel generator inoperable.
C.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling and re-analysis of the DG fuel oil.
D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.
E.1 With starting air receiver pressure < 435 psig in two receivers or < 610 psig in one receiver, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is 250 psig in two receivers or 300 psig in one receiver, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable.
This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period.
F.1 With a Required Action and associated Completion Time not met, or one or more DG's fuel oil, lube oil, or starting air subsystem not within the SR limits and not within limits specified by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.
SURVEILLANCE REQUIREMENTS SR 3.8.3.1 This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 days at full load.
The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The 750 gal requirement is based on the DG manufacturer consumption values for the run time of the DG. There are several methods available to verify a lube oil volume greater than or equal to 750 gallons. The preferred method is to verify that lube oil level is greater than the required inventory with the engine dipstick. Other indirect methods, such as the local level indicator or the absence of a low level alarm are acceptable as alternate methods.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.3 The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate, detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:
a. Sample the new fuel oil in accordance with ASTM D4057 (Ref. 6);
b. Verify in accordance with the tests specified in ASTM D975-81 (Ref. 6) that the sample has a kinematic viscosity at 40°C of 1.9 centistokes and 4.1 centistokes, and a flash point of 125°F; and
c. Verify that the new fuel oil has a water and sediment content of less than or equal to 0.05% when tested in accordance with ASTM D1796-83 (Ref. 6).
d. Verify in accordance with the tests specified in ASTM D1298-85 (Ref. 6) that the sample has an absolute specific gravity at 60/60°F of 0.83 and 0.89 or an API gravity at 60°F of 27° and 39°.
Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.
Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-81 (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975-81 (Ref. 6), except that the analysis for sulfur may be performed in accordance with ASTM D1552-79 (Ref. 6),
ASTM D2622-82 (Ref. 6) or ASTM D4294-90 (Ref. 6) and the acceptance criteria for fuel oil maximum cloud point is 0°C. If the 31 day sample results from the vendor come back unsatisfactory per Table 1 of ASTM-D975-81, Condition D is entered. If a representative sample is taken from the underground fuel oil storage tank, is analyzed and passes the sample parameters in Table 1 of ASTM-D975-81 that had tested as unsatisfactory, Condition D is exited. The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This Surveillance ensures the availability of high quality fuel oil for the DGs.
Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does not mean the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.
Particulate concentrations should be determined in accordance with ASTM D2276-78, Method A (Ref. 6). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/l. The filter size for the determination of particulate contamination will be 3.0 micron nominal instead of 0.8 micron nominal as specified by ASTM D2276-78, Method A (Ref. 6). It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing.
The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.
SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined as 3 seconds of cranking time or approximately 2 to 3 engine revolutions. The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, and contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance.
SR 3.8.3.6 This SR is not applicable.
REFERENCES
1. FSAR, Section 9.5.4.2.
2. Regulatory Guide 1.137.
3. ANSI N195-1976, Appendix B.
4. FSAR, Chapter 6.
5. FSAR, Chapter 15.
6. ASTM Standards: D4057; D975-81; D1796-83; D1552-79; D2622-82; D2276, Method A; D4294-90; D1298-85.
7. ASTM Standards, D975, Table 1.
8. ASME, Boiler and Pressure Vessel Code, Section XI.
CALLAWAY PLANT B 3.8.4-1 Revision 10
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.4 DC Sources - Operating
BASES
BACKGROUND The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).
The 125 VDC electrical power system consists of two independent and redundant Class 1E DC electrical power subsystems (Train A and Train B). Each DC electrical subsystem consists of two 125 VDC batteries, two battery chargers, one swing battery charger and all the associated control equipment and interconnecting cabling.
During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.
The Train A and Train B DC electrical power subsystems provide the control power for associated Class 1E AC power load group, 4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital buses.
The DC power distribution system is described in more detail in Bases for LCO 3.8.9, "Distribution System - Operating," and LCO 3.8.10, "Distribution Systems - Shutdown."
Each battery has adequate storage capacity to carry the required load continuously for at least a 200 minute duty cycle with margin as discussed in the FSAR, Chapter 8 (Ref. 4).
Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. While the DC buses in each subsystem share a swing battery charger, there is no sharing between redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels.
The batteries for Train A and Train B DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. Battery size is based on 125% of required capacity and, after selection of an available commercial battery, results in a battery capacity in excess of 150% of required capacity. The voltage limit is 2.17 V per cell, which corresponds to a total minimum voltage output of 130.2 V per battery as recommended by the battery manufacturer for a minimum float voltage. The criteria for sizing large lead storage batteries are defined in IEEE-485 (Ref. 5).
Each Train A and Train B DC battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 12 hours while supplying normal steady state loads discussed in the FSAR, Chapter 8 (Ref. 4).
APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 6), and in the FSAR, Chapter 15 (Ref. 7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.
The OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:
a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.
The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The DC electrical power subsystems (Train A and Train B), each subsystem consisting of batteries and battery chargers, as shown in the table below, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.
Loss of any train DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4).
An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers, as shown in the table, to be operating and connected to the associated DC bus(es).
APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.
The DC electrical power requirements for MODES 5 and 6 and during movement of irradiated fuel assemblies are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown."
TRAIN A | TRAIN B |
---|---|
Bus NK01 energized from Battery NK11 and Charger NK21 or Swing Charger NK25 (powered from AC Load Center NG01) | Bus NK02 energized from Battery NK12 and Charger NK22 or Swing Charger NK26 (powered from AC Load Center NG04) |
Bus NK03 energized from Battery NK13 and Charger NK23 or Swing Charger NK25 (powered from AC Load Center NG01) | Bus NK04 energized from Battery NK14 and Charger NK24 or Swing Charger NK26 (powered from AC Load Center NG04) |
ACTIONS A.1 Condition A represents one train with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The 2 hour limit is consistent with the allowed time for an inoperable DC distribution system train.
If one of the required DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), the remaining DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure would, however, result in the complete loss of the remaining 125 VDC electrical power subsystems with attendant loss of ESF functions, continued power operation should not exceed 2 hours.
The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 8) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.
B.1 and B.2 If the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the unit to MODE 5 is consistent with the time required in Regulatory Guide 1.93 (Ref. 8).
SURVEILLANCE REQUIREMENTS
SR 3.8.4.1
Verifying battery terminal voltage while on float charge helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.4.2
Visual inspection to detect corrosion of the battery cells and connections, or measurement of the resistance of each intercell and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The visual inspection is to detect corrosion in the cell post connection area; corrosion outside the connection area is not an OPERABILITY concern and would not require measuring resistance.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.4.3
Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.
The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.4.4 and SR 3.8.4.5
Visual inspection and resistance measurements of intercell and terminal connections provide an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anticorrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR provided visible corrosion is removed during performance of SR 3.8.4.4.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.4.6
This SR requires that each battery charger be capable of supplying 300 amps and 130.2 V for 1 hour. These requirements are based on the design rating of the chargers (Ref. 4) and the time needed to reach thermal equilibrium. According to Regulatory Guide 1.32 (Ref. 10), the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensure that these requirements can be satisfied.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.4.7
A battery service test is a special test of battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference 4.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.
The modified performance discharge test is a simulated duty cycle consisting of just two rates: the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelop the duty cycle of the service test. Since the ampere-hours removed by a rated one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.
A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.
The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.
SR 3.8.4.8
A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to trend overall battery degradation due to age and usage.
A battery modified performance discharge test is described in the Bases for SR 3.8.4.7. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, only the modified performance discharge test may be used to satisfy SR 3.8.4.8 while satisfying the requirements of SR 3.8.4.7 at the same time.
The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 9) and IEEE-485 (Ref. 5). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life, the Surveillance Frequency is reduced to 18 months. Degradation is indicated, according to IEEE-450 (Ref. 9), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is below 90% of the manufacturer's rating.
This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.
REFERENCES
1. 10 CFR 50, Appendix A, GDC 17.
2. Regulatory Guide 1.6, March 10, 1971.
3.
4. FSAR, Chapter 8.
5. IEEE-485-1983, June 1983.
6. FSAR, Chapter 6.
7. FSAR, Chapter 15.
8. Regulatory Guide 1.93, December 1974.
9.
10. Regulatory Guide 1.32, February 1977.
11. Regulatory Guide 1.129, February 1978.
CALLAWAY PLANT B 3.8.5-1 Revision 9
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.5 DC Sources - Shutdown
BASES
BACKGROUND
A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating."
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident and transient analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation, including during movement of irradiated fuel assemblies.
The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6 and during movement of irradiated fuel assemblies ensures that:
a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents, including a fuel handling accident.
However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required, as described in the FSAR, Section 3.1.2 (Ref. 3). The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events such as loss-of-coolant accidents and limiting pipe breaks are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems, including those required for mitigation of a fuel handling accident which may be postulated to occur during such conditions (i.e., MODES 5 and 6 or with the reactor defueled/offloaded).
During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6 (including during movement of irradiated fuel assemblies), performance of a significant number of required testing and maintenance activities is also required. The activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:
a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.
In addition to the requirements established by the technical specifications, the plant staff must also manage shutdown tasks and electrical support to maintain risk at an acceptably low value.
As required by the technical specifications, one train of the required equipment during shutdown conditions is supported by one train of AC and DC power and distribution. The availability of additional equipment, both redundant equipment as required by the technical specifications and equipment not required by the specifications, contributes to risk reduction and this equipment should be supported by reliable electrical power systems. Typically the Class 1E power sources and distribution systems of the unit are used to power equipment because these power and distribution systems are available and reliable. When portions of the Class 1E power distribution systems are not available (usually as a result of maintenance or modifications), other reliable power sources or distribution are used to provide the needed electrical support. The plant staff assesses these alternate power sources and distribution systems to assure that the desired level of minimal risk is maintained (frequently referred to as maintaining a desired defense in depth). The level of detail involved in the assessment will vary with the significance of the equipment being supported. In some cases, prepared guidelines are used which include controls designed to manage risk and retain the desired defense in depth.
The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
One DC electrical power subsystem shall be OPERABLE to support one train of the DC electrical power distribution subsystems required by LCO 3.8.10, "Distribution Systems - Shutdown." The required DC electrical power subsystem (Train A or Train B) shall consist of two DC buses energized from the associated batteries and chargers or swing charger powered from the respective Class 1E 480 V load center, and the corresponding control equipment and interconnecting cabling within the train. This ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).
The required DC electrical power distribution subsystem is supported by one train of DC electrical power system. When the second DC electrical power distribution train (subsystem) is needed to support redundant required systems, equipment and components, the second Train may be energized from any available source. The available source must be Class 1E or another reliable source. The available source must be capable of supplying sufficient DC electrical power such that the redundant components are capable of performing their specified safety function(s) (implicitly required by the definition of OPERABILITY).
Otherwise, the supported components must be declared inoperable and the appropriate conditions of the LCOs for the redundant components must be entered.

TRAIN A | TRAIN B
---|---
Bus NK01 energized from Battery NK11 and Charger NK21 or Swing Charger NK25 (powered from AC Load Center NG01) | Bus NK02 energized from Battery NK12 and Charger NK22 or Swing Charger NK26 (powered from AC Load Center NG04)
Bus NK03 energized from Battery NK13 and Charger NK23 or Swing Charger NK25 (powered from AC Load Center NG01) | Bus NK04 energized from Battery NK14 and Charger NK24 or Swing Charger NK26 (powered from AC Load Center NG04)

APPLICABILITY
The DC electrical power sources required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel assemblies provide assurance that:
a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core;
b. Required features needed to mitigate a fuel handling accident are available;
c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
The DC electrical power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.
ACTIONS
LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, 3, or 4 would require the unit to be shut down unnecessarily.
A.1, A.2.1, A.2.2, A.2.3, and A.2.4
By allowing the option to declare required features inoperable with the associated DC power source inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCO ACTIONS. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6)). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation.
Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystem and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the unit safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystem should be completed as quickly as possible in order to minimize the time during which the unit safety systems may be without sufficient power.
SURVEILLANCE REQUIREMENTS
SR 3.8.5.1
SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.8. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.
This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs (SR 3.8.4.6, SR 3.8.4.7, and SR 3.8.4.8) must still be capable of being met, but actual performance is not required.
REFERENCES
1. FSAR, Chapter 6.
2. FSAR, Chapter 15.
3. FSAR, Section 3.1.2.
CALLAWAY PLANT B 3.8.6-1 Revision 11
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.6 Battery Cell Parameters
BASES
BACKGROUND
This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC power source batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown."
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation, as well as during movement of irradiated fuel assemblies.
The OPERABILITY of the DC electrical power subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one train of DC sources OPERABLE during accident conditions, in the event of:
a. An assumed loss of all offsite AC power or all onsite AC power; and
b. A worst case single failure.
Battery cell parameters satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Electrolyte limits are conservatively established, allowing continued DC electrical power system function even with Category A and B limits not met.
APPLICABILITY
The battery cell parameters are required solely for the support of the associated DC electrical power subsystems (Train A and Train B). Therefore, battery electrolyte is only required when the battery DC power source is required to be OPERABLE. Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5. The table shows the DC electrical power trains and associated batteries.

TRAIN A | TRAIN B
---|---
Bus NK01 energized from Battery NK11 | Bus NK02 energized from Battery NK12
Bus NK03 energized from Battery NK13 | Bus NK04 energized from Battery NK14

ACTIONS
The ACTIONS Table is modified by a Note indicating that separate condition entry is allowed for each battery. This is acceptable since the Required Actions provide appropriate compensatory actions for each battery cell parameter not within limits.
A.1, A.2, and A.3
With one or more cells in one or more batteries not within limits (i.e., Category A limits not met, Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1 in the accompanying LCO, the battery may be degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met and operation is permitted for a limited period.
The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check will provide a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to perform the required verification.
Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours is allowed to complete the initial verification because several measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A or B limits.
Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. With the consideration that, while battery capacity may be degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable prior to declaring the battery inoperable.
B.1
With one or more batteries with one or more battery cell parameters outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of Condition A within the required Completion Time or average electrolyte temperature of representative cells falling below 60°F, are also cause for immediately declaring the associated battery inoperable. IEEE 450 suggests that representative cells be interpreted to mean every sixth cell.
SURVEILLANCE REQUIREMENTS
SR 3.8.6.1
This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 3), which recommends regular battery inspections including voltage, electrolyte level, temperature, level corrected specific gravity, and electrolyte temperature of pilot cells.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.6.2
Within 7 days of a battery discharge with terminal voltage < 110 V or a battery overcharge with terminal voltage > 150 V, the battery must be demonstrated to meet Category B limits. Transients, such as motor starting transients, which may momentarily cause battery voltage to drop to < 110 V, do not constitute a significant battery discharge provided the battery terminal voltage and float current return to pre-transient values.
This inspection is also consistent with IEEE-450 (Ref. 3), which recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.8.6.3
This Surveillance verification that the average temperature of representative cells is ≥ 60°F is consistent with a recommendation of IEEE-450 (Ref. 3), which states that the temperature of electrolytes in representative cells should be determined periodically. IEEE 450 suggests that representative cells be interpreted to mean every sixth cell.
Lower than normal temperatures act to inhibit or reduce battery capacity.
This SR ensures that the operating temperatures remain within an acceptable operating range. This limit is based on manufacturer recommendations.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
Table 3.8.6-1
This table delineates the limits on battery cell parameters for three different categories. The meaning of each category is discussed below.
Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the condition of the entire battery.
The Category A limits specified for electrolyte level are based on manufacturer recommendations and are consistent with the guidance in IEEE-450 (Ref. 3), with the extra 1/4 inch allowance above the high level indication for operating margin to account for temperatures and charge effects. In addition to this allowance, footnote a to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours.
The Category A limit specified for float voltage is ≥ 2.13 V per cell. This value is based on the recommendations of IEEE-450 (Ref. 3), which states that prolonged operation of cells < 2.13 V can reduce the life expectancy of cells.
The Category A limit specified for specific gravity for each pilot cell is 1.200 (0.015 below the manufacturer fully charged nominal specific gravity). This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref. 3), the specific gravity readings are based on a temperature of 77°F (25°C).
The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 77°F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation.
Category B defines the normal parameter limits for each connected cell.
The term "connected cell" excludes any battery cell that may be jumpered out.
The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above except the float voltage is corrected for average electrolyte temperature. The Category B limit specified for specific gravity for each connected cell is 1.195 (0.020 below the manufacturer fully charged, nominal specific gravity) with the average of all connected cells > 1.205 (0.010 below the manufacturer fully charged, nominal specific gravity).
These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell will not mask overall degradation of the battery.
Category C defines the allowable limits for each connected cell. These values provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C allowable limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.
The Category C allowable limits specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C allowable limit for float voltage is based on IEEE-450 (Ref. 3), which states that a cell voltage of 2.07 V or below, under float charge and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.
The Category C allowable limit of average specific gravity 1.195 is based on manufacturer recommendations (0.020 below the manufacturer recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a fully charged or new cell does not mask overall degradation of the battery.
The footnotes to Table 3.8.6-1 are applicable to Category A, B, and C specific gravity. Footnote (b) to Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current is < 2 amps on float charge. This current provides, in general, an indication of overall battery condition.
Because of specific gravity gradients that are produced during the recharging process, delays of several weeks may occur while waiting for the specific gravity to stabilize. A stabilized float charger current is an acceptable alternative to specific gravity measurement for determining the state of charge. This phenomenon is discussed in IEEE-450 (Ref. 3).
Footnote (c) to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a battery recharge. Within 7 days, each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements may be made in less than 7 days.
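The temperature correction and the Category B and Category C specific gravity limits described above can be applied together as follows. This is an added example, not part of the Bases or of any plant procedure; the function names, the six-cell sample readings, the treatment of each quoted limit as a minimum, and linear scaling between 3°F steps are assumptions, and level correction, electrolyte level and float voltage are not modelled.

```python
from fractions import Fraction

REF_TEMP_F = 77          # readings are referenced to 77 deg F (from the text)
DEG_F_PER_POINT = 3      # 1 point (0.001) per 3 deg F (from the text)

# Specific gravity limits in points (1 point = 0.001), taken from the text.
# Treating each value as a minimum is an assumption of this example.
CAT_B_CELL_MIN = 1195        # Category B, each connected cell
CAT_B_AVG_ABOVE = 1205       # Category B, average of all connected cells
CAT_C_AVG_MIN = 1195         # Category C, average of all connected cells
CAT_C_MAX_BELOW_AVG = 20     # Category C, each cell relative to the average


def corrected_points(reading_points, electrolyte_temp_f):
    """Temperature-correct one reading and return exact points as a Fraction.

    Points are added above 77 deg F and subtracted below it. Scaling linearly
    between whole 3 deg F steps is an assumption of this example.
    """
    return Fraction(reading_points) + Fraction(
        electrolyte_temp_f - REF_TEMP_F, DEG_F_PER_POINT
    )


def screen_specific_gravity(cells):
    """Screen connected cells against the Category B and C specific gravity limits.

    cells: list of (cell_id, reading_points, electrolyte_temp_f).
    """
    corrected = {cid: corrected_points(r, t) for cid, r, t in cells}
    average = sum(corrected.values()) / len(corrected)
    below_b = sorted(c for c, v in corrected.items() if v < CAT_B_CELL_MIN)
    below_c = sorted(
        c for c, v in corrected.items() if v < average - CAT_C_MAX_BELOW_AVG
    )
    return {
        "average": average,
        "cat_b_met": not below_b and average > CAT_B_AVG_ABOVE,
        "cat_c_met": not below_c and average >= CAT_C_AVG_MIN,
        "cells_below_cat_b": below_b,
        "cells_below_cat_c": below_c,
    }


# Constructed readings: (cell id, reading in points, electrolyte temperature in deg F).
# Two highly charged cells lift the average above 1.205 while four cells sit at 1.190.
MASKED = [(1, 1190, 77), (2, 1190, 77), (3, 1190, 77), (4, 1190, 77),
          (5, 1240, 77), (6, 1240, 77)]
# Cold electrolyte: the raw readings look acceptable until they are corrected.
COLD = [(n, 1208, 62) for n in range(1, 7)]
# One weak cell more than 0.020 below the average of the connected cells.
WEAK_CELL = [(n, 1215, 77) for n in range(1, 6)] + [(6, 1170, 77)]

if __name__ == "__main__":
    for name, cells in (("MASKED", MASKED), ("COLD", COLD), ("WEAK_CELL", WEAK_CELL)):
        result = screen_specific_gravity(cells)
        print(name, float(result["average"]) / 1000, result)
```

In the MASKED case the average alone would pass, and it is the per-cell minimum that exposes the degraded cells.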
REFERENCES
1. FSAR, Chapter 6.
2. FSAR, Chapter 15.
3. IEEE-450.
CALLAWAY PLANT Revision 14
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.7 Inverters - Operating
BASES
BACKGROUND
The inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve. The function of the inverters is to provide AC electrical power to the vital buses. Each inverter is normally powered from its associated NK system 125 VDC battery; however, a 480 VAC source is available via a bypass constant voltage transformer (BCVT) to provide an alternate power source to the vital AC bus via an automatic static switch internal to the inverter. The automatic static transfer switch may be manually bypassed to provide a bypass power source to the vital AC bus directly from the BCVT.
Two swing inverters (one per train) are provided such that within either train, a swing inverter may be alternatively aligned to either AC vital bus when the normal source inverter is removed from service. The swing inverters are designed with the same functional capability as the normal source inverters, including alternate source capability via a BCVT. When a swing inverter is placed into service, the requirements for independence and redundancy between trains are maintained.
The inverters, as powered from the station batteries, provide an uninterruptible power source for the instrumentation and controls for the Reactor Trip System (RTS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on inverters and their operating characteristics are found in the FSAR, Chapter 8 (Ref. 1).
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RTS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of:
a. An assumed loss of all offsite AC electrical power or all onsite AC electrical power; and
b. A worst case single failure.
Inverters satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.
Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RTS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized.
An OPERABLE inverter (i.e., normal source inverter or swing inverter) requires the associated AC vital bus to be powered by the inverter with output voltage within tolerances, and with power input to the inverter from a 125 VDC battery. The inverter must be powered from its associated 125 VDC battery to meet the uninterruptible power supply design requirements of the RTS and ESFAS instrumentation. OPERABILITY requirements for the AC vital buses (NN01-NN04) are specified in LCO 3.8.9, Distribution Systems - Operating.
The required inverters/AC vital buses are associated with the DC electrical power subsystems (Train A and Train B) as follows:
TRAIN A | TRAIN B |
---|---|
Bus NN01 energized from Inverter NN11 or Swing Inverter NN17 and Connected to DC Bus NK01 and Battery NK11 | Bus NN02 energized from Inverter NN12 or Swing Inverter NN18 and Connected to DC Bus NK02 and Battery NK12 |
Bus NN03 energized from Inverter NN13 or Swing Inverter NN17 and Connected to DC Bus NK03 and Battery NK13 | Bus NN04 energized from Inverter NN14 or Swing Inverter NN18 and Connected to DC Bus NK04 and Battery NK14 |
Train A and Train B are required to be OPERABLE. A swing inverter may be substituted for one of the two required inverters in each train.
APPLICABILITY
The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
Inverter requirements for MODES 5 and 6 and during movement of irradiated fuel assemblies are covered in LCO 3.8.8, "Inverters - Shutdown."
ACTIONS
A.1
With a required (normal source) inverter inoperable, its associated AC vital bus also becomes inoperable until the bus is re-energized to proper voltage from the inoperable inverter's internal AC source (BCVT) or from a swing inverter powered from the associated 125-VDC battery or via the swing inverter's associated alternate AC source (BCVT).
To ensure prompt action is taken in response to de-energization of an AC vital bus due to inverter inoperability, a Note is included in Condition A requiring entry into the Conditions and Required Actions of LCO 3.8.9, Distribution Systems - Operating, with any vital bus de-energized. This ensures that the vital bus is re-energized within 2 hours.
Required Action A.1 allows 24 hours to fix the inoperable inverter and return it to service. The 24 hour limit is based upon engineering judgment, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail. When the AC vital bus is powered from its bypass source (via the bypass constant voltage transformer associated with either the normal source inverter or the swing inverter) it is relying upon interruptible AC electrical power sources (offsite or onsite).
The uninterruptible inverter source to the AC vital bus (i.e., normal source inverter or swing inverter, as connected to the associated 125-VDC battery) is the required source for powering instrumentation trip setpoint devices. Vital AC power source requirements are covered in LCO 3.8.7; the vital AC power distribution requirements are covered in LCO 3.8.9.
B.1 and B.2
If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE REQUIREMENTS
SR 3.8.7.1
This Surveillance verifies that the required inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage output ensures that the required power is readily available for the instrumentation of the RTS and ESFAS connected to the AC vital buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. FSAR, Chapter 8.
2. FSAR, Chapter 6.
3. FSAR, Chapter 15.
CALLAWAY PLANT Revision 14
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.8 Inverters - Shutdown
BASES
BACKGROUND
A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters - Operating."
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Trip System and Engineered Safety Features Actuation System instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.
The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 and during movement of irradiated fuel assemblies ensures that:
a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident.
In general, when the unit is shut down, the Technical Specification requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents, including a fuel handling accident.
However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required, as described in the FSAR, Section 3.1.2 (Ref. 3). The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events such as loss-of-coolant accidents and limiting pipe breaks are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems, including those required for mitigation of a fuel handling accident which may be postulated to occur during such conditions (i.e., MODES 5 and 6 or with the reactor defueled/offloaded).
During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6 (including during movement of irradiated fuel assemblies), performance of a significant number of required testing and maintenance activities is also required. The activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:
a. The fact that time in an outage is limited. This is a risk prudent goal as well as an economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.
In addition to the requirements established by the technical specifications, the plant staff must also manage shutdown tasks and electrical support to maintain risk at an acceptably low value.
As required by the Technical Specifications, one train of the required equipment during shutdown conditions is supported by one train of AC and DC power sources and distribution. The availability of additional equipment, both redundant equipment as required by the Technical Specifications and equipment not required by the Technical Specifications, contributes to risk reduction and this equipment should be supported by reliable electrical power systems. Typically, the Class 1E power sources and distribution subsystems are used to power equipment because these power sources and distribution subsystems are available and reliable.
When portions of the Class 1E power sources or distribution subsystems are not available (usually as a result of maintenance or modifications), other reliable power sources or distribution subsystems are used to provide the needed electrical support. The plant staff assesses these alternate power sources and distribution subsystems to assure that the desired level of minimal risk is maintained (frequently referred to as maintaining a desired defense in depth). The level of detail involved in the assessment will vary with the significance of the equipment being supported. In some cases, prepared guidelines are used which include controls designed to manage risk and retain the desired defense in depth.
The inverters satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
One train of inverters shall be OPERABLE to support one Class 1E AC vital bus electrical power distribution subsystem required by LCO 3.8.10, "Distribution Systems - Shutdown." The required train of inverters (Train A or Train B) shall consist of two AC vital buses energized from the associated inverters (one of which may be a swing inverter) with the selected inverters connected to their respective DC bus. The inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA.
The battery powered inverters provide uninterruptible supply of AC electrical power to the AC vital buses even if the 4.16 kV safety buses are de-energized.
An OPERABLE inverter (i.e., normal source inverter or swing inverter) requires the associated AC vital bus to be powered by the inverter with output voltage within tolerances, and with power input to the inverter from a 125 VDC battery. Power input to the inverter must come from its associated 125 VDC battery in order to meet the uninterruptible power supply design requirements of the instrumentation needed to detect NB system bus undervoltage, isolate control room ventilation and fuel building exhaust ventilation systems, detect and mitigate inadvertent neutron flux multiplication, and provide neutron flux information to the control room.
The requirements for inverter OPERABILITY thus ensure the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown.
OPERABILITY requirements for the AC vital buses are specified in LCO 3.8.10, Distribution Systems - Shutdown.
The required AC vital bus electrical power distribution subsystem is supported by one train of inverters. When the second (subsystem) of AC vital bus electrical power distribution is needed to support redundant required systems, equipment and components, the second train may be energized from any available source. The available source must be Class 1E or another reliable source. The available source must be capable of supplying sufficient AC electrical power such that the redundant components are capable of performing their specified safety function(s) (implicitly required by the definition of OPERABILITY).
Otherwise, the supported components must be declared inoperable and the appropriate conditions of the LCOs for the redundant components must be entered.
TRAIN A | TRAIN B |
---|---|
Bus NN01 energized from Inverter NN11 or Swing Inverter NN17 and Connected to DC Bus NK01 and Battery NK11 | Bus NN02 energized from Inverter NN12 or Swing Inverter NN18 and Connected to DC Bus NK02 and Battery NK12 |
Bus NN03 energized from Inverter NN13 or Swing Inverter NN17 and Connected to DC Bus NK03 and Battery NK13 | Bus NN04 energized from Inverter NN14 or Swing Inverter NN18 and Connected to DC Bus NK04 and Battery NK14 |
Train A or Train B is required to be OPERABLE. A swing inverter may be substituted for one of the two required inverters in the required train.
APPLICABILITY
The inverters required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel assemblies provide assurance that:
a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7, Inverters - Operating.
ACTIONS
LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, 3, or 4 would require the unit to be shut down unnecessarily.
A.1, A.2.1, A.2.2, A.2.3, and A.2.4
By allowing the option to declare required features inoperable with the required inverter(s) inoperable, appropriate restrictions are implemented in accordance with the affected required features LCOs' Required Actions.
In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6)). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power or powered from an interruptible source (i.e., bypass constant voltage transformer).
SURVEILLANCE REQUIREMENTS
SR 3.8.8.1
This Surveillance verifies that the required inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. FSAR, Chapter 6.
2. FSAR, Chapter 15.
3. FSAR, Section 3.1.2.
CALLAWAY PLANT Revision 14
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.9 Distribution Systems - Operating
BASES
BACKGROUND
The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided by train into two redundant and independent AC, DC, and AC vital bus electrical power distribution subsystems as defined in Table B 3.8.9-1. Train A is associated with AC load group 1; Train B, with AC load group 2.
The AC electrical power subsystem for each train consists of an Engineered Safety Feature (ESF) 4.16 kV bus and 480 V buses, and load centers. Each 4.16 kV ESF bus has one separate and independent offsite source of power as well as a dedicated onsite diesel generator (DG) source. Each 4.16 kV ESF bus is normally connected to a preferred offsite source. After a loss of the preferred offsite power source to a 4.16 kV ESF bus, the onsite emergency DG supplies power to the bus. A transfer to the alternate offsite source is accomplished by manually repositioning breakers, if required. Control power for the 4.16 kV breakers is supplied from the Class 1E batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources - Operating," and the Bases for LCO 3.8.4, "DC Sources - Operating."
The 120 VAC vital buses are arranged in two load groups per train and are normally powered through the inverters from the 125 VDC electrical power subsystem. Refer to Bases B 3.8.7 for further information on the 120 VAC vital system.
The 125 VDC electrical power distribution system is arranged into two buses per train. Refer to Bases B 3.8.4 for further information on the 125 VDC electrical power subsystem.
The list of all required distribution buses is presented in Table B 3.8.9-1.
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident (DBA) and transient analyses in the FSAR, Chapter 6 (Ref. 1), and in the FSAR, Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit.
This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:
a. An assumed loss of all offsite power or all onsite AC electrical power; and
b. A worst case single failure.
The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
The required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE.
Maintaining the Train A and Train B AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.
OPERABLE AC electrical power distribution subsystems require the associated buses and load centers to be energized to their proper voltages. OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. OPERABLE vital bus electrical power distribution subsystems require the associated buses to be energized to their proper voltage, each from its associated normal source inverter or swing inverter, via inverted DC voltage or the alternate AC source (i.e., bypass constant voltage transformer).
No tie breakers between redundant safety related AC, DC, and AC vital bus power distribution subsystems exist. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). It does not, however, preclude redundant Class 1E 4.16 kV buses from being powered from the same offsite circuit.
Closure of the tie breaker 52NG0116 between NG01 and NG03 or tie breaker 52NG0216 between NG02 and NG04 will render all four degraded voltage channels for the associated 4.16 kV bus inoperable.
Refer to LCO 3.3.5, "LOP DG Start Instrumentation." The 480 V load center transformer load and voltage drop increase when one transformer is supplying both 480 V buses. Since the degraded voltage is sensed on the 4.16 kV bus, the actual 480 V bus voltage will be lower (lower than assumed during a degraded voltage condition) when the protection setpoint is reached. In this case, adequate protection is not provided for the 480 V bus loads.
APPLICABILITY
The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
Electrical power distribution subsystem requirements for MODES 5 and 6 and during movement of irradiated fuel assemblies are covered in LCO 3.8.10, "Distribution Systems - Shutdown."
ACTIONS
A.1
With one or more required AC buses or load centers, except AC vital buses, in one train inoperable, the remaining AC electrical power distribution subsystem in the other train is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, and load centers must be restored to OPERABLE status within 8 hours.
Condition A worst scenario is one train without AC power (i.e., no offsite power to the train and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. This 8 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate AC power. Taking exception to LCO 3.0.2 for components without adequate AC power, that would have the Required Action Completion Times shorter than 8 hours if declared inoperable, is acceptable because of:
a.
The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and b.
The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.
The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE. This could continue indefinitely.
The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
B.1
With one AC vital bus inoperable, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital bus must be restored to OPERABLE status within 2 hours by powering the bus from the associated normal source inverter or swing inverter, via inverted DC voltage or the alternate AC source (i.e., bypass constant voltage transformer).
Condition B represents one AC vital bus without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining vital buses and restoring power to the affected vital bus.
This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 2 hours if declared inoperable, is acceptable because of:
a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period.
The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the vital bus distribution system. At this time, an AC train could again become inoperable, and vital bus distribution restored OPERABLE. This could continue indefinitely.
This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
C.1
With DC bus(es) in one train inoperable, the remaining DC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC buses must be restored to OPERABLE status within 2 hours by powering the bus from the associated battery or charger.
Condition C represents one train without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining trains and restoring power to the affected train.
This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:
a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;
b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and
c. The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3).
The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition C is entered while, for instance, an AC bus is inoperable and subsequently returned OPERABLE, the LCO may already have been not met for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the DC distribution system. At this time, an AC train could again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely.
This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met, instead of the time Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.
D.1 and D.2
If the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.
E.1
With two trains with inoperable distribution subsystems that result in a loss of safety function, adequate core cooling, containment OPERABILITY and other vital functions for DBA mitigation would be compromised, and immediate plant shutdown in accordance with LCO 3.0.3 is required.
SURVEILLANCE REQUIREMENTS
SR 3.8.9.1
This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions is maintained, and the appropriate voltage is available to each required bus.
The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. FSAR, Chapter 6.
2. FSAR, Chapter 15.
3. Regulatory Guide 1.93, December 1974.
Table B 3.8.9-1 (page 1 of 1)
AC and DC Electrical Power Distribution Systems
Each train of the AC and DC electrical power distribution systems is a subsystem. (A subsystem is defined as a train or any part thereof.)
TYPE | VOLTAGE | TRAIN A* | TRAIN B*
---|---|---|---
AC safety buses | 4160 V | ESF Bus NB01 | ESF Bus NB02
AC safety buses | 480 V | Load Centers NG01, NG03 | Load Centers NG02, NG04
DC buses | 125 V | Bus NK01, Bus NK03 | Bus NK02, Bus NK04
AC vital buses | 120 V | Bus NN01, Bus NN03 | Bus NN02, Bus NN04
CALLAWAY PLANT B 3.8.10-1 Revision 11 Distribution Systems - Shutdown B 3.8.10
B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.10 Distribution Systems - Shutdown
BASES
BACKGROUND
A description of the AC, DC, and AC vital bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems - Operating."
APPLICABLE SAFETY ANALYSES
The initial conditions of Design Basis Accident and transient analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.
The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.
The OPERABILITY of the minimum AC, DC, and AC vital bus electrical power distribution subsystems during MODES 5 and 6 and during movement of irradiated fuel assemblies ensures that:
a. The unit can be maintained in the shutdown or refueling condition for extended periods;
b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents, including a fuel handling accident.
However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required, as described in the FSAR, Section 3.1.2 (Ref. 3). The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5 and 6. Worst case bounding events such as loss-of-coolant accidents and limiting pipe breaks are deemed not credible in MODES 5 and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems, including those required for mitigation of a fuel handling accident which may be postulated to occur during such conditions (i.e., MODES 5 and 6 or with the reactor defueled/offloaded).
During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level of risk is not exceeded. During MODES 5 and 6 (including during movement of irradiated fuel assemblies), performance of a significant number of required testing and maintenance activities is also required. The activities are generally planned and administratively controlled. Relaxations from MODE 1, 2, 3, and 4 LCO requirements are acceptable during shutdown modes based on:
a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operating MODE analyses, or both.
c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY requirements) with systems assumed to function during an event.
In addition to the requirements established by the technical specifications, the plant staff must also manage shutdown tasks and electrical support to maintain risk at an acceptably low value.
As required by the technical specifications, one train of the required equipment during shutdown conditions is supported by one train of AC and DC power and distribution. The availability of additional equipment, both redundant equipment as required by the technical specifications and equipment not required by the specifications, contributes to risk reduction and this equipment should be supported by reliable electrical power systems. Typically the Class 1E power sources and distribution systems of the unit are used to power equipment because these power and distribution systems are available and reliable. When portions of the Class 1E power distribution systems are not available (usually as a result of maintenance or modifications), other reliable power sources or distribution are used to provide the needed electrical support. The plant staff assesses these alternate power sources and distribution systems to assure that the desired level of minimal risk is maintained (frequently referred to as maintaining a desired defense in depth). The level of detail involved in the assessment will vary with the significance of the equipment being supported. In some cases, prepared guidelines are used which include controls designed to manage risk and retain the desired defense in depth.
The AC and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO
Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of one train of the electrical distribution system necessary to support OPERABILITY of one train of required systems, equipment, and components - all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY.
Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).
The AC electrical power distribution subsystems are supported by the AC electrical power sources as required by LCO 3.8.2, "AC Sources - Shutdown."
The required DC electrical power distribution subsystem is supported by one train of the DC electrical power system as required by LCO 3.8.5, "DC Sources - Shutdown." When the second DC electrical power distribution train (subsystem) is needed to support redundant required systems, equipment and components, the second train may be energized from any available source. The available source must be Class 1E or another reliable source. The available source must be capable of supplying sufficient DC electrical power such that the redundant components are capable of performing their specified safety function(s) (implicitly required by the definition of OPERABILITY). Otherwise the supported components must be declared inoperable and the appropriate conditions of the LCOs for the redundant components must be entered.
The required AC vital bus electrical power distribution subsystem is supported by one train of inverters as required by LCO 3.8.8, "Inverters - Shutdown." When the second (subsystem) of AC vital bus electrical power distribution is needed to support redundant required systems, equipment and components, the second train may be energized from any available source. The available source must be Class 1E or another reliable source. The available source must be capable of supplying sufficient AC electrical power such that the redundant components are capable of performing their specified safety function(s) (implicitly required by the definition of OPERABILITY). Otherwise the supported components must be declared inoperable and the appropriate conditions of the LCOs for the redundant components must be entered.
Closure of the tie breaker 52NG0116 between NG01 and NG03 or tie breaker 52NG0216 between NG02 and NG04 will render all four degraded voltage channels for the associated 4.16 kV bus inoperable.
Refer to LCO 3.3.5, "LOP DG Start Instrumentation." The 480 V load center transformer load and voltage drop increase when one transformer is supplying both 480 V buses. Since the degraded voltage is sensed on the 4.16 kV bus, the actual 480 V bus voltage will be lower (lower than assumed during a degraded voltage condition) when the protection setpoint is reached. In this case, adequate protection is not provided for the 480 V bus loads.
APPLICABILITY
The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel assemblies provide assurance that:
a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
b. Systems needed to mitigate a fuel handling accident are available;
c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling condition.
The AC, DC, and AC vital bus electrical power distribution subsystems requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.9.
ACTIONS
LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3 while in MODE 1, 2, 3, or 4 would require the unit to be shut down unnecessarily.
A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5
By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6)). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safe operation.
Introduction of coolant inventory must be from sources that have a boron concentration greater than that required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.
Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.
Notwithstanding performance of the above conservative Required Actions, a required residual heat removal (RHR) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR inoperable and not in operation, which results in taking the appropriate RHR actions. This would assure consideration is given to shutdown cooling systems that are without required power and that appropriate actions are taken to assure operability of these required systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.
SURVEILLANCE REQUIREMENTS
SR 3.8.10.1
This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the buses energized. The verification of proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
REFERENCES
1. FSAR, Chapter 6.
2. FSAR, Chapter 15.
3. FSAR, Section 3.1.2.