ML102371266: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(StriderTol Bot change)
 
Line 49: Line 49:
               -----------------------------------------------------------------------REVIEWER'S NOTE---------------------------------------------------------------------
               -----------------------------------------------------------------------REVIEWER'S NOTE---------------------------------------------------------------------
(j)          Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by                                                    2 the unit.
(j)          Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by                                                    2 the unit.
              ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
INSERT 3                    4 WOG STS                                                                3.3.2-15                                              Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517
INSERT 3                    4 WOG STS                                                                3.3.2-15                                              Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517


Line 99: Line 98:
               -----------------------------------------------------------------------REVIEWER'S NOTE---------------------------------------------------------------------
               -----------------------------------------------------------------------REVIEWER'S NOTE---------------------------------------------------------------------
(j)          Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by                                                    2 the unit.
(j)          Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by                                                    2 the unit.
              ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
INSERT 3                    4 WOG STS                                                                3.3.2-15                                              Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517
INSERT 3                    4 WOG STS                                                                3.3.2-15                                              Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517


Line 185: Line 183:
The controls, instrumentation, and transfer switches are required for:
The controls, instrumentation, and transfer switches are required for:
x    Core reactivity control (initial and long term),
x    Core reactivity control (initial and long term),
                                                                                      ;
x    RCS pressure control,                                                  Steam Dump System x    Decay heat removal via the AFW System and the SG safety valves or SG ADVs,                            ;
x    RCS pressure control,                                                  Steam Dump System x    Decay heat removal via the AFW System and the SG safety valves or SG ADVs,                            ;
PORVs x    RCS inventory control via charging flow, and x    Safety support systems for the above Functions, including service water, component cooling water, and onsite power, including the diesel generators.
PORVs x    RCS inventory control via charging flow, and x    Safety support systems for the above Functions, including service water, component cooling water, and onsite power, including the diesel generators.
Line 245: Line 242:
The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant-                                            4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.
The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant-                                            4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.
The [NTSP] is included in the SCP.
The [NTSP] is included in the SCP.
          -------------------------------------------------------------------------------------------------------------------
used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.
used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.
               "Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.
               "Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.
Line 294: Line 290:
[NTSP]          setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a                          10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
[NTSP]          setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a                          10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS
[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS
[NTSP]          setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted
[NTSP]          setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL
                            ,
when the "as-left" setpoint value is within the band for CHANNEL
[NTSP]
[NTSP]
as-left tolerance WOG STS                                                    B 3.3.2-3                                      Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517
as-left tolerance WOG STS                                                    B 3.3.2-3                                      Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517
Line 320: Line 314:
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
                      --------------------------------------------------------------------------------------------------
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                      1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                      1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Line 429: Line 422:
In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no                                  4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP]                        10 inclusion of both steady state and environmental instrument uncertainties.
In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no                                  4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP]                        10 inclusion of both steady state and environmental instrument uncertainties.
STET Units only have one of the Functions, 7.b or 7.c.
STET Units only have one of the Functions, 7.b or 7.c.
                    --------------------------------------------------------------------------------------------------
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps,                                5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps,                                5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
: 8. Engineered Safety Feature Actuation System Interlocks an                                is To allow some flexibility in unit operations, several interlocks are                              1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
: 8. Engineered Safety Feature Actuation System Interlocks an                                is To allow some flexibility in unit operations, several interlocks are                              1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
Line 451: Line 443:
                           ----------------------------REVIEWERS NOTE------------------------------------------
                           ----------------------------REVIEWERS NOTE------------------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the                              4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the                              4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
                          --------------------------------------------------------------------------------------------------
A.1 Condition A applies to all ESFAS protection functions.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
x    SI,    ;                                                                                    2
x    SI,    ;                                                                                    2 x    Containment Spray,            and                                                            2 x    Phase A Isolation, and                                                                        5 x    Phase B Isolation.                                                                            5 Containment WOG STS                                            B 3.3.2-38                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517
                                                          ;
x    Containment Spray,            and                                                            2 x    Phase A Isolation, and                                                                        5 x    Phase B Isolation.                                                                            5 Containment WOG STS                                            B 3.3.2-38                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517


Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
Line 507: Line 496:
The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant-                                            4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.
The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant-                                            4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.
The [NTSP] is included in the SCP.
The [NTSP] is included in the SCP.
          -------------------------------------------------------------------------------------------------------------------
used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.
used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.
               "Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.
               "Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.
Line 556: Line 544:
[NTSP]          setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a                          10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
[NTSP]          setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a                          10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.
[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS
[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS
[NTSP]          setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted
[NTSP]          setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL
                            ,
when the "as-left" setpoint value is within the band for CHANNEL
[NTSP]
[NTSP]
as-left tolerance WOG STS                                                    B 3.3.2-3                                      Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517
as-left tolerance WOG STS                                                    B 3.3.2-3                                      Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517
Line 582: Line 568:
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
                      --------------------------------------------------------------------------------------------------
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                      1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                      1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Line 607: Line 592:
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
                      --------------------------------------------------------------------------------------------------
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                        1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                        1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis                          10 and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis                          10 and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Line 701: Line 685:
In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no                                  4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP]                        10 inclusion of both steady state and environmental instrument uncertainties.
In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no                                  4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP]                        10 inclusion of both steady state and environmental instrument uncertainties.
STET Units only have one of the Functions, 7.b or 7.c.
STET Units only have one of the Functions, 7.b or 7.c.
                    --------------------------------------------------------------------------------------------------
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps,                                5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps,                                5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
: 8. Engineered Safety Feature Actuation System Interlocks an                                is To allow some flexibility in unit operations, several interlocks are                              1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
: 8. Engineered Safety Feature Actuation System Interlocks an                                is To allow some flexibility in unit operations, several interlocks are                              1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
Line 723: Line 706:
                           ----------------------------REVIEWERS NOTE------------------------------------------
                           ----------------------------REVIEWERS NOTE------------------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the                              4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the                              4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
                          --------------------------------------------------------------------------------------------------
A.1 Condition A applies to all ESFAS protection functions.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
x    SI,    ;                                                                                    2
x    SI,    ;                                                                                    2 x    Containment Spray,            and                                                            2 x    Phase A Isolation, and                                                                        5 x    Phase B Isolation.                                                                            5 Containment WOG STS                                            B 3.3.2-38                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 73 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517
                                                          ;
x    Containment Spray,            and                                                            2 x    Phase A Isolation, and                                                                        5 x    Phase B Isolation.                                                                            5 Containment WOG STS                                            B 3.3.2-38                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 73 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517


Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 74 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 74 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)
Line 812: Line 792:
: 1.      The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB), ;      2
: 1.      The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB), ;      2
: 2.      Fuel centerline melt shall not occur, and                                            2
: 2.      Fuel centerline melt shall not occur, and                                            2
                                                          ;
: 3.      The RCS pressure SL of 2750 psia shall not be exceeded.
: 3.      The RCS pressure SL of 2750 psia shall not be exceeded.
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100          1 criteria during AOOs.
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100          1 criteria during AOOs.
Line 862: Line 841:
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.
                      --------------------------------------------------------------------------------------------------
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                        1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
APPLICABLE          Each of the analyzed accidents can be detected by one or more ESFAS SAFETY              Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO,      for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY  signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary                                        1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
Line 878: Line 856:
2 WOG STS                                B 3.3.2-9                          Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 88 of 111 Attachment 1, Volume 8, Rev. 0, Page 234 of 517
2 WOG STS                                B 3.3.2-9                          Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 88 of 111 Attachment 1, Volume 8, Rev. 0, Page 234 of 517


Attachment 1, Volume 8, Rev. 0, Page 236 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 89 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are  1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) x    A spectrum of rod cluster control assembly ejection accidents (rod ejection),      ;                                                2 x    Inadvertent opening of a pressurizer relief or safety valve,                ;  2 x    LOCAs, and                                                                      2
Attachment 1, Volume 8, Rev. 0, Page 236 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 89 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are  1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) x    A spectrum of rod cluster control assembly ejection accidents (rod ejection),      ;                                                2 x    Inadvertent opening of a pressurizer relief or safety valve,                ;  2 x    LOCAs, and                                                                      2 x    SG Tube Rupture.
                                                            ;
x    SG Tube Rupture.
At some units pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection three function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic. For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements.
At some units pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection three function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic. For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements.
The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint                    10 reflects the inclusion of both steady state and adverse
The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint                    10 reflects the inclusion of both steady state and adverse
Line 968: Line 944:


Attachment 1, Volume 8, Rev. 0, Page 256 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 97 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are  1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Attachment 1, Volume 8, Rev. 0, Page 256 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 97 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are  1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
                                                                                      ,
This Function must be OPERABLE in MODES 1 and 2, and in MODE 3, when above the P-12 setpoint, when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. Below P-12 this Function is not required to be OPERABLE because the High High Steam Flow coincident with SI Function provides the required protection. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated].                  6 This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.
This Function must be OPERABLE in MODES 1 and 2, and in MODE 3, when above the P-12 setpoint, when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. Below P-12 this Function is not required to be OPERABLE because the High High Steam Flow coincident with SI Function provides the required protection. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated].                  6 This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.
e  h. Steam Line Isolation - High High Steam Flow Coincident With                    5 Safety Injection (Two Loop Units)
e  h. Steam Line Isolation - High High Steam Flow Coincident With                    5 Safety Injection (Two Loop Units)
Line 1,010: Line 985:
                     ----------------------------REVIEWERS NOTE------------------------------------------
                     ----------------------------REVIEWERS NOTE------------------------------------------
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the                              4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the                              4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.
                    --------------------------------------------------------------------------------------------------
A.1 Condition A applies to all ESFAS protection functions.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:
x    SI,    ;                                                                                    2
x    SI,    ;                                                                                    2 x    Containment Spray,            and                                                            2 x    Phase A Isolation, and                                                                        5 x    Phase B Isolation.                                                                            5 Containment WOG STS                                      B 3.3.2-38                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 101 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517
                                                    ;
x    Containment Spray,            and                                                            2 x    Phase A Isolation, and                                                                        5 x    Phase B Isolation.                                                                            5 Containment WOG STS                                      B 3.3.2-38                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 101 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517


Attachment 1, Volume 8, Rev. 0, Page 275 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
Attachment 1, Volume 8, Rev. 0, Page 275 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
Line 1,025: Line 997:
5    2 x    Steam Line Pressure - Negative Rate - High,                                  5 x    High Steam Flow Coincident With Safety Injection Coincident With 2
5    2 x    Steam Line Pressure - Negative Rate - High,                                  5 x    High Steam Flow Coincident With Safety Injection Coincident With 2
Tavg - Low Low, ;
Tavg - Low Low, ;
x    High High Steam Flow Coincident With Safety Injection,      ;                2 x    High Steam Flow in Two Steam Lines Coincident With Tavg - Low                5 Low,
x    High High Steam Flow Coincident With Safety Injection,      ;                2 x    High Steam Flow in Two Steam Lines Coincident With Tavg - Low                5 Low, 1    5    2 x    SG Water level - Low Low (two, three, and four loop units), and x    [SG Water level - High High (P-14) (two, three, and four loop units). ]    6    5 1 WOG STS                                          B 3.3.2-40                          Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Attachment 1, Volume 8, Rev. 0, Page 275 of 517
                                                                                                ;
1    5    2 x    SG Water level - Low Low (two, three, and four loop units), and x    [SG Water level - High High (P-14) (two, three, and four loop units). ]    6    5 1 WOG STS                                          B 3.3.2-40                          Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Attachment 1, Volume 8, Rev. 0, Page 275 of 517


Attachment 1, Volume 8, Rev. 0, Page 276 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 103 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)
Attachment 1, Volume 8, Rev. 0, Page 276 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 103 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)
Line 1,040: Line 1,010:
5  4 The below text should be used for plants with installed bypass test capability:
5  4 The below text should be used for plants with installed bypass test capability:
The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours while performing routine surveillance testing. The 12 hour time limit is justified in Reference 8.
The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours while performing routine surveillance testing. The 12 hour time limit is justified in Reference 8.
                          --------------------------------------------------------------------------------------------------
E.1, E.2.1, and E.2.2 5  2 Condition E applies to:
E.1, E.2.1, and E.2.2 5  2 Condition E applies to:
                                                                                 - High High x    Containment Spray Containment Pressure - High 3 (High, High) (two,                            2  5 three, and four loop units), and .                                                        1  2 x    Containment Phase B Isolation Containment Pressure - High 3 (High,                              5 High).
                                                                                 - High High x    Containment Spray Containment Pressure - High 3 (High, High) (two,                            2  5 three, and four loop units), and .                                                        1  2 x    Containment Phase B Isolation Containment Pressure - High 3 (High,                              5 High).
Line 1,053: Line 1,022:
5 The below text should be used for plants with installed bypass test capability:
5 The below text should be used for plants with installed bypass test capability:
4 The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours while performing routine surveillance testing. The 12 hour time limit is justified in Reference 8.
4 The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours while performing routine surveillance testing. The 12 hour time limit is justified in Reference 8.
                              --------------------------------------------------------------------------------------------------
WOG STS                                                B 3.3.2-42                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 104 of 111 Attachment 1, Volume 8, Rev. 0, Page 277 of 517
WOG STS                                                B 3.3.2-42                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 104 of 111 Attachment 1, Volume 8, Rev. 0, Page 277 of 517


Line 1,077: Line 1,045:
                                 ----------------------------REVIEWERS NOTE------------------------------------------
                                 ----------------------------REVIEWERS NOTE------------------------------------------
The below text should be used for plants with installed bypass test capability:                                                                                            4 The Required Actions are modified by a Note that allows placing one                                    5 channel in bypass for up to 12 hours while performing routine surveillance testing. The 72 hours allowed to place the inoperable channel in the tripped condition, and the 12 hours allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8.
The below text should be used for plants with installed bypass test capability:                                                                                            4 The Required Actions are modified by a Note that allows placing one                                    5 channel in bypass for up to 12 hours while performing routine surveillance testing. The 72 hours allowed to place the inoperable channel in the tripped condition, and the 12 hours allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8.
                                --------------------------------------------------------------------------------------------------
WOG STS                                                  B 3.3.2-45                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 106 of 111 Attachment 1, Volume 8, Rev. 0, Page 281 of 517
WOG STS                                                  B 3.3.2-45                                    Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 106 of 111 Attachment 1, Volume 8, Rev. 0, Page 281 of 517


Latest revision as of 19:39, 11 March 2020

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3)
ML102371266
Person / Time
Site: Kewaunee Dominion icon.png
Issue date: 08/18/2010
From:
Dominion Energy Kewaunee
To:
Office of Nuclear Reactor Regulation
References
10-457, TAC ME2139
Download: ML102371266 (0)
v  d  e


Text

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 1 of 111 ITS NRC Questions Id 1401 NRC Question KAB-057 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number 212 (s)

NRC Reviewer Gerald Waig Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question On page 212 of Attachment 1, volume 8, function 6.e in TS Table 3.3.2-1 references justification for deviations (JFD) 16. However, there is no JFD

16. Please provide a JFD reference that explains the change.

Attach File 1 Attach File 2 Issue Date 12/14/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/14/2009 2:54 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 1 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1401 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 2 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1371 NRC Question KAB-057 Number Select Licensee Response Application

Response

12/18/2009 9:25 AM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement JFDs 15 and 16 should actually be 14 and 15. JFD 14 justifies deleting ISTS SR 3.3.2.9 (a CHANNEL CALIBRATION) and JFD 15 justifies deleting ISTS SR 3.3.2.10 (ESFAS RESPONSE TIME test). Furthermore, JFD 15 uses the term RTS RESPONSE TIME, but should be ESFAS RESPONSE TIME. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-057 Markup.pdf (1MB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Added By David Mielke Date Added 12/18/2009 9:27 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 2 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1371 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 212 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 CTS All changes are 3 ESFAS Instrumentation 3.3.2 unless otherwise noted Table 3.3.2-1 (page 7 of 8)

Engineered Safety Feature Actuation System Instrumentation 12 10 APPLICABLE MODES (j)

OR OTHER NOMINAL SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE TRIP FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE SETPOINT

6. Auxiliary Feedwater Tables TS 3.5-3, #4.a
b. c. SG Water Level - 1,2,3 [3] per SG D SR 3.3.2.1      8 1 and #5.a; TS Low Low SR 3.3.2.5 4 4.1-1, #11.a SR 3.3.2.9 6 5 SR 3.3.2.10 15 Table TS 3.5- 8 3, #4.c c. Refer to Function 1 (Safety Injection) for all initiation functions and requirements.
d. Safety Injection
e. Loss of Offsite 1,2,3 3] per bus F SR 3.3.2.7  [2912] V with [2975] V with 8 Power SR 3.3.2.9 0.8 sec time 0.8 sec time 10 SR 3.3.2.10 delay delay Tables TS 8 1 3.5-2, #13; TS
d. f. Undervoltage 1,2 [3] per bus I H SR 3.3.2.7 3      

3.5-3, #5.b; Reactor Coolant SR 3.3.2.9 6 voltage voltage 5 DOC M14 Pump 2 SR 3.3.2.10 15 8

1 DOC M13; e. g. Trip of all Main 1,2 [2] per J I SR 3.3.2.8 5  [ ] psig [ ] psig Tables TS pump SR 3.3.2.9 5 16 3.5-3, #4.b; Feedwater both 15 Pumps 1 SR 3.3.2.10 TS 4.1-1, #35 12

h. Auxiliary 1,2,3 [2] F SR 3.3.2.1  [20.53] [psia] [ ] [psia] 14 Feedwater Pump SR 3.3.2.7 8 Suction Transfer SR 3.3.2.9 15 on Suction Pressure - Low
7. Automatic INSERT 2 4 Switchover to Containment Sump
a. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays 1,2,3,4 4 K SR 3.3.2.1   nd [  and [  9
b. Refueling Water Storage Tank SR 3.3.2.5 [ 

(RWST) Level - SR 3.3.2.9 SR 3.3.2.10 Low Low Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection

REVIEWER'S NOTE---------------------------------------------------------------------

(j) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by 2 the unit.

INSERT 3 4 WOG STS 3.3.2-15 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517

Attachment 1, Volume 8, Rev. 0, Page 219 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 4 of 111 JUSTIFICATION FOR DEVIATIONS ITS 3.3.2, ENGINEERED SAFETY FEATURE ACTUATION SYSTEM (ESFAS)

INSTRUMENTATION requirement to perform the surveillance test in accordance with the SCP. Hence, the addition of the phrase "in accordance with the Setpoint Control Program" to ITS SR 3.3.2.4, CHANNEL OPERATIONAL TEST (COT) and ITS SR 3.3.2.6, CHANNEL CALIBRATION in the surveillance requirement table.

13. The ISTS contains bracketed information and/or values that are generic to all Westinghouse vintage plants. ISTS Required Actions D, E, and I (ITS Required Actions D, E, and H, respectively) are modified by a Note that provides two options for bypassing a channel for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for the purpose of performing surveillance testing without entry into the applicable Required Actions. One option is for plants that have installed bypass testing capabilities. The other option is for plants that do not have installed bypass testing capabilities. KPS does not have installed bypass testing capabilities. Therefore, the Note for plants that do not have bypass testing capabilities is retained for Required Actions D, E, and H.
14. ISTS Table 3.3.2-1 Function 6.g (Trip of all Main Feedwater Pumps) specifies that ISTS SR 3.3.2.9, a CHANNEL CALIBRATION, is required for the Function. This CHANNEL CALIBRATION requirement is not being included in the KPS ITS for the same Function (ITS Table 3.3.2-1 Function 6.e). The ISTS shows that the Function has an ALLOWABLE VALUE and NOMINAL TRIP SETPOINT based on a pressure. The ISTS Bases describes that the trip is derived from low pressure on the control air/oil line of the turbine driven main feedwater pumps. Thus, it is appropriate to perform a CHANNEL CALIBRATION on the sensors. However, KPS uses motor driven main feedwater pumps, and the signal to start the AFW pumps comes from the breaker position contacts. Thus, there is no CHANNEL CALIBRATION to perform. This is also consistent with the KPS CTS, which does not require a CHANNEL CALIBRATION.

ESFAS

15. The RTS RESPONSE TIME requirement, ISTS SR 3.3.2.10, has not been adopted into the KPS ITS, consistent with Kewaunee current licensing basis and current Technical Specifications. The Kewaunee USAR describes the implementation of the principles as related to the proposed IEEE-279 "Standard, Nuclear Power Plant Protection Systems," August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing. Furthermore, generic studies have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other required surveillances (e.g., CHANNEL CALIBRATIONS). Since the addition of these tests would be a major burden (plant design does not readily lend itself to such testing) with little gain in safety, ISTS SR 3.3.2.10 has not been added.

Kewaunee Power Station Page 5 of 5 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 4 of 111 Attachment 1, Volume 8, Rev. 0, Page 219 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 5 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1731 NRC Question KAB-057 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/12/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/12/2010 3:21 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 5 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1731 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 6 of 111 ITS NRC Questions Id 1411 NRC Question KAB-058 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number 8l9 JFD Bases Number Page Number(s) 212 NRC Reviewer Gerald Waig Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question On page 212 of Attachment 1, volume 8, function 7a & b in TS Table 3.3.2-1 references justification for deviations (JFD) 9. Should JFD 8 be the reference for function 7a & b?

Attach File 1 Attach File 2 Issue Date 12/14/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/14/2009 2:55 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 6 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1411 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 7 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1381 NRC Question KAB-058 Number Select Licensee Response Application

Response

12/18/2009 9:25 AM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement the NRC reviewer is correct, in that the annotation for ISTS Table 3.3.2-1 Functions 7.a and 7.b should be JFD 8, not JFD 9. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment 1 KAB-058 Markup.pdf (844KB)

Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Added By David Mielke Date Added 12/18/2009 9:30 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 7 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1381 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 212 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 CTS All changes are 3 ESFAS Instrumentation 3.3.2 unless otherwise noted Table 3.3.2-1 (page 7 of 8)

Engineered Safety Feature Actuation System Instrumentation 12 10 APPLICABLE MODES (j)

OR OTHER NOMINAL SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE TRIP FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE SETPOINT

6. Auxiliary Feedwater Tables TS 3.5-3, #4.a
b. c. SG Water Level - 1,2,3 [3] per SG D SR 3.3.2.1      8 1 and #5.a; TS Low Low SR 3.3.2.5 4 4.1-1, #11.a SR 3.3.2.9 6 5 SR 3.3.2.10 15 Table TS 3.5- 8 3, #4.c c. Refer to Function 1 (Safety Injection) for all initiation functions and requirements.
d. Safety Injection
e. Loss of Offsite 1,2,3 3] per bus F SR 3.3.2.7  [2912] V with [2975] V with 8 Power SR 3.3.2.9 0.8 sec time 0.8 sec time 10 SR 3.3.2.10 delay delay Tables TS 8 1 3.5-2, #13; TS
d. f. Undervoltage 1,2 [3] per bus I H SR 3.3.2.7 3      

3.5-3, #5.b; Reactor Coolant SR 3.3.2.9 6 voltage voltage 5 DOC M14 Pump 2 SR 3.3.2.10 15 8

1 DOC M13; e. g. Trip of all Main 1,2 [2] per J I SR 3.3.2.8 5  [ ] psig [ ] psig Tables TS pump SR 3.3.2.9 5 16 3.5-3, #4.b; Feedwater both 15 Pumps 1 SR 3.3.2.10 TS 4.1-1, #35 12

h. Auxiliary 1,2,3 [2] F SR 3.3.2.1  [20.53] [psia] [ ] [psia]

Feedwater Pump SR 3.3.2.7 8 Suction Transfer SR 3.3.2.9 on Suction Pressure - Low

7. Automatic INSERT 2 4 Switchover to Containment Sump
a. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 8

Relays 1,2,3,4 4 K SR 3.3.2.1   nd [  and [  9

b. Refueling Water Storage Tank SR 3.3.2.5 [ 

(RWST) Level - SR 3.3.2.9 SR 3.3.2.10 Low Low Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection

REVIEWER'S NOTE---------------------------------------------------------------------

(j) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by 2 the unit.

INSERT 3 4 WOG STS 3.3.2-15 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 9 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1741 NRC Question KAB-058 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/12/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/12/2010 3:22 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 9 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1741 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 10 of 111 ITS NRC Questions Id 1421 NRC Question KAB-059 Number Category Technical ITS Section 3.3 ITS Number 3.3.1 DOC Number JFD Number 7 JFD Bases Number Page Number 73 (s)

NRC Reviewer Rob Elliott Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question On page 73 of Attachment 1, volume 8, justification for deviation 7 indicates that response time testing is not being adopted into the KPS ITS. Please explain how KPS will ensure the safety analysis is met without response time testing for TS 3.3.1 Functions 2.a, 2.b, 3.b, 5, 6, 7, 8.a, 8.b, 10, 12, 13, 14, and 15.

Attach File 1 Attach File 2 Issue Date 12/18/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/18/2009 1:38 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 10 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1421 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 11 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1771 NRC Question KAB-059 Number Select Licensee Response Application

Response

1/13/2010 11:35 AM Date/Time Closure Statement Response RPS and ESFAS Response Time Testing are not being adopted into KPS ITS.

Statement This is consistent with Kewaunees current licensing basis and current Technical Specifications. The Kewaunee USAR describes the testing principles as stated in the proposed IEEE-279, "Standard Nuclear Power Plant Protection Systems,"

August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing.

In 1975 the NRC started requiring Response Time Testing and KPS was licensed prior to 1975 without requirements for Response Time Testing. In addition, plants of KPS vintage that have implemented ITS also do not perform Response Time Testing (e.g., Ginna, Point Beach).

Additionally, the Westinghouse Owners Group developed a document, "Elimination of Periodic Protection Channel Response Time Tests," MUHP-3041 Rev. 1, dated October 6, 1998 to facilitate the removal of Response Time Testing for plants that were licensed after 1975 and subject to Response Time Testing requirements (which Kewaunee is not).

Studies like these have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other surveillances (e. g. CHANNEL CALIBRATIONS). Therefore, it is the KPS position that Response Time Surveillances are not needed to ensure safety analysis assumptions are met.

Question Closure Date Attachment 1

Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/13/2010 11:40 AM Modified By Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 11 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1771 06/24/2010

Kewaunee ITS Conversion Database Page 2 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 12 of 111 Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 12 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1771 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 13 of 111 Licensee Response/NRC Response/NRC Question Closure Id 3241 NRC Question KAB-059 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 5/26/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 5/26/2010 11:20 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 13 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=3241 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 14 of 111 ITS NRC Questions Id 1431 NRC Question KAB-060 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number 15 JFD Bases Number Page Number 219 (s)

NRC Reviewer Rob Elliott Supervisor Technical Barry Marcus Branch POC Conf Call N

Requested NRC Question On page 219 of Attachment 1, volume 8, justification for deviation 15 indicates that response time testing is not being adopted into the KPS ITS. Please explain how KPS will ensure the safety analysis is met without response time testing for TS 3.3.2 functions 1.c, 1.d, 1.e, 2.c, 4.c, 4.d, 4.e, 5.b, 6.b, 6.d, and 6.e.

Attach File 1 Attach File 2 Issue Date 12/18/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/18/2009 1:39 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 14 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1431 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 15 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1781 NRC Question KAB-060 Number Select Licensee Response Application

Response

1/13/2010 11:40 AM Date/Time Closure Statement Response RPS and ESFAS Response Time Testing are not being adopted into KPS ITS.

Statement This is consistent with Kewaunees current licensing basis and current Technical Specifications. The Kewaunee USAR describes the testing principles as stated in the proposed IEEE-279, "Standard Nuclear Power Plant Protection Systems,"

August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing.

In 1975 the NRC started requiring Response Time Testing and KPS was licensed prior to 1975 without requirements for Response Time Testing. In addition, plants of KPS vintage that have implemented ITS also do not perform Response Time Testing (e.g., Ginna, Point Beach).

Additionally, the Westinghouse Owners Group developed a document, "Elimination of Periodic Protection Channel Response Time Tests," MUHP-3041 Rev. 1, dated October 6, 1998 to facilitate the removal of Response Time Testing for plants that were licensed after 1975 and subject to Response Time Testing requirements (which Kewaunee is not).

Studies like these have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other surveillances (e. g. CHANNEL CALIBRATIONS). Therefore, it is the KPS position that Response Time Surveillances are not needed to ensure safety analysis assumptions are met.

Question Closure Date Attachment 1

Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/13/2010 11:42 AM Modified By Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 15 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1781 06/24/2010

Kewaunee ITS Conversion Database Page 2 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 16 of 111 Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 16 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1781 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 17 of 111 Licensee Response/NRC Response/NRC Question Closure Id 3251 NRC Question KAB-060 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 5/26/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 5/26/2010 11:21 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 17 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=3251 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 18 of 111 ITS NRC Questions Id 1491 NRC Question KAB-061 Number Category Technical ITS Section 3.3 ITS Number 3.3.4 DOC Number JFD Number JFD Bases Number Page 360 Number(s)

NRC Reviewer Carl Schulten Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC On page 360 of Attachment 1, volume 8, the sentence, A function of a Question remote shutdown system is OPERABLE if all instrument and control channels needed to support the remote shutdown system function are OPERABLE. has been changed to, A function of a dedicated shutdown system is OPERABLE if all instruments or control channels for the function are OPERABLE. The wording change, specifically the and to or changes the requirements for operability for each function. STS 3.3.4 requires the operability of all control channels and all instrumentation for each function to be operable. For example, the RCS Inventory Control function is operable when pressurizer level is operable and the charging pump control is operable. Please correct this change or provide an explanation of the wording change.

Attach File 1

Attach File 2

Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:41 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 18 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1491 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 19 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1851 NRC Question KAB-061 Number Select Licensee Response Application

Response

1/21/2010 12:45 PM Date/Time Closure Statement Response KPS changed the words from "and" to "or" since not all of the four Statement Functions listed in ITS 3.3.4 Bases Table B 3.3.4-1 include both instruments and control channels (i.e., Function 1, Reactivity Control). Thus, it was believed that including the word "and" implied that all Functions included controls. After further review, Kewaunee Power Station (KPS) has determined that the change is not necessary, and could wrongly imply that the other three Functions only need either the listed instruments or the controls to be OPERABLE for the entire Function to be OPERABLE.

Therefore, the word "or" will be changed back to "and" in the ITS 3.3.4 Bases for the LCO section. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-061 Markup.pdf (838KB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:49 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 19 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1851 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 360 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 20 of 111 All changes are 1 Dedicated Remote Shutdown System unless otherwise noted B 3.3.4 BASES Dedicated LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to place and maintain the unit in MODE 3 from a location other than the control room.

The instrumentation and controls required are listed in Table B 3.3.4-1.

The controls, instrumentation, and transfer switches are required for:

x Core reactivity control (initial and long term),

x RCS pressure control, Steam Dump System x Decay heat removal via the AFW System and the SG safety valves or SG ADVs,  ;

PORVs x RCS inventory control via charging flow, and x Safety support systems for the above Functions, including service water, component cooling water, and onsite power, including the diesel generators.

Dedicated s stet A Function of a Remote Shutdown System is OPERABLE if all instrument or and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, Table B 3.3.4-1 may indicate for the that the required information or control capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information or control sources is OPERABLE.

dedicated The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation. Dedicated Dedicated APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3.

This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy.

Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.

WOG STS B 3.3.4-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 20 of 111 Attachment 1, Volume 8, Rev. 0, Page 360 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 21 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1901 NRC Question KAB-061 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/22/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:23 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 21 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1901 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 22 of 111 ITS NRC Questions Id 1501 NRC Question KAB-062 Number Category Technical ITS Section 3.3 ITS Number 3.3.6 DOC Number M-4 JFD Number JFD Bases Number Page Number(s) 413 NRC Reviewer Carl Schulten Supervisor Technical Branch Add Name POC Conf Call N

Requested NRC Question On page 413 of Attachment 1, volume 8, discussion of change M04 references ITS 3.3.5. Please explain why ITS 3.3.5 is being referenced or correct the discrepancy?

Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:44 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 22 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1501 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 23 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1861 NRC Question KAB-062 Number Select Licensee Response Application

Response

1/21/2010 12:50 PM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement in the reference is in error. Discussion of Change (DOC) M04 should reference ITS 3.3.6, not ITS 3.3.5. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment 1 KAB-062 Markup.pdf (851KB)

Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:51 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 23 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1861 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 413 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 24 of 111 DISCUSSION OF CHANGES ITS 3.3.6, CONTAINMENT PURGE AND VENT ISOLATION INSTRUMENTATION M03 CTS Table TS 4.1-1 Channel Description 19 requires a Daily instrument check of the radiation monitoring system. ITS SR 3.3.6.1 requires the performance of a CHANNEL CHECK of the required containment purge and vent isolation radiation monitors every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. This changes the CTS by requiring a check of the required containment purge and vent isolation radiation monitors more often in ITS than in CTS.

The purpose of the instrument check is to demonstrate that the required containment purge and vent isolation radiation monitors are OPERABLE and capable of providing an early indication of any abnormal leakage conditions in the containment. ITS SR 3.3.6.1 provides reasonable confidence that the channel is operating properly. This change is designated more restrictive because less time is allowed between performances of the CHANNEL CHECK than was allowed in the CTS.

M04 CTS 3.5.d states, in part, that in the event of subsystem instrumentation channel failure permitted by CTS 3.5.b, then Tables TS 3.5-2 through TS 3.5-5 need not be observed for approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> while the operable channels are tested, as long as the failed channel is blocked to prevent an unnecessary reactor trip.

CTS 3.5.b states, in part, that in the event of failure of a subsystem instrumentation channel, plant operation shall be permitted to continue at RATED POWER in accordance with Tables TS 3.5-2 through TS 3.5-5. ITS 3.3.5 does 3.3.6 not contain this allowance. This changes the CTS by removing the allowance to block a failed channel.

The purpose of CTS 3.5.d is to allow time to perform testing of the operable subsystem channels without entering into the requirements specified in Tables TS 3.5-2 through TS 3.5-5. In order to perform this task, the inoperable channel must be placed in bypass. Currently, KPS does not have the ability to perform a bypass of an inoperable channel for the purpose of testing without performing a temporary alteration of the circuit. Since the installation of temporary alterations is intrusive, KPS has determined that this practice is unacceptable. Therefore KPS does not have the ability to perform testing with a channel in bypass and the allowance is not incorporated in the ITS. This change is designated as more restrictive because an allowance that was allowed in the CTS is not allowed in the ITS.

RELOCATED SPECIFICATIONS None REMOVED DETAIL CHANGES LA01 (Type 1 - Removing Details of System Design and System Description, Including Design Limits) CTS Table TS 4.1-1 Channel Description 19, Remarks Section Note (a) states that the CHECK, CALIBRATE, and TEST Frequencies for the Radiation Monitoring System are applicable only to channels R11 thru R15, R19, R21, and R23. For the Containment Purge and Vent Isolation Instrumentation Specification, only instruments R11, R12, and R21 apply. ITS 3.3.6 does not Kewaunee Power Station Page 4 of 6 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 24 of 111 Attachment 1, Volume 8, Rev. 0, Page 413 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 25 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1911 NRC Question KAB-062 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/22/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:23 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 25 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1911 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 26 of 111 ITS NRC Questions Id 1511 NRC Question KAB-063 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number 221-292 (s)

NRC Reviewer Select Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question Pages 221 through 292 of Attachment 1, volume 8, are the proposed TS 3.3.2 Bases. TS 3.3.2 Bases are not consistent with the Bases in TSTF-493, Revision 4, including applicable errata. Please correct the TS 3.3.2 Bases or provide an explanation of the changes.

Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:45 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 26 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1511 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 27 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1871 NRC Question KAB-063 Number Select Licensee Response Application

Response

1/21/2010 12:55 PM Date/Time Closure Statement Response The Kewaunee Power Station (KPS) ITS Amendment was based upon the Statement most current revision of TSTF-493 at the time of submittal. Since the date of the submittal, a newer revision (Rev. 4) of the TSTF has been sent to the NRC for review. KPS has reviewed this revision and appropriate changes will be made. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-063 Markup.pdf (2MB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:55 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 27 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1871 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 222 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 28 of 111 B 3.3.2 10 INSERT 1 This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor 8 ESFAS system parameters and equipment performance. ESFAS Where a LSSS is Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables specified for a that have significant safety functions. LSSS are defined by the regulation as "...settings variable on which must be a safety limits chosen so for automatic protective devices...so chosen that automatic protective action will correct has been placed, the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Control Program (SCP) controlled by 10.CFR.50.59.

REVIEWER'S NOTE -------------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant- 4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.

The [NTSP] is included in the SCP.

used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.

"Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.

Insert Page B 3.3.2-1a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 28 of 111 Attachment 1, Volume 8, Rev. 0, Page 222 of 517

Attachment 1, Volume 8, Rev. 0, Page 223 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 29 of 111 B 3.3.2 10 INSERT 1 (continued) 6 The [NTSP] specified in the SCP is a predetermined setting, plus margin, for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the

[NTSP] accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the [NTSP] ensures that SLs are not exceeded. Therefore, the [NTSP]

meets the definition of an LSSS (Ref. 1). 11 9 Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the [NTSP] to define OPERABILITY in Technical Specifications would be an overly 6 restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the

[NTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel to the [NTSP] to account for further drift during the next surveillance within the interval. Note that, although the channel is OPERABLE under these circumstances, the established as-trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance left tolerance with uncertainty assumptions stated in the referenced setpoint methodology (as-left around the

[NTSP] to 6 criteria), and confirmed to be operating within the statistical allowances of the uncertainty account for terms assigned (as-found criteria). further drift during the next surveillance However, there is also some point beyond which the channel would have not been able interval.

to perform its function due to, for example, greater than expected drift. The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, 6 such as drift, during the surveillance interval. In this manner, the actual setting of the channel will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

Insert Page B 3.3.2-1b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 29 of 111 Attachment 1, Volume 8, Rev. 0, Page 223 of 517

Attachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 30 of 111 B 3.3.2 10 INSERT 1 (continued)

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.

However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist 6

of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the 6

channel setpoint can not be reset to the [LTSP], it is inoperable.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
2. Fuel centerline melt shall not occur, and
3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 1 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident 50.67 1 categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as 6 defined in 10 CFR 50.36.

Insert Page B 3.3.2-1c Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 30 of 111 Attachment 1, Volume 8, Rev. 0, Page 224 of 517

Attachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 31 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to six measure unit parameters. In many cases, field transmitters or sensors Protection that input to the ESFAS are shared with the Reactor Trip System (RTS).

P In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are

[NTSP] provided in the Trip Setpoint and Allowable Values. The OPERABILITY 10 of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

NTSPs Signal Processing Equipment derived from Analytical Generally, three or four channels of process control equipment are used Limits for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, Analytical Limits comparable output signals for instruments located on the main control [NTSPs] 10

[NTSPs]

board, and comparison of measured input signals with setpoints U 10 established by safety analyses. These setpoints are defined in FSAR, 14 Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the 6 ESF logic measured value of a unit parameter exceeds the predetermined setpoint, relays an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input logic relay cabinets bays. However, not all unit parameters require four channels of sensor 3 measurement and signal processing. Some unit parameters provide ESF logic input only to the SSPS, while others provide input to the SSPS, the main relays control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 31 of 111 Attachment 1, Volume 8, Rev. 0, Page 225 of 517

Attachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) a protection function Generally, if a parameter is used for input to the SSPS and a control 1 function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

[NTSPs]

Allowable Values and ESFAS Setpoints 10 calculation 3

The trip setpoints used in the bistables are based on the analytical limits 1 10 analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time the Nominal Trip Setpoints delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values the SCP specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the

[NTSPs]

methodology used to calculate the Allowable Values and ESFAS The as-left tolerance and setpoints including their explicit uncertainties, is provided in the plant as-found tolerance band specific setpoint methodology study (Ref. 6) which incorporates all of the methodology is provided in the SCP. known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS

[NTSP] setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a 10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS

[NTSP] setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL

[NTSP]

as-left tolerance WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517

Attachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 33 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) and comparator setting

+/- rack CALIBRATION uncertainty allowance (i.e., calibration tolerance

[NTSP]

uncertainties). The ESFAS setpoint value is therefore considered a

, "nominal value" (i.e., expressed as a value without inequalities) for the

[Nominal Trip Setpoints] in conjunction purposes of the COT and CHANNEL CALIBRATION.

with the use of as-found and as-left tolerances together 10 Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs)

Note that the Allowable Values listed in will be acceptable, providing the unit is operated from within the LCOs at 8 the SCP are the least conservative value the onset of the DBA and the equipment functions as designed. provided of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that Each channel can be tested on line to verify that the signal processing requires trip setpoint verification.

equipment and setpoint accuracy is within the specified allowance the SCP requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; 3 generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 33 of 111 Attachment 1, Volume 8, Rev. 0, Page 227 of 517

Attachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 34 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) channel STET channels Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the 10 3 other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time. STET channel The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the 1 condition of the unit. Each master relay then energizes one or more slave 10 relays, which then cause actuation of the end devices. The master and channels slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal STET 1

path continuity. The SLAVE RELAY TEST actuates the devices if their 10 operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay. channels

REVIEWERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4

Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary 1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 34 of 111 Attachment 1, Volume 8, Rev. 0, Page 228 of 517

Attachment 1, Volume 8, Rev. 0, Page 230 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 35 of 111 B 3.3.2 10 INSERT 2 Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e., the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO).

10 INSERT 3 The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the within the as-found as-found setpoint is conservative with respect to the Allowable Value during the tolerance CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the and is Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. 6 In this manner, the actual setting of the channel ([NTSP]) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval.

tolerances Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria),

and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). The degraded condition of the channel will be If the actual setting of the channel is found to be conservative with respect to the evaluated Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE during performance of but a degraded condition has been identified. During the SR performance, the condition the SR.

of the channel will be evaluated. This evaluation will consist of resetting the channel evaluating setpoint to the [NTSP] (within the allowed tolerance) and determining that the channel is 6 the channel performing as expected. At the completion of the SR, operations will confirm the SR response.

results and determine the channel condition. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation.

If the channel is not performing as expected the channel is degraded because it may not 6 pass its next surveillance test. If the channel setpoint cannot be reset to the [NTSP], it is inoperable.

Insert Page B 3.3.2-6a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 35 of 111 Attachment 1, Volume 8, Rev. 0, Page 230 of 517

Attachment 1, Volume 8, Rev. 0, Page 231 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 36 of 111 B 3.3.2 10 INSERT 3 (continued)

A trip setpoint may be set more conservative than the [NTSP] as necessary in response 6 to plant conditions. However, in this case, the operability of the instrument must be 6

verified based on the [field setting] and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

Insert Page B 3.3.2-6b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 36 of 111 Attachment 1, Volume 8, Rev. 0, Page 231 of 517

Attachment 1, Volume 8, Rev. 0, Page 239 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 37 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Steam Line Pressure - High Differential Pressure Between Steam Lines Steam Line Pressure - High Differential Pressure Between Steam Lines provides protection against the following accidents:

x SLB, x Feed line break, and x Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - High Differential Pressure Between Steam Lines provides no input to any control functions.

Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.

5 With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse STET

[NTSP]

environmental conditions during an SLB event. Therefore, 10 the Trip Setpoint reflects both steady state and adverse STET environmental instrument uncertainties. Steam line high differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.

f, g. Safety Injection - High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low These Functions (1.f and 1.g) provide protection against the following accidents:

x SLB, and x the inadvertent opening of an SG relief or an SG safety valve.

WOG STS B 3.3.2-12 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 37 of 111 Attachment 1, Volume 8, Rev. 0, Page 239 of 517

Attachment 1, Volume 8, Rev. 0, Page 241 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 38 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

With the transmitters typically located inside the containment (Tavg) or inside the steam tunnels (High Steam Flow), it is possible for them to experience adverse steady state STET STET environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. The Steam Line Pressure - Low signal was discussed previously under Function 1.e.(1).

This Function must be OPERABLE in MODES 1, 2, and 3 5 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s).

This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked. This Function is not required OPERABLE below P-12 because the reactor is not critical, so feed line break is not a concern. SLB may be addressed by Containment Pressure High 1 (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line Pressure - Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray a LOCA or main Containment Spray provides three primary functions: steam line break
1. Lowers containment pressure and temperature after an HELB in 1 containment,  ; 2
2. Reduces the amount of radioactive iodine in the containment atmosphere, and 2
spray water and the
3. Adjusts the pH of the water in the containment recirculation 1 sump after a large break LOCA.

These functions are necessary to:

x Ensure the pressure boundary integrity of the containment structure,  ; 2 WOG STS B 3.3.2-14 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 38 of 111 Attachment 1, Volume 8, Rev. 0, Page 241 of 517

Attachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 39 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

depressing pushbutton pushbutton Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.

Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation. Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an 10 SLB. For these events, forced circulation using the RCPs is no STET longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.

Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for 7

radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure -

High 3 or Containment Pressure - High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 39 of 111 Attachment 1, Volume 8, Rev. 0, Page 246 of 517

Attachment 1, Volume 8, Rev. 0, Page 252 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 40 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked.

The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(2) Steam Line Pressure - Negative Rate - High 5 STET Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 10 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure -

Negative Rate - High signal is automatically enabled.

Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled. The WOG STS B 3.3.2-23 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 40 of 111 Attachment 1, Volume 8, Rev. 0, Page 252 of 517

Attachment 1, Volume 8, Rev. 0, Page 253 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 41 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient STET energy in the primary and secondary sides to have an SLB 10 or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

STET While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only 10 steady state instrument uncertainties. [NTSP]

STET e, f. Steam Line Isolation - High Steam Flow in Two Steam Lines 5 Coincident with Tavg - Low Low or Coincident With Steam Line Pressure - Low (Three and Four Loop Units)

These Functions (4.e and 4.f) provide closure of the MSIVs STET during an SLB or inadvertent opening of an SG relief or a safety 10 valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.

These Functions were discussed previously as Functions 1.f.

and 1.g.

These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

d g. Steam Line Isolation - High Steam Flow Coincident With Safety 5 Injection and Coincident With Tavg - Low Low (Two Loop Units)

This Function provides closure of the MSIVs during an SLB or 10 inadvertent opening of an SG relief or safety valve to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

WOG STS B 3.3.2-24 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 41 of 111 Attachment 1, Volume 8, Rev. 0, Page 253 of 517

Attachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 42 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation All changes are 1 B 3.3.2 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.

The High Steam Flow Allowable Value is a    11 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.

INSERT 8 With the transmitters (d/p cells) typically located inside the steam STET tunnels, it is possible for them to experience adverse environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoints reflect both steady state and adverse normal environmental instrument uncertainties. s 8 The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Two channels of Tavg per loop are required to be OPERABLE.

The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents a 8 that this Function protects against cause reduction of Tavg in the entire primary system. Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the Tavg - Low Low However, the channel statistical Function. The Tavg channels provide control inputs, but the allowance calculation does not consider any environmental allowance as part of control function cannot initiate events that the Function acts to the instrument uncertainty, since the mitigate. Therefore, additional channels are not required to function is assumed to be performed prior to the time that adverse conditions address control protection interaction issues.

can affect the Function.

With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience STET adverse environmental conditions during an SLB event.

[NTSP] Therefore, the Trip Setpoint reflects both steady state and 10 adverse environmental instrumental uncertainties.

WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 42 of 111 Attachment 1, Volume 8, Rev. 0, Page 254 of 517

Attachment 1, Volume 8, Rev. 0, Page 265 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 43 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sensed by any one of the switches will cause the emergency supply of water for both pumps to be aligned, or cause the AFW pumps to stop until the emergency source of water is aligned.

ESW (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.

Since the detectors are located in an area not affected by HELBs 5 or high radiation, they will not experience any adverse STET environmental conditions and the Trip Setpoint reflects only 10 steady state instrument uncertainties. [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.

INSERT 12

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject 5 the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.

WOG STS B 3.3.2-32 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 43 of 111 Attachment 1, Volume 8, Rev. 0, Page 265 of 517

Attachment 1, Volume 8, Rev. 0, Page 268 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 44 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) b, c. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level - Low Low Coincident With Safety Injection and Coincident With Containment Sump Level - High During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions.

Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The RWST - Low Low Allowable Value/Trip Setpoint has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in 5

the containment sump to provide ECCS pump suction.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects 10 only steady state instrument uncertainties. [NTSP]

STET Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

WOG STS B 3.3.2-33 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 44 of 111 Attachment 1, Volume 8, Rev. 0, Page 268 of 517

Attachment 1, Volume 8, Rev. 0, Page 269 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 45 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

REVIEWERS NOTE-------------------------------

In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no 4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP] 10 inclusion of both steady state and environmental instrument uncertainties.

STET Units only have one of the Functions, 7.b or 7.c.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, 5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks an is To allow some flexibility in unit operations, several interlocks are 1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

WOG STS B 3.3.2-34 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 45 of 111 Attachment 1, Volume 8, Rev. 0, Page 269 of 517

Attachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 46 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value. 10

[NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam Dump System are not in operation.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -

Low steam line isolation signal (previously discussed). When the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the 5 Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure -

Negative Rate - High is disabled. The Trip Setpoint reflects only 10 steady state instrument uncertainties.

STET [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 46 of 111 Attachment 1, Volume 8, Rev. 0, Page 271 of 517

Attachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) [NTSP]

10 In the event a channel's Trip Setpoint is found nonconservative with or the channel is respect to the Allowable Value, or the transmitter, instrument Loop, signal 10 not functioning as processing electronics, or bistable is found inoperable, then all affected required, Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

REVIEWERS NOTE------------------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the 4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

x SI,  ; 2 x Containment Spray, and 2 x Phase A Isolation, and 5 x Phase B Isolation. 5 Containment WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517

Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay 5

coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This Thevoltage is insufficient test is performed to with in accordance picktheup theIfslave SCP. relay, the actual but setting of the channel is found large enough to demonstrate to be conservative signal with respect path continuity. to thetest This Allowable is Value but is performed every 92 days beyondonthea as-found STAGGERED tolerance band, TEST the BASIS.

channel is OPERABLE The timebut degraded. The degraded condition of the channel will be further evaluated Move SR allowed for the testing (4 performance during hours) is justified in Reference of the SR. This evaluation will11. The consist of resetting the 3.3.2.3 from Frequency of 92 days is justified channel setpoint to in theReference

[NTSP] (within9.the allowed tolerance), and evaluating 10 page B the channel response. If the channel is functioning as required and is 3.3.2-51 to expected to pass the next surveillance, then the channel is OPERABLE and here can be restored to service at the completion of the surveillance. After the SR 3.3.2.5 4 surveillance is completed, the channel as-found condition will be entered into 5 the Corrective Action Program for further evaluation.

5 SR 3.3.2.5 is the performance of a COT.

in accordance with the SCP 10 A COT is performed on each required channel to ensure the entire conservative with respect to channel will perform the intended Function. Setpoints must be found the Allowable Values as within the Allowable Values specified in Table 3.3.1-1. A successful test controlled by the SCP of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

10 The difference between the current "as found" values and the previous The SCP establishes the necessary controls for properly maintaining the test "as left" values must be consistent with the drift allowance used in the applicable ESFAS instrumentation setpoint methodology. The setpoint shall be left set consistent with the 10 channels.

assumptions of the current unit specific setpoint methodology.

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 11.

10 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Attachment 1, Volume 8, Rev. 0, Page 287 of 517

Attachment 1, Volume 8, Rev. 0, Page 288 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 49 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.6 5 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every [92] days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.2.7 3 5 5 6 SR 3.3.2.7 is the performance of a TADOT every [92] days. This test is a check of the Loss of Offsite Power, Undervoltage RCP, and AFW Pump Suction Transfer on Suction Pressure - Low Functions. Each Function is tested up to, and including, the master transfer relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least Move to once per refueling interval with applicable extensions.

STET previous 10 page before channels The test also includes trip devices that provide actuation signals directly 1 SR 3.3.2.4 to the SSPS. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

WOG STS B 3.3.2-51 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 49 of 111 Attachment 1, Volume 8, Rev. 0, Page 288 of 517

Attachment 1, Volume 8, Rev. 0, Page 289 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 50 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.8 5 5 5

SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every [18] months. Each Manual Actuation 6 Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

INSERT for ISTS SR 3.3.2.8 10 SR 3.3.2.9 6 5 5

SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every [18] months, or 6 approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

in accordance CHANNEL CALIBRATIONS must be performed consistent with the 10 SCP. The SCP establishes the assumptions of the unit specific setpoint methodology. The difference necessary controls for properly between the current "as found" values and the previous test "as left" 10 maintaining the applicable ESFAS instrumentation channels. values must be consistent with the drift allowance used in the setpoint methodology.

INSERT for ISTS SR 3.3.2.9 10 The Frequency of [18] months is based on the assumption of an 6

[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

WOG STS B 3.3.2-52 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 50 of 111 Attachment 1, Volume 8, Rev. 0, Page 289 of 517

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 51 of 111 INSERT for ISTS SR 3.3.2.8 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel 10 response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

INSERT for ISTS SR 3.3.2.9 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel 10 response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 51 of 111

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 52 of 111 Licensee Response/NRC Response/NRC Question Closure Id 2241 NRC Question KAB-063 Number Select Licensee Response Application

Response

2/18/2010 4:00 PM Date/Time Closure Statement Response KPS has reviewed the errata to TSTF-493, Rev. 4 and determined that the Statement draft markup attached to the previous KPS response to KAB-065 did not include a few minor changes. A draft markup regarding these changes is attached, and supersedes the previous draft markup. Changes from the previous markup are identified in red (see pages 1 and 10 of the attachment). These changes will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-063, Rev. 1 Markup.pdf (2MB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays David Mielke Ray Schiele Added By Robert Hanley Date Added 2/18/2010 4:00 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 52 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=2241 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 222 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 53 of 111 B 3.3.2 10 INSERT 1 This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor 8 ESFAS system parameters and equipment performance. ESFAS Where a LSSS is Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables specified for a that have significant safety functions. LSSS are defined by the regulation as "...settings variable on which must be a safety limit has chosen so for automatic protective devices...so chosen that automatic protective action will correct been placed, the the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Control Program (SCP) controlled by 10.CFR.50.59.

field

REVIEWER'S NOTE -------------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant- 4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.

The [NTSP] is included in the SCP.

used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.

"Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.

field setting Insert Page B 3.3.2-1a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 53 of 111 Attachment 1, Volume 8, Rev. 0, Page 222 of 517

Attachment 1, Volume 8, Rev. 0, Page 223 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 54 of 111 B 3.3.2 10 INSERT 1 (continued) 6 The [NTSP] specified in the SCP is a predetermined setting, plus margin, for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the

[NTSP] accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the [NTSP] ensures that SLs are not exceeded. Therefore, the [NTSP]

meets the definition of an LSSS (Ref. 1). 11 9 Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the [NTSP] to define OPERABILITY in Technical Specifications would be an overly 6 restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the

[NTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel to the [NTSP] to account for further drift during the next surveillance within the interval. Note that, although the channel is OPERABLE under these circumstances, the established as-trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance left tolerance with uncertainty assumptions stated in the referenced setpoint methodology (as-left around the

[NTSP] to 6 criteria), and confirmed to be operating within the statistical allowances of the uncertainty account for terms assigned (as-found criteria). further drift during the next surveillance However, there is also some point beyond which the channel would have not been able interval.

to perform its function due to, for example, greater than expected drift. The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, 6 such as drift, during the surveillance interval. In this manner, the actual setting of the channel will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

Insert Page B 3.3.2-1b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 54 of 111 Attachment 1, Volume 8, Rev. 0, Page 223 of 517

Attachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 55 of 111 B 3.3.2 10 INSERT 1 (continued)

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.

However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist 6

of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the 6

channel setpoint can not be reset to the [LTSP], it is inoperable.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),
2. Fuel centerline melt shall not occur, and
3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 1 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident 50.67 1 categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as 6 defined in 10 CFR 50.36.

Insert Page B 3.3.2-1c Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 55 of 111 Attachment 1, Volume 8, Rev. 0, Page 224 of 517

Attachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 56 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to six measure unit parameters. In many cases, field transmitters or sensors Protection that input to the ESFAS are shared with the Reactor Trip System (RTS).

P In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are

[NTSP] provided in the Trip Setpoint and Allowable Values. The OPERABILITY 10 of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

NTSPs Signal Processing Equipment derived from Analytical Generally, three or four channels of process control equipment are used Limits for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, Analytical Limits comparable output signals for instruments located on the main control [NTSPs] 10

[NTSPs]

board, and comparison of measured input signals with setpoints U 10 established by safety analyses. These setpoints are defined in FSAR, 14 Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the 6 ESF logic measured value of a unit parameter exceeds the predetermined setpoint, relays an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input logic relay cabinets bays. However, not all unit parameters require four channels of sensor 3 measurement and signal processing. Some unit parameters provide ESF logic input only to the SSPS, while others provide input to the SSPS, the main relays control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 56 of 111 Attachment 1, Volume 8, Rev. 0, Page 225 of 517

Attachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) a protection function Generally, if a parameter is used for input to the SSPS and a control 1 function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

[NTSPs]

Allowable Values and ESFAS Setpoints 10 calculation 3

The trip setpoints used in the bistables are based on the analytical limits 1 10 analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time the Nominal Trip Setpoints delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values the SCP specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the

[NTSPs]

methodology used to calculate the Allowable Values and ESFAS The as-left tolerance and setpoints including their explicit uncertainties, is provided in the plant as-found tolerance band specific setpoint methodology study (Ref. 6) which incorporates all of the methodology is provided in the SCP. known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS

[NTSP] setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a 10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS

[NTSP] setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL

[NTSP]

as-left tolerance WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517

Attachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 58 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) and comparator setting

+/- rack CALIBRATION uncertainty allowance (i.e., calibration tolerance

[NTSP]

uncertainties). The ESFAS setpoint value is therefore considered a

, "nominal value" (i.e., expressed as a value without inequalities) for the

[Nominal Trip Setpoints] in conjunction purposes of the COT and CHANNEL CALIBRATION.

with the use of as-found and as-left tolerances together 10 Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs)

Note that the Allowable Values listed in will be acceptable, providing the unit is operated from within the LCOs at 8 the SCP are the least conservative value the onset of the DBA and the equipment functions as designed. provided of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that Each channel can be tested on line to verify that the signal processing requires trip setpoint verification.

equipment and setpoint accuracy is within the specified allowance the SCP requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; 3 generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 58 of 111 Attachment 1, Volume 8, Rev. 0, Page 227 of 517

Attachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 59 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) channel STET channels Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the 10 3 other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time. STET channel The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the 1 condition of the unit. Each master relay then energizes one or more slave 10 relays, which then cause actuation of the end devices. The master and channels slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal STET 1

path continuity. The SLAVE RELAY TEST actuates the devices if their 10 operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay. channels

REVIEWERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4

Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary 1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 59 of 111 Attachment 1, Volume 8, Rev. 0, Page 228 of 517

Attachment 1, Volume 8, Rev. 0, Page 230 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 60 of 111 B 3.3.2 10 INSERT 2 Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e., the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO).

10 INSERT 3 The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the within the as-found as-found setpoint is conservative with respect to the Allowable Value during the tolerance CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the and is Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. 6 In this manner, the actual setting of the channel ([NTSP]) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval.

tolerances Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria),

and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). The degraded condition of the channel will be If the actual setting of the channel is found to be conservative with respect to the evaluated Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE during performance of but a degraded condition has been identified. During the SR performance, the condition the SR.

of the channel will be evaluated. This evaluation will consist of resetting the channel evaluating setpoint to the [NTSP] (within the allowed tolerance) and determining that the channel is 6 the channel performing as expected. At the completion of the SR, operations will confirm the SR response.

results and determine the channel condition. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation.

If the channel is not performing as expected the channel is degraded because it may not 6 pass its next surveillance test. If the channel setpoint cannot be reset to the [NTSP], it is inoperable.

Insert Page B 3.3.2-6a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 60 of 111 Attachment 1, Volume 8, Rev. 0, Page 230 of 517

Attachment 1, Volume 8, Rev. 0, Page 231 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 61 of 111 B 3.3.2 10 INSERT 3 (continued)

A trip setpoint may be set more conservative than the [NTSP] as necessary in response 6 to plant conditions. However, in this case, the operability of the instrument must be 6

verified based on the [field setting] and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

Insert Page B 3.3.2-6b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 61 of 111 Attachment 1, Volume 8, Rev. 0, Page 231 of 517

Attachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 62 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) stet channel channels Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the 10 3 other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time. channel The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the 1 condition of the unit. Each master relay then energizes one or more slave 10 relays, which then cause actuation of the end devices. The master and channels slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts andstet applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal 1

path continuity. The SLAVE RELAY TEST actuates the devices if their 10 operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay. channels

REVIEWERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4

Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary 1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis 10 and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

implicitly WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 62 of 111 Attachment 1, Volume 8, Rev. 0, Page 228 of 517

Attachment 1, Volume 8, Rev. 0, Page 239 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 63 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Steam Line Pressure - High Differential Pressure Between Steam Lines Steam Line Pressure - High Differential Pressure Between Steam Lines provides protection against the following accidents:

x SLB, x Feed line break, and x Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - High Differential Pressure Between Steam Lines provides no input to any control functions.

Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.

5 With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse STET

[NTSP]

environmental conditions during an SLB event. Therefore, 10 the Trip Setpoint reflects both steady state and adverse STET environmental instrument uncertainties. Steam line high differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.

f, g. Safety Injection - High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low These Functions (1.f and 1.g) provide protection against the following accidents:

x SLB, and x the inadvertent opening of an SG relief or an SG safety valve.

WOG STS B 3.3.2-12 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 63 of 111 Attachment 1, Volume 8, Rev. 0, Page 239 of 517

Attachment 1, Volume 8, Rev. 0, Page 241 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 64 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

With the transmitters typically located inside the containment (Tavg) or inside the steam tunnels (High Steam Flow), it is possible for them to experience adverse steady state STET STET environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. The Steam Line Pressure - Low signal was discussed previously under Function 1.e.(1).

This Function must be OPERABLE in MODES 1, 2, and 3 5 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s).

This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked. This Function is not required OPERABLE below P-12 because the reactor is not critical, so feed line break is not a concern. SLB may be addressed by Containment Pressure High 1 (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line Pressure - Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray a LOCA or main Containment Spray provides three primary functions: steam line break
1. Lowers containment pressure and temperature after an HELB in 1 containment,  ; 2
2. Reduces the amount of radioactive iodine in the containment atmosphere, and 2
spray water and the
3. Adjusts the pH of the water in the containment recirculation 1 sump after a large break LOCA.

These functions are necessary to:

x Ensure the pressure boundary integrity of the containment structure,  ; 2 WOG STS B 3.3.2-14 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 64 of 111 Attachment 1, Volume 8, Rev. 0, Page 241 of 517

Attachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 65 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

depressing pushbutton pushbutton Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.

Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation. Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an 10 SLB. For these events, forced circulation using the RCPs is no STET longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.

Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for 7

radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure -

High 3 or Containment Pressure - High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 65 of 111 Attachment 1, Volume 8, Rev. 0, Page 246 of 517

Attachment 1, Volume 8, Rev. 0, Page 252 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 66 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked.

The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(2) Steam Line Pressure - Negative Rate - High 5 STET Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 10 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure -

Negative Rate - High signal is automatically enabled.

Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled. The WOG STS B 3.3.2-23 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 66 of 111 Attachment 1, Volume 8, Rev. 0, Page 252 of 517

Attachment 1, Volume 8, Rev. 0, Page 253 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 67 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient STET energy in the primary and secondary sides to have an SLB 10 or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

STET While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only 10 steady state instrument uncertainties. [NTSP]

STET e, f. Steam Line Isolation - High Steam Flow in Two Steam Lines 5 Coincident with Tavg - Low Low or Coincident With Steam Line Pressure - Low (Three and Four Loop Units)

These Functions (4.e and 4.f) provide closure of the MSIVs STET during an SLB or inadvertent opening of an SG relief or a safety 10 valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.

These Functions were discussed previously as Functions 1.f.

and 1.g.

These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

d g. Steam Line Isolation - High Steam Flow Coincident With Safety 5 Injection and Coincident With Tavg - Low Low (Two Loop Units)

This Function provides closure of the MSIVs during an SLB or 10 inadvertent opening of an SG relief or safety valve to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

WOG STS B 3.3.2-24 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 67 of 111 Attachment 1, Volume 8, Rev. 0, Page 253 of 517

Attachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 68 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation All changes are 1 B 3.3.2 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.

The High Steam Flow Allowable Value is a    11 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.

INSERT 8 With the transmitters (d/p cells) typically located inside the steam STET tunnels, it is possible for them to experience adverse environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoints reflect both steady state and adverse normal environmental instrument uncertainties. s 8 The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Two channels of Tavg per loop are required to be OPERABLE.

The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents a 8 that this Function protects against cause reduction of Tavg in the entire primary system. Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the Tavg - Low Low However, the channel statistical Function. The Tavg channels provide control inputs, but the allowance calculation does not consider any environmental allowance as part of control function cannot initiate events that the Function acts to the instrument uncertainty, since the mitigate. Therefore, additional channels are not required to function is assumed to be performed prior to the time that adverse conditions address control protection interaction issues.

can affect the Function.

With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience STET adverse environmental conditions during an SLB event.

[NTSP] Therefore, the Trip Setpoint reflects both steady state and 10 adverse environmental instrumental uncertainties.

WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 68 of 111 Attachment 1, Volume 8, Rev. 0, Page 254 of 517

Attachment 1, Volume 8, Rev. 0, Page 265 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 69 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sensed by any one of the switches will cause the emergency supply of water for both pumps to be aligned, or cause the AFW pumps to stop until the emergency source of water is aligned.

ESW (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.

Since the detectors are located in an area not affected by HELBs 5 or high radiation, they will not experience any adverse STET environmental conditions and the Trip Setpoint reflects only 10 steady state instrument uncertainties. [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.

INSERT 12

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject 5 the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.

WOG STS B 3.3.2-32 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 69 of 111 Attachment 1, Volume 8, Rev. 0, Page 265 of 517

Attachment 1, Volume 8, Rev. 0, Page 268 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 70 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) b, c. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level - Low Low Coincident With Safety Injection and Coincident With Containment Sump Level - High During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions.

Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The RWST - Low Low Allowable Value/Trip Setpoint has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in 5

the containment sump to provide ECCS pump suction.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects 10 only steady state instrument uncertainties. [NTSP]

STET Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

WOG STS B 3.3.2-33 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 70 of 111 Attachment 1, Volume 8, Rev. 0, Page 268 of 517

Attachment 1, Volume 8, Rev. 0, Page 269 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 71 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

REVIEWERS NOTE-------------------------------

In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no 4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP] 10 inclusion of both steady state and environmental instrument uncertainties.

STET Units only have one of the Functions, 7.b or 7.c.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, 5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks an is To allow some flexibility in unit operations, several interlocks are 1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

WOG STS B 3.3.2-34 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 71 of 111 Attachment 1, Volume 8, Rev. 0, Page 269 of 517

Attachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 72 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value. 10

[NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam Dump System are not in operation.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -

Low steam line isolation signal (previously discussed). When the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the 5 Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure -

Negative Rate - High is disabled. The Trip Setpoint reflects only 10 steady state instrument uncertainties.

STET [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 72 of 111 Attachment 1, Volume 8, Rev. 0, Page 271 of 517

Attachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 73 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) [NTSP]

10 In the event a channel's Trip Setpoint is found nonconservative with or the channel is respect to the Allowable Value, or the transmitter, instrument Loop, signal 10 not functioning as processing electronics, or bistable is found inoperable, then all affected required, Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

REVIEWERS NOTE------------------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the 4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

x SI,  ; 2 x Containment Spray, and 2 x Phase A Isolation, and 5 x Phase B Isolation. 5 Containment WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 73 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517

Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 74 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay 5

coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This Thevoltage is insufficient test is performed to with in accordance picktheup theIfslave SCP. relay, the actual but setting of the channel is found large enough to demonstrate to be conservative signal with respect path continuity. to thetest This Allowable is Value but is performed every 92 days beyondonthea as-found STAGGERED tolerance band, TEST the BASIS.

channel is OPERABLE The timebut degraded. The degraded condition of the channel will be further evaluated Move SR allowed for the testing (4 performance during hours) is justified in Reference of the SR. This evaluation will11. The consist of resetting the 3.3.2.3 from Frequency of 92 days is justified channel setpoint to in theReference

[NTSP] (within9.the allowed tolerance), and evaluating 10 page B the channel response. If the channel is functioning as required and is 3.3.2-51 to expected to pass the next surveillance, then the channel is OPERABLE and here can be restored to service at the completion of the surveillance. After the SR 3.3.2.5 4 surveillance is completed, the channel as-found condition will be entered into 5 the Corrective Action Program for further evaluation.

5 SR 3.3.2.5 is the performance of a COT.

in accordance with the SCP 10 A COT is performed on each required channel to ensure the entire conservative with respect to channel will perform the intended Function. Setpoints must be found the Allowable Values as within the Allowable Values specified in Table 3.3.1-1. A successful test controlled by the SCP of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

10 The difference between the current "as found" values and the previous The SCP establishes the necessary controls for properly maintaining the test "as left" values must be consistent with the drift allowance used in the applicable ESFAS instrumentation setpoint methodology. The setpoint shall be left set consistent with the 10 channels.

assumptions of the current unit specific setpoint methodology.

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 11.

10 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 74 of 111 Attachment 1, Volume 8, Rev. 0, Page 287 of 517

Attachment 1, Volume 8, Rev. 0, Page 288 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 75 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.6 5 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every [92] days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.2.7 3 5 5 6 SR 3.3.2.7 is the performance of a TADOT every [92] days. This test is a check of the Loss of Offsite Power, Undervoltage RCP, and AFW Pump Suction Transfer on Suction Pressure - Low Functions. Each Function is tested up to, and including, the master transfer relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least Move to once per refueling interval with applicable extensions.

STET previous 10 page before channels The test also includes trip devices that provide actuation signals directly 1 SR 3.3.2.4 to the SSPS. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

WOG STS B 3.3.2-51 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 75 of 111 Attachment 1, Volume 8, Rev. 0, Page 288 of 517

Attachment 1, Volume 8, Rev. 0, Page 289 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 76 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.8 5 5 5

SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every [18] months. Each Manual Actuation 6 Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

INSERT for ISTS SR 3.3.2.8 10 SR 3.3.2.9 6 5 5

SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every [18] months, or 6 approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

in accordance CHANNEL CALIBRATIONS must be performed consistent with the 10 SCP. The SCP establishes the assumptions of the unit specific setpoint methodology. The difference necessary controls for properly between the current "as found" values and the previous test "as left" 10 maintaining the applicable ESFAS instrumentation channels. values must be consistent with the drift allowance used in the setpoint methodology.

INSERT for ISTS SR 3.3.2.9 10 The Frequency of [18] months is based on the assumption of an 6

[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

WOG STS B 3.3.2-52 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 76 of 111 Attachment 1, Volume 8, Rev. 0, Page 289 of 517

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 77 of 111 INSERT for ISTS SR 3.3.2.8 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel 10 response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

INSERT for ISTS SR 3.3.2.9 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel 10 response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 77 of 111

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 78 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1921 NRC Question KAB-063 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/22/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:45 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 78 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1921 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 79 of 111 Licensee Response/NRC Response/NRC Question Closure Id 2251 NRC Question KAB-063 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 2/19/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 2/19/2010 2:31 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 79 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=2251 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 80 of 111 ITS NRC Questions Id 1521 NRC Question KAB-064 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number 221-292 (s)

NRC Reviewer Carl Schulten Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question Pages 221 through 292 of Attachment 1, volume 8, are the proposed TS 3.3.2 Bases. Throughout the Bases there appear to be errors in the reference to the Bases justifications for deviations. Please correct these errors or provide an explanation of the changes.

Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:46 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 80 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1521 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 81 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1881 NRC Question KAB-064 Number Select Licensee Response Application

Response

1/21/2010 12:55 PM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement the NRC reviewer is correct, in that there are errors in the annotated Bases JFDs. These identified errors will be corrected. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment 1 KAB-064 Markup.pdf (3MB)

Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:58 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 81 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1881 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 221 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 82 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. INSERT 1 10 two 1

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

x Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured, and 3 2 x Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system .

devices, and control board/control room/miscellaneous indications, 3 2 and channels 10 x Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety 3

feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST 10 (COT). Note that, although a channel is "OPERABLE" under these circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFAS setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

WOG STS B 3.3.2-1 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 82 of 111 Attachment 1, Volume 8, Rev. 0, Page 221 of 517

Attachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 83 of 111 B 3.3.2 10 INSERT 1 (continued)

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.

However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist 6

of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the 6

channel setpoint can not be reset to the [LTSP], it is inoperable.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB), ; 2
2. Fuel centerline melt shall not occur, and 2
3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 1 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident 50.67 1 categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as 6 defined in 10 CFR 50.36.

Insert Page B 3.3.2-1c Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 83 of 111 Attachment 1, Volume 8, Rev. 0, Page 224 of 517

Attachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 84 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to six measure unit parameters. In many cases, field transmitters or sensors Protection that input to the ESFAS are shared with the Reactor Trip System (RTS).

P In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are

[NTSP] provided in the Trip Setpoint and Allowable Values. The OPERABILITY 6 10 of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control [NTSPs] 10

[NTSPs]

board, and comparison of measured input signals with setpoints U 10 established by safety analyses. These setpoints are defined in FSAR, 14 Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the 6 ESF logic measured value of a unit parameter exceeds the predetermined setpoint, relays an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input logic relay cabinets bays. However, not all unit parameters require four channels of sensor 3 measurement and signal processing. Some unit parameters provide ESF logic input only to the SSPS, while others provide input to the SSPS, the main relays control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 84 of 111 Attachment 1, Volume 8, Rev. 0, Page 225 of 517

Attachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 85 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) a protection function Generally, if a parameter is used for input to the SSPS and a control 1 function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

[NTSPs]

Allowable Values and ESFAS Setpoints 6 10 3

The trip setpoints used in the bistables are based on the analytical limits analytical limits stated in Reference 2. The selection of these trip setpoints is such that 9 1 10 adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values the SCP specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the

[NTSPs]

methodology used to calculate the Allowable Values and ESFAS The as-left tolerance and setpoints including their explicit uncertainties, is provided in the plant 6 as-found tolerance band specific setpoint methodology study (Ref. 6) which incorporates all of the methodology is provided in the SCP. known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS

[NTSP] setpoint and corresponding Allowable Value. The nominal ESFAS 6 setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a 10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

[NTSP] is the value 6

The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS

[NTSP] setpoint value ensures the safety analysis limits are met for the 6 is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL

[NTSP] 6 as-left tolerance WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 85 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517

Attachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 86 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) and comparator setting

+/- rack CALIBRATION uncertainty allowance (i.e., calibration tolerance

[NTSP]

uncertainties). The ESFAS setpoint value is therefore considered a 6 "nominal value" (i.e., expressed as a value without inequalities) for the

[Nominal Trip Setpoints] in conjunction purposes of the COT and CHANNEL CALIBRATION.

with the use of as-found and as-left 6 tolerances together 10 Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs)

Note that the Allowable Values listed in will be acceptable, providing the unit is operated from within the LCOs at 8 the SCP are the least conservative value the onset of the DBA and the equipment functions as designed. provided of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that Each channel can be tested on line to verify that the signal processing requires trip setpoint verification.

equipment and setpoint accuracy is within the specified allowance the SCP requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; 3 generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 86 of 111 Attachment 1, Volume 8, Rev. 0, Page 227 of 517

Attachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 87 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) channel channels Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the 10 3 other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time. channel The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the 3 1 condition of the unit. Each master relay then energizes one or more slave 10 relays, which then cause actuation of the end devices. The master and channels slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal 1

path continuity. The SLAVE RELAY TEST actuates the devices if their 10 operation will not interfere with continued unit operation. For the latter 5 case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay. channels

REVIEWERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4

Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary 1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 87 of 111 Attachment 1, Volume 8, Rev. 0, Page 228 of 517

Attachment 1, Volume 8, Rev. 0, Page 234 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 88 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation All changes are 1 B 3.3.2 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection - Containment Pressure - High 1 This signal provides protection against the following accidents:

x SLB inside containment,  ; and 2 and x LOCA, and . 2 x Feed line break inside containment.

Containment Pressure - High 1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.

[NTSP]

10 Thus, the high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.

INSERT 4 Containment Pressure - High 1 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

d. Safety Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents:

x Inadvertent opening of a steam generator (SG) relief or safety valve, x SLB,  ;

2 WOG STS B 3.3.2-9 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 88 of 111 Attachment 1, Volume 8, Rev. 0, Page 234 of 517

Attachment 1, Volume 8, Rev. 0, Page 236 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 89 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) x A spectrum of rod cluster control assembly ejection accidents (rod ejection),  ; 2 x Inadvertent opening of a pressurizer relief or safety valve,  ; 2 x LOCAs, and 2 x SG Tube Rupture.

At some units pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection three function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic. For units that have dedicated protection and control channels, only three protection channels are necessary to satisfy the protective requirements.

The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint 10 reflects the inclusion of both steady state and adverse

[NTSP] 6 environmental instrument uncertainties.

, with pressurizer pressure greater than or a LOCA or SLB accident equal to 2000 psig, This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure - High 1 signal. when pressurizer pressure is less than 2000 psig This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE.

when pressurizer pressure is less than 2000 psig In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

WOG STS B 3.3.2-10 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 89 of 111 Attachment 1, Volume 8, Rev. 0, Page 236 of 517

Attachment 1, Volume 8, Rev. 0, Page 237 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 90 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

e. Safety Injection - Steam Line Pressure (1) Steam Line Pressure - Low Steam Line Pressure - Low provides protection against the following accidents:

x SLB, and 8 x Feed line break, and x Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam line. in close proximity to the main steam lines With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse [NTSP] 10 6 environmental conditions during a secondary side break.

Therefore, the Trip Setpoint reflects both steady state and normal adverse environmental instrument uncertainties.

INSERT 5 This Function is anticipatory in nature and has a typical lead/lag ratio of 50/5. 12/2 when pressurizer pressure is less than 2000 psig Steam Line Pressure - Low must be OPERABLE in

, with pressurizer pressure greater than or MODES 1, 2, and 3 (above P-11) when a secondary side equal to 2000 psig, break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be When pressurizer pressure is less than 2000 psig manually blocked by the operator below the P-11 setpoint.

Below P-11, feed line break is not a concern. Inside containment SLB will be terminated by automatic SI actuation via Containment Pressure - High 1, and outside containment SLB will be terminated by the Steam Line Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

The steam line break event will be terminated by the SI signal actuation due to the coincidence of Hi-Hi steam flow and Lo-Lo steam pressure.

WOG STS B 3.3.2-11 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 90 of 111 Attachment 1, Volume 8, Rev. 0, Page 237 of 517

Attachment 1, Volume 8, Rev. 0, Page 244 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 91 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is also required in MODE 4, even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

- High High

c. Containment Spray - Containment Pressure 10 This signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells) are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. The transmitters and electronics are located outside of containment. Thus, they will

[NTSP]

not experience any adverse environmental conditions and the 6 10 Trip Setpoint reflects only steady state instrument uncertainties.

This is one of the only Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the 12 probability of an inadvertent actuation.

Two different logic configurations are typically used. Three and four loop units use four channels in a two-out-of-four logic configuration. This configuration may be called the Containment Pressure - High 3 Setpoint for three and four loop units, and WOG STS B 3.3.2-16 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 91 of 111 Attachment 1, Volume 8, Rev. 0, Page 244 of 517

Attachment 1, Volume 8, Rev. 0, Page 245 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 92 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Containment Pressure - High High Setpoint for other units.

Some two loop units use three sets of two channels, each set s combined in a one-out-of-two configuration, with these outputs three combined so that two-out-of-three sets tripped initiates containment spray. This configuration is called Containment Pressure - High 3 Setpoint. Since containment pressure is not used for control, both of these arrangements exceed the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip.

Containment Pressure - [High 3] [High High] must be 6 OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure

- High 3 (High High) setpoints.

3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW), at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the 7 reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW is required to 5 support RCP operation, not isolating CCW on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

Phase A containment isolation is actuated automatically by SI, or 5 manually via the automatic actuation logic. All process lines penetrating containment, with the exception of CCW, are isolated.

systems required for accident mitigation WOG STS B 3.3.2-17 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 92 of 111 Attachment 1, Volume 8, Rev. 0, Page 245 of 517

Attachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 93 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

depressing pushbutton pushbutton Manual Phase A Containment Isolation is accomplished by either of 5 two switches in the control room. Either switch actuates both trains.

Note that manual actuation of Phase A Containment Isolation also 5 actuates Containment Purge and Exhaust Isolation. Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an 10 SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.

Therefore, the combination of CCW System design and Phase B 5 isolation ensures the CCW System is not a potential path for 7

radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure -

High 3 or Containment Pressure - High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 93 of 111 Attachment 1, Volume 8, Rev. 0, Page 246 of 517

Attachment 1, Volume 8, Rev. 0, Page 247 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 94 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Manual Initiation

a. Containment Isolation - Phase A Isolation 5 (1) Phase A Isolation - Manual Initiation pushbutton depressing Manual Phase A Containment Isolation is actuated by either 5 pushbutton of two switches in the control room. Either switch actuates both trains. Note that manual initiation of Phase A Containment Isolation also actuates Containment Purge
b. Containment Isolation. Ventilation (2) Phase A Isolation - Automatic Actuation Logic and Actuation 5 Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase A Containment 5 Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, 5 actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment 5 Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident

c. Containment conditions.

5 (3) Phase A Isolation - Safety Injection Phase A Containment Isolation is also initiated by all 5 Functions that initiate SI. The Phase A Containment 5 Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

WOG STS B 3.3.2-19 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 94 of 111 Attachment 1, Volume 8, Rev. 0, Page 247 of 517

Attachment 1, Volume 8, Rev. 0, Page 251 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 95 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) High-High

c. Steam Line Isolation - Containment Pressure - High 2 5 This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain at least one 10 unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high High-High pressure side of the transmitter) located inside containment.

Containment Pressure - High 2 provides no input to any control 5 functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic.

However, for enhanced reliability, this Function was designed with four channels and a two-out-of-four logic. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions, and

[NTSP] the Trip Setpoint reflects only steady state instrument 10 6

uncertainties.

High-High 5 Containment Pressure - High 2 must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and

[de-activated]. In MODES 4, 5, and 6, there is not enough 6 energy in the primary and secondary sides to pressurize the containment to the Containment Pressure - High 2 setpoint. 5 High-High

d. Steam Line Isolation - Steam Line Pressure (1) Steam Line Pressure - Low STET Steam Line Pressure - Low provides closure of the MSIVs in the event of an SLB to maintain at least one unfaulted SG 10 5

as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.

Steam Line Pressure - Low was discussed previously under SI Function 1.e.1.

WOG STS B 3.3.2-22 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 95 of 111 Attachment 1, Volume 8, Rev. 0, Page 251 of 517

Attachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 96 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation All changes are 1 B 3.3.2 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.

The High Steam Flow Allowable Value is a    11 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.

INSERT 8 With the transmitters (d/p cells) typically located inside the steam STET tunnels, it is possible for them to experience adverse environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoints reflect both steady state and adverse normal 6 environmental instrument uncertainties. s 8 The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Two channels of Tavg per loop are required to be OPERABLE.

The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents a 8 that this Function protects against cause reduction of Tavg in the entire primary system. Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the Tavg - Low Low However, the channel statistical Function. The Tavg channels provide control inputs, but the allowance calculation does not consider any environmental allowance as part of control function cannot initiate events that the Function acts to the instrument uncertainty, since the mitigate. Therefore, additional channels are not required to function is assumed to be performed prior to the time that adverse conditions address control protection interaction issues.

can affect the Function.

With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience STET adverse environmental conditions during an SLB event.

[NTSP] Therefore, the Trip Setpoint reflects both steady state and 10 adverse environmental instrumental uncertainties.

WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 96 of 111 Attachment 1, Volume 8, Rev. 0, Page 254 of 517

Attachment 1, Volume 8, Rev. 0, Page 256 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 97 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function must be OPERABLE in MODES 1 and 2, and in MODE 3, when above the P-12 setpoint, when a secondary side break or stuck open valve could result in rapid depressurization of the steam lines. Below P-12 this Function is not required to be OPERABLE because the High High Steam Flow coincident with SI Function provides the required protection. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. 6 This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

e h. Steam Line Isolation - High High Steam Flow Coincident With 5 Safety Injection (Two Loop Units)

This Function provides closure of the MSIVs during a steam line break (or inadvertent opening of a relief or safety valve) to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

Two steam line flow channels per steam line are required to be high-OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the Function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements.

The Allowable Value for high steam flow is a    11 to 130% of full steam flow at full steam pressure. The Trip Setpoint is similarly calculated. INSERT 9 With the transmitters typically located inside the steam tunnels, it STET is possible for them to experience adverse environmental conditions during an SLB event. Therefore, the Trip Setpoint 10 reflects both steady state and adverse environmental instrument uncertainties. normal [NTSP] 6 high-The main steam lines isolate only if the high steam flow signal occurs coincident with an SI signal. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

WOG STS B 3.3.2-26 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 97 of 111 Attachment 1, Volume 8, Rev. 0, Page 256 of 517

Attachment 1, Volume 8, Rev. 0, Page 259 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 98 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation All changes are 1 B 3.3.2 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

b. Turbine Trip and Feedwater Isolation - Steam Generator Water 5 Level - High High (P-14)

This signal provides protection against excessive feedwater flow.

8 The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection three function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic. For units that have dedicated protection and control channels, only three The KPS logic design for protection channels are necessary to satisfy the protective this Function is justified in Reference 7. requirements. For other units that have only three channels, a median signal selector is provided or justification is provided in NUREG-1218 (Ref. 7).

The transmitters (d/p cells) are located inside containment. [NTSP] 6 However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the Trip 10 Setpoint reflects only steady state instrument uncertainties.

normal environmental 5

c. Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is main feedwater isolation valves (MFIVs), main referenced for all initiating functions and requirements.

feedwater regulation valves (MFRVs)

Turbine Trip and Feedwater Isolation Functions must be OPERABLE 5 8 6 MODES in MODES 1 and 2 [and 3] except when all MFIVs, MFRVs, [and associated bypass valves] are closed and [de-activated] [or isolated 6 by a closed manual valve] when the MFW System is in operation and 6 the turbine generator may be in operation. In MODES [3,] 4, 5, 6 and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE. is WOG STS B 3.3.2-28 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 98 of 111 Attachment 1, Volume 8, Rev. 0, Page 259 of 517

Attachment 1, Volume 8, Rev. 0, Page 261 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 99 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) INSERT 10 With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the Trip Setpoint reflects the inclusion of both [NTSP] 10 6 steady state and adverse environmental instrument uncertainties. normal

c. d. Auxiliary Feedwater - Safety Injection 5 An SI signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
e. Auxiliary Feedwater - Loss of Offsite Power A loss of offsite power to the service buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of offsite 5

power is detected by a voltage drop on each service bus. Loss of power to either service bus will start the turbine driven AFW pumps to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.

c Functions 6.a through 6.e must be OPERABLE in MODES 1, 2, 5 either and 3 to ensure that the SGs remain the heat sink for the reactor.

SG Water Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG both Water Level - Low Low in any two operating SGs will cause the turbine driven pumps to start. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.

WOG STS B 3.3.2-30 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 99 of 111 Attachment 1, Volume 8, Rev. 0, Page 261 of 517

Attachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 100 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value. 10

[NTSP]

6 This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam Dump System are not in operation.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -

Low steam line isolation signal (previously discussed). When the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the 5 Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure -

Negative Rate - High is disabled. The Trip Setpoint reflects only 10 steady state instrument uncertainties.

STET [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 100 of 111 Attachment 1, Volume 8, Rev. 0, Page 271 of 517

Attachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 101 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) [NTSP] 6 10 In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

REVIEWERS NOTE------------------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the 4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

x SI,  ; 2 x Containment Spray, and 2 x Phase A Isolation, and 5 x Phase B Isolation. 5 Containment WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 101 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517

Attachment 1, Volume 8, Rev. 0, Page 275 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) and in MODE 5 within an additional 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> (60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing, provided the other 6 1 train is OPERABLE. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref. 9) that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform train surveillance.

D.1, D.2.1, and D.2.2 Condition D applies to:

x Containment Pressure - High 1,  ;

5 2 x Pressurizer Pressure - Low (two, three, and four loop units),  ; 1 5 2 x Steam Line Pressure - Low,  ; 2 x Steam Line Differential Pressure - High, 5 x High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low 5 or Coincident With Steam Line Pressure - Low, Steam Line Isolation High-High x Containment Pressure - High 2,  ;

5 2 x Steam Line Pressure - Negative Rate - High, 5 x High Steam Flow Coincident With Safety Injection Coincident With 2

Tavg - Low Low, ;

x High High Steam Flow Coincident With Safety Injection,  ; 2 x High Steam Flow in Two Steam Lines Coincident With Tavg - Low 5 Low, 1 5 2 x SG Water level - Low Low (two, three, and four loop units), and x [SG Water level - High High (P-14) (two, three, and four loop units). ] 6 5 1 WOG STS B 3.3.2-40 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 102 of 111 Attachment 1, Volume 8, Rev. 0, Page 275 of 517

Attachment 1, Volume 8, Rev. 0, Page 276 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 103 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

STET If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore the channel 7 to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a 8

two one-out-of-three configuration that satisfies redundancy requirements.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 8.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. (78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> total time) 7 (84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> total time)

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

[ The Required Actions are modified by a Note that allows the inoperable 1 6 channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for testing, are justified in Reference 8. ] 1 6

REVIEWERS NOTE------------------------------------------

5 4 The below text should be used for plants with installed bypass test capability:

The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

E.1, E.2.1, and E.2.2 5 2 Condition E applies to:

- High High x Containment Spray Containment Pressure - High 3 (High, High) (two, 2 5 three, and four loop units), and . 1 2 x Containment Phase B Isolation Containment Pressure - High 3 (High, 5 High).

WOG STS B 3.3.2-41 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 103 of 111 Attachment 1, Volume 8, Rev. 0, Page 276 of 517

Attachment 1, Volume 8, Rev. 0, Page 277 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 104 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

None of these signals has input to a control function. Thus, two-out-of-1 three logic is necessary to meet acceptable protective requirements.

INSERT 13 However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed 1 INSERT 14 channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, tripped with one channel bypassed, a single instrumentation channel failure will 12 not spuriously initiate containment spray.

To avoid the inadvertent actuation of containment spray and Phase B 12 containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass trip 12 condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable tripped channel to OPERABLE status, or place it in the bypassed condition within 12 72 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, requires the unit be placed in MODE 3 within the following 8 (78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> total time) 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the next 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The allowed Completion 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (84 Times are reasonable, based on operating experience, to reach the 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> total time) required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

[ The Required Actions are modified by a Note that allows one additional 6 channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing. 1 Placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for testing purposes is acceptable based on the results of Reference 8. ] 6 1

REVIEWERS NOTE------------------------------------------

5 The below text should be used for plants with installed bypass test capability:

4 The Required Actions are modified by a Note that allows placing one channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

WOG STS B 3.3.2-42 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 104 of 111 Attachment 1, Volume 8, Rev. 0, Page 277 of 517

Attachment 1, Volume 8, Rev. 0, Page 280 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 105 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) ESF relay logic 1

The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for restoring the inoperable train to OPERABLE status is justified in Reference 8. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the (30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> total time) train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within the following 7 (36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> total time) 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing provided the other 1 6 train is OPERABLE. This allowance is based on the reliability analysis (Ref. 9) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance.

[ H.1 and H.2 Condition H applies to the automatic actuation logic and actuation relays for the Turbine Trip and Feedwater Isolation Function.

This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed for 5

restoring the inoperable train to OPERABLE status is justified in Reference 8. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE 3. Placing the unit in MODE 3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

WOG STS B 3.3.2-44 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 105 of 111 Attachment 1, Volume 8, Rev. 0, Page 280 of 517

Attachment 1, Volume 8, Rev. 0, Page 281 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 106 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued)

The Required Actions are modified by a Note that allows one train to be bypassed for up to [4] hours for surveillance testing provided the other 5

train is OPERABLE. This allowance is based on the reliability analysis (Ref. 9) assumption that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is the average time required to perform channel surveillance. ]

H 5

I.1 and I.2 H

Condition I applies to: 5 2 x [ SG Water Level - High High (P-14) (two, three, and four loop units), 5 and ]

5 2 x Undervoltage Reactor Coolant Pump.

If one channel is inoperable, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where 1

channels on the other bus one-out-of-two or one-out-of-three logic will result in actuation. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requires the unit to be placed in MODE 3 (78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> total time) within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> is 7 reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.

[ The Required Actions are modified by a Note that allows the inoperable 6 1 channel to be bypassed for up to [12] hours for surveillance testing of 6 other channels. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8. ] 6 1

REVIEWERS NOTE------------------------------------------

The below text should be used for plants with installed bypass test capability: 4 The Required Actions are modified by a Note that allows placing one 5 channel in bypass for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for a second channel to be in the bypassed condition for testing, are justified in Reference 8.

WOG STS B 3.3.2-45 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 106 of 111 Attachment 1, Volume 8, Rev. 0, Page 281 of 517

Attachment 1, Volume 8, Rev. 0, Page 286 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 107 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The ESF relay logic SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass test condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without 1 applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 11. 9 10 SR 3.3.2.3 SR 3.3.2.3 is the performance of an ACTUATION LOGIC TEST as described in SR 3.3.2.2, except that the semiautomatic tester is not used and the continuity check does not have to be performed, as explained in the Note. This SR is applied to the balance of plant actuation logic and 5 relays that do not have the SSPS test circuits installed to utilize the semiautomatic tester or perform the continuity check. This test is also performed every 31 days on a STAGGERED TEST BASIS. The Frequency is adequate based on industry operating experience, considering instrument reliability and operating history data.

WOG STS B 3.3.2-49 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 107 of 111 Attachment 1, Volume 8, Rev. 0, Page 286 of 517

Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 108 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay 5

coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time Move SR allowed for the testing (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is justified in Reference 11. The 3.3.2.3 from Frequency of 92 days is justified in Reference 9.

page B 3.3.2-51 to here SR 3.3.2.5 4 5 5

SR 3.3.2.5 is the performance of a COT.

in accordance with the SCP 10 A COT is performed on each required channel to ensure the entire conservative with respect to channel will perform the intended Function. Setpoints must be found the Allowable Values as within the Allowable Values specified in Table 3.3.1-1. A successful test controlled by the SCP of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

10 The difference between the current "as found" values and the previous The SCP establishes the necessary controls for properly maintaining the test "as left" values must be consistent with the drift allowance used in the applicable ESFAS instrumentation setpoint methodology. The setpoint shall be left set consistent with the channels.

assumptions of the current unit specific setpoint methodology.

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 11. 9 10 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 108 of 111 Attachment 1, Volume 8, Rev. 0, Page 287 of 517

Attachment 1, Volume 8, Rev. 0, Page 292 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 109 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES REFERENCES 1. FSAR, Chapter [6].

U 1 6

2. FSAR, Chapter [7].

U

3. FSAR, Chapter [15]. 14 Technical Report EE-0116, Revision 5, "Allowable Values for North Anna Improved Technical Specifications (ITS) Table
4. IEEE-279-1971. 3.3.1-1 and 3.3.2-1, Setting Limits for Surry Custom Technical Specifications (CTS), Sections 2.3 and 3.7, and Allowable Values for Kewaunee Power Station Improved Technical
5. 10 CFR 50.49. Specifications (ITS) Functions listed in Specification 5.5.16."
6. Plant-specific setpoint methodology study. 1 Letter from C. R. Steinhardt (WPSC) to NRC Document 1
7. NUREG-1218, April 1988. Control Desk, "Kewaunee Nuclear Power Plant Response to Generic Letter 89-19," dated March 19, 1990.
8. WCAP-14333-P-A, Rev. 1, October 1998.
9. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.

9

10. [Plant specific evaluation reference.]

9 10 11. WCAP-15376, Rev. 0. October 2000.

12. Technical Requirements Manual, Section 15, "Response Times."
13. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor 9 5 Response Time Testing Requirements," January 1996.
14. WCAP-14036-P, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," December 1995.
11. Regulatory Guide 1.105, "Setpoints for Safety Related Instrumentation," Revision 3. 10 WOG STS B 3.3.2-55 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 109 of 111 Attachment 1, Volume 8, Rev. 0, Page 292 of 517

Attachment 1, Volume 8, Rev. 0, Page 294 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 110 of 111 JUSTIFICATION FOR DEVIATIONS ITS 3.3.2 BASES, ENGINEERED SAFETY FEATURE ACTUATION SYSTEM (ESFAS)

INSTRUMENTATION type of the information contained within the Bases. Allowable Values are typically found in a plant specific setpoint calculation or Setpoint Control Program document. At KPS, the Allowable Values for the Steam Line Isolation High Steam Flow and the High-High Steam Flow Functions will be contained and controlled in accordance with the Setpoint Control Program. In addition, the only ISTS ESFAS Functions that discuss the Allowable Values to this detail are those relative to steam flow as found in ISTS Functions 1.f, 1.g, 4.g, and 4.h. This change to not include the Allowable Value information in the ITS Bases is acceptable because this type of information is not necessary to be retained in the Technical Specifications and is better suited to be retained and controlled in the Setpoint Control Program document.

12. Throughout the ISTS, in both the Specifications and the Bases, reference is made to placing a channel in bypass or bypassing an inoperable channel. KPS does not have the ability to place a channel in bypass or perform a bypass of an inoperable channel without performing a temporary alteration of the circuit. Since the installation of temporary alterations is intrusive, KPS has determined that this practice is unacceptable. Therefore, KPS does not have the ability place a channel in bypass or perform a bypass of an inoperable channel. As a result, when a channel is required to be placed in bypass or a bypass of an inoperable channel is required, the channel is placed in the trip condition. JFD 13 and JFD 14 of the Specifications address those cases where a Note or a Reviewer's Note makes reference to the allowance to bypass a channel.

This change is also consistent with changes made to the Specifications.

13. Response Time testing has been deleted. See ITS 3.3.2 JFD 15 for justification for exclusion of Response Time testing.

Kewaunee Power Station Page 2 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 110 of 111 Attachment 1, Volume 8, Rev. 0, Page 294 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 111 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1931 NRC Question KAB-064 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/22/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:52 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 111 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1931 06/09/2010

Retrieved from "https://kanterella.com/w/index.php?title=ML102371266&oldid=2556063"