Latest revision as of 20:39, 11 March 2020

Text

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3)
	ML102371266
Person / Time
Site:	Kewaunee
Issue date:	08/18/2010
From:	; Dominion Energy Kewaunee
To:	; Office of Nuclear Reactor Regulation
References
	10-457, TAC ME2139
	Download: ML102371266 (0)
	v • d • e

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 1 of 111 ITS NRC Questions Id 1401 NRC Question KAB-057 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number 212 (s)

NRC Reviewer Gerald Waig Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question On page 212 of Attachment 1, volume 8, function 6.e in TS Table 3.3.2-1 references justification for deviations (JFD) 16. However, there is no JFD

16. Please provide a JFD reference that explains the change.

Attach File 1 Attach File 2 Issue Date 12/14/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/14/2009 2:54 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 1 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1401 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 2 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1371 NRC Question KAB-057 Number Select Licensee Response Application

Response

12/18/2009 9:25 AM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement JFDs 15 and 16 should actually be 14 and 15. JFD 14 justifies deleting ISTS SR 3.3.2.9 (a CHANNEL CALIBRATION) and JFD 15 justifies deleting ISTS SR 3.3.2.10 (ESFAS RESPONSE TIME test). Furthermore, JFD 15 uses the term RTS RESPONSE TIME, but should be ESFAS RESPONSE TIME. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-057 Markup.pdf (1MB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Added By David Mielke Date Added 12/18/2009 9:27 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 2 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1371 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 212 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 CTS All changes are 3 ESFAS Instrumentation 3.3.2 unless otherwise noted Table 3.3.2-1 (page 7 of 8)

Engineered Safety Feature Actuation System Instrumentation 12 10 APPLICABLE MODES (j)

OR OTHER NOMINAL SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE TRIP FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE SETPOINT

6. Auxiliary Feedwater Tables TS 3.5-3, #4.a

b. c. SG Water Level - 1,2,3 [3] per SG D SR 3.3.2.1 8 1 and #5.a; TS Low Low SR 3.3.2.5 4 4.1-1, #11.a SR 3.3.2.9 6 5 SR 3.3.2.10 15 Table TS 3.5- 8 3, #4.c c. Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

d. Safety Injection

e. Loss of Offsite 1,2,3 3] per bus F SR 3.3.2.7 [2912] V with [2975] V with 8 Power SR 3.3.2.9 0.8 sec time 0.8 sec time 10 SR 3.3.2.10 delay delay Tables TS 8 1 3.5-2, #13; TS

d. f. Undervoltage 1,2 [3] per bus I H SR 3.3.2.7 3

3.5-3, #5.b; Reactor Coolant SR 3.3.2.9 6 voltage voltage 5 DOC M14 Pump 2 SR 3.3.2.10 15 8

1 DOC M13; e. g. Trip of all Main 1,2 [2] per J I SR 3.3.2.8 5 [ ] psig [ ] psig Tables TS pump SR 3.3.2.9 5 16 3.5-3, #4.b; Feedwater both 15 Pumps 1 SR 3.3.2.10 TS 4.1-1, #35 12

h. Auxiliary 1,2,3 [2] F SR 3.3.2.1 [20.53] [psia] [ ] [psia] 14 Feedwater Pump SR 3.3.2.7 8 Suction Transfer SR 3.3.2.9 15 on Suction Pressure - Low

7. Automatic INSERT 2 4 Switchover to Containment Sump

a. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 Relays 1,2,3,4 4 K SR 3.3.2.1 nd [ and [ 9

b. Refueling Water Storage Tank SR 3.3.2.5 [

(RWST) Level - SR 3.3.2.9 SR 3.3.2.10 Low Low Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection

REVIEWER'S NOTE---------------------------------------------------------------------

(j) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by 2 the unit.

INSERT 3 4 WOG STS 3.3.2-15 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 3 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517

Attachment 1, Volume 8, Rev. 0, Page 219 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 4 of 111 JUSTIFICATION FOR DEVIATIONS ITS 3.3.2, ENGINEERED SAFETY FEATURE ACTUATION SYSTEM (ESFAS)

INSTRUMENTATION requirement to perform the surveillance test in accordance with the SCP. Hence, the addition of the phrase "in accordance with the Setpoint Control Program" to ITS SR 3.3.2.4, CHANNEL OPERATIONAL TEST (COT) and ITS SR 3.3.2.6, CHANNEL CALIBRATION in the surveillance requirement table.

13. The ISTS contains bracketed information and/or values that are generic to all Westinghouse vintage plants. ISTS Required Actions D, E, and I (ITS Required Actions D, E, and H, respectively) are modified by a Note that provides two options for bypassing a channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for the purpose of performing surveillance testing without entry into the applicable Required Actions. One option is for plants that have installed bypass testing capabilities. The other option is for plants that do not have installed bypass testing capabilities. KPS does not have installed bypass testing capabilities. Therefore, the Note for plants that do not have bypass testing capabilities is retained for Required Actions D, E, and H.

14. ISTS Table 3.3.2-1 Function 6.g (Trip of all Main Feedwater Pumps) specifies that ISTS SR 3.3.2.9, a CHANNEL CALIBRATION, is required for the Function. This CHANNEL CALIBRATION requirement is not being included in the KPS ITS for the same Function (ITS Table 3.3.2-1 Function 6.e). The ISTS shows that the Function has an ALLOWABLE VALUE and NOMINAL TRIP SETPOINT based on a pressure. The ISTS Bases describes that the trip is derived from low pressure on the control air/oil line of the turbine driven main feedwater pumps. Thus, it is appropriate to perform a CHANNEL CALIBRATION on the sensors. However, KPS uses motor driven main feedwater pumps, and the signal to start the AFW pumps comes from the breaker position contacts. Thus, there is no CHANNEL CALIBRATION to perform. This is also consistent with the KPS CTS, which does not require a CHANNEL CALIBRATION.

ESFAS

15. The RTS RESPONSE TIME requirement, ISTS SR 3.3.2.10, has not been adopted into the KPS ITS, consistent with Kewaunee current licensing basis and current Technical Specifications. The Kewaunee USAR describes the implementation of the principles as related to the proposed IEEE-279 "Standard, Nuclear Power Plant Protection Systems," August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing. Furthermore, generic studies have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other required surveillances (e.g., CHANNEL CALIBRATIONS). Since the addition of these tests would be a major burden (plant design does not readily lend itself to such testing) with little gain in safety, ISTS SR 3.3.2.10 has not been added.

Kewaunee Power Station Page 5 of 5 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 4 of 111 Attachment 1, Volume 8, Rev. 0, Page 219 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 5 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1731 NRC Question KAB-057 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/12/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/12/2010 3:21 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 5 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1731 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 6 of 111 ITS NRC Questions Id 1411 NRC Question KAB-058 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number 8l9 JFD Bases Number Page Number(s) 212 NRC Reviewer Gerald Waig Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question On page 212 of Attachment 1, volume 8, function 7a & b in TS Table 3.3.2-1 references justification for deviations (JFD) 9. Should JFD 8 be the reference for function 7a & b?

Attach File 1 Attach File 2 Issue Date 12/14/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/14/2009 2:55 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 6 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1411 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 7 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1381 NRC Question KAB-058 Number Select Licensee Response Application

Response

12/18/2009 9:25 AM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement the NRC reviewer is correct, in that the annotation for ISTS Table 3.3.2-1 Functions 7.a and 7.b should be JFD 8, not JFD 9. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment 1 KAB-058 Markup.pdf (844KB)

Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Added By David Mielke Date Added 12/18/2009 9:30 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 7 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1381 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 212 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 CTS All changes are 3 ESFAS Instrumentation 3.3.2 unless otherwise noted Table 3.3.2-1 (page 7 of 8)

Engineered Safety Feature Actuation System Instrumentation 12 10 APPLICABLE MODES (j)

OR OTHER NOMINAL SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE TRIP FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE SETPOINT

6. Auxiliary Feedwater Tables TS 3.5-3, #4.a

b. c. SG Water Level - 1,2,3 [3] per SG D SR 3.3.2.1 8 1 and #5.a; TS Low Low SR 3.3.2.5 4 4.1-1, #11.a SR 3.3.2.9 6 5 SR 3.3.2.10 15 Table TS 3.5- 8 3, #4.c c. Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

d. Safety Injection

e. Loss of Offsite 1,2,3 3] per bus F SR 3.3.2.7 [2912] V with [2975] V with 8 Power SR 3.3.2.9 0.8 sec time 0.8 sec time 10 SR 3.3.2.10 delay delay Tables TS 8 1 3.5-2, #13; TS

d. f. Undervoltage 1,2 [3] per bus I H SR 3.3.2.7 3

3.5-3, #5.b; Reactor Coolant SR 3.3.2.9 6 voltage voltage 5 DOC M14 Pump 2 SR 3.3.2.10 15 8

1 DOC M13; e. g. Trip of all Main 1,2 [2] per J I SR 3.3.2.8 5 [ ] psig [ ] psig Tables TS pump SR 3.3.2.9 5 16 3.5-3, #4.b; Feedwater both 15 Pumps 1 SR 3.3.2.10 TS 4.1-1, #35 12

h. Auxiliary 1,2,3 [2] F SR 3.3.2.1 [20.53] [psia] [ ] [psia]

Feedwater Pump SR 3.3.2.7 8 Suction Transfer SR 3.3.2.9 on Suction Pressure - Low

7. Automatic INSERT 2 4 Switchover to Containment Sump

a. Automatic 1,2,3,4 2 trains C SR 3.3.2.2 NA NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6 8

Relays 1,2,3,4 4 K SR 3.3.2.1 nd [ and [ 9

b. Refueling Water Storage Tank SR 3.3.2.5 [

(RWST) Level - SR 3.3.2.9 SR 3.3.2.10 Low Low Coincident with Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

Safety Injection

REVIEWER'S NOTE---------------------------------------------------------------------

(j) Unit specific implementations may contain only Allowable Value depending on Setpoint Study methodology used by 2 the unit.

INSERT 3 4 WOG STS 3.3.2-15 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 8 of 111 Attachment 1, Volume 8, Rev. 0, Page 212 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 9 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1741 NRC Question KAB-058 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/12/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/12/2010 3:22 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 9 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1741 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 10 of 111 ITS NRC Questions Id 1421 NRC Question KAB-059 Number Category Technical ITS Section 3.3 ITS Number 3.3.1 DOC Number JFD Number 7 JFD Bases Number Page Number 73 (s)

NRC Reviewer Rob Elliott Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question On page 73 of Attachment 1, volume 8, justification for deviation 7 indicates that response time testing is not being adopted into the KPS ITS. Please explain how KPS will ensure the safety analysis is met without response time testing for TS 3.3.1 Functions 2.a, 2.b, 3.b, 5, 6, 7, 8.a, 8.b, 10, 12, 13, 14, and 15.

Attach File 1 Attach File 2 Issue Date 12/18/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/18/2009 1:38 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 10 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1421 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 11 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1771 NRC Question KAB-059 Number Select Licensee Response Application

Response

1/13/2010 11:35 AM Date/Time Closure Statement Response RPS and ESFAS Response Time Testing are not being adopted into KPS ITS.

Statement This is consistent with Kewaunees current licensing basis and current Technical Specifications. The Kewaunee USAR describes the testing principles as stated in the proposed IEEE-279, "Standard Nuclear Power Plant Protection Systems,"

August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing.

In 1975 the NRC started requiring Response Time Testing and KPS was licensed prior to 1975 without requirements for Response Time Testing. In addition, plants of KPS vintage that have implemented ITS also do not perform Response Time Testing (e.g., Ginna, Point Beach).

Additionally, the Westinghouse Owners Group developed a document, "Elimination of Periodic Protection Channel Response Time Tests," MUHP-3041 Rev. 1, dated October 6, 1998 to facilitate the removal of Response Time Testing for plants that were licensed after 1975 and subject to Response Time Testing requirements (which Kewaunee is not).

Studies like these have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other surveillances (e. g. CHANNEL CALIBRATIONS). Therefore, it is the KPS position that Response Time Surveillances are not needed to ensure safety analysis assumptions are met.

Question Closure Date Attachment 1

Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/13/2010 11:40 AM Modified By Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 11 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1771 06/24/2010

Kewaunee ITS Conversion Database Page 2 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 12 of 111 Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 12 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1771 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 13 of 111 Licensee Response/NRC Response/NRC Question Closure Id 3241 NRC Question KAB-059 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 5/26/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 5/26/2010 11:20 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 13 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=3241 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 14 of 111 ITS NRC Questions Id 1431 NRC Question KAB-060 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number 15 JFD Bases Number Page Number 219 (s)

NRC Reviewer Rob Elliott Supervisor Technical Barry Marcus Branch POC Conf Call N

Requested NRC Question On page 219 of Attachment 1, volume 8, justification for deviation 15 indicates that response time testing is not being adopted into the KPS ITS. Please explain how KPS will ensure the safety analysis is met without response time testing for TS 3.3.2 functions 1.c, 1.d, 1.e, 2.c, 4.c, 4.d, 4.e, 5.b, 6.b, 6.d, and 6.e.

Attach File 1 Attach File 2 Issue Date 12/18/2009 Added By Kristy Bucholtz Date Modified Modified By Date Added 12/18/2009 1:39 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 14 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1431 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 15 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1781 NRC Question KAB-060 Number Select Licensee Response Application

Response

1/13/2010 11:40 AM Date/Time Closure Statement Response RPS and ESFAS Response Time Testing are not being adopted into KPS ITS.

Statement This is consistent with Kewaunees current licensing basis and current Technical Specifications. The Kewaunee USAR describes the testing principles as stated in the proposed IEEE-279, "Standard Nuclear Power Plant Protection Systems,"

August 1968. This industry standard provides guidance and requirements for conducting periodic testing of protection systems. IEEE-279-1968 does not address response time testing.

In 1975 the NRC started requiring Response Time Testing and KPS was licensed prior to 1975 without requirements for Response Time Testing. In addition, plants of KPS vintage that have implemented ITS also do not perform Response Time Testing (e.g., Ginna, Point Beach).

Additionally, the Westinghouse Owners Group developed a document, "Elimination of Periodic Protection Channel Response Time Tests," MUHP-3041 Rev. 1, dated October 6, 1998 to facilitate the removal of Response Time Testing for plants that were licensed after 1975 and subject to Response Time Testing requirements (which Kewaunee is not).

Studies like these have shown that instrumentation response time changes (increasing times), that could impact safety, do not normally vary such that they would not be detected during other surveillances (e. g. CHANNEL CALIBRATIONS). Therefore, it is the KPS position that Response Time Surveillances are not needed to ensure safety analysis assumptions are met.

Question Closure Date Attachment 1

Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/13/2010 11:42 AM Modified By Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 15 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1781 06/24/2010

Kewaunee ITS Conversion Database Page 2 of 2 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 16 of 111 Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 16 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1781 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 17 of 111 Licensee Response/NRC Response/NRC Question Closure Id 3251 NRC Question KAB-060 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 5/26/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 5/26/2010 11:21 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 17 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=3251 06/24/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 18 of 111 ITS NRC Questions Id 1491 NRC Question KAB-061 Number Category Technical ITS Section 3.3 ITS Number 3.3.4 DOC Number JFD Number JFD Bases Number Page 360 Number(s)

NRC Reviewer Carl Schulten Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC On page 360 of Attachment 1, volume 8, the sentence, A function of a Question remote shutdown system is OPERABLE if all instrument and control channels needed to support the remote shutdown system function are OPERABLE. has been changed to, A function of a dedicated shutdown system is OPERABLE if all instruments or control channels for the function are OPERABLE. The wording change, specifically the and to or changes the requirements for operability for each function. STS 3.3.4 requires the operability of all control channels and all instrumentation for each function to be operable. For example, the RCS Inventory Control function is operable when pressurizer level is operable and the charging pump control is operable. Please correct this change or provide an explanation of the wording change.

Attach File 1

Attach File 2

Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:41 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 18 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1491 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 19 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1851 NRC Question KAB-061 Number Select Licensee Response Application

Response

1/21/2010 12:45 PM Date/Time Closure Statement Response KPS changed the words from "and" to "or" since not all of the four Statement Functions listed in ITS 3.3.4 Bases Table B 3.3.4-1 include both instruments and control channels (i.e., Function 1, Reactivity Control). Thus, it was believed that including the word "and" implied that all Functions included controls. After further review, Kewaunee Power Station (KPS) has determined that the change is not necessary, and could wrongly imply that the other three Functions only need either the listed instruments or the controls to be OPERABLE for the entire Function to be OPERABLE.

Therefore, the word "or" will be changed back to "and" in the ITS 3.3.4 Bases for the LCO section. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-061 Markup.pdf (838KB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:49 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 19 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1851 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 360 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 20 of 111 All changes are 1 Dedicated Remote Shutdown System unless otherwise noted B 3.3.4 BASES Dedicated LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to place and maintain the unit in MODE 3 from a location other than the control room.

The instrumentation and controls required are listed in Table B 3.3.4-1.

The controls, instrumentation, and transfer switches are required for:

x Core reactivity control (initial and long term),

x RCS pressure control, Steam Dump System x Decay heat removal via the AFW System and the SG safety valves or SG ADVs, ;

PORVs x RCS inventory control via charging flow, and x Safety support systems for the above Functions, including service water, component cooling water, and onsite power, including the diesel generators.

Dedicated s stet A Function of a Remote Shutdown System is OPERABLE if all instrument or and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, Table B 3.3.4-1 may indicate for the that the required information or control capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information or control sources is OPERABLE.

dedicated The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation. Dedicated Dedicated APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3.

This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy.

Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.

WOG STS B 3.3.4-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 20 of 111 Attachment 1, Volume 8, Rev. 0, Page 360 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 21 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1901 NRC Question KAB-061 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/22/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:23 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 21 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1901 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 22 of 111 ITS NRC Questions Id 1501 NRC Question KAB-062 Number Category Technical ITS Section 3.3 ITS Number 3.3.6 DOC Number M-4 JFD Number JFD Bases Number Page Number(s) 413 NRC Reviewer Carl Schulten Supervisor Technical Branch Add Name POC Conf Call N

Requested NRC Question On page 413 of Attachment 1, volume 8, discussion of change M04 references ITS 3.3.5. Please explain why ITS 3.3.5 is being referenced or correct the discrepancy?

Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:44 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 22 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1501 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 23 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1861 NRC Question KAB-062 Number Select Licensee Response Application

Response

1/21/2010 12:50 PM Date/Time Closure Statement Response After further review, Kewaunee Power Station (KPS) has determined that Statement in the reference is in error. Discussion of Change (DOC) M04 should reference ITS 3.3.6, not ITS 3.3.5. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment 1 KAB-062 Markup.pdf (851KB)

Attachment 2 Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:51 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 23 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1861 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 413 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 24 of 111 DISCUSSION OF CHANGES ITS 3.3.6, CONTAINMENT PURGE AND VENT ISOLATION INSTRUMENTATION M03 CTS Table TS 4.1-1 Channel Description 19 requires a Daily instrument check of the radiation monitoring system. ITS SR 3.3.6.1 requires the performance of a CHANNEL CHECK of the required containment purge and vent isolation radiation monitors every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This changes the CTS by requiring a check of the required containment purge and vent isolation radiation monitors more often in ITS than in CTS.

The purpose of the instrument check is to demonstrate that the required containment purge and vent isolation radiation monitors are OPERABLE and capable of providing an early indication of any abnormal leakage conditions in the containment. ITS SR 3.3.6.1 provides reasonable confidence that the channel is operating properly. This change is designated more restrictive because less time is allowed between performances of the CHANNEL CHECK than was allowed in the CTS.

M04 CTS 3.5.d states, in part, that in the event of subsystem instrumentation channel failure permitted by CTS 3.5.b, then Tables TS 3.5-2 through TS 3.5-5 need not be observed for approximately 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months while the operable channels are tested, as long as the failed channel is blocked to prevent an unnecessary reactor trip.

CTS 3.5.b states, in part, that in the event of failure of a subsystem instrumentation channel, plant operation shall be permitted to continue at RATED POWER in accordance with Tables TS 3.5-2 through TS 3.5-5. ITS 3.3.5 does 3.3.6 not contain this allowance. This changes the CTS by removing the allowance to block a failed channel.

The purpose of CTS 3.5.d is to allow time to perform testing of the operable subsystem channels without entering into the requirements specified in Tables TS 3.5-2 through TS 3.5-5. In order to perform this task, the inoperable channel must be placed in bypass. Currently, KPS does not have the ability to perform a bypass of an inoperable channel for the purpose of testing without performing a temporary alteration of the circuit. Since the installation of temporary alterations is intrusive, KPS has determined that this practice is unacceptable. Therefore KPS does not have the ability to perform testing with a channel in bypass and the allowance is not incorporated in the ITS. This change is designated as more restrictive because an allowance that was allowed in the CTS is not allowed in the ITS.

RELOCATED SPECIFICATIONS None REMOVED DETAIL CHANGES LA01 (Type 1 - Removing Details of System Design and System Description, Including Design Limits) CTS Table TS 4.1-1 Channel Description 19, Remarks Section Note (a) states that the CHECK, CALIBRATE, and TEST Frequencies for the Radiation Monitoring System are applicable only to channels R11 thru R15, R19, R21, and R23. For the Containment Purge and Vent Isolation Instrumentation Specification, only instruments R11, R12, and R21 apply. ITS 3.3.6 does not Kewaunee Power Station Page 4 of 6 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 24 of 111 Attachment 1, Volume 8, Rev. 0, Page 413 of 517

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 25 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1911 NRC Question KAB-062 Number Select Application NRC Question Closure

Response

Date/Time Closure Statement This question is closed and no further information is required at this time to draft the Safety Evaluation.

Response

Statement Question Closure 1/22/2010 Date Attachment 1 Attachment 2 Notification NRC/LICENSEE Supervision Added By Kristy Bucholtz Date Added 1/22/2010 8:23 AM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 25 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1911 06/09/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 26 of 111 ITS NRC Questions Id 1511 NRC Question KAB-063 Number Category Technical ITS Section 3.3 ITS Number 3.3.2 DOC Number JFD Number JFD Bases Number Page Number 221-292 (s)

NRC Reviewer Select Supervisor Technical Add Name Branch POC Conf Call N

Requested NRC Question Pages 221 through 292 of Attachment 1, volume 8, are the proposed TS 3.3.2 Bases. TS 3.3.2 Bases are not consistent with the Bases in TSTF-493, Revision 4, including applicable errata. Please correct the TS 3.3.2 Bases or provide an explanation of the changes.

Attach File 1 Attach File 2 Issue Date 1/20/2010 Added By Kristy Bucholtz Date Modified Modified By Date Added 1/20/2010 2:45 PM Notification NRC/LICENSEE Supervision Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 26 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1511 06/08/2010

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 27 of 111 Licensee Response/NRC Response/NRC Question Closure Id 1871 NRC Question KAB-063 Number Select Licensee Response Application

Response

1/21/2010 12:55 PM Date/Time Closure Statement Response The Kewaunee Power Station (KPS) ITS Amendment was based upon the Statement most current revision of TSTF-493 at the time of submittal. Since the date of the submittal, a newer revision (Rev. 4) of the TSTF has been sent to the NRC for review. KPS has reviewed this revision and appropriate changes will be made. A draft markup regarding this change is attached. This change will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-063 Markup.pdf (2MB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays Ray Schiele Added By Robert Hanley Date Added 1/21/2010 12:55 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 27 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=1871 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 222 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 28 of 111 B 3.3.2 10 INSERT 1 This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor 8 ESFAS system parameters and equipment performance. ESFAS Where a LSSS is Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables specified for a that have significant safety functions. LSSS are defined by the regulation as "...settings variable on which must be a safety limits chosen so for automatic protective devices...so chosen that automatic protective action will correct has been placed, the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Control Program (SCP) controlled by 10.CFR.50.59.

REVIEWER'S NOTE -------------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant- 4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.

The [NTSP] is included in the SCP.

used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.

"Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.

Insert Page B 3.3.2-1a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 28 of 111 Attachment 1, Volume 8, Rev. 0, Page 222 of 517

Attachment 1, Volume 8, Rev. 0, Page 223 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 29 of 111 B 3.3.2 10 INSERT 1 (continued) 6 The [NTSP] specified in the SCP is a predetermined setting, plus margin, for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the

[NTSP] accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the [NTSP] ensures that SLs are not exceeded. Therefore, the [NTSP]

meets the definition of an LSSS (Ref. 1). 11 9 Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the [NTSP] to define OPERABILITY in Technical Specifications would be an overly 6 restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the

[NTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel to the [NTSP] to account for further drift during the next surveillance within the interval. Note that, although the channel is OPERABLE under these circumstances, the established as-trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance left tolerance with uncertainty assumptions stated in the referenced setpoint methodology (as-left around the

[NTSP] to 6 criteria), and confirmed to be operating within the statistical allowances of the uncertainty account for terms assigned (as-found criteria). further drift during the next surveillance However, there is also some point beyond which the channel would have not been able interval.

to perform its function due to, for example, greater than expected drift. The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, 6 such as drift, during the surveillance interval. In this manner, the actual setting of the channel will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

Insert Page B 3.3.2-1b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 29 of 111 Attachment 1, Volume 8, Rev. 0, Page 223 of 517

Attachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 30 of 111 B 3.3.2 10 INSERT 1 (continued)

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.

However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist 6

of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the 6

channel setpoint can not be reset to the [LTSP], it is inoperable.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),

2. Fuel centerline melt shall not occur, and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 1 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident 50.67 1 categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as 6 defined in 10 CFR 50.36.

Insert Page B 3.3.2-1c Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 30 of 111 Attachment 1, Volume 8, Rev. 0, Page 224 of 517

Attachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 31 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to six measure unit parameters. In many cases, field transmitters or sensors Protection that input to the ESFAS are shared with the Reactor Trip System (RTS).

P In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are

[NTSP] provided in the Trip Setpoint and Allowable Values. The OPERABILITY 10 of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

NTSPs Signal Processing Equipment derived from Analytical Generally, three or four channels of process control equipment are used Limits for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, Analytical Limits comparable output signals for instruments located on the main control [NTSPs] 10

[NTSPs]

board, and comparison of measured input signals with setpoints U 10 established by safety analyses. These setpoints are defined in FSAR, 14 Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the 6 ESF logic measured value of a unit parameter exceeds the predetermined setpoint, relays an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input logic relay cabinets bays. However, not all unit parameters require four channels of sensor 3 measurement and signal processing. Some unit parameters provide ESF logic input only to the SSPS, while others provide input to the SSPS, the main relays control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 31 of 111 Attachment 1, Volume 8, Rev. 0, Page 225 of 517

Attachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) a protection function Generally, if a parameter is used for input to the SSPS and a control 1 function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

[NTSPs]

Allowable Values and ESFAS Setpoints 10 calculation 3

The trip setpoints used in the bistables are based on the analytical limits 1 10 analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time the Nominal Trip Setpoints delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values the SCP specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the

[NTSPs]

methodology used to calculate the Allowable Values and ESFAS The as-left tolerance and setpoints including their explicit uncertainties, is provided in the plant as-found tolerance band specific setpoint methodology study (Ref. 6) which incorporates all of the methodology is provided in the SCP. known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS

[NTSP] setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a 10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS

[NTSP] setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL

[NTSP]

as-left tolerance WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 32 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517

Attachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 33 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) and comparator setting

+/- rack CALIBRATION uncertainty allowance (i.e., calibration tolerance

[NTSP]

uncertainties). The ESFAS setpoint value is therefore considered a

, "nominal value" (i.e., expressed as a value without inequalities) for the

[Nominal Trip Setpoints] in conjunction purposes of the COT and CHANNEL CALIBRATION.

with the use of as-found and as-left tolerances together 10 Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs)

Note that the Allowable Values listed in will be acceptable, providing the unit is operated from within the LCOs at 8 the SCP are the least conservative value the onset of the DBA and the equipment functions as designed. provided of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT that Each channel can be tested on line to verify that the signal processing requires trip setpoint verification.

equipment and setpoint accuracy is within the specified allowance the SCP requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; 3 generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

WOG STS B 3.3.2-4 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 33 of 111 Attachment 1, Volume 8, Rev. 0, Page 227 of 517

Attachment 1, Volume 8, Rev. 0, Page 228 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 34 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) channel STET channels Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the 10 3 other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time. STET channel The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the 1 condition of the unit. Each master relay then energizes one or more slave 10 relays, which then cause actuation of the end devices. The master and channels slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal STET 1

path continuity. The SLAVE RELAY TEST actuates the devices if their 10 operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay. channels

REVIEWERS NOTE------------------------------------------

No one unit ESFAS incorporates all of the Functions listed in Table 3.3.2-1. In some cases (e.g., Containment Pressure - High 3, 4

Function 2.c), the Table reflects several different implementations of the same Function. Typically, only one of these implementations are used at any specific unit.

APPLICABLE Each of the analyzed accidents can be detected by one or more ESFAS SAFETY Functions. One of the ESFAS Functions is the primary actuation signal ANALYSES, LCO, for that accident. An ESFAS Function may be the primary actuation and APPLICABILITY signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other break accidents. For example, Pressurizer Pressure - Low is a primary 1 actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

WOG STS B 3.3.2-5 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 34 of 111 Attachment 1, Volume 8, Rev. 0, Page 228 of 517

Attachment 1, Volume 8, Rev. 0, Page 230 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 35 of 111 B 3.3.2 10 INSERT 2 Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy, (i.e., the value indicated is sufficiently close to the necessary value to ensure proper operation of the safety systems to turn the AOO).

10 INSERT 3 The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the within the as-found as-found setpoint is conservative with respect to the Allowable Value during the tolerance CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the and is Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. 6 In this manner, the actual setting of the channel ([NTSP]) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval.

tolerances Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria),

and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria). The degraded condition of the channel will be If the actual setting of the channel is found to be conservative with respect to the evaluated Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE during performance of but a degraded condition has been identified. During the SR performance, the condition the SR.

of the channel will be evaluated. This evaluation will consist of resetting the channel evaluating setpoint to the [NTSP] (within the allowed tolerance) and determining that the channel is 6 the channel performing as expected. At the completion of the SR, operations will confirm the SR response.

results and determine the channel condition. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation.

If the channel is not performing as expected the channel is degraded because it may not 6 pass its next surveillance test. If the channel setpoint cannot be reset to the [NTSP], it is inoperable.

Insert Page B 3.3.2-6a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 35 of 111 Attachment 1, Volume 8, Rev. 0, Page 230 of 517

Attachment 1, Volume 8, Rev. 0, Page 231 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 36 of 111 B 3.3.2 10 INSERT 3 (continued)

A trip setpoint may be set more conservative than the [NTSP] as necessary in response 6 to plant conditions. However, in this case, the operability of the instrument must be 6

verified based on the [field setting] and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

Insert Page B 3.3.2-6b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 36 of 111 Attachment 1, Volume 8, Rev. 0, Page 231 of 517

Attachment 1, Volume 8, Rev. 0, Page 239 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 37 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Steam Line Pressure - High Differential Pressure Between Steam Lines Steam Line Pressure - High Differential Pressure Between Steam Lines provides protection against the following accidents:

x SLB, x Feed line break, and x Inadvertent opening of an SG relief or an SG safety valve.

Steam Line Pressure - High Differential Pressure Between Steam Lines provides no input to any control functions.

Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.

5 With the transmitters typically located inside the steam tunnels, it is possible for them to experience adverse STET

[NTSP]

environmental conditions during an SLB event. Therefore, 10 the Trip Setpoint reflects both steady state and adverse STET environmental instrument uncertainties. Steam line high differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.

f, g. Safety Injection - High Steam Flow in Two Steam Lines Coincident With Tavg - Low Low or Coincident With Steam Line Pressure - Low These Functions (1.f and 1.g) provide protection against the following accidents:

x SLB, and x the inadvertent opening of an SG relief or an SG safety valve.

WOG STS B 3.3.2-12 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 37 of 111 Attachment 1, Volume 8, Rev. 0, Page 239 of 517

Attachment 1, Volume 8, Rev. 0, Page 241 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 38 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

With the transmitters typically located inside the containment (Tavg) or inside the steam tunnels (High Steam Flow), it is possible for them to experience adverse steady state STET STET environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoint reflects both steady state and adverse environmental instrument uncertainties. The Steam Line Pressure - Low signal was discussed previously under Function 1.e.(1).

This Function must be OPERABLE in MODES 1, 2, and 3 5 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s).

This signal may be manually blocked by the operator when below the P-12 setpoint. Above P-12, this Function is automatically unblocked. This Function is not required OPERABLE below P-12 because the reactor is not critical, so feed line break is not a concern. SLB may be addressed by Containment Pressure High 1 (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line Pressure - Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray a LOCA or main Containment Spray provides three primary functions: steam line break

1. Lowers containment pressure and temperature after an HELB in 1 containment, ; 2

2. Reduces the amount of radioactive iodine in the containment atmosphere, and 2

spray water and the

3. Adjusts the pH of the water in the containment recirculation 1 sump after a large break LOCA.

These functions are necessary to:

x Ensure the pressure boundary integrity of the containment structure, ; 2 WOG STS B 3.3.2-14 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 38 of 111 Attachment 1, Volume 8, Rev. 0, Page 241 of 517

Attachment 1, Volume 8, Rev. 0, Page 246 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 39 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

depressing pushbutton pushbutton Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.

Note that manual actuation of Phase A Containment Isolation also actuates Containment Purge and Exhaust Isolation. Ventilation The Phase B signal isolates CCW. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an 10 SLB. For these events, forced circulation using the RCPs is no STET longer desirable. Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment.

Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for 7

radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure -

High 3 or Containment Pressure - High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 or Containment Pressure - High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

WOG STS B 3.3.2-18 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 39 of 111 Attachment 1, Volume 8, Rev. 0, Page 246 of 517

Attachment 1, Volume 8, Rev. 0, Page 252 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 40 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure - Negative Rate - High signal for Steam Line Isolation below P-11 when SI has been manually blocked.

The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(2) Steam Line Pressure - Negative Rate - High 5 STET Steam Line Pressure - Negative Rate - High provides closure of the MSIVs for an SLB when less than the P-11 10 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure - Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure -

Negative Rate - High signal is automatically enabled.

Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal is automatically enabled. The WOG STS B 3.3.2-23 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 40 of 111 Attachment 1, Volume 8, Rev. 0, Page 252 of 517

Attachment 1, Volume 8, Rev. 0, Page 253 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 41 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and [de-activated]. In MODES 4, 5, and 6, there is insufficient STET energy in the primary and secondary sides to have an SLB 10 or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

STET While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only 10 steady state instrument uncertainties. [NTSP]

STET e, f. Steam Line Isolation - High Steam Flow in Two Steam Lines 5 Coincident with Tavg - Low Low or Coincident With Steam Line Pressure - Low (Three and Four Loop Units)

These Functions (4.e and 4.f) provide closure of the MSIVs STET during an SLB or inadvertent opening of an SG relief or a safety 10 valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.

These Functions were discussed previously as Functions 1.f.

and 1.g.

These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSIVs are closed and [de-activated]. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

d g. Steam Line Isolation - High Steam Flow Coincident With Safety 5 Injection and Coincident With Tavg - Low Low (Two Loop Units)

This Function provides closure of the MSIVs during an SLB or 10 inadvertent opening of an SG relief or safety valve to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

WOG STS B 3.3.2-24 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 41 of 111 Attachment 1, Volume 8, Rev. 0, Page 253 of 517

Attachment 1, Volume 8, Rev. 0, Page 254 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 42 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation All changes are 1 B 3.3.2 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Two steam line flow channels per steam line are required OPERABLE for this Function. These are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow channel is not sufficient to cause initiation.

The High Steam Flow Allowable Value is a 11 25% of full steam flow at no load steam pressure. The Trip Setpoint is similarly calculated.

INSERT 8 With the transmitters (d/p cells) typically located inside the steam STET tunnels, it is possible for them to experience adverse environmental conditions during an SLB event. Therefore, the 10

[NTSP] Trip Setpoints reflect both steady state and adverse normal environmental instrument uncertainties. s 8 The main steam line isolates only if the high steam flow signal occurs coincident with an SI and low low RCS average temperature. The Main Steam Line Isolation Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Two channels of Tavg per loop are required to be OPERABLE.

The Tavg channels are combined in a logic such that two channels tripped cause a trip for the parameter. The accidents a 8 that this Function protects against cause reduction of Tavg in the entire primary system. Therefore, the provision of two OPERABLE channels per loop in a two-out-of-four configuration ensures no single random failure disables the Tavg - Low Low However, the channel statistical Function. The Tavg channels provide control inputs, but the allowance calculation does not consider any environmental allowance as part of control function cannot initiate events that the Function acts to the instrument uncertainty, since the mitigate. Therefore, additional channels are not required to function is assumed to be performed prior to the time that adverse conditions address control protection interaction issues.

can affect the Function.

With the Tavg resistance temperature detectors (RTDs) located inside the containment, it is possible for them to experience STET adverse environmental conditions during an SLB event.

[NTSP] Therefore, the Trip Setpoint reflects both steady state and 10 adverse environmental instrumental uncertainties.

WOG STS B 3.3.2-25 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 42 of 111 Attachment 1, Volume 8, Rev. 0, Page 254 of 517

Attachment 1, Volume 8, Rev. 0, Page 265 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 43 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 All changes are 1 unless otherwise noted BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) sensed by any one of the switches will cause the emergency supply of water for both pumps to be aligned, or cause the AFW pumps to stop until the emergency source of water is aligned.

ESW (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least one of the SGs as the heat sink for reactor decay heat and sensible heat removal.

Since the detectors are located in an area not affected by HELBs 5 or high radiation, they will not experience any adverse STET environmental conditions and the Trip Setpoint reflects only 10 steady state instrument uncertainties. [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.

INSERT 12

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject 5 the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.

WOG STS B 3.3.2-32 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 43 of 111 Attachment 1, Volume 8, Rev. 0, Page 265 of 517

Attachment 1, Volume 8, Rev. 0, Page 268 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 44 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) b, c. Automatic Switchover to Containment Sump - Refueling Water Storage Tank (RWST) Level - Low Low Coincident With Safety Injection and Coincident With Containment Sump Level - High During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions.

Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The RWST - Low Low Allowable Value/Trip Setpoint has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in 5

the containment sump to provide ECCS pump suction.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Trip Setpoint reflects 10 only steady state instrument uncertainties. [NTSP]

STET Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

WOG STS B 3.3.2-33 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 44 of 111 Attachment 1, Volume 8, Rev. 0, Page 268 of 517

Attachment 1, Volume 8, Rev. 0, Page 269 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 45 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

REVIEWERS NOTE-------------------------------

In some units, additional protection from spurious switchover is provided by requiring a Containment Sump Level - High signal as well as RWST Level - Low Low and SI. This ensures sufficient water is available in containment to support the recirculation phase of the accident. A Containment Sump Level - High signal must be present, in addition to the SI signal and the RWST Level - Low Low signal, to transfer the suctions of the RHR pumps to the containment sump. The containment sump is equipped with four level transmitters. These transmitters provide no 4 control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability. The containment sump level Trip Setpoint/Allowable Value is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction. The transmitters are located inside containment and thus possibly experience adverse environmental conditions. Therefore, the trip setpoint reflects the [NTSP] 10 inclusion of both steady state and environmental instrument uncertainties.

STET Units only have one of the Functions, 7.b or 7.c.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, 5 and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks an is To allow some flexibility in unit operations, several interlocks are 1 included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent s some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

WOG STS B 3.3.2-34 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 45 of 111 Attachment 1, Volume 8, Rev. 0, Page 269 of 517

Attachment 1, Volume 8, Rev. 0, Page 271 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 46 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value. 10

[NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the Steam Dump System are not in operation.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure -

Low steam line isolation signal (previously discussed). When the Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the 5 Pressurizer Pressure - Low and Steam Line Pressure - Low SI signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure -

Negative Rate - High is disabled. The Trip Setpoint reflects only 10 steady state instrument uncertainties.

STET [NTSP]

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

WOG STS B 3.3.2-36 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 46 of 111 Attachment 1, Volume 8, Rev. 0, Page 271 of 517

Attachment 1, Volume 8, Rev. 0, Page 273 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES ACTIONS (continued) [NTSP]

10 In the event a channel's Trip Setpoint is found nonconservative with or the channel is respect to the Allowable Value, or the transmitter, instrument Loop, signal 10 not functioning as processing electronics, or bistable is found inoperable, then all affected required, Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

REVIEWERS NOTE------------------------------------------

Certain LCO Completion Times are based on approved topical reports. In order for a licensee to use these times, the licensee must justify the 4 Completion Times as required by the staff Safety Evaluation Report (SER) for the topical report.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

x SI, ; 2 x Containment Spray, and 2 x Phase A Isolation, and 5 x Phase B Isolation. 5 Containment WOG STS B 3.3.2-38 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 47 of 111 Attachment 1, Volume 8, Rev. 0, Page 273 of 517

Attachment 1, Volume 8, Rev. 0, Page 287 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay 5

coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This Thevoltage is insufficient test is performed to with in accordance picktheup theIfslave SCP. relay, the actual but setting of the channel is found large enough to demonstrate to be conservative signal with respect path continuity. to thetest This Allowable is Value but is performed every 92 days beyondonthea as-found STAGGERED tolerance band, TEST the BASIS.

channel is OPERABLE The timebut degraded. The degraded condition of the channel will be further evaluated Move SR allowed for the testing (4 performance during hours) is justified in Reference of the SR. This evaluation will11. The consist of resetting the 3.3.2.3 from Frequency of 92 days is justified channel setpoint to in theReference

[NTSP] (within9.the allowed tolerance), and evaluating 10 page B the channel response. If the channel is functioning as required and is 3.3.2-51 to expected to pass the next surveillance, then the channel is OPERABLE and here can be restored to service at the completion of the surveillance. After the SR 3.3.2.5 4 surveillance is completed, the channel as-found condition will be entered into 5 the Corrective Action Program for further evaluation.

5 SR 3.3.2.5 is the performance of a COT.

in accordance with the SCP 10 A COT is performed on each required channel to ensure the entire conservative with respect to channel will perform the intended Function. Setpoints must be found the Allowable Values as within the Allowable Values specified in Table 3.3.1-1. A successful test controlled by the SCP of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

10 The difference between the current "as found" values and the previous The SCP establishes the necessary controls for properly maintaining the test "as left" values must be consistent with the drift allowance used in the applicable ESFAS instrumentation setpoint methodology. The setpoint shall be left set consistent with the 10 channels.

assumptions of the current unit specific setpoint methodology.

The "as found" and "as left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

The Frequency of 184 days is justified in Reference 11.

10 WOG STS B 3.3.2-50 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 48 of 111 Attachment 1, Volume 8, Rev. 0, Page 287 of 517

Attachment 1, Volume 8, Rev. 0, Page 288 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 49 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.6 5 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

This test is performed every [92] days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.2.7 3 5 5 6 SR 3.3.2.7 is the performance of a TADOT every [92] days. This test is a check of the Loss of Offsite Power, Undervoltage RCP, and AFW Pump Suction Transfer on Suction Pressure - Low Functions. Each Function is tested up to, and including, the master transfer relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least Move to once per refueling interval with applicable extensions.

STET previous 10 page before channels The test also includes trip devices that provide actuation signals directly 1 SR 3.3.2.4 to the SSPS. The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

WOG STS B 3.3.2-51 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 49 of 111 Attachment 1, Volume 8, Rev. 0, Page 288 of 517

Attachment 1, Volume 8, Rev. 0, Page 289 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 50 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.8 5 5 5

SR 3.3.2.8 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every [18] months. Each Manual Actuation 6 Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

INSERT for ISTS SR 3.3.2.8 10 SR 3.3.2.9 6 5 5

SR 3.3.2.9 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every [18] months, or 6 approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

in accordance CHANNEL CALIBRATIONS must be performed consistent with the 10 SCP. The SCP establishes the assumptions of the unit specific setpoint methodology. The difference necessary controls for properly between the current "as found" values and the previous test "as left" 10 maintaining the applicable ESFAS instrumentation channels. values must be consistent with the drift allowance used in the setpoint methodology.

INSERT for ISTS SR 3.3.2.9 10 The Frequency of [18] months is based on the assumption of an 6

[18] month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

WOG STS B 3.3.2-52 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 50 of 111 Attachment 1, Volume 8, Rev. 0, Page 289 of 517

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 51 of 111 INSERT for ISTS SR 3.3.2.8 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel 10 response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

INSERT for ISTS SR 3.3.2.9 The test is performed in accordance with the SCP. If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the [NTSP] (within the allowed tolerance), and evaluating the channel 10 response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 51 of 111

Kewaunee ITS Conversion Database Page 1 of 1 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 52 of 111 Licensee Response/NRC Response/NRC Question Closure Id 2241 NRC Question KAB-063 Number Select Licensee Response Application

Response

2/18/2010 4:00 PM Date/Time Closure Statement Response KPS has reviewed the errata to TSTF-493, Rev. 4 and determined that the Statement draft markup attached to the previous KPS response to KAB-065 did not include a few minor changes. A draft markup regarding these changes is attached, and supersedes the previous draft markup. Changes from the previous markup are identified in red (see pages 1 and 10 of the attachment). These changes will be reflected in the supplement to this section of the ITS conversion amendment.

Question Closure Date Attachment KAB-063, Rev. 1 Markup.pdf (2MB) 1 Attachment 2

Notification NRC/LICENSEE Supervision Kristy Bucholtz Jerry Jones Bryan Kays David Mielke Ray Schiele Added By Robert Hanley Date Added 2/18/2010 4:00 PM Modified By Date Modified Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 52 of 111 http://www.excelservices.com/rai/index.php?requestType=areaItemPrint&itemId=2241 06/09/2010

Attachment 1, Volume 8, Rev. 0, Page 222 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 53 of 111 B 3.3.2 10 INSERT 1 This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor 8 ESFAS system parameters and equipment performance. ESFAS Where a LSSS is Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables specified for a that have significant safety functions. LSSS are defined by the regulation as "...settings variable on which must be a safety limit has chosen so for automatic protective devices...so chosen that automatic protective action will correct been placed, the the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Control Program (SCP) controlled by 10.CFR.50.59.

field

REVIEWER'S NOTE -------------------------------------------

The term "Limiting Trip Setpoint (LTSP)" is generic terminology for the calculated setting (setpoint) value calculated by means of the plant-specific setpoint methodology documented in a document controlled under 10 CFR 50.59. The term [LTSP] indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. For most Westinghouse plants the term Nominal Trip Setpoint (NTSP) is the terminology for the setpoint value calculated by means of the plant- 4 specific setpoint methodology documented in a document subject to 10 CFR 50.59. The term NTSP indicates that no additional margin has been added between the Analytical Limit and the calculated trip setting. The NTSP would replace LTSP in the Bases descriptions. The term field setting is terminology for the actual setpoint implemented in the plant surveillance procedures which is standard terminology for the NTSP with additional margin applied. The as-found and as-left tolerances will apply to the actual setpoint (field setting) implemented in the Surveillance procedures to confirm channel performance.

The [NTSP] is included in the SCP.

used in place of the term LTSP, and NTSP will replace LTSP in the Bases descriptions.

"Field setting" is the suggested terminology for the actual setpoint implemented in the plant surveillance procedures where margin has been added to the calculated.

field setting Insert Page B 3.3.2-1a Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 53 of 111 Attachment 1, Volume 8, Rev. 0, Page 222 of 517

Attachment 1, Volume 8, Rev. 0, Page 223 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 54 of 111 B 3.3.2 10 INSERT 1 (continued) 6 The [NTSP] specified in the SCP is a predetermined setting, plus margin, for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the

[NTSP] accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the [NTSP] ensures that SLs are not exceeded. Therefore, the [NTSP]

meets the definition of an LSSS (Ref. 1). 11 9 Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the [NTSP] to define OPERABILITY in Technical Specifications would be an overly 6 restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the

[NTSP] due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the [NTSP] and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel to the [NTSP] to account for further drift during the next surveillance within the interval. Note that, although the channel is OPERABLE under these circumstances, the established as-trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance left tolerance with uncertainty assumptions stated in the referenced setpoint methodology (as-left around the

[NTSP] to 6 criteria), and confirmed to be operating within the statistical allowances of the uncertainty account for terms assigned (as-found criteria). further drift during the next surveillance However, there is also some point beyond which the channel would have not been able interval.

to perform its function due to, for example, greater than expected drift. The Allowable Value specified in the SCP is the least conservative value of the as-found setpoint that the channel can have when tested, such that a channel is OPERABLE if the as-found setpoint is conservative with respect to the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the [NTSP] by an amount [greater than or] equal to the expected instrument channel uncertainties, 6 such as drift, during the surveillance interval. In this manner, the actual setting of the channel will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond that expected during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

Insert Page B 3.3.2-1b Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 54 of 111 Attachment 1, Volume 8, Rev. 0, Page 223 of 517

Attachment 1, Volume 8, Rev. 0, Page 224 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 55 of 111 B 3.3.2 10 INSERT 1 (continued)

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE.

However, a potential degraded condition has been identified. During the SR performance, the condition of the channel will be evaluated. This evaluation will consist 6

of resetting the channel setpoint to the [LTSP] (within the allowed tolerance), and the channel's response evaluated. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel's as-found setting will be entered into the Corrective Action Program for further evaluation. If any of the above-described evaluations determine that the channel is not performing as expected the channel is degraded because it may not pass its next surveillance test. If the 6

channel setpoint can not be reset to the [LTSP], it is inoperable.

If the actual setting of the channel is found to be non-conservative with respect to the Allowable Value, the channel would be considered inoperable. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protection channels do not function as required.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB),

2. Fuel centerline melt shall not occur, and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 1 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident 50.67 1 categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. However the acceptable dose limit for an accident category and their associated [NTSPs] are not considered to be LSSS as 6 defined in 10 CFR 50.36.

Insert Page B 3.3.2-1c Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 55 of 111 Attachment 1, Volume 8, Rev. 0, Page 224 of 517

Attachment 1, Volume 8, Rev. 0, Page 225 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 56 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation 1

B 3.3.2 All changes are unless otherwise noted BASES BACKGROUND (continued)

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to six measure unit parameters. In many cases, field transmitters or sensors Protection that input to the ESFAS are shared with the Reactor Trip System (RTS).

P In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are

[NTSP] provided in the Trip Setpoint and Allowable Values. The OPERABILITY 10 of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

NTSPs Signal Processing Equipment derived from Analytical Generally, three or four channels of process control equipment are used Limits for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, Analytical Limits comparable output signals for instruments located on the main control [NTSPs] 10

[NTSPs]

board, and comparison of measured input signals with setpoints U 10 established by safety analyses. These setpoints are defined in FSAR, 14 Chapter [6] (Ref. 1), Chapter [7] (Ref. 2), and Chapter [15] (Ref. 3). If the 6 ESF logic measured value of a unit parameter exceeds the predetermined setpoint, relays an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input logic relay cabinets bays. However, not all unit parameters require four channels of sensor 3 measurement and signal processing. Some unit parameters provide ESF logic input only to the SSPS, while others provide input to the SSPS, the main relays control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

WOG STS B 3.3.2-2 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 56 of 111 Attachment 1, Volume 8, Rev. 0, Page 225 of 517

Attachment 1, Volume 8, Rev. 0, Page 226 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) a protection function Generally, if a parameter is used for input to the SSPS and a control 1 function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 2.

[NTSPs]

Allowable Values and ESFAS Setpoints 10 calculation 3

The trip setpoints used in the bistables are based on the analytical limits 1 10 analytical limits stated in Reference 2. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time the Nominal Trip Setpoints delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values the SCP specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the

[NTSPs]

methodology used to calculate the Allowable Values and ESFAS The as-left tolerance and setpoints including their explicit uncertainties, is provided in the plant as-found tolerance band specific setpoint methodology study (Ref. 6) which incorporates all of the methodology is provided in the SCP. known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS

[NTSP] setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by as-found trip setpoint the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT. One example of such a 10 change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

[NTSP] is the value The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS

[NTSP] setpoint value ensures the safety analysis limits are met for the is the LSSS and surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL

[NTSP]

as-left tolerance WOG STS B 3.3.2-3 Rev. 3.0, 03/31/04 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 57 of 111 Attachment 1, Volume 8, Rev. 0, Page 226 of 517

Attachment 1, Volume 8, Rev. 0, Page 227 of 517 Enclosure (6 of 8), Q&A to Attachment 1, Volume 8 (Section 3.3) Page 58 of 111 Engineered Safety Feature Actuation System (ESFAS) Instrumentation B 3.3.2 BASES BACKGROUND (continued) and comparator setting