Supplement to License Amendment Request (LAR)20-006

ML21194A078
Person / Time
Site:	Comanche Peak
Issue date:	07/13/2021
From:	Thomas McCool Luminant, Vistra Operations Company
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
CP-202100394, TXX-21093
Download: ML21194A078 (174)
v • d • e

Text

m Thomas P. McCool Site Vice President Comanche Peak Nuclear Power Plant (Vistra Operations Company LLC)

Luminant P.O. Box 1002 6322 North FM 56 Glen Rose , TX 76043 T 254.897.6042 CP-202100394 TXX-21093 July 13, 2021 U.S. Nuclear Regulatory Commission Ref 10 CFR 50.90 ATTN: Document Control Desk 10 CFR 50.91(a)(6)

Washington, DC 20555-0001 10 CFR 50.91(b)(1)

Subject:

Comanche Peak Nuclear Power Plant (CPNPP)

Docket Nos. 50-445 and 50-446 Supplement to License Amendment Request (LAR)20-006 APPLICATION TO REVISE TECHNICAL SPECIFICATIONS TO ADOPT RISK INFORMED COMPLETION TIMES, TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES - RITSTF INITIATIVE 4b (Accession No. ML21131A233)"

Reference:

1. Letter TXX-21046 from Thomas P. McCool to the NRC, License Amendment Request (LAR)20-006, APPLICATION TO REVISE TECHNICAL SPECIFICATIONS TO ADOPT RISK INFORMED COMPLETION TIMES, TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES - RITSTF lNITIA TIVE 4b," dated May 11, 2021 (Accession No. ML21131A233)

2. Letter from Dennis Galvin to Ken Peters, SUPPLEMENTAL INFORMATION NEEDED FOR ACCEPTANCE OF REQUESTED LICENSING ACTION RE: LICENSE AMENDMENT REQUEST TO ADOPT TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES- RITSTF INITIATIVE 4b" (EPID L-2021-LLA-0085) (Accession Number: ML21166A338)

Dear Sir or Madam:

Pursuant to 10 CFR 50.90 and 10 CFR 50.91, Vistra Operations Company LLC (Vistra OpCo) hereby submits a supplement to the license amendment request for the Comanche Peak Nuclear Power Plant (CPNPP) Unit 1 and Unit 2 Technical Specifications in connection with LAR 20-006, Revision to multiple specifications as requested in Reference 1. This change supplement applies to both units .

This submittal addresses information requested by Reference 2 and supplements the proposed amendment that would modify Technical Specifications (TS) requirements for CPNPP to permit the use of Risk Informed Completion Times in accordance with TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b", (ADAMS Accession No. ML18183A493). A model safety evaluation was provided by the NRC to the TSTF on November 21, 2018 (ADAMS Accession No. ML18267A259). This supplement includes the following additional information:

• Executive Summary for Supplement

• Attachment 1 provides a revised Description and Assessment

TXX-21093 Page 2 of 3

• Attachment 2 provides revised proposed Technical Specification changes

• Attachment 4 provides a revised Cross Reference between TSTF-505, Revision 2 and CPNPP Technical Specifications proposed changes

• Enclosure 1 provides a revised List of Required Actions to Corresponding PRA Functions

• Table El In Scope TS /LCO Conditions to Corresponding PRA Functions

• Table El In Scope TS/LCO Conditions RICT Estimates

• Table El Conditions Requiring Additional Technical Justification

• Table El Evaluation of Instrumentation and Control Systems

• Table El Reactor Trip System (RTS) Instrumentation Functions

• Table El Engineered Safety Features Actuation System (ESF AS) Instrumentation Functions

• Table El Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions

• Table El Event Protection and Diverse Functions

• Enclosure 7 provides a revised description of the PRA Model Update Process Attachments 1, 2, and 4 and Enclosures 1 and 7 of letter TXX-21093 replace the corresponding Attachments and Enclosures of letter TXX-21046 (Accession Number: ML21131A233). Attachment 3, Enclosures 2 through 6, and Enclosures 8 through 12 of TXX-21046 remain valid.

In accordance with 10 CFR 50.91(b)(1), a copy of the supplement for the proposed license amendment is being forwarded to the State of Texas.

Vistra OpCo has determined that this supplement does not change the No Significant Hazards Consideration provided in the Enclosure submitted by Reference 1.

This communication contains no new commitments regarding CPNPP Units 1 and 2.

Should you have any questions, please contact Garry Struble at (254) 897-6628 or Garry.Struble@luminant.com.

I state under penalty of perjury that the foregoing is true and correct.

Executed on July 13, 2021.

Sincerely, Th:£;

TXX:-21093 Page 3 of 3 Executive Summary: Supplement to License Amendment Request (LAR)20-006 RICT Attachments: 1. Description and Assessment

2. Proposed Technical Specification pages (markup)

4. Cross-Reference of TSTF-505 and CPNPP Technical Specifications

Enclosures:

1. List of Required Actions to Corresponding PRA Functions Tables: El-1 In Scope TS /LCO Conditions to Corresponding PRA Functions El-2 In Scope TS/LCO Conditions RICT Estimate El-3 Conditions Requiring Additional Technical Justification El-4 Evaluation of Instrumentation and Control Systems El-5 Reactor Trip System (RTS) Instrumentation Functions El-6 Engineered Safety Features Actuation System (ESFAS) Instrumentation Functions El-7 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions El-8 Event Protection and Diverse Functions

7. PRA Model Update Process c (email) - Scott Morris, Region IV [Scott.Morris@nrc.gov]

Dennis Galvin, NRR [Dennis.Galvin@nrc.gov]

John Ellegood, Senior Resident Inspector, CPNPP Uohn.Ellegood@nrc.gov]

Neil Day, Resident Inspector, CPNPP [Neil.Day@nrc.gov]

Mr. Robert Free [robert.free@dshs.state.tx.us]

Environmental Monitoring & Emergency Response Manager Texas Department of State Health Services Mail Code 1986 P.O. Box 149347 Austin, TX 78714-9347

Executive Summary for TXX-21093 Page 1 of 16 SUPPLEMENT to LICENSE AMENDMENT REQUEST (LAR)20-006 APPLICATION TO REVISE TECHNICAL SPECIFICATIONS TO ADOPT RISK INFORMED COMPLETION TIMES, TSTF-505, REVISION 2, "PROVIDE RISK-INFORMED EXTENDED COMPLETION TIMES - RITSTF INITIATIVE 4b"

[Original submittal is found under Accession Number: ML21131A233]

Executive Summary The following items describe the supplemental changes to the original LAR submittal based on information received by letter on June 22, 2021 to the Licensee (Vistra Operations Company LLC (Vistra OpCo)) from the Nuclear Regulatory Commission (Accession No. ML21166A363).

NRC Acceptance Review Information Insufficiencies (ARII) and CPNPP Response NRC ARII 1 LAR Enclosure 7, "PRA [Probabilistic Risk Assessment] Model Update Process,"

Section 2.2, "Review of Plant Changes for Incorporation into the PRA Model," Item 3 proposes a standard frequency of 48 months for PRA model updates; however, Nuclear Energy Institute (NE/) report NE/ 06-09, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS)

Guidelines," Section 2.3.4, "PRA Technical Adequacy," Item 7.1 (ADAMS Package Accession No . ML122860402) states that the PRA shall be maintained and updated on a periodic basis not to exceed two refueling cycles. Comanche Peak has a nominal 18-month refueling cycle which, according to NE/ 06-09, should bound the PRA update to every 36 months. Provide an explanation and justification for the inconsistency between the PRA model update frequency proposed in the LAR and frequency in NE/ 06-09.

CPNPP ARII 1 - Response Comanche Peak Nuclear Power Plant (CPNPP) contends that our PRA update process complies with NEI 06-09-A, Section 2.3.5, Item 9.1 as follows; CPNPP is a dual unit facility with a common PRA for both units as stated in Enclosure 7, Section 2.2.3. In order to capture input from both units across two refueling cycles it could take between 42 and 45 months based on variations in operating cycles. With CPNPP periodic basis at 48 months we ensure that the update includes two refueling cycles for each unit while not exceeding two refueling cycles on either unit. Section 2.2.3 of Enclosure 7 to TXX-21093 is updated to reflect this information.

NRC ARll 2 LAR Enclosure 1, "List of Revised Required Actions to Corresponding PRA Functions,"

Table E1-1, "In Scope TSILCO [Technical Specification/Limiting Condition of Operation]

to Corresponding PRA [Probabilistic Risk Assessment] Functions,' does not provide information on the PRA success criteria for TS Condition 3. 7. 4. C, "Three or more

Executive Summary for TXX-21093 Page 2 of 16 required ARV [atmospheric relief valve] lines inoperable." Provide the applicable PRA success criteria.

CPNPP ARII 2 - Response This item is an error of omission, please refer to attached updated Enclosure 1, Table E1-1. The updated Table E1-1 also includes revision to TS 3.7.4.A and 3.7.4.B . All three Condition's PRA Success Criteria are, "One of four for Transient/ SGTR."

NRC ARll 3 LAR Enclosure 1, Table E1-2, "In Scope TS/LCO Conditions RICT [Risk-Informed Completion Time] Estimate, " does not provide a RICT estimate for TS Condition 3.4.9.B, "One required group of pressurizer heaters inoperable." Provide a RICT for this TS.

CPNPP ARII 3 - Response This item is an error of omission, please refer to attached updated Enclosure 1, Table E1-2. The updated Table E1-2 states "30 days" as the RICT estimate.

NRC ARll 4 The LAR does not address "what redundant or diverse means were available to assist the licensee in responding to various plant conditions." This LAR does not provide a defense-in-depth assessment to address these guidelines for each proposed RICT TS. Describe the defense-in-depth for instrumentation and control features per the guidelines in TSTF-505, Revision 2, Enclosure 1.

CPNPP ARII 4 - Response The approach taken was to include this information in Attachment 1, pages 7 through 12. There is also supporting information found in Attachment 4, Comments.

CPNPP includes the information in updated Enclosure 1, by adding Table E1-3, Conditions Requiring Additional Technical Justification as an attachment to this supplement. Enclosure 1 and associated tables have been revised to include details of the redundancy, independence, diversity, and defense-in-depth of the instrumentation Functions .

NRC ARll 5 The licensee stated in this LAR that "[t]he proposed amendment is consistent with TSTF-505, Revision 2. TSTF-505, Revision 2 excludes loss of function (LOF) conditions, in which there is insufficient operable equipment to meet the safety function of the system, from the RICT program.

The NRC staff identified TS Conditions that appear to include LOF based on the data in columns "Tech Spec Description" and "Design Success Criteria" in Table E1-1;

• 3.3.1.P One or more Turbine Stop Valve Closure Turbine Trip channel(s) inoperable.

• 3.3. 5.B Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

Executive Summary for TXX-21093 Page 3 of 16

• 3. 3. 5. C Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

• 3.3.5.D Two channels per bus for the 6.9 kV [kilovolt] bus loss of voltage function inoperable.

• 3. 3. 5. E Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable.

• 3.3.5.F One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

• 3. 4. 11 . C One block valve inoperable.

• 3. 7. 4. C Three or more required ARV lines inoperable.

CPNPP ARII 5 - Response

• 3.3.1.P, One or more Turbine Stop Valve Closure Tu rbine Trip channel(s) inoperable.

From CPNPP TS Bases; This trip Function will not and is not required to operate in the presence of a single channel failure . The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

These channels also are not a Support System for the Reactor Trip System (RTS) and as such they are not an input into the Safety Function Determination Program (SFDP). This shows that there is no loss of safety function due to the "one or more" verbiage.

• 3.3 .5.B, Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

• 3.3.5.C, Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

• 3.3.5.D, Two channels per bus for the 6.9kV bus loss of voltage function inoperable.

• 3.3.5.E, Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable.

From CPNPP TS Bases; Each of the above groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The network of logic and actuation relays actuate the offsite power source breakers and generator start signals .. .

The LOP DG start instrumentation is required for the Engineered Safety Features (ESF)

Systems to function in any accident with a loss of offsite power or degraded power system. Its design basis is that of the ESF Actuation System (ESFAS).

Executive Summary for TXX-21093 Page 4 of 16 In other words, the LOP DG Start Instrumentation is a support system for each Emergency Diesel Generator (EDG) in TS 3.8 .1, AC Sources -- Operating. This group of Conditions is the picture of diverse instrumentation in that they all lead to an automatic start of the EDGs, if needed (loss of all offsite power or degraded voltage) while still allowing automatic actions to maintain or restore AC power without an EOG start. The EDGs may also be started from the Control Room or locally if the LOP DG Start Instrumentation is not available . The two-out-of-two coincidence is requ ired to actuate a response which is bus related. That leaves the other bus to provide the safety function. The application of the RICT for Conditions B, C, D, and E only changes the Completion Time based on risk. There is no change in the safety function status due to the extended Completion Time . and Attachment 2 to the original submittal have been revised to address the identified issues.

• 3.3.5.F, One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

This Condition is like TS 3.3.2 .C in that the circuitry for LOP DG Start Instrumentation was part of the Engineered Safety Feature (ESF) Actuation System. Under that prior Technical Specification (3/4 .3.2, Engineered Safety Features Actuation System Instrumentation)

Automatic Action Logic and Actuation Relays appear in the following Functions; 1.b Safety Injection - Automatic Action Logic and Actuation Relays 2.b Containment Spray - Automatic Action Logic and Actuation Relays 3.a.2 Containment Isolation - Phase "A" Isolation - Automatic Action Logic and Actuation Relays 3.b.2 Containment Isolation - Phase "B Isolation - Automatic Action Logic and Actuation Relays 3.c.2 Containment Isolation - Containment Vent Isolation - Automatic Action Logic and Actuation Relays 4.b Steam Line Isolation - Automatic Action Logic and Actuation Relays 5.a Turbine Trip & Feedwater Isolation - Automatic Action Logic and Actuation Relays 6.a Auxiliary Feedwater - Automatic Action Logic and Actuation Relays 7.a Automatic Initiation of ECCS Switchover to Containment Sump - Automatic Action Logic and Actuation Relays The Safety Injection Function 1.b always has the manual backup of Function 1.a which provides a diversity of actuation methods. Current TS 3.3.2, ESFAS Instrumentation allows 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to recover a single train inoperable via Conditions C, G , and H for Automatic Action Logic and Actuation Relays. If both trains are inoperable then LCO 3.8 .1, Condition E w ill be entered. The required action is to restore one DG to OPERABLE status in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

In TS 3.3.5, LOP DG Start Instrumentation Condition F for one or more Automatic Action Logic and Actuation Relays trains inoperable provides 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore the inoperable train(s) . If not restored in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, immediately declared associated DG(s) inoperable in accordance with TS 3.8 .1. This is only a loss of safety function if all AC sources are declared inoperable, TS 3.8.1 addresses that condition. The RICT would only extend the Completion Time prior to declaring a DG inoperable if supported by risk analysis. Keeping a unit online when a known remedy exists for the LOP DG Start system may be in the public's best interest.

Executive Summary for TXX-21093 Page 5 of 16

• 3.4.11.C One block valve inoperable.

From CPNPP TS Bases; LCO 3.4.11, Pressurizer PORVs requires the PORVs and their associated block valves to be OPERABLE for manual operation to mitigate the effects associated with an SGTR.

By maintaining two PORVs and their associated block valves OPERABLE, the single failure criterion is satisfied. An OPERABLE block valve may be either open or closed and energized with the capability to be opened, since the required safety function is accomplished by manual operation. Although typically open to allow PORV operation, the block valves may be OPERABLE while closed to isolate the flow path of an inoperable PORV that is capable of being manually cycled (e.g. , as in the case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render the PORV or the block valve inoperable provided the relief function remains available with manual action.

If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or place the associated PORV in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV. Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Because at least one PORV remains OPERABLE, the operator is permitted a Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the inoperable block valve to OPERABLE status. The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in Condition B, since the PORVs may not be capable of mitigating an event if the inoperable block valve is not fully open. If the block valve is restored within the Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the power will be restored and the PORV restored to OPERABLE status. If it cannot be restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition 0. The Required Actions are modified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with other Required Actions. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition B or E entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed control power fuse(s) or control switch malfunction(s)).

With a single block valve inoperable the other PORV and block valve pair are capable of manual operation to mitigate a SGTR event. Applying the RICT would only change the Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> if supported by risk analysis . It may not be in the public's best interest to shutdown a unit if there is reasonable assurance that a single PORV block valve can be returned to OPERABLE status within the limitations of the RICT.

Depending on plant equipment available the Steam Generator (SG) Atmospheric Relief Valves (ARV) , the Steam Dumps, Steam Drains, Main Steam Safety Valves (MSSV), and Pressurizer Safety Valves all are capable of lowering Reactor Coolant System (RCS) pressure.

Executive Summary for TXX-21093 Page 6 of 16

• 3.7.4.C Three or more required ARV lines inoperable.

From the CPNPP TS Bases; The ARVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions should the preferred heat sink via the Steam Dump System to the condenser not be available.

The ARVs may a/so be required to meet the design coo/down rate during a normal coo/down when steam pressure drops too low for maintenance of a vacuum in the condenser to permit use of the Steam Dump System.

The ARVs are OPERABLE with only a DC power source available, however, the automatic controls for the ARVs do not perform a safety function .

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a SGTR, The design basis for the maximum relief capacity is established by the 10CFR100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design rate of 50°F per hour is applicable for a natural circulation coo/down using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

In the safety analysis, the ARVs are assumed to be used by the operator to cool down the unit to RHR entry conditions for events accompanied by a loss of offsite power. Prior to operator actions to cool down the unit, the main steam safety valves (MSSVs) are assumed to operate automatically to relieve steam and maintain the steam generator pressure below the design value. For the recovery from a steam generator tube rupture (SGTR) event, the operator is a/so required to perform a limited coo/down to establish adequate subcooling as a necessary step to terminate the primary to secondary break flow into the ruptured steam generator. The time required to terminate the primary to secondary break flow for an SGTR is more critical than the time required to cool down to RHR conditions for this event and a/so for other accidents. Thus, the SGTR is the limiting event for the ARVs. Four ARVs are required to be OPERABLE to satisfy the SGTR accident analysis requirements based on consideration of single failure assumptions regarding the failure of one or two ARVs to open on demand.

An ARV is considered OPERABLE when it is capable of providing controlled relief of the main steam flow and capable of fully opening and closing on demand using associated remote manual control.

With three or more ARV lines inoperable, action must be taken to restore at least two ARV line to OPERABLE status. This will result in at least two OPERABLE ARVs. Since the block valve can be closed to isolate an ARV, some repairs may be possible with the unit at power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable to repair inoperable ARV lines, based on the availability of the Steam Dump System and MSSVs, and the low probability of an event occurring during this period that would require the ARV lines.

The RICT would only change the Completion Time based on risk analysis, not introduce a loss of safety function.

Executive Summary for TXX-21093 Page 7 of 16 NRC ARll 6 TSTF-505, Revision 2, Table 1, "Conditions Requiring Additional Technical Justification:

NUREG-1431, Westinghouse STS [Standard Technical Specifications]," requires additional justification for the following TS conditions listed below. The mark-up pages in TSTF-505, Revision 2 a/so indicate that additional technical justification is need for these TS conditions.

• 3.3.1.0 One Power Range Neutron Flux - High channel inoperable.

• 3.3. 1.S One RTB [Reactor Trip Breaker] train inoperable.

• 3. 4. 9. B One required group of pressurizer heaters inoperable.

• 3. 6. 2. C One or more containment air locks inoperable for reasons other than Condition A or B.

• 3. 6. 6.A One containment spray train inoperable.

• 3. 7.2.A One MSIV [Main Steam Isolation Valve] inoperable in MODE 1.

• 3. 7.4.B Two required ARV lines inoperable.

The LAR does not contain such technical justification on changes to these conditions.

Provide the additional justification for these conditions in accordance with TSTF-505, Revision 2.

CPNPP ARII 6 - Response The information is now contained in Enclosure 1 and associated tables.

• 3.3.1.D One Power Range Neutron Flux - High channel inoperable.

The Reactor Trip System (RTS) instrumentation is segmented into four distinct but interconnected modules: field transmitters and process sensors, Signal Process Control and Protection System, Solid State Protection System (SSPS), and reactor trip switchgear. Field transmitters provide measurement of the unit parameters to the Signal Process Control and Protection System via separate , redundant channels. The Signal Process Control and Protection System forwards outputs to the SSPS, which consists of two redundant trains, to actuate a Reactor Trip or an Engineered Safety Feature (ESF).

This redundancy maintains safety function.

Depending on the measured parameter, three or four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions . The output trip signal of each instrumentation channel initiates a trip logic. Failure of any one trip logic does not result in an inadvertent trip. Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient. In both cases, a

Executive Summary for TXX-21093 Page 8 of 16 single failure will neither cause nor prevent the protective safety function actuation. With a failed power range instrument and rated thermal power greater than 75% the Quadrant Power Tilt Ratio must be verified 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the channel became inoperable and then every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> until the channel is restored to OPERABLE status.

• 3.3.1.S One RTB [Reactor Trip Breaker] train inoperable.

A trip breaker train consists of all trip breakers associated with a single Reactor Trip System logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Consistent with the requirement in WCAP-15376-P-A to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when an RTB train is inoperable for maintenance are included . Multiple SSPS outputs provide trip signals to the trip logic which in turn opens the trip breakers. Additionally, CPNPP has ATWS Mitigation System Actuation Circuitry (AMSAC). At CPNPP the ATWS is referred to as the Anticipated Transient Without Trip (ATWT) . AMSAC is independent of SSPS . AMSAC actuation will occur if turbine load is greater than 40% and three of four Steam Generator (SG) narrow range levels are less than 10%. There is a built in time delay to allow SSPS time to actuate. The AMSAC output will trip the main turbine, start all Auxiliary Feedwater (AFW) pumps, isolate SG blowdown and sample lines, and close the Condensate Storage Tank (CST) discharge valves. Due to a different main feedwater design on Unit 2, AMSAC also close the Feedwater Split-flow Bypass Valves (FSBVs). The system design is to provide AFW flow to the SGs and conserve feedwater while responding to an ATWT.

CPNPP adopted TSTF-411 with License Amendment 114 (ML050460331) . It can be seen that the CPNPP SSPS which provides protection through actuation of required reactor trips and engineered safety features and the adoption the AMSAC system described above, there is defense-in-depth should the reactor not trip. AMSAC actuation is delayed allowing SSPS the opportunity to trip the reactor and actuate ESF components. If SSPS fails to perform its safety function, AMSAC will actuate to preserve a heat sink, preventing core damage.

A manual reactor trip from two different handswitches and a manual turbine trip in the Control Room are available, providing diversity and defense-in-depth.

CPNPP adds the following LCOs for completeness in Enclosure 1, Table E1-3, Conditions Requiring Additional Technical Justification;

• 3.3.5.B Two channels per bus for the Preferred offsite source bus undervoltage function inoperable

• 3.3.5.C Two channels per bus for the Alternate offsite source bus undervoltage function inoperable

• 3.3 .5.D Two channels per bus for the 6.9 kV bus loss of voltage function inoperable

Executive Summary for TXX-21093 Page 9 of 16

• 3.3.5.E Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1E buses. For Conditions B, C, D, E, and F separate entries are allowed by TS 3.3.5. Currently each of these Conditions call for restoring one channel per bus to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. "Two channels per bus" is acceptable as each bus must have both channels to initiate the start signal for the DG in Conditions B, C, D, or E. Condition Fallows for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore Automatic Actuation Logic and Actuation Relays train(s) whether one or both trains are inoperable. If one or both Automatic Actuation Logic and Actuation Relays train(s) are inoperable then the associated DG is declared inoperable after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. If both buses are found to be inoperable per Conditions B, C, D, or Ethen actions for the inoperable source or bus will be required. In applying the RICT, the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Times may be extended based on plant configuration and acceptable risk. Failure to meet the Completion Time will cause entry into TS 3.8.1 for an inoperable Diesel Generator in accordance with TS 3.3.5, Condition G.

For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1E buses loss of voltage, 480V Class 1E buses low grid undervoltage, 6.9kV Class 1E buses degraded voltage, and 480V Class 1E buses degraded voltage.

Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

• 3.4.9.B One required group of pressurizer heaters inoperable .

Safety analyses do not take credit for pressurizer heaters. The initial assumption is that the RCS is at normal pressure. Any RICT application will evaluate the anticipated demand for more than one group of heaters. The current model of record does not explicitly model the pressurizer heater directly, instead, we use a surrogate to represent its function/impact in the RICT model. For the RICT, this is done by increasing the likelihood of a reactor trip by a factor of 10 (conservative modeling). The unavailability of one required group of pressurizer heaters would not have any significant impact on

Executive Summary for TXX-21093 Page 10 of 16 plant transient response so there is no quantifiable impact to CDF or LERF. While mitigation of a SGTR is enhanced by the availability of pressurizer heaters, ECA-3.3A/B provides for mitigation of a SGTR without pressurizer heaters, if necessary.

Degraded pressurizer heater capability is supplemented by the availability of the remaining heaters for plant pressure control, and the availability of plant procedures which provide plant shutdown and cooldown guidance with pressurizer heaters. If the available heaters are sufficient to maintain RCS pressure control, normal plant operations can continue. CPNPP design includes one control heater group and three backup heater groups. Only two groups of heaters are required with an output of 150 KW each.

• 3.6.2.C One or more containment air locks inoperable for reasons other than Condition A or B.

TS 3.6.2 Condition C Action C.1 initiates action to evaluate the overall containment leakage rate per LCO 3.6.1. Actions also include verifying a door is closed in the affected air lock and restoring the air lock to OPERABLE status in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If air lock is not restored, be in MODE 3 in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 in 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

• 3.6.6.A One containment spray train inoperable.

The Containment Spray (CT) System for each unit consists of two separate and completely redundant safety trains. Each Containment Spray train has two pumps. The CPNPP model of record/ RICT model requires two CT spray pumps per train to meet its success criteria (only one train is required to meet the PRA success criteria). As this is explicitly modeled, when either pump (in a train) is removed from service the function is failed for that train and the RICT will be calculated based on the new configuration.

• 3.7.2.A One MSIV [Main Steam Isolation Valve] inoperable in MODE 1.

The design of the secondary system precludes the uncontrolled blowdown of more than one steam generator, assuming a single active component failure (e.g., the failure of one MSIV to close on demand.) This is accomplished by the closing of the other three MSIVs manually or automatically.

• 3.7.4.B Two required ARV lines inoperable.

The unit can be cooled to residual heat removal (RHR) entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

Currently the Completion Time for one ARV inoperable is 7 days, for two ARVs inoperable is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and for three or more ARVs inoperable is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a SGTR, The design basis for the maximum relief capacity is established by the 10CFR100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design cooldown rate of 50°F per hour is applicable for a natural circulation cooldown

Executive Summary for TXX-21093 Page 11 of 16 using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

NRC ARll 7 Condition 3. 7.8.A, "Required SSW Pump on the opposite unit or its associated cross-connects inoperable, " and the Required Actions A. 1 and A. 2 are plant-specific and per the TSTF-505, Revision 2 model application, a description of the variation and a justification of the applicability of TSTF-505 are required. LAR Attachment 1 treats Condition 3. 7. 8.A as an administrative difference, which is for differences in numbering or titles, which do not affect the applicability of TSTF-505. However, Condition 3. 7. 8.A is associated with the portion of the limiting condition for operation that is not covered by TSTF-505 and thus is a non-administrative plant-specific variation and a justification for the applicability of TSTF-505 is needed. Provide a description and justification of the applicability of TSTF-505 to Required Actions 3. 7.8.A.1 and 3. 7.8.A.2 in accordance with TSTF-505 .

CPNPP ARII 7 - Response From CPNPP TS Bases; The SSWS consists of two separate, 100% capacity, safety related, cooling water trains. Each train consists of one 100% capacity pump, piping, valving, and instrumentation. The pumps and valves are remote and manually aligned to be operable in the unlikely event of a loss of coolant accident (LOCA). The pumps aligned to their respective loops are automatically started upon receipt of a safety injection signal. An automatic valve in the discharge of each pump is interlocked to open on a pump start.

An automatic valve in the SSWS cooling water flow path for each emergency diesel generator automatically opens on a diesel generator start. All other valves are manual valves operated locally. The SSWS also is the backup water supply to the Auxiliary Feedwater System.

Cross-connections are provided between trains and between units such that any pump can supply any other pump's required flow.

Train isolation by two normally closed valves in series or one locked closed valve is provided to satisfy GDC-44. Unit isolation by one locked closed valve is provided to satisfy GDC-5.

In the event of a total Loss of Station Service Water (LOSSW) event in one unit at Comanche Peak, backup cooling capability is available via a cross-connect between the two units. An OPERABLE pump is manually realigned, and flow balanced to provide cooling to essential heat loads to one or both units as required. The OPERABILITY of the unit cross-connect along with a Station Service Water pump in the shutdown unit ensures the availability of sufficient redundant cooling capacity for the operating unit.

The Limiting Condition of Operation will ensure a significant risk reduction as indicated

Executive Summary for TXX-21093 Page 12 of 16 by the analyses of a Loss of Station Service Water System event. The surveillance requirements ensure the short and long-term OPERABILITY of the Station Service Water System and cross-connect between the two units.

The Station Service Water System cross-connect between the two units consists of appropriate piping and cross-connect valves connecting the discharge of the Station Service Water pumps of the two units. By aligning the cross-connect flow paths, additional redundant cooling capacity from one unit is available to the Station Service Water System of the other unit.

The principal safety related function of the SSWS is the removal of decay heat from the reactor via the CCW System. The design basis of the SSWS is for one SSWS train, in conjunction with the CCW System and a 100% capacity containment cooling system, to remove core decay heat following a design basis LOCA.

An SSW Pump on the opposite unit is OPERABLE as back-up in the event of a LOSSW if it is capable of providing required flow rates. An emergency diesel generator power source is not required because loss of offsite power is not assumed coincident with a LOSSW event.

A cross-connect valve is OPERABLE if it can be cycled or is locked open. A valve that cannot be demonstrated OPERABLE by cycling is considered inoperable until the valve is surveilled in the locked open position. However, at least one cross-connect valve between units is required to be maintained closed in accordance with GDC-5 unless required for flushing or due to total loss of Station Service Water pumps for either unit.

If no SSW pump on the opposite unit or its associated cross-connects are operable, the overall reliability is degraded since a back-up in the event of a Loss of Station Service Water System (LOSSWS) event may not be capable of performing the function. The 7 day completion time is based on the low probability of a LOSSWS during this time period.

CPNPP has consider the condition where a unit in MODEs 5, 6, and Defueled could have a single or no SSWP available. That would put the opposite unit, that is likely in MODE1 in a condition where they could have both trains of SSW OPERABLE but be in a forced unit shutdown based on the unavailability of an SSW pump on the opposite unit.

The RICT estimate for TS 3.7.8 , Condition A is 30 days and Condition Bis 12.2 days. In this situation Conditions A and B need to be considered in the aggregate to determine the appropriate Completion Times for the unit at power. Redundancy is maintained on the operating unit by the opposite train of SSW. It may not be in the public interest to shutdown a CPNPP unit based on the condition of SSW on the shutdown unit.

Executive Summary for TXX-21093 Page 13 of 16 NRC Other Issues Identified During the Acceptance Review (011) and CPNPP

Response

The NRG staff a/so identified the following information requests that, although not required for the NRG to complete its acceptance review, the staff would provide the licensee if the staff ultimately accepts the application for review.

NRC 0111

1. These are editorial items identified in the proposed changes:

NRC 0111 .a

a. Proposed TS 1.3-8 in LAR Attachment 2 does not align with TSTF-505, Revision 2. Some of the defined terms and headings are not capitalized consistent with TSTF-505, Revision 2.

CPNPP 011 1.a - Response TS Example 1.3-8 in Attachment 2 is revised to match TSTF-505, Revision 2.

NRC 0111.b

b. Proposed TS 5.5.23, "Risk Informed Completion Time Program," differs from TSTF-505, Revision 3:

i. missing title underscore, ii. paragraph c has an extra word in first sentence, and 111. paragraph e has different wording in third sentence.

CPNPP 011 1.b - Response Wording in Attachment 2 is revised to match TSTF-505-A, Revision 2 in accordance with WOG markup pages.

NRC 0111.c

c. TS 3. 3. 1: Several renumbered TS Conditions do not have their corresponding Required Actions renumbered in the markups in LAR Attachment 2 (Proposed TS 3.3.1 Conditions R, S, T, U, and V) .

CPNPP 011 1.c - Response Conditions identified in Attachment 2 are revised as identified .

NRC 0111.d

d. Proposed Required Action 3. 3. 1. V. 1 (identified as Required Action 3.3. 1. U. 1 in LAR Attachment 2) is inconsistent with the proposed changes in TSTF-505,

Executive Summary for TXX-21093 Page 14 of 16 Revision 2. TSTF-505, Revision 2 deletes "inoperable" while the proposed change does not.

CPNPP 011 1.d - Response Required Action 3.3.1.V.1 in Attachment 2 is revised to delete "inoperable."

NRC 0111.e

e. TS Required Action 3.6.2.C.1 appears to add text "LCO 3.6.1" ("LCO 3.6.1" is colored.) Proposed TS Required Action 3.6.2. C. 1 is the same as in the current Comanche Peak TS.

CPNPP 011 1.e - Response Attachment 2 Required Action 3.6.2.C.1 red text "LCO 3.6.1" is black to match ADAMS TS.

NRC 0112

2. In the LAR, the licensee requested deletion of TS notes that have one-time change requirements but did not provide justification for these variations. This affects TS Required Actions 3.7 .8.B.1, 3.7.8.B.2, 3.8.1.B.4.1, 3.8.1.B.4.2, and 3.8.4.B.2.

CPNPP 011 2 - Response The justification for removal of the listed Required Actions is that they are no longer applicable. They are historical actions that have already been used. Removal deletes historical information that is no longer needed and is no longer valid. Not included in this list is 3.7.19.A.2 which is also deleted in Attachment 2.

NRC 0113

3. LAR Attachment 1, Section 1.0, Paragraph 4, states in part:

... only those Required Actions described in Attachment 4 and Enclosure 1, as reflected in the proposed TS mark-ups provided in Attachment 2, are proposed to be changed, because some of the modified Required Actions in TSTF-505 are not applicable to CPNPP, and there are some plant-specific Required Actions not included in TSTF-505 that are included in this proposed amendment.

However, there are proposed TS mark-ups in Attachment 2, which appear to be consistent with TSTF-505, that are not described in Attachment 4 and Enclosure 1.

Clarify the inconsistency between the statement in LAR Attachment 1 and the changes indicated and LAR Attachments 2 and 4.

Executive Summary for TXX-21093 Page 15 of 16 CPNPP 011 3 - Response LAR Attachments 1, 2, 4 and Enclosure 1 have been synchronized to eliminate identified inconsistencies. Attachment 1 has been revised to state that the default conditions are consistent with TSTF-505, Revision 2. Attachment 2 includes the proposed TS changes including changes consistent with TSTF-505, Revision 2 and the removal of previously implemented one-time license amendments. Attachment 4 only lists cross-references to those TS changes proposed in Attachment 2. Enclosure 1 is revised to ensure consistency with Attachments 1, 2, and 4.

Revisions to Enclosure 1 include updating Tables E1-1, In Scope TS/LCO Conditions to Corresponding PRA Functions and E1-2, In Scope TS/LCO Conditions RICT Estimate.

Additional tables are provided in Enclosure 1 to document additional justifications and evaluation of instrument and control system.

NRC 0114

4. As part of its TSTF-505 review, the NRC staff examines each proposed TS condition for the potential LOF. One method to do that is reviewing the design success criteria (DSC) the licensee provided in the LAR. The DSC is a minimum set of remaining equipment required to perform the safety function. The DSC must demonstrate that the proposed change will not result in a LOF. The staff notes that the following DSC in Table E1-1 of the LAR do not reflect the criteria of DSC and therefore, raise the concern of the potential LOF.

a. TS Condition 3.8.1.C is "Two required offsite circuits inoperable." The DSC in Table E1-1 for this TS condition is one offsite circuit. With both required offsite circuits inoperable, there is no required offsite circuit available to perform the safety function (providing alternating current (AC) power). However, according to the updated final safety analysis report (ADAMS Package Accession No. ML20315A055), the AC power system consists of the offsite circuits and the onsite AC power sources (i.e. emergency diesel generators).

Therefore, with both offsite circuits inoperable, the onsite AC power sources can provide the AC power. Clarify or correct the DSC information in the Table.

b. TS Condition 3.8.4.A is "One or two required battery chargers on one train inoperable." The DSC in Table E1-1 for this TS condition is "One 100%

capacity battery for one of two DC trains." TS Condition 3.8.4.A is a TS condition related to battery charger inoperability, but the DSC in Table E1-1 describes the battery. Clarify or correct this DSC information in the Table.

CPNPP 011 4 - Response Clarification added to Table E1-1 for above LCOs.

Executive Summary for TXX-21093 Page 16 of 16 NRC 0115

5. LAR Table E1 -1 should be reviewed to determine if additional DSC need to be clarified comparable to the two examples in the previous question.

CPNPP 011 5 - Response Table E1-1 has been reviewed and updated as necessary.

Replacement documents that support the supplemental submittal; Please make the following changes to the original submittal made under Accession No. ML21131A233;

1. Replace Attachment 1 to TXX-21046 with Attachment 1 to TXX-21093.

2. Replace Attachment 2 to TXX-21046 with Attachment 2 to TXX-21093.

3. Replace Attachment 4 to TXX-21046 with Attachment 4 to TXX-21093.

4. Replace Enclosure 1 to TXX-21046 with Enclosure 1 to TXX-21093. Attached Tables E1-1 and E1-2 have been updated and Tables E1-3, E1-4, E1-5, E1-6, E1-7, and E1-8 have been added to address evaluation of instrument and control Functions and Function redundancy, independence, diversity, and defense-in-depth.

5. Replace Enclosure 7 to TXX-21046 with Enclosure 7 to TXX-21093.

to TXX-21093 Page 1 of 17 ATTACHMENT 1 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Description and Assessment of the Proposed Changes to TXX-21093 Page 2 of 17 Table of Contents

1.0 DESCRIPTION

2.0 ASSESSMENT 2.1 Applicability of Published Safety Evaluation 2.2 Verifications and Regulatory Commitments 2.3 Optional Changes and Variations

3.0 REGULATORY ANALYSIS

3.1 No Significant Hazards Consideration Determination 3.2 Conclusions

4.0 ENVIRONMENTAL CONSIDERATION

5.0 REFERENCES

to TXX-21093 Page 3 of 17

1.0 DESCRIPTION

In accordance with CFR 50.90, "Application for amendment of license, construction permit, or early site permit," Vistra Operations Company LLC (Vistra OpCo) requests an amendment to Facility Operating License Nos. NPF-87 and NPF-89 for Comanche Peak Nuclear Power Plant, Units 1 and 2, (CPNPP).

The proposed amendment would modify the Technical Specification (TS) requirements related to Completion Times (CTs) for Required Actions to provide the option to calculate a longer, risk-informed CT (RICT). A new program, the Risk-Informed Completion Time (RICT) Program ,

is added to TS Section 5.0 , "Administrative Controls ."

The methodology for using the RICT Program is described in NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS)

Guidelines," Revision 0, which was approved by the NRC on May 17, 2007. Adherence to NEI 06-09-A is required by the RICT Program .

The proposed amendment is consistent with TSTF-505 , Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b." However, only those Required Actions described in Attachment 4 and Enclosure 1, as reflected in the proposed TS mark-ups provided in Attachment 2, are proposed to be changed, because some of the modified Required Actions in TSTF-505 are not applicable to CPNPP, and there are some plant-specific Required Actions not included in TSTF-505 that are included in this proposed amendment.

The proposed amendment also removes the following three one-time only amendments;

1. License Amendment 170: COMANCHE PEAK NUCLEAR POWER PLANT, UNIT NOS .

1 AND 2 - ISSUANCE OF AMENDMENTS RE: REVISION TO TECHNICAL SPECIFICATION 3.8.4, "DC SOURCES-OPERATING," CONDITION B (EXIGENT CIRCUMSTANCES) (EPID: L-2018-LLA-0238) (ML18267A384)

2. License Amendment 175: COMANCHE PEAK NUCLEAR POWER PLANT, UNIT NOS .

1 AND 2 - ISSUANCE OF AMENDMENT NOS . 175 AND 175 REGARDING ONE-TIME REVISION TO TECHNICAL SPECIFICATION 3.7.19, "SAFETY CHILLED WATER" (EPID L-2020-LLA-0137) (ML20223A349)

3. License Amendment 178: COMANCHE PEAK NUCLEAR POWER PLANT, UNIT NOS.

1 AND 2 - ISSUANCE OF AMENDMENT NOS. 178 AND 178 REGARDING ONE-TIME REVISION TO TECHNICAL SPECIFICATIONS 3.7.8, "STATION SERVICE WATER SYSTEM (SSWS)," AND 3.8.1 , "AC SOURCES- OPERATING" (EPID L-2020-LLA-0250)

(ML21015A212)

The proposed amendment also establishes default Conditions in TS 3.3.1, Reactor Trip System (RTS) Instrumentation and TS 3.3.2 , Engineered Safety Feature Actuation System (ESFAS)

Instrumentation . While preparing this proposed amendment it became clear that establishing the default Conditions will bring the CPNPP Technical Specifications more in alignment with NUREG-1431, Standard Technical Specifications-Westinghouse Plants and the Technical Specification Writer's Guide.

to TXX-21093 Page 4 of 17 The following default Conditions are proposed ;

1. TS 3.3.1 , Condition N: This Condition establishes the Required Action to Reduce THERMAL POWER to < P-7 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time when the Requ ired Action and associated Completion Time of Condition M is not met.

2. TS 3.3.1 , Condition Q: This Condition establishes the Required Action to Reduce THERMAL POWER to < P-9 with a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition O or P is not met.

3. TS 3.3 .1, Condition W : This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition B, D, E, R, S, T, or Vis not met.

4. TS 3.3.1, Condition X : This Condition establishes the Required Action to Be in MODE 2 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time when the Required Action and associated Completion Time of Condition U is not met.

5. TS 3.3 .2, Cond ition M: This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time AND Be in MODE 5 with a 36 Completion Time when the Required Action and associated Completion Time of Condition B, C, or K is not met.

6. TS 3.3 .2, Condition N: This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time AND Be in MODE 4 with a 12 Completion Time when the Required Action and associated Completion Time of Condition D, E, F, G, or Lis not met.

7. TS 3.3 .2, Condition 0 : This Condition establishes the Required Action to Be in MODE 3 with a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion when the Required Action and associated Completion Time of Condition H, I, or J is not met.

The TS mark-ups in Attachment 2 include proposed changes due to implementation of TSTF-505, Revision 2, the removal of the one-time license amendments and the addition of the default Conditions in TS 3.3.1 and TS 3.3.2 . These default conditions are consistent with TSTF-505, Revision 2.

The TS Bases mark-ups in Attachment 3 are provided "for information only." These proposed changes include changes due to implementation of TSTF-505 , Revision 2, the removal of the one-time license amendments and the addition of the default Conditions in TS 3.3.1 and TS 3.3.2.

2.0 ASSESSMENT 2.1 Applicability of Published Safety Evaluation Vistra OpCo has reviewed TSTF-505, Revision 2 (ADAMS Accession No. ML18183A493) ,

and the model safety evaluation dated November 21 , 2018 (ADAMS Accession No. ML18267A259). This review included the information provided to support TSTF-505 and the safety evaluation for NEI 06-09-A (ADAMS Accession No. ML12286A322 (part of ADAMS Package Accession No. ML122860402)). As described in the subsequent paragraphs ,

Vistra OpCo has concluded that the technical basis is applicable to CPNPP and support incorporation of this amendment in the CPNPP TS.

to TXX-21093 Page 5 of 17 2.2 Verifications and Regulatory Commitments In accordance with Section 4.0 , Limitations and Conditions , of the safety evaluation for NEI 06-09-A, the following is provided:

1. Enclosure 1 identifies each of the TS Required Actions to which the RICT Program will apply , with a comparison of the TS functions to the functions modeled in the probabilistic risk assessment (PRA) of the structures , systems and components (SSCs) subject to those actions.

2. Enclosure 2 provides a discussion of the results of peer reviews and self-assessments conducted for the plant-specific PRA models which support the RICT Program, as required by Regulatory Guide (RG) 1.200, Section 4.2 .

3. Enclosure 3 is not applicable since each PRA model used for the RICT Program is addressed using a standard endorsed by the Nuclear Regulatory Commission.

4. Enclosure 4 provides appropriate justification for excluding sources of risk not addressed by the PRA models.

5. Enclosure 5 provides the plant-specific baseline core damage frequency (CDF) and large early release frequency (LERF) to confirm that the potential risk increases allowed under the RICT Program are acceptable.

6. Enclosure 6 is not applicable since the RICT Program is not being applied to shutdown models.

7. Enclosure 7 provides a discussion of the licensee's programs and procedures that assure the PRA models that support the RICT Program are maintained consistent with the as-built, as-operated plant.

8. Enclosure 8 provides a description of how the baseline PRA model, which calculates average annual risk, is evaluated and modified to assess real time configuration risk, and describes the scope of, and quality controls applied to the real-time model.

9. Enclosure 9 provides a discussion of how the key assumptions and sources of uncertainty in the PRA models were identified, and how their impact on the RICT Program was assessed and dispositioned .

10. Enclosure 10 provides a description of the implementing programs and procedures regarding the plant staff responsibilities for the RICT Program implementation, including risk management action (RMA) implementation.

11. Enclosure 11 provides a description of the monitoring program as described in NEI 06-09-A, Section 2.3.2, Step 7.

to TXX-21093 Page 6 of 17

12. Enclosure 12 provides a description of the process to identify and provide RMAs ,

including examples.

2.3 Optional Changes and Variations Vistra OpCo is proposing the following variations from the TS changes described in TSTF-505, Revision 2, or the applicable parts of the NRC's model safety evaluation dated November 21 , 2018. These options were recognized as acceptable variations in TSTF-505 and the NRC's model safety evaluation .

Note that, in several instances , the CPNPP TS use different numbering and titles than the Standa rd Technical Specifications (STS) on which TSTF-505 was based . These differences are administrative and do not affect the applicability of TSTF-505 to the CPNPP TS . Only TS changes consistent with the CPNPP design and TS are included. Attachment 4 provides specific information. is a cross-reference that provides a comparison between the NUREG-1431, "Standard Technical Specifications Westinghouse Plants," Required Actions included in TSTF-505 and the CPNPP Actions included in this license amendment request. The attachment includes a summary description of the referenced Required Actions , which is provided for information purposes only and is not intended to be a verbatim description of the Required Actions . The cross-reference in Attachment 4 identifies the following:

1. CPNPP Actions that have identical numbers to the corresponding NUREG-1431 Required Actions are not deviations from TSTF-505 , except for administrative deviations (if any) such as formatting. These deviations are administrative with no impact on the NRC's model safety evaluation dated November 21 , 2018.

2. CPNPP Actions that have different numbering than the NUREG-1431 Required Actions are an administrative deviation from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21, 2018.

3. For NUREG-1431 Required Actions that are not contained in the CPNPP TS , the corresponding TSTF-505 mark-ups for the Required Actions are not applicable to CPNPP. This is an administrative deviation from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21, 2018.

4. Existing CPNPP Actions that have new numbers because of additional Actions added to the TS consistent with TSTF-505 are administrative deviations from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21 , 2018.

5. The model application provided in TSTF-505 , Revision 2, includes an attachment for typed, camera-ready (revised) TS pages reflecting the proposed changes. CPNPP is not including such an attachment due to the number of TS pages included in this submittal that have the potential to be affected by other unrelated license amendment requests and the straightforward nature of the proposed changes. Providing only mark-ups of the proposed TS changes satisfies the requirements of 10 CFR 50.90 ,

"Application for amendment of license, construction permit, or early site permit," in that the mark-ups fully describe the changes desired . This is an administrative to TXX-21093 Page 7 of 17 deviation from TSTF-505 with no impact on the NRC's model safety evaluation dated November 21 , 2018. Because of this deviation, the contents and numbering of the attachments for this amendment request differ from the attachments specified in the model application in TSTF-505, Revision 2.

6. As stated in TSTF-505, Revision 2 , it is necessary to adopt TSTF-439, "Eliminate Second Completion Times Limiting Time from Discovery of Failure to Meet an LCO,"

in order to adopt TSTF-505 for those Required Actions that are affected by both travelers. On December 19, 2006, (ADAMS Accession No. ML070580149) Vistra OpCo submitted a license amendment request (LAR) for CPNPP to adopt TSTF-439.

This LAR impacts the following TS .

• TS 3.7.5 , Auxiliary Feedwater System

• TS 3.8.1 , AC Sources-Operating

• TS 3.8.9, Distribution Systems-Operating There are several plant-specific LCOs and associated Actions for which CPNPP are proposing to apply the RICT Program that are variations from TSTF-505 as identified in with additional justification provided below:

• 3.3.5. B.1 - Two channels per bus for the Preferred offsite source bus undervoltage function inoperable.

The requirements of TS 3.3.5, Action B.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status. This will result in at least one operable sensing relay per bus . The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring a loss of power (LOP) start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses . If the Preferred offsite power source is lost, the 6.9kV Class 1E buses are automatically energized from the Alternate offsite power source. If the transfer fails, or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1E buses .

For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1E buses loss of voltage, 480V Class 1 E buses low grid undervoltage, 6.9kV Class 1 E buses degraded voltage, and 480V Class 1 E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered to TXX-21093 Page 8 of 17 from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed .

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

• 3.3.5.C.1 - Two channels per bus for the Alternate offsite source bus undervoltage function inoperable.

The requirements of TS 3.3.5, Action C.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status . This will result in at least one operable sensing relay per bus . The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source . The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails , or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1 E buses .

For each unit, the undervoltage protection system , leading to the start of the diesel generators on loss of offsite power, consists of the following functional groups:

Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1 E buses loss of voltage, 480V Class 1E buses low grid undervoltage, 6.9kV Class 1E buses degraded voltage, and 480V Class 1E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable . Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed .

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function .

• 3.3.5. D.1 - Two channels per bus for the 6.9 kV buss loss of voltage function inoperable.

The requirements of TS 3.3.5, Action D.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status . This will result in at least one operable sensing relay per bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to to TXX-21093 Page 9 of 17 repair most failures and considers the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energ ized from the Alternate offsite power source. If the transfer fails , or if the Alternate offsite power source is not available , the diesel generators are started to energize the 6.9kV Class 1 E buses.

For each unit, the undervoltage protection system , leading to the start of the diesel generators on loss of offsite power, consists of the following functional groups:

Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1E buses loss of voltage , 480V Class 1E buses low grid undervoltage, 6 .9kV Class 1E buses degraded voltage, and 480V Class 1E buses degraded voltage . Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for thei r respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable . Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation , in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed.

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function .

• 3.3.5.E.1 - Two channels per bus for one or more degraded voltage or low grid undervoltage function inoperable.

The requirements of TS 3.3.5, Action E.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one channel per bus to OPERABLE status. This will result in at least one operable sensing relay per bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source . The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses . If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails , or if the Alternate offsite power source is not available , the diesel generators are started to energize the 6.9kV Class 1E buses .

For each unit, the undervoltage protection system , leading to the start of the diesel generators on loss of offsite power, consists of the following functional groups:

Preferred offsite source undervoltage, alternate offsite source undervoltage, to TXX-21093 Page 10 of 17 6.9kV Class 1 E buses loss of voltage, 480V Class 1E buses low grid undervoltage, 6 .9kV Class 1 E buses degraded voltage , and 480V Class 1 E buses degraded voltage . Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general , sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed .

Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function.

• 3.3.5.F.1 - One or more Automatic Actuation Logic and Actuation Relays trains inoperable.

The requirements of TS 3.3.5, Action F.1 currently allow for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore one train to OPERABLE status. This will result in at least one operable Automatic Logic and Actuation Relays train operable. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1 E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1 E buses are automatically energized from the Alternate offsite power source. If the transfer fails , or if the Alternate offsite power source is not available , the diesel generators are started to energize the 6.9kV Class 1E buses.

For each unit, the undervoltage protection system , leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1E buses loss of voltage, 480V Class 1E buses low grid undervoltage, 6.9kV Class 1E buses degraded voltage , and 480V Class 1E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general , sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable . Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed .

to TXX-21093 Page 11 of 17 Application of a RICT for this Action will not adversely affect the ability of the LOOP DG start instrumentation or the Engineered Safety Features Systems to perform their intended safety function .

• 3.5.2.A.1 - One train inoperable because of the inoperability of a centrifugal charging pump.

The requirements of TS 3.5.2, Action A.1 currently allow for 7 days to restore the centrifugal charging pump to operable status. With one centrifugal charging pump inoperable the Emergency Core Cooling System (ECCS) is still capable of providing 100% capacity. The 7 day completion time is based on a risk-informed assessment to manage the risk associated with the equipment in accordance with the Configuration Risk Management Program and is responsible for the repair of a centrifugal charging pump.

The ECCS consists of three separate subsystems: centrifugal charging (high head), safety injection (intermediate head), and residual heat removal (low head).

Each of the three subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100%

of the flow required to mitigate accident consequences. The interconnecting and redundant subsystem design provides the operators with the ability to utilize components from opposite trains to achieve the required 100% flow.

Application of a RICT for this Action will not adversely affect the ability of the ECCS to perform their intended safety function.

• 3.7.4.C.1 - Steam Generator Atmospheric Relief Valves (ARVs); Three or more required ARV lines inoperable.

The requirements of TS 3.7.4, Action C.1 currently allow 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to restore at least two ARV lines to OPERABLE status. This will result in at least two OPERABLE ARVs. Since the block valve can be closed to isolate an ARV, some repairs may be possible with the unit at power. The 24-hour Completion Time is reasonable to repair inoperable ARV lines, based on the availability of the Steam Dump System and Main Steam Safety Valves (MSSVs), and the low probability of an event occurring during this period that would require the ARV lines.

The ARVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions should the preferred heat sink via the Steam Dump System to the condenser not be available. This is done in conjunction with the Auxiliary Feedwater System providing cooling water from the condensate storage tank (CST) .

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a steam generator tube rupture (SGTR). The design basis for the maximum relief capacity is established by the 10 CFR 100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses. The design rate of 50°F per hour is to TXX-21093 Page 12 of 17 applicable for a natural circulation cooldown using two steam generators , each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

Application of a RICT for this Action will not adversely affect the ability of the Steam Generator ARVs to perform their intended safety function .

• 3.7.8.B.1 -Station Service Water System, One SSWS train inoperable The requirements of TS 3. 7 .8, Action B.1 currently allow 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the SSWS train to operable status. In this condition, the remaining OPERABLE SSWS is adequate to provide a heat sink for the removal of process and operating heat from safety related components.

The SSWS consists of two separate, 100% capacity, safety related , cooling water trains. Each train consists of one 100% capacity pump, piping, valving, and instrumentation. The pumps and valves are remote and manually aligned to be operable in the unlikely event of a loss of coolant accident (LOCA). The pumps aligned to their respective loops are automatically started upon receipt of a safety injection signal. An automatic valve in the discharge of each pump is interlocked to open on a pump start. An automatic valve in the SSWS cooling water flow path for each emergency diesel generator automatically opens on a diesel generator start. All other valves are manual valves operated locally. The SSWS also is the backup water supply to the Auxiliary Feedwater System.

In the event of a total Loss of Station Service Water (LOSSW) event in one unit at Comanche Peak, backup cooling capability is available via a cross-connect between the two units. An OPERABLE pump is manually realigned, and flow balanced to provide cooling to essential heat loads to one or both units as required . The OPERABILITY of the unit cross-connect along with a Station Service Water pump in the shutdown unit ensures the availability of sufficient redundant cooling capacity for the operating unit. The Limiting Condition of Operation will ensure a significant risk reduction as indicated by the analyses of a Loss of Station Service Water System event. The surveillance requirements ensure the short and long-term OPERABILITY of the Station Service Water System and cross-connect between the two units.

The Station Service Water System cross-connect between the two units consists of appropriate piping and cross-connect valves connecting the discharge of the Station Service Water pumps of the two units. By aligning the cross-connect flow paths, additional redundant cooling capacity from one unit is available to the Station Service Water System of the other unit.

The principal safety related function of the SSWS is the removal of decay heat from the reactor via the CCW System. The design basis of the SSWS is for one SSWS train, in conjunction with the CCW System and a 100% capacity to TXX-21093 Page 13 of 17 containment cooling system , to remove core decay heat following a design basis LOCA.

An SSW Pump on the opposite unit is OPERABLE as back-up in the event of a LOSSW if it is capable of providing required flow rates . An emergency diesel generator power source is not required because loss of offsite power is not assumed coincident with a LOSSW event.

A cross-connect valve is OPERABLE if it can be cycled or is locked open. A valve that cannot be demonstrated OPERABLE by cycling is considered inoperable until the valve is surveilled in the locked open position. However, at least one cross-connect valve between units is requi red to be maintained closed in accordance with GDC-5 unless required for flushing or due to total loss of Station Service Water pumps for either unit.

If no SSW pump on the opposite unit or its associated cross-connects are operable, the overall reliability is degraded since a back-up in the event of a Loss of Station Service Water System (LOSSWS) event may not be capable of performing the function . The 7 day completion time is based on the low probability of a LOSSWS during this time period .

Application of a RICT for this Action will not adversely affect the ability of the Station Service Water System to perform its safety function.

• 3.7.19.A.1 - Safety Chilled Water; One safety chilled water train inoperable The requirements of TS 3.7.19, Action A.1 currently allow 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to restore the safety chilled water train to OPERABLE status. In this condition, the remaining OPERABLE Safety Chilled Water System train is adequate to perform the heat removal function for its associated essential equipment.

However, the overall reliability is reduced because a single failure in the OPERABLE Safety Chilled Water System train could result in loss of the Safety Chilled Water System function . The 72-hour Completion Time is based on the redundant capabilities afforded by the OPERABLE train , and the low probability of a OBA occurring during this time .

The design basis of the Safety Chilled Water System is to support emergency fan coil units (EFCUs) that maintain air temperatures as required in selected rooms containing safety-related equipment during normal operation and during and after a design basis accident (with or without a loss of offsite power) or a blackout (loss of offsite power, LOOP). The system is designed to provide chilled water to maintain the ambient air temperature within the design limits of the essential equipment served by the system.

The Safety Chilled Water System for each unit consists of two separate and completely redundant safety trains. Each train consists of one packaged centrifugal chiller, one centrifugal chilled water recirculation pump , interconnecting piping , valves, controls , and instrumentation. There are no automatic valves in the system.

to TXX-21093 Page 14 of 17 Additionally, the two trains share a common chilled water surge (expansion) tank, partitioned in the middle into two separate compartments to provide complete separation of the two trains, that function to ensure sufficient net positive suction head is available.

Application of a RICT for this Action will not adversely affect the ability of the Safety Chilled Water to perform its intended safety function.

Vistra OpCo has determined that the application of a RICT for these CPNPP plant specific LCOs is consistent with TSTF-505, Revision 2, and with the NRC's model safety evaluation dated November 21, 2018. Application of a RICT for these plant specific LCOs will be controlled under the RICT Program . The RICT Program provides the necessary administrative controls to permit extension of Completion Times and thereby delay reactor shutdown or remedial actions if risk is assessed and managed within specified limits and programmatic requirements . The specified safety function or performance levels of TS required structures , systems or components (SSCs) are unchanged, and the remedial actions, including the requirement to shut down the reactor, are also unchanged; only the Action completion times are extended by the RICT Program.

Application of a RICT is evaluated using the methodology and probabilistic risk guidelines contained in NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines," Revision 0, which was approved by the NRC on May 17, 2007 (ADAMS Accession No. ML071200238). The NEI 06-09-A, Revision O methodology includes a requirement to perform a quantitative assessment of the potential impact of the application of a RICT on risk, to reassess risk due to plant configuration changes , and to implement compensatory measures and risk management actions (RMAs) to maintain the risk below acceptable regulatory risk thresholds. In addition , the NEI 06-09-A, Revision Omethodology satisfies the five key safety principles specified in Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specifications," dated August 1998 (ADAMS Accession No. ML003740176), relative to the risk impact due to the application of a RICT.

Therefore, the proposed application of a RICT in the CPNPP plant specific Actions is consistent with TSTF-505, Revision 2, and with the NRC's model safety evaluation dated November 21 , 2018.

Vistra OpCo has reviewed these changes and determined that they do not affect the applicability of TSTF-505 , Revision 2, to the CPNPP TS.

3.0 REGULA TORY ANALYSIS 3.1 No Significant Hazards Consideration Determination Vistra OpCo has evaluated the proposed changes to the TS using the criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration .

Comanche Peak Nuclear Power Plant, Units 1 and 2 , request adoption of an approved change to the standard technical specifications (STS) and plant-specific technical to TXX-21093 Page 15 of 17 specifications (TS), to modify the TS requirements related to Completion Times for Required Actions to provide the option to calculate a longer, risk-informed Completion Time . The allowance is described in a new program in Section 5.0, "Administrative Controls," entitled the "Risk-Informed Completion Time Program."

As required by 10 CFR 50.91 (a), an analysis of the issue of no significant hazards consideration is presented below:

1. Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed changes permit the extension of Completion Times provided the associated risk is assessed and managed in accordance with the NRC approved Risk-Informed Completion Time Program , removes historical information , and establishes default Conditions in TS 3.3.1 and TS 3.3.2. The proposed changes do not involve a significant increase in the probability of an accident previously evaluated because the changes involve no change to the plant or its modes of operation. The proposed changes do not increase the consequences of an accident because the design-basis mitigation function of the affected systems is not changed and the consequences of an accident during the extended Completion Time are no different from those during the existing Completion Time .

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Do the proposed changes create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed changes do not change the design , configuration, or method of operation of the plant. The proposed changes do not involve a physical alteration of the plant (no new or different kind of equipment will be installed).

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Do the proposed changes involve a significant reduction in a margin of safety?

Response: No .

The proposed change permits the extension of Completion Times provided risk is assessed and managed in accordance with the NRC approved Risk-Informed Completion Time Program, removes historical information, and establishes default Conditions in TS 3.3.1 and TS 3.3.2. The proposed change implements a risk-informed configuration management program to assure that adequate margins of safety are maintained.

Application of these new specifications and the configuration management program considers cumulative effects of multiple systems or components being out of service and does so more effectively than the current TS .

Therefore , the proposed change does not involve a significant reduction in a margin of safety.

to TXX-21093 Page 16 of 17 Based on the above , Vistra OpCo , concludes that the proposed changes present no significant hazards consideration under the standards set forth in 10 CFR 50.92(c) , and ,

accordingly, a finding of "no significant hazards consideration" is justified .

3.2 Conclusions In conclusion , based on the considerations discussed above , (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compl iance with the Commission's regulations ,

and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

4.0 ENVIRONMENTAL CONSIDERATION

Vistra OpCo has reviewed the environmental evaluation included in the model safety evaluation published on November 21 , 2018 as part of the Notice of Availability . Vistra OpCo has concluded that the NRC staff findings presented in that evaluation are applicable to CPNPP Units 1 and 2, NPF-87 and NPF-89.

The proposed change would change a requirement with respect to installation or use of a facility component located within the restricted .area, as defined in 10 CFR 20 , or would change an inspection or surveillance requirement. However, the proposed change does not involve (i) a significant hazards consideration , (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed change meets the eligibility criterion fo r categorical exclusion set forth in 10 CFR 51 .22(c)(9) .

Therefore, pursuant to 10 CFR 51.22(b) , no environmental impact statement or environmental assessment need be prepared in connection with the proposed changes.

5.0 REFERENCES

1. Topical Report NEI 06-09, Revision 0-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines" (ADAMS Accession No. ML12286A322 (part of ADAMS Package Accession No. ML122860402)) .

2. NUREG-0800, Standard Review Plan 19.1, "Determining the Technical Adequacy of Probabilistic Risk Assessment Results fo r Risk-Informed Activities," Revision 3, May 2012.

3. NUREG-0800 , Standard Review Plan 19.2, "Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance," Revision 0, November 2002.

4. NUREG-0800, Standard Review Plan 16.1, "Risk-I nformed Decisionmaking :

Technical Specifications," Revision 1, March 2007.

5. Regulatory Guide 1.174, Revision 2, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, " May 2011 , Accession No. ML 10091006.

6. Regulatory Guide 1. 177, Revision 1, "An Approach for Plant-Specific, Risk-Informed Decisionmaking : Technical Specifications," May 2011 , Accession No .

ML100910008.

to TXX-21093 Page 17 of 17

7. Regulatory Guide 1.200, Revision 2, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities,"

March 2009, Accession No. ML090410014.

to TXX-21093 Page 1 of 49 Attachment 2 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Proposed Technical Specification pages (markup) to TXX-21093 Completion Times Page 2 of 49 1.3 1.3 Completion Times EXAMPLES EXAMPLE 1.3-6 (continued)

If after entry into Condition B, Required Action A.1 or A.2 is met, Condition B is exited and operation may then continue in Condition A.

EXAMPLE 1.3-7 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One subsystem A.1 Verify affected 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable. subsystem isolated .

AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND A.2 Restore subsystem to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> OPERABLE status .

B. Required Action B.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and associated Completion Time - AND-not met.

B.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> Required Action A.1 has two Completion Times . The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time begins at the time the Condition is entered and each "Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter" interval begins upon performance of Required Action A.1 .

If after Condition A is entered, Required Action A .1 is not met within either the initial 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or any subsequent 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> interval from the previous performance (plus the extension allowed by SR 3.0.2), Condition Bis entered . The Completion Time clock for Condition A does not stop after Condition B is entered, but continues from the time Condition A was initially entered. If Required Action A.1 is met after Condition B is entered , Condition B is exited and operation may continue in accordance with Condition A, provided the Completion Time for Required Action A.2 has not expired.

~~ EXAMPLE 1.3-8 INSERT IMMEDIATE When "Immediately" is used as a Completion Time , the Required Action COMPLETION should be pursued without delay and in a controlled manner TIME COMANCHE PEAK- UNITS 1 AND 2 1.3-8 Amendment No. 150 to TXX-21093 Page 3 of 49 RTS Instrumentation 3.3.1 3.3 INSTRUMENTATION 3.3.1 Reactor Trip System (RTS) Instrumentation LCO 3.3.1 The RTS instrumentation for each Function in Table 3.3.1-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3 .1-1 ACTIONS

---

NOT E--------------------------------------------------------------

Sep a rate Condition entry is allowed for each Function .

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions with A.1 Enter the Condition referenced in Immediately one or more required Table 3.3.1-1 for the channel(s) or channels or trains train(s).

inoperable.

B. One Manual Reactor Trip B.1 Restore channel to OPERABLE 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> channel inoperable. status.

GR < IRICT INSE RT 13.2 Be iA MGge d. §4 A91:ffS COMANCHE PEAK - UNITS 1 AND 2 3.3-1 Amendment No . 150 to TXX-21093 Page 4 of 49 RTS Instrumentation 3.3.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME D. One Power Range Neutron -----------------------NOTE------------------------

Flux - High channel One channel may be bypassed for up to inoperable. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing and setpoint adjustment.

D.1.1 ------------------NOTE--------------------

Only required to be performed when the Power Range Neutron Flux input to QPTR is inoperable.

Perform SR 3.2.4.2 . 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from discovery of THERMAL POWER

> 75% RTP AND Once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter AND D.1.2 Place channel in trip . 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> 00 -<---IRICT INSERT I

~ Bein MODE3 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> COMANCHE PEAK- UNITS 1 AND 2 3.3-3 Amendment No. 150 to TXX-21093 Page 5 of 49 RTS Instrumentation 3.3.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME E. One channel inoperable. -----------------------NOT E------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

E.1 Place channel in trip. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR < IRICT INS ERT e.~ Be iR MG9e 3. 78 A91:::1FS F. One Intermediate Range F.1 Reduce THERMAL POWER to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Neutron Flux channel < P-6 .

inoperable.

OR F.2 Increase THERMAL POWER to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

> P-10.

G . Two Intermediate Range G .1 ------------------NOTE-----------------------

Neutron Flux channels Limited boron concentration changes inoperable. associated with RCS inventory control or limited plant temperature changes are allowed.

Suspend operations involving Immediately positive reactivity additions.

AND G.2 Reduce THERMAL POWER to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />

< P-6.

COMANCHE PEAK - UNITS 1 AND 2 3.3-4 Amendment No. 150 to TXX-21093 Page 6 of 49 RTS Instrumentation 3.3.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME M. One channel inoperable. ------------------------NOTE-----------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> fo r surveillance testing.

M .1 Place channel in trip. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR < IRICT INSE RT M.2 ReE11::1ee +l=leRMAb PGVVeR ta 78 R81::1FS 4-P+.

N. ri.Jat 1::1seEI .

/

...... INSERT TS 3.3.1 I Condition N

0. One Low Fluid Oil pressure ------------------------NOTE-----------------------

Turbine Trip channel One channel may be bypassed for up to inoperable. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

0.1 Place channel in trip. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR < IRICT INSE RT G .2 ReE11::1ee +l=leRMAb PGWeR ta 7@ Ral::IFS

~

P. One or more Turbine Stop P.1 Place channel(s) in trip. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Valve Closure Turbine Trip channel(s) inoperable . GR

< IRICT INSE RT P.2 ReEl1::1oe +l=leRMAb PGVVeR ta -7H=l-eu rs INSERT TS 3.3 .1 ~

Condition Q COMANCHE PEAK - UNITS 1 AND 2 3.3-6 Amendment No . 150 to TXX-21093 Page 7 of 49 RTS Instrumentation 3.3.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME Q-:. One train inoperable. ------------------------NOTE-----------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

R.1 Q-:4 Restore train to OPERABLE status. 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> GR < jRICT INSE RT Q.2 Be iA MGQe 3. 3Q R9l::IFS R One RTB train inoperable. ------------------------NOTE-----------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing or maintenance, provided the other train is OPERABLE.

S.1 R-4 Restore train to OPERABLE status . 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> GR < IRICT INSE RT R.2 Be iA MGQe 3. 3Q R9l::IFS I. I

& . One or more required &4 Verify interlock is in required state for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> channel(s) inoperable. existing unit conditions .

-~

C' ,..,

~

~U""\l"'\I"":,:, "7 i..~

COMANCHE PEAK- UNITS 1 AND 2 3.3-7 Amendment No. 150

Attachment 2 to TXX-21093 Page 8 of 49 RTS Instrumentation 3.3.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME

+. One or more required +. Verify interlock is in required state for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 0---17 channel(s) inoperable. existing unit conditions.

V.1 Y:- One trip mechanism -Y:4 Restore inoperable trip mechanism to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />

~ inoperable for one RTB. OPERABLE status.

GR - < - - - I RICT INSERT I U.2 Be in MODE 3. 54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> INSERT TS 3.3.1

~ Not used . +-------1 w Condition W

~ Condition X SURVEILLANCE REQUIREMENTS

---

NOTE-------------------------------------------------------------

Refer to Table 3.3.1-1 to determine which SRs apply for each RTS Function .

SURVEILLANCE FREQUENCY SR 3.3.1.1 Perform CHANNEL CHECK. In accordance with the Surveillance Frequency Control Program .

COMANCHE PEAK - UNITS 1 AND 2 3.3-8 Amendment No . 4W, 156 to TXX-21093 Page 9 of 49 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 4 of 6)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE(a)

16. Turbine Trip

a. Low Fluid Oil 1U) 3 0 SR 3.3.1.10 2 46.6 psig Pressure SR 3.3.1.15

b. Turbine Stop Valve 1(j) 4 p SR 3.3.1.10 21% open Closure SR 3.3.1.15

17. Safety Injection (SI) Input 1,2 2 trains ~ Q SR 3.3.1.14 NA from Engineered Safety Feature Actuation System (ESFAS)

18. Reactor Trip System Interlocks

a. Intermediate Range 2(e) 2 ~ g SR 3.3. 1.1 1 2 6E-11 amp Neutron Flux, P-6 SR 3.3.1.13

b. Low Power Reactor 1 per train ~ + SR 3.3.1.5 NA Trips Block, P-7 C. Power Range 4 ~ + SR 3.3.1.11 ~ 50.7% RTP Neutron Flux, P-8 SR 3.3.1.13

d. Power Range 4 SR 3.3.1.11 ~ 52 .7% RTP

~ +

Neutron Flux, P-9 SR 3.3.1.13 e, Power Range 1,2 4 ~ g SR 3.3.1.11 2 7.3% RTP and Neutron Flux, P-10 SR 3.3.1.13 ~ 12.7% RTP Turbine First Stage 2 SR 3.3.1.10 ~ 12.7% turbine

f. ~ +

Pressure, P-13 SR 3.3.1.13 power

19. Reactor Trip 1,2 2 trains ~R SR 3.3.1.4 NA Breakers(RTBs)'kl 3(b), 4(b), 5(b) 2 trains C SR 3.3.1.4 NA (a) The Allowable Value defines the limiting safety system setting except for Trip Functions 2a, 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions). See the Bases for the Nominal Trip Setpoints.

(b) With Rod Contol System capable of rod withdrawal or one or more rods not fully inserted.

(e) Below the P-6 (Intermediate Range Neutron Flux) interlock.

G) Above the P-9 (Power Range Neutron Flux) interlock.

(k) Including any reactor trip bypass breakers that are racked in and closed for bypassing an RTB.

COMANCHE PEAK- UNITS 1 AND 2 3.3-18 Amendment No. 4-§G, 156 to TXX-21093 Page 1O of 49 RTS Instrumentation 3.3.1 Table 3.3.1-1 (page 5 of 6)

Reactor Trip System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE(a)

20. Reactor Trip Breaker 1,2 ti SR 3. 3.1.4 NA Undervoltage and Shunt Trip Mechanisms(k) 1 each per RTB C SR 3.3. 1.4 NA

21. Automatic Trip Logic 1,2 2 trains ~ Q SR 3.3. 1.5 NA 2 trains C SR 3.3.1.5 NA (a) The Allowable Value defines the limiting safety system setting except for Trip Functions 2a , 2b, 6, 7, and 14 (the Nominal Trip Setpoint defines the limiting safety system setting for these Trip Functions). See the Bases for the Nominal Trip Setpoints.

(b} With Rod Contol System capable of rod withdrawal or one or more rods not fully inserted.

(k) Including any reactor trip bypass breakers that are racked in and closed for bypassing an RTB .

COMANCHE PEAK- UNITS 1 AND 2 3.3-19 Amendment No. 4W, 156 to TXX-21093 Page 11 of 49 ESFAS Instrumentation 3.3.2 3.3 INSTRUMENTATION 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation LCO 3.3.2 The ESFAS instrumentation for each Function in Table 3.3.2-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.2-1 ACTIONS

---

NOTE-------------------------------------------------------------

S e para t e Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions with A.1 Enter the Condition referenced in Immediately one or more required Table 3.3.2-1 for the channel(s) or channels or trains train(s).

inoperable.

B. One channel or train B.1 Restore channel or train to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> inoperable. OPERABLE status .

GR

< IRICT INSE RT B.2.1 Be in MODE 3. 54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> ANG B.2.2 Be in MODE 5. g4 hours COMANCHE PEAK - UNITS 1 AND 2 3.3-21 Amendment No. 4-W;- 156 to TXX-21093 Page 12 of 49 ESFAS Instrumentation 3.3.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One train inoperable. -----------------------NO TE------------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

C.1 Restore train to OPERABLE status . 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> GR ( IRICT INSE RT C.2.1 Be in MODE 3. 30 hours ANG C.2.2 Be in MODE 13. eO hOUFS D. One channel inoperable. -----------------------NOTE------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing .

D.1 Place channel in trip. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR ( IRICT INS ERT D.2.1 Be in MODE 3. 78 hOUFS ANG D.2.2 Be in MODE 4. 84 hOUFS COMANCHE PEAK - UNITS 1 AND 2 3.3-22 Amendment No. 4W, 156 to TXX-21093 Page 13 of 49 ESFAS Instrumentation 3.3.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME E. One Containment Pressure -----------------------NOTE------------------------

channel inoperable. One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

E.1 Place channel in bypass. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR E.2.1 Be in MODE 3. 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> AN&

E.2.2 Be in MODE 4. 84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> F. One channel or train F.1 Restore channel or train to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> inoperable. OPERABLE status.

GR

< IRICT INSE RT F.2.1 Be in MODE 3. 54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> AN&

F.2.2 Be in MODE 4. @Q hours COMANCHE PEAK - UNITS 1 AND 2 3.3-23 Amendment No. 4W, 156 to TXX-21093 Page 14 of 49 ESFAS Instrumentation 3.3.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME G. One train inoperable. -----------------------NOTE------------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

G.1 Restore train to OPERABLE status . 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> GR < IRICT INSE RT G.2.1 Be in MODE 3. 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> ANf}

G.2.2 Be in MODE 4. 3@ hours H. One train inoperable. -----------------------NOTE------------------------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

H.1 Restore train to OPERABLE status. 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> GR

< IRICT INSE RT 1=1 .2 Be in MODE 3. 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.3-24 Amendment No. 4W, 156 to TXX-21093 Page 15 of 49 ESFAS Instrumentation 3.3.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME I. One channel inoperable . -----------------------NOTE------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing .

1.1 Place channel in trip. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR ( IRICT INS ERT 1.2 Be iR MGge 3. +8 A81:!FS J. One Main Feedwater Pump J.1 Place channel in trip. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> trip channel inoperable.

GR ( IRICT INS ERT d.2 Be iR MGge 3. 12 A81:!FS K. One channel inoperable . -----------------------N OT E------------------------

One channel may be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing.

K.1 Place channel in bypass. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR K.2.1 Be iR MGge 3. +8 A81:!FS ANG K.2 .2 Be iR MGge: a. 1Q8 A81:!FS COMANCHE PEAK- UNITS 1 AND 2 3.3-2 5 Amendment No. 4eG, 156 to TXX-21093 Page 16 of 49 ESFAS Instrumentation 3.3.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME L. One or more requ ired L.1 Verify interlock is in required state for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> channeltst inoperable. existing unit condition.

GR L.2.1 Be in MODE 3. 7 hou rs INSERT TS 3.3.2 ANQ Conditions M, N, and r 0 L.2 .2 Be in MODE 4. 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br /> SURVEILLANCE REQUIREMENTS

---

NOT E-------------------------------------------------------------

Refer to Table 3.3.2-1 to determine which SRs apply for each ESFAS Function.

SURVEILLANCE FREQUENCY SR 3.3.2.1 Perform CHANNEL CHECK. In accordance with the Surveillance Frequency Control Program.

SR 3.3.2.2 Perform ACTUATION LOGIC TEST. In accordance with the Surveillance Frequency Control Program .

SR 3.3 .2.3 Not Used.

COMANCHE PEAK - UNITS 1 AND 2 3.3-26 Amendment No. 4-eG, 156 to TXX-21093 Page 17 of 49 LOP DG Start Instrumentation 3.3.5 3.3 INSTRUMENTATION 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation LCO 3.3.5 The Loss of Power Diesel Generator Start Instrumentation for each Function in Table 3.3 .5-1 shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3, and 4

---

N OT E------------------------------------------------

Not applicable for 6.9 kV Preferred Offsite Source Undervoltage function when associated source breaker is open .

ACTIONS

---

NOTE-------------------------------------------------------------

S e pa rate Condition entry is allowed for each Function.

---

NOTE---------------------------------------------------------------

RI CT entry is not permitted for more than one Condition at a time for Conditions B, C, Dor E.

CONDITION REQUIRED ACTION COMPLETION TIME A. --------------NOTE-------------

Not applicable to Automatic Actuation Logic and Actuation Relays Function One or more Functions with A.1 Place channel in trip. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> one channel per bus ~<--IRICT INSERT I inoperable.

COMANCHE PEAK- UNITS 1 AND 2 3.3-42 Amendment No. 4W, 156 to TXX-21093 Page 18 of 49 LOP DG Start Instrumentation 3.3.5 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. Two channels per bus for B.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> the Preferred offsite source OPERABLE status.

bus undervoltage function < IRICT INSE RT I inoperable. OR B.2.1 Declare the Preferred offsite source 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable.

AND B.2.2 Open associated Preferred offsite 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> source bus breaker.

C. Two channels per bus for C.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> the Alternate offsite source OPERABLE status .

bus undervoltage function < IRICT INSE RT I inoperable. OR C.2.1 Declare the Alternate offsite source 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable.

AND C.2.2 Open associated Alternate offsite 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> source bus breaker.

D. Two channels per bus for D.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> the 6.9 kV bus loss of OPERABLE status .

voltage function inoperable.

< IRICT INSE RT I OR D.2 Declare the affected A.C. emergency 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> buses inoperable.

COMANCHE PEAK - UNITS 1 AND 2 3.3-43 Amendment No. 4-W-; 156 to TXX-21093 Page 19 of 49 LOP DG Start Instrumentation 3.3.5 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME E. Two channels per bus for E.1 Restore one channel per bus to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> one or more degraded OPERABLE status.

( IRICT INSE RT I voltage or low grid undervoltage function OR inoperable E.2.1 Declare both offsite power source 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> buses inoperable.

AND E.2.2 Open offsite power source 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> breakers to the associated buses.

F. One or more Automatic F.1 Restore train(s) to OPERABLE 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Actuation Logic and status .

Actuation Relays trains inoperable. ( IRICT INSE RT I G. Required Action and G.1 Enter applicable Condition(s) and Immediately associated Completion Required Action(s) for the associated Time not met. DG made inoperable by LOP DG start instrumentation.

COMANCHE PEAK - UNITS 1 AND 2 3.3-44 Amendment No. 4W, 156 to TXX-21093 Page 20 of 49 Pressurizer 3.4 .9 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4 .9 Pressurizer LCO 3.4 .9 The pressurizer shall be OPERABLE with :

a. Pressurizer water level::; 92%; and

b. Two groups of pressurizer heaters OPERABLE with the capacity of each group ~ 150 kW.

APPLICABILITY: MODES 1, 2, and 3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. Pressurizer water level not A.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> within limit.

AND A.2 Fully insert all rods . 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> AND A.3 Place Rod Control System in a 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> condition incapable of rod withdrawal.

-AND-A.4 Be in MODE 4. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> B. One required group of B.1 Restore required group of pressurizer 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> pressurizer heaters heaters to OPERABLE status.

inoperable.

< IRICT INSE RT I COMANCHE PEAK - UNITS 1 AND 2 3.4-18 Amendment No. 4W, 156 to TXX-21093 Page 21 of 49 Pressurizer PORVs 3.4.11 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)

LCO 3.4.11 Each PORV and associated block valve shall be OPERABLE .

APPLICABILITY: MODES 1, 2, and 3 ACTIONS

---

NOT E-------------------------------------------------------------

Sep arate Condition entry is allowed for each PORV.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more PORVs A.1 Close and maintain power to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable and capable of associated block valve.

being manually cycled .

B. One PORV inoperable and B.1 Close associated block valve. 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> not capable of being manually cycled. AND B.2 Remove power from associated 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> block valve.

AND B.3 Restore PORV to OPERABLE status . 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> EE IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.4-22 Amendment No. 4-eO, 156 to TXX-21093 Page 22 of 49 Pressurizer PORVs 3.4.11 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One block valve inoperable. -----------------------N OT E------------------------

Required Actions do not apply when block valve is inoperable solely as a result of complying with Required Actions 8 .2 or E.2.

C.1 Place associated PORV in manual 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> control.

AND C.2 Restore block valve to OPERABLE 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> status.

< IRICT INSE RT I D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion AND Time of Condition A , B, or C - -

not met.

D.2 Be in MODE 4 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> E. Two PORVs inoperable and E.1 Close associated block valves. 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> not capable of being manually cycled. AND E.2 Remove power from associated 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> block valves.

AND E.3 Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />

-AND-E.4 Be in MODE 4 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> COMANCHE PEAK- UNITS 1 AND 2 3.4-23 Amendment No. 4W, 156 to TXX-21093 Page 23 of 49 ECCS -- Operating 3.5.2 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3.5.2 ECCS -- Operating LCO 3.5.2 Two ECCS trains shall be OPERABLE.

---

NOTES----------------------------------------------

1. In MODE 3, both safety injection (SI) pump flow paths may be isolated by closing the isolation valves for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to perform pressure isolation valve testing per SR 3.4.14.1 .

2. Operation in MODE 3 with ECCS pumps made incapable of injecting, pursuant to LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System," is allowed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or until the temperature of all RCS cold legs exceeds 375°F, whichever comes first.

APPLICABILITY: MODES 1, 2, and 3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One train inoperable A.1 Restore pump to OPERABLE status . 7 days because of the inoperability of a centrifugal charging pump. -<-----IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.5-4 Amendment No. 4W, 156 to TXX-21093 Page 24 of 49 ECCS -- Operating 3.5.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. One or more trains B.1 Restore train(s) to OPERABLE 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> inoperable for reasons status.

other than one inoperable centrifugal charging pump .

AND

< IRICT INSE RT !

At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available.

C. Required Action and C.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time not met. -AND-C.2 Be in MODE 4. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.5.2.1 Verify the following valves are in the listed position with In accordance with power to the valve operator removed . the Surveillance Frequency Control Number Position Function Program.

8802 A&B Closed SI Pump to Hot Legs 8809 A&B Open RHR to Cold Legs 8835 Open SI Pump to Cold Legs 8840 Closed RHR to Hot Legs 8806 Open SI Pump Suction from RWST 8813 Open SI Pump Miniflow Valve COMANCHE PEAK- UNITS 1 AND 2 3.5-5 Amendment No. 4-eQ, 156 to TXX-21093 Page 25 of 49 Containment Air Locks 3.6.2 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. One or more containment C.1 Initiate action to evaluate overall Immediately air locks inoperable for containment leakage rate reasons other than per LCO 3.6.1 .

Condition A or B.

AND C.2 Verify a door is closed in the affected 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> air lock.

AND C.3 Restore air lock to OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> status .

< IRICT INSE RTI D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time not met. AND D.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> COMANCHE PEAK- UNITS 1 AND 2 3.6-5 Amendment No. 150 to TXX-21093 Page 26 of 49 Containment Isolation Valves 3.6.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME A. --------------NO TE-------------- A.1 Isolate the affected penetration flow 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Only applicable to path by use of at least one closed penetration flow paths with and de-activated automatic valve, two containment isolation closed manual valve, blind flange , or < IRICT INSE RT I valves. check valve with flow through the

---

valve secured .

One or more penetration AND flow paths with one containment isolation valve inoperable except for A.2 --------------------NO TES-------------------

containment purge, 1. Isolation devices in high radiation hydrogen purge or areas may be verified by use of containment pressure relief administrative means.

valve leakage not within limit. 2. Isolation devices that are locked, sealed or otherwise secured may be verified by administrative means.

Verify the affected penetration flow Once per 31 days for path is isolated. isolation devices \ _ f allowing outside containment isolation AND Prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days for isolation devices inside containment COMANCHE PEAK - UNITS 1 AND 2 3.6-8 Amendment No. 150 to TXX-21093 Page 27 of 49 Containment Isolation Valves 3.6.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. ---------------NOTE------------- C.1 Isolate the affected penetration flow 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Only applicable to path by use of at least one closed penetration flow paths with and de-activated automatic valve, < IRICT INSERT I only one containment closed manual valve, or blind flange.

isolation valve and a closed system . AND One or more penetration C .2 -------------------NOTES--------------------

flow paths with one 1. Isolation devices in high radiation containment isolation valve areas may be verified by use of inoperable. administrative means.

2. Isolation devices that are locked ,

sealed or otherwise secured may be verified by administrative means.

Verify the affected penetration flow Once per 31 days path is isolated . 1- following isolation I D. One or more penetration D.1 Isolate the affected penetration flow 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> flow paths with one or more path by use of at least one closed containment purge, and de-activated automatic valve, hydrogen purge or closed manual valve, or bl.ind flange.

containment pressure relief valves not within leakage AND limits.

COMANCHE PEAK - UNITS 1 AND 2 3.6-10 Amendment No. 150 to TXX-21093 Page 28 of 49 Containment Spray System 3.6.6 3.6 CONTAINMENT SYSTEMS 3.6.6 Containment Spray System LCO 3.6.6 Two containment spray trains shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One containment spray A.1 Restore containment spray train to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> train inoperable. OPERABLE status. ( IRICT INSE RTI B. Required Action and B.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A not AND met.

B.2 Be in MODE 5. 84 hours9.722222e-4 days <br />0.0233 hours <br />1.388889e-4 weeks <br />3.1962e-5 months <br /> C. Two containment spray C.1 Enter LCO 3.0.3. Immediately trains inoperable.

SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.6.6.1 Verify each containment spray manual , power operated , In accordance with and automatic valve in the flow path that is not locked , the Surveillance sealed, or otherwise secured in position is in the correct Frequency Control position . Program.

COMANCHE PEAK - UNITS 1 AND 2 3.6-16 Amendment No . 4W, 156 to TXX-21093 Page 29 of 49 MSIVs 3.7.2 3.7 PLANT SYSTEMS 3.7.2 Main Steam Isolation Valves (MSIVs)

LCO 3.7.2 Four MSIVs shall be OPERABLE .

APPL! CAB ILITY: MODE 1, MODES 2 and 3 except when all MSIVs are closed and deactivated .

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One MSIV inoperable in A.1 Restore MSIV to OPERABLE status. 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> MODE 1.

< IRICT INSER B. Required Action and B.1 Be in MODE 2. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A not met.

C. --------------NO TE--------------

Separate Condition entry is allowed for each MSIV.

One or more MSIV C.1 Close MSIV. 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> inoperable in MODE 2 or 3 .

AND C.2 Verify MSIV is closed. Once per 7 days D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition C not AND met.

D.2 Be in MODE 4. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.7-6 Amendment No. 150 to TXX-21093 Page 30 of 49 ARVs 3.7.4 3.7 PLANT SYSTEMS 3.7.4 Steam Generator Atmospheric Relief Valves (ARVs)

LCO 3.7.4 Four ARV lines shall be OPERABLE .

APPLICABILITY: MODES 1, 2, and 3 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One required ARV line A.1 Restore required ARV line to 7 days inoperable . OPERABLE status .

< IRICT INSER Tl B. Two required ARV lines B.1 Restore at least one ARV line to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> inoperable . OPERABLE status .

< IRICT INSER C . Three or more required C.1 Restore at least two ARV lines to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> ARV lines inoperable. OPERABLE status.

< IRICT INSER D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time not met. -AND-D.2 Be in MODE 4 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.7- 10 Amendment No. 150 to TXX-21093 Page 31 of 49 AFW System 3.7 .5

3. 7 PLANT SYSTEMS 3.7.5 Auxiliary Feedwater (AFW) System LCO 3.7.5 Three AFW trains shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3 ACTIONS

---

NOT E---------------------------------------------------------------

LCO 3.0.4.b is not applicable.

CONDITION REQUIRED ACTION COMPLETION TIME A. One steam supply to A.1 Restore steam supply to OPERABLE 7 days turbine driven AFW pump status.

inoperable. < IRICT INSER B. One AFW train inoperable B.1 Restore AFW train to OPERABLE 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for reasons other than status.

Condition A. < IRICT INSE RT I COMANCHE PEAK - UNITS 1 AND 2 3.7-12 Amendment No. 150 to TXX-21093 Page 32 of 49 CCW System 3.7.7 3.7 PLANT SYSTEMS 3.7.7 Component Cooling Water (CCW) System LCO 3.7.7 Two CCW trains shall be OPERABLE .

APPLICABILITY: MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One CCW train inoperable. -----------------------NOTE------------------------

Enter applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops -

MODE 4," for residual heat removal loops made inoperable by CCW.

A.1 Restore CCW train to OPERABLE 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> status.

< IRICT INSE RTI B. Required Action and B.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A not AND met.

B.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.7-18 Amendment No. 4-eG, 156 to TXX-21093 Page 33 of 49 ssws 3.7.8

3. 7 PLANT SYSTEMS 3.7 .8 Station Service Water System (SSWS)

LCO 3.7.8 Two SSWS trains and a SSW Pump on the opposite unit with its associated cross-connects shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A . Required SSW Pump on A.1 Restore a SSW Pump on the 7 days the opposite unit or its opposite unit to OPERABLE status.

associated cross-connects inoperable. AND

< IRICT INSERT I A.2 Restore associated cross-connects 7 days to OPERABLE status .

< IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.7-20 Amendment No. 4W;- 156 to TXX-21093 Page 34 of 49 ssws 3.7 .8 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. One SSWS train --------------------NOTES-------------------

inoperable . 1. Enter applicable Conditions and Required Actions of LCO 3.8 .1, "AC Sources -- Operating ," for emergency diesel generator made inoperable by SSWS.

2. Enter applicable Conditions and Required Actions of LCO 3.4 .6, "RCS Loops -- MODE 4," for residual heat removal loops made inoperable by SSWS.

B.1 ~JG+e

~eE11:::1 iFeEl ,A,stiaR e.U is Ret a1313liealale te l::JRit 2 El1:::1FiR§ Fe13IaseR9eRt ei tl:le SSWS Pl:::IR9J3 2 02 (+rniR 8) El1:::1FiR§ l::lRit 2 Gysle rn.

Restore SSWS train to OPERABLE 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> status.

GR < IRICT INSE RT I COMANCHE PEAK - UNITS 1 AND 2 3.7-21 Amendment No. 150, 156, 178 to TXX-21093 Page 35 of 49 ssws 3.7.8 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME 8 . (oontinued) 8 .2 ~JG+e Reeiu iFed ,A.otion 8. 2 is a1313Iioal3Ie on a one tiFfle 13asis to Fe13laoe SS!JlJS PUFflJ3 2 Q2 (+Fain 8 ) duFin§ blnit 2 Gyole ~9 . If: blnit 2 , +m in ,A, SSVlJS 13eGOFfleS ino13eFal3Ie, iFflFflediately enteF l::GG J .Q.J . Re§ulator:y GoFflFflitFflent a9ee82a (Attaol:!Fflent ~

to +XX 2QQ8e) will Be iFflJ3leFflented dUFin§ tl:le g day GGMPl::e+IG~J

+4Me:-

n--*-~~ Cl"\ A/C *--;~

~~

("'\nr-o /I DI C 0

,.,I~

- J

-~

sta-R::I&.

C. Required Action and C.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A or B AND not met.

C.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.7-21a Amendment No . 178 to TXX-21093 Page 36 of 49 Safety Chilled Water 3.7.19

3. 7 PLANT SYSTEMS 3.7.19 Safety Chilled Water LCO 3.7.19 Two safety chilled water trains shall be OPERABLE APPLICABILITY: MODES 1, 2, 3, and 4.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One safety chilled water A.1 Restore safety chilled water train to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> train inoperable. OPERABLE status.

/

....... :RICT INSE RT GR A.2 ~JG+e R:eei1::1iFeEl ,C..etiaR A.2 is a1313lieaele aR a aRe tiFRe easis ta Fe13laee Safety Gl=lilleF 2 Ge E+FaiR 13) eaFR13FessaF 81::lFiR§ 61Rit 2 Gyele 19. If +FaiR A safety el=lilleEl 11.<<ateF eeeaFRes iRa13eFaele, iFRFReEliately eRteF bGG J.G.J. R:e§1::1lataPj GaFRFRitFReRt

§9GG4 4 4 EAUael=lFReRt 2 ta

+XX 2GGie) will ee iFR13leFReRteEl 81::lFiR§ tl=le 7 Elay GGMPbe+IG~J

=RMe-:

~estaFe safety el=lilleEl 'NateF tFaiR ta 7 Elays GPeR:ABbe stat1::1s .

B. Required Action and B.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A not AND met.

B.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> COMANCHE PEAK - UNITS 1 AND 2 3.7-45 Amendment No. 1ae , 1@2, 175 to TXX-21093 Page 37 of 49 AC Sources -- Operating 3.8.1 ACTIONS

---

NOTE---------------------------------------------------------------

LCO 3.0.4 .b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A . One required offsite circuit A.1 Perform SR 3.8.1.1 for required 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable. OPERABLE offsite circuit.

AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND A .2 --------------------NOTE--------------------

1n MODES 1, 2 and 3, the TDAFW pump is considered a required redundant feature .

Declare required feature(s) with no 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> from discovery offsite power available inoperable of no offsite power to when its redundant required one train concurrent feature(s) is inoperable . with inoperability of redundant required feature(s)

AND A.3 Restore required offsite circuit to OPERABLE status . 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> ~ - - - - ~ I

< IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-2 Amendment No. 150, 152, 160, 164, 177

Attachment 2 to TXX-21093 Page 38 of 49 AC Sources -- Operating No markups on this page. 3.8.1 Included for information only.

ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. One DG inoperable. B.1 Perform SR 3.8.1 .1 for the required 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> offsite circuit(s) .

AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND B. 2 ---------------------NO TE--------------------

1n MODES 1, 2 and 3, the TDAFW pump is considered a required redundant feature .

Declare required feature(s) 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from discovery supported by the inoperable DG of Condition B inoperable when its required concurrent with redundant feature(s) is inoperable. inoperability of redundant required feature(s)

AND B.3.1 Determine OPERABLE DG(s) is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> not inoperable due to common cause failure.

OR B.3.2 -------------------NO TE-------------------

Th e SR need not be performed if the DG is already operating and loaded.

Perform SR 3.8.1 .2 for OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> DG(s).

COMANCHE PEAK- UNITS 1 AND 2 3.8-3 Amendment No. 150 to TXX-21093 Page 39 of 49 AC Sources -- Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) AND B.4.1 ~JG+e ReeiuiFeEI AetieR B.4.1 is Rat a1313lieasle ta 6JRit 2 EluFiR§ Fe13laeeFfleRt sf tl=le SSW£ Pum13 2 02 (+raiR B) EluFiR§ 6JRit 2 Gyele 19.

Restore DG to OPERABLE status. 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> GR

< IRICT INSE RT I B.4.2 ~JG+e ReeiuiFeEI AetieR B.4 .2 is a1313lieasle SR a eRe time sasis ta Fe13laee SSW£ P1:1m13 2 02 (+FaiR 13) El1:1FiR§ 6JRit 2 Gyele 19. If 6JRit 2, +FaiR ,6, SSW£ seeemes iRe13eFasle, immeEliately eRteF bGG a.0.a.

Re§1:1lateFy GemmitmeRt a9ll82a (Attael=lmeRt 1 ta +X:X: 2008@) will se im13lemeRteEI El1:1FiR§ tl=le g Elay GGMPbe+IG~J + IMe.

ResteFe QG ta GPeRABbe stat1:1s. g Elays COMANCHE PEAK- UNITS 1 AND 2 3.8-4 Amendment No. 4-eQ,--178 to TXX-21093 Page 40 of 49 AC Sources -- Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME C. Two required offsite circuits C.1 --------------------NOTE--------------------

inoperable. In MODES 1, 2 and 3, the TDAFW pump is considered a required redundant feature .

Declare required feature(s) 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from discovery inoperable when its redundant of Condition C required feature(s) is inoperable. concurrent with inoperability of redundant required features AND C.2 Restore one required offsite circuit to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> OPERABLE status.

- < - - I RICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-4a Amendment No. 178 to TXX-21093 Page 41 of 49 AC Sources -- Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME D. One required offsite circuit -----------------------NOTE------------------------

inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.9, "Distribution AND Systems - Operating ," when Condition D is entered with no AC power source to any One DG inoperable. train .

D.1 Restore required offsite circuit to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> OPERABLE status .

< IRICT INSERT I OR D.2 Restore DG to OPERABLE status. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />

< IRICT INSERT I E. Two DGs inoperable. E.1 Restore one DG to OPERABLE 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> status.

F. One SI sequencer F.1 --------------------NOTE---------------------

inoperable. One required SI sequencer channel may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other channel is operable.

Restore SI sequencer to OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> status.

< IRICT INSERT I G. Required Action and G.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time of Condition A, B, C, AND D, E, or F not met.

G.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> COMANCHE PEAK- UNITS 1 AND 2 3.8-5 Amendment No. 150 to TXX-21093 Page 42 of 49 DC Sources -- Operating 3.8.4 3.8 ELECTRICAL POWER SYSTEMS 3.8.4 DC Sources -- Operating LCO 3.8.4 The Train A and Train B DC electrical power subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One or two required battery A.1 Restore affected battery(ies) terminal 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> chargers on one train voltage to greater than or equal to the inoperable. minimum established float voltage.

AND A.2 Verify affected battery(ies) float Once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> currents 2 amps .

AND A.3 Restore required battery charger(s) 7 days to OPERABLE status .

+-(-----1IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-23 Amendment No. 4-eQ, 170 to TXX-21093 Page 43 of 49 DC Sources -- Operating 3.8.4 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME B. One or two batteries on one B.1 Restore affected battery(ies) to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> train inoperable. OPERABLE status.

< IRICT INSE RT I GR El~ ~JG+e R:eeitiiFeEI ,A,etiaR 13.~ is a1313liea0le faF a aRe tiFRe sasis ta Fe13laee eell ~+ iR sattept 13+1 eg~ aREI eell 41 iR satteFy 13+1 Eg4 Elt1FiR§ l::JRit 1 Gyele ~8 (Rat at U1e saFRe tiFRe) . If tl=le seeaREI sattept aR tl=le saFRe tFaiR seeaFRes iR9f38F8Sle , iFRFReEliately iRitiate R:eeitiiFeEI ,A,etiaRS g _1 aREI g _~.

R:e§tilataFy b9FRFRitFReRt §@44411 (Attael=IFReRt ~ ta +X:X: 188@4) will se iFR13leFReRteEI ElmiR§ tl=le 1g R9tlF GaFR13letiaR +iFRe.

R:estarn affeeteEI satter=y ta 18 R9t1FS GPeR:Al3be stattis.

C. One DC electrical power C.1 Restore DC electrical power 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> subsystem inoperable for subsystem to OPERABLE status.

reasons other than Condition A or B. < IRICT INSE RT I D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Associated Completion Time not met. -AND-D.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> COMANCHE PEAK- UNITS 1 AND 2 3.8-24 Amendment No. 1§8 , 1a@ , 170 to TXX-21093 Page 44 of 49 Inverters - Operating 3.8.7 3.8 ELECTRICAL POWER SYSTEMS 3.8.7 Inverters -- Operating LCO 3 .8.7 The required Train A and Train B inverters shall be OPERABLE.

---

NOTE----------------------------------------------

Inverters may be disconnected from one DC bus for::::; 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to perform an equalizing charge on their associated common battery, provided:

a. The associated AC vital bus(es) are energized; and

b. All other AC vital buses are energized from their associated OPERABLE inverters.

APPLICABILITY: MODES 1, 2 , 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One required inverter A . 1 ---------------------NOTE--------------------

inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating" with any vital bus de-energized.

Restore inverter to OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> status.

-<--IRICT INSERT I COMANCHE PEAK - UNITS 1 AND 2 3.8-33 Amendment No. 4W, 156 to TXX-21093 Page 45 of 49 Distribution Systems - Operating 3.8.9 3.8 ELECTRICAL POWER SYSTEMS 3.8.9 Distribution Systems -- Operating LCO 3.8 .9 Train A and Train B AC, DC, and AC vital bus electrical power distribution subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3, and 4 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One AC electrical power A.1 Restore AC electrical power 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> distribution subsystem distribution subsystem to inoperable. OPERABLE status. < IRICT INSE RTI B. One AC vital bus 8 .1 Restore AC vital bus subsystem to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> subsystem inoperable. OPERABLE status.

< IRICT INSE RT I C. One DC electrical power C.1 Restore DC electrical power 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> distribution subsystem distribution subsystem to inoperable. OPERABLE status. < ~RICT INSE RT I D. Required Action and D.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time not met. AND D.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> E. Two trains with inoperable E.1 Enter LCO 3.0.3 . Immediately distribution subsystems that result in a loss of safety function.

COMANCHE PEAK - UNITS 1 AND 2 3.8-37 Amendment No. 4-§.G. 156 to TXX-21093 Programs and Manuals Page 46 of 49 5.5 5.5 Programs and Manuals 5.5.22 Spent Fuel Storage Rack Neutron Absorber Monitoring Program (continued)

In order to ensure the reliability of the Neutron Poison material , a monitoring program is required to routinely confirm that the assumptions utilized in the criticality analysis remain valid and bounding . The Neutron Absorber Monitoring Program is established to monitor the integrity of neutron absorber test coupons periodically as described below.

A test coupon "tree" shall be maintained in each SFP. Each coupon tree originally contained 8 neutron absorber surveillance coupons . Detailed measurements were taken on each of these 16 coupons prior to installation, including weight, length, width, thickness at several measurement locations, and B-10 content (g/cm 2). These coupons shall be maintained in the SFP to ensure they are exposed to the same environmental conditions as the neutron absorbers installed in the Region I storage cells, until they are removed for analysis.

One test coupon from each SFP shall be periodically removed and analyzed for potential degradation, per the following schedule. The schedule is established to ensure adequate coupons are available for the planned life of the storage racks.

Year Coupon Number Year Coupon Number 2013 1 2028 5 2015 2 2033 6 2018 3 2043 7 2023 4 2053 8 Further evaluation of the absorber materials, including an investigation into the degradation and potential impacts on the Criticality Safety Analysis, is required if:

A decrease of more than 5% in B-10 content from the initial value is observed in any test coupon as determined by neutron attenuation .

An increase in thickness at any point is greater than 25% of the initial thickness at that point.

~<----iliNSERT SECTION 5.5.23 I COMANCHE PEAK - UNITS 1 AND 2 5.5-19 Amendment No. 173 to TXX-21093 Page 47 of 49 CPNPP TS INSERTS EXAMPLE 1.3-8 INSERT Example 1.3-8 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One subsystem A.1 Restore subsystem 7 days inoperable. to OPERABLE status. OR In accordance with the Risk Informed Completion Time Program B. Required Action and B.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion Time not met. AND B.2 Be in MODE 5. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> When a subsystem is declared inoperable, Condition A is entered. The 7 day Completion Time may be applied as discussed in Example 1.3-2. However, the licensee may elect to apply the Risk Informed Completion Time Program which permits calcu lation of a Risk Informed Completion Time (RICT) that may be used to complete the Required Action beyond the 7 day Completion Time. The RICT cannot exceed 30 days. After the 7 day Completion Time has expired, the subsystem must be restored to OPERABLE status within the RICT or Condition B must also be entered .

The Risk Informed Completion Time Program requires recalculation of the RICT to reflect changing plant conditions . For planned changes, the revised RICT must be determined prior to implementation of the change in configuration. For emergent conditions, the revised RICT must be determ ined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.

If the 7 day Completion Time clock of Condition A has expired and subsequent changes in plant condition result in exiting the applicability of the Risk Informed Completion Time Program without restoring the inoperable subsystem to OPERABLE status, Condition B is also entered and the Completion Time clocks for Required Actions B.1 and B.2 start.

If the RICT expires or is recalculated to be less than the elapsed t ime since the Condition was entered and the inoperable subsystem has not been restored to OPERABLE status, Condition Bis also entered and the Completion Time clocks for Required Actions B.1 and B.2 start. If the inoperable subsystems are restored to OPERABLE status after Condition B is entered, Conditions A is exited, and therefore, the Required Actions of Condition B may be terminated .

to TXX-21093 Page 48 of 49 CPNPP TS INSERT RICT INSERT OR In accordance with the Risk Informed Completion Time Program.

INSERT TS 3.3.1 Condition N N. Required Action and associated N.1 Reduce THERMAL POWER to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Condition M < P-7 not met.

INSERT TS 3.3.1 Condition Q g,_ Required Action and associated Q.l Reduce THERMAL POWER to 4 hou rs Completion Time of Condition 0 < P-9 or P not met.

INSERT TS 3.3.1 Condition W

w. Required Action and associated W.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Condition B, D, E, R, S, Tor V not met.

INSERT TS 3.3.1 Condition X X. Required Action and associated X.1 Be in MODE 2. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Condition U not met.

INSERT TS 3.3.2 Condition M M. Required Action and associated M.l Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Conditions B, C, or K not met. AND M.2 Be in MODE 5 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> INSERT TS 3.3.2 Condition N N. Required Action and associated N.1 Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Conditions D, E, F, G, or L not met. AND N.2 Be in MODE 4 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to TXX-21093 Page 49 of 49 INSERT TS 3.3.2 Condition 0

0. Required Action and associated 0.1 Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of Conditions H, I, or J not met.

SECTION 5.5.23 INSERT 5.5.23 Risk Informed Completion Time Program This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09-A, Revision 0, "Risk-Managed Technical Specifications (RMTS) Guidelines." The program shall include the following:

a. The RICT may not exceed 30 days;

b. A RICT may only be utilized in MODE 1 and 2;

c. When a RICT is being used, any change to the plant configuration, as defined in NEI 06-09-A, Appendix A, must be considered for the effect on the RICT.

1. For planned changes, the revised RICT must be determined prior to implementation of the change in configuration.

2. For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.

3. Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.

d. For emergent conditions, if the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:

1. Numerically accounting for the increased possibility of CCF in the RICT calculation; or

2. Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.

e. The risk assessment approaches and methods shall be acceptable to the NRC. The plant PRA shall be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant, as specified in Regulatory Guide 1.200, Revision 2. Methods to assess the risk from extending the Completion Times must be PRA methods used to support this license amendment, or other methods approved by the NRC for generic use; and any change in the PRA methods to assess risk that are outside these approval boundaries require prior NRC approval.

to TXX-21093 Page 1 of 15 ATTACHMENT 4 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" Cross-Reference of TSTF-505 and CPNPP Technical Specifications to TXX-21093 Page 2 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments Completion Times 1.3 1.3 The CPNPP TS do not currently contain this example. Example to be Example 1.3-8 [NEW TS] 1.3-8 [NEW TS] 1.3-8 No added to CPNPP TS to be consistent with TSTF-505. This is a new definition only (i.e., there is no RICT directly applicable to the TS.)

RTS Instrumentation 3.3.1 3.3.1 One Manual Reactor Trip channel rrsTF-505 changes are incorporated. (Function 1, Manual Reactor 3.3.1.B.1 3.3.1.B.1 Yes inoperable. rrrip)

One Power Range Neutron Flux - High rrsTF-505 changes are incorporated. (Function 2.a, Power Range 3.3.1.D.1.2 3.3.1.D.2.1 Yes channel inoperable. Neutron Flux - High)

One Channel inoperable. 3.3 .1.E.1 3.3.1.E.1 Yes TSTF-505 changes are incorporated. [Note 1]

One channel inoperable. 3.3.1.M.1 3.3.1.L.1 Yes TSTF-505 changes are incorporated. [Note 2]

Required Action and associated

[New TS] [New TS]

Completion Time of Condition M not No This a new TS "default" condition added consistent with TSTF-505.

3.3.1 N.l 3.3.1.M.1 met.

TSTF-505 Changes are incorporated. The wording of TSTF-505 One Low Fluid Oil Pressure Turbine tvaries from CPNPP TS (i.e., TS specifies One Low Fluid 3.3.1.0.1 3.3.1.R .1 Yes rrrip channel inoperable Oil Pressure Turbine Trip channel inoperable.) (Function 16.a, rrurbine Trip - Low Fluid Oil Pressure) rrsTF-505 Changes are incorporated. The wo rding of TSTF-505 One or more Turbine Stop Valve Closure tvaries from CPNPP TS (i.e., TS specifies One or more Turbine Stop 3.3.1.P.1 3.3.1.R.1 Yes rrurbine Trip channel(s) inoperable. Valve Closure Trip channel(s) inoperable.) (Function 16.b, Turbine Trip - Turbine Stop Valve Closure)

Required Action and associated

[New TS] [New TS]

Completion Time of Condition O or P not No This a new TS "default" condition added consistent with TSTF-505.

3.3.1 Q 3.3.1.S.l met.

One train inoperable. 3.3.1.R.1 3.3.1.T.1 Yes TSTF-505 changes are incorporated. [Note 3]

rrsTF-505 changes are incorporated. (Function 19, Reactor Trip One RTB train inoperable. 3.3.1.S.l 3.3.1.U .l Yes Breakers (RTBs))

One or more required channel(s) 3.3.1.T.1 3.3.1.V.1 No rrsTF-505 changes are incorporated. [Note 4]

inoperable.

to TXX-21093 Page 3 of 15 Tech Spec Description CPNPPTS TS-505 TS ApplyRICT? Comments One or more required channel(s) 3.3.1.U.1 3.3.1.W.1 No il"STF-505 changes are incorporated . [Note SJ inoperable.

One trip mechanism inoperable for one TSTF-505 changes are incorporated. (Function 20, Reactor Trip 3.3.1.V.1 3.3.1.Y.1 Yes RTB. Breaker Undervoltage and Shunt Trip Mechanisms)

Required Action and associated

[New TS] [New TS]

Completion Time of Condition B, D, E, R, No This a new TS "default" condition added consistent with TSTF-505.

3.3.1 W.1 3.3.1.Z.1 S, Tor V not met.

Required Action and associated

[New TS] [New TS]

Completion Time of Condition U not No This a new TS "default" condition added consistent with TSTF-505.

3.3.1.X.1 3.3.1.X.1 met.

ESFAS Instrumentation 3.3.2 3.3.2 One channel or train inoperable. 3.3.2.B.1 3.3.2.B.1 Yes rTSTF-505 changes are incorporated. [Note 6]

One train inoperable. 3.3.2.C.1 3.3 .2.C.1 Yes il"STF-505 changes are incorporated . [Note 7]

One channel inoperable. 3.3.2.D.1 3.3.2.D.1 Yes rTSTF-505 changes are incorporated. [Note 8]

One Containment Pressure channel 3.3.2.E.1 3.3.2.E.1 No TSTF-505 changes are incorporated. [Note 9]

inoperable One channel or train inoperable. 3.3.2.F.1 3.3.2.F.1 Yes TSTF-505 changes are incorporated. [Note 10]

One train inoperable. 3.3.2.G.1 3.3.2.G.l Yes TSTF-505 changes are incorporated. [Note 11]

One train inoperable. 3.3.2.H.1 3.3.2.H.1 Yes TSTF-505 changes are incorporated . [Note 12]

One channel inoperable. 3.3.2.1.1 3.3.2.1.1 Yes TSTF-505 changes are incorporated. [Note 13]

One Main Feedwater Pumps trip 3.3.2.J.1 3.3.2.J.1 Yes [TSTF-505 changes are incorporated. [Note 14]

channel inoperable.

One channel inoperable. 3.3.2.K.1 3.3.2.K.1 No iTSTF-505 changes are incorporated . [Note 15]

One or more channels inoperable 3.3 .2.L.1 3.3.2.L.1 No TSTF-505 changes are incorporated . [Note 16]

Required Action and associated

[New TS] [New TS]

Completion Time of Conditions B, C or K No This a new TS "default" condition added consistent with TSTF-505.

3.3.2.M.1 3.3.2.M.1 not met.

to TXX-21093 Page 4 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments Required Action and associated

[New TS] [New TS]

Completion Time of Conditions D, E, F, G No This a new TS "default" condition added consistent with TSTF-505.

3.3.2.N.1 3.3.2.N.1 or L not met.

Required Action and associated

[New TS] [New TS]

Completion Time of Conditions H, I, or J No This a new TS "default" condition added consistent with TSTF-505.

3.3.2 0.1 3.3.2.0.1 not met.

LOP DG Start Instrumentation 3.3.5 3.3.5 One or more Functions with one 3.3.5.A.1 3.3.5.A.1 Yes TSTF-505 changes are incorporated .

channel per bus inoperable.

rTSTF-505 changes are incorporated. The wording of TSTF-505 rrwo channels per bus for the Preferred

~aries from CPNPP TS (i.e., TS specifies the Preferred offsite source offsite source bus undervoltage function 3.3.5.B.1 3.3.5.B.1 Yes bus undervoltage function inoperable; and TSTF-505 refers to one inoperable.

or more Functions inoperable.) [Note 17]

iTSTF-505 changes are incorporated. The wording ofTSTF-505 lfwo channels per bus for the Alternate

~aries from CPNPP TS (i.e., TS specifies the Alternate offsite source offsite source bus undervoltage function 3.3.5.C.1 3.3.5.B.1 Yes bus undervoltage function inoperable; and TSTF-505 refers to one inoperable.

or more Functions inoperable.) [Note 18]

TSTF-505 changes are incorporated. The wording ofTSTF-505 Two channels per bus for the 6.9 kV bus varies from CPNPP TS (i.e., TS specifies the 6.9kV buss loss of 3.3.5.D.1 3.3.5.B.1 Yes loss of voltage function inoperable voltage function inoperable; and TSTF-505 refers to one or more Functions inoperable.) [Note 19]

TSTF-505 changes are incorporated. The wording of TSTF-505 Two channels per bus for one or more

~aries from CPNPP TS (i.e., TS specifies the degraded voltage or low degraded voltage or low grid 3.3.5.E.1 3.3.5.B.1 Yes

~rid undervoltage function inoperable; and TSTF-505 refers to one undervoltage function inoperable or more Functions inoperable.) [Note 20]

One or more Automatic Actuation Logic 3.3.5.F.1 3.3.5.B.1 Yes TSTF-505 changes are incorporated. The wording of TSTF-505 and Actuation Relays trains inoperable. varies from CPNPP TS (This Function is treated similar TS 3.3.2.C.1 with a 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> CT) [Note 21]

to TXX-21093 Page 5 of 15 Tech Spec Description CPNPPTS TS-505 TS ApplyRICT? Comments Pressurizer 3.4.9 3.4.9 One required group of pressurizer TSTF-505 changes are incorporated.

heaters inoperable. 3.4.9.B.1 3.4.9.B.1 Yes Pressurizer Power Operated Relief 3.4.11 3.4.11 Valves (PORVs)

One PORV inoperable and not capable 3.4.11.B.3 3.4.11.B.3 Yes TSTF-505 changes are incorporated .

of being manually cycled.

One block valve inoperable. 3.4.11.C.2 3.4.11.C.2 Yes TSTF-505 changes are incorporated .

ECCS -- Operating 3.5.2 3.5.2 rrsTF-505 Changes are incorporated. The wording of TSTF-505 One train inoperable because ofthe rvaries from CPNPP TS (i.e., TS refers to one train inoperable due to inoperability of a centrifugal charging 3.5.2.A.1 N/A Yes inoperability of a centrifugal charging pump; and TSTF-505 refers pump. ~o one or more trains and does not specify the cause of inoperability)

One or more trains inoperable for reasons other than one inoperable TSTF-505 changes are incorporated. The wording of TSTF-505 centrifugal charging pump.

varies from CPNPP TS (i.e., TS includes AND At least 100% ofthe

~ 3.5.2.B.1 3.5.2.A.1 Yes ECCS flow equivalent to a single OPERABLE ECCS train available.

At least 100% of the ECCS flow TSTF-505 does not include this statement.)

equivalent to a single OPERABLE ECCS

~rain available.

Containment Air Locks 3.6.2 3.6.2 One or more containment air locks 3.6.2.C.3 3.6.2.C.3 Yes TSTF-505 changes are incorporated.

inoperable for reasons other than Condition A or B.

to TXX-21093 Page 6 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments I

Containment Isolation Valves 3.6.3 3.6.3 One or more penetration flow paths with one containment isolation valve TSTF-505 changes are incorporated. The wording of TSTF-505 inoperable except for containment varies from CPNPP TS (i.e., TSTF-505 states One or more 3.6.3.A.1 3.6.3.A.1 Yes purge, hydrogen purge or containment penetration flow paths with one containment isolation valve pressure relief valve leakage not within inoperable [for reasons other than Condition[s] D [and E)) .

limit.

One or more penetration

• low paths with one containment 3.6.3.C.1 3.6.3.C.1 Yes TSTF-505 changes are incorporated.

isolation valve inoperable.

Containment Spray System 3.6.6 3.6.6 irSTF-505 changes are incorporated. CPNPP TS did not contain the One containment spray 3.6.6.A.1 3.6.6.A.1 Yes second Completion Time for this condition and therefore it was not

~rain inoperable.

included in the LAR to adopt TSTF-439.

Main Steam Isolation Valves (MSIVs) 3.7.2 3.7.2 One MSIV inoperable in MODE 1. 3.7.2.A.1 3.7 .2.A.1 Yes TSTF-505 changes are incorporated .

Steam Generator Atmospheric Relief 3.7.4 3.7.4 Valves (ARVs) irSTF-505 changes are incorporated. The wording of TSTF-505 One required ARV line inoperable. 3.7.4.A.1 3.7.4.A.1 Yes ~aries from CPNPP TS (i.e., TS refers to ARV line and TSTF-505 refers to ADV line.)

irSTF-505 changes are incorporated . The wording of TSTF-505 irwo required ARV lines inoperable. 3.7.4.B.1 3.7.4.B.1 Yes varies from CPNPP TS (i.e., TS refers to ARV line and TSTF-505 refers to ADV line.)

to TXX-21093 Page 7 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments rrhis is a CPNPP-specific condition with restoration action (i.e.,

lfhree or more required ARV lines Restore at least two ARV lines to operable status) and a completion 3.7.4.C.1 N/A Yes inoperable. time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Vistra OpCo proposes to apply RICT to the existing CPNPP TS 3.7.4, Action C.l.

Auxiliary Feedwater (AFW) System 3.7.5 3.7.5 TSTF-505 changes are incorporated. The wording of TSTF-505 varies from CPNPP TS (i.e., TS does not include OR One turbine One steam supply to turbine driven AFW driven AFW pump inoperable in Mode 3 for refueling). The second 3.7.5.A.1 3.7.5.A.1 Yes pump inoperable. Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No. ML073400037).

rTSTF-505 changes are incorporated. The wording ofTSTF-505

~aries from CPNPP TS (i.e., TS refers to One AFW train inoperable for reasons other than Condition A and TSTF-505 refers to One One AFW train inoperable for reasons ~FW train inoperable in MODE 1, 2, or 3 for reasons other than 3.7.5.B.1 3.7.5.B.1 Yes other than Condition A. Condition A) . The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037)

Component Cooling Water (CCW) 3.7.7 3.7.7 System One CCW train inoperable. 3.7.7.A.1 3.7.7.A.1 Yes lfSTF-505 changes are incorporated.

Station Service Water System (SSWS) 3.7.8 3.7.8 rrsTF-505 Changes are incorporated. The wording of TSTF-505 Required SSW Pump on the opposite

~aries from CPNPP TS (i.e., TS refers to Required SSW Pump on the unit or its associated cross-connects 3.7.8.A.l NA Yes opposite unit or its associated cross-connects inoperable and TSTF-inoperable.

505 refers to one SWS train inoperable.)

Attachment 4 to TXX-21093 Page 8 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments ITSTF-505 Changes are incorporated. The wording of TSTF-505 Required SSW Pump on the opposite rvaries from CPNPP TS (i.e ., TS refers to Required SSW Pump on the unit or its associated cross-connects 3.7.8.A.2 NA Yes opposite unit or its associated cross-connects inoperable and TSTF-inoperable.

505 refers to one SWS train inoperable.)

TSTF-505 Changes are incorporated. The wording of TSTF-505 One SSWS train inoperable. 3.7.8.B.1 3.7.8.A.1 Yes varies from CPNPP TS (i.e., TS refers to One SSWS train inoperable and TSTF-505 refers to one SWS train inoperable.)

Removal of one-time change to TS 3.7.8, Required Action B. 1 Note and Required Action B.2 (LA 178 - ML21015A212) . This change is One SSWS train inoperable. 3.7.8.B.1 NA NA not related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

Safety Chilled Water 3.7.19 N/A IThis is a CPNPP-specific Condition with restoration action (i.e.,

One safety chilled water train Restore safety chilled water train to OPERABLE status.) and a 3.7.19.A.1 N/A Yes inoperable. completion time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Vistra OpCo proposes to apply a RICT to the existing CPNPP TS 3.7.19, Action A.l.

Removal of one-time change to TS 3.7.8, Condition A.2 (LA 175 -

One safety chilled water train 3.7.19.A.1 NA NA ML20223A349). This change is not related to TSTF-505, Rev 2 as inoperable.

stated in Attachment 1 to original submittal (ML21131A233).

IAC Sources -- Operating 3.8.1 3.8.1 ITSTF-505 changes are incorporated . The second Completion Time

~or this condition was addressed by Vistra OpCo LAR to Adopt One required offsite circuit inoperable. 3.8.1.A.3 3.8.1.A.3 Yes ITSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037)

ITSTF-505 changes are incorporated . The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt One DG inoperable. 3.8.1.B.4 3.8.1.B.4 Yes ITSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037) to TXX-21093 Page 9 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments Remova l of one-time change to TS 3.8.1, Condition B. 4 Notes and Required Action B. 4.2 (LA 178 - M L21015A212) . This change is not One DG inoperable. 3.8.1.B.4 NA NA related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

tfwo required offsite circuits inoperable. 3.8.1.C.2 3.8.1.C.2 Yes tfSTF-505 changes are incorporated .

One requi red offsite circuit inoperable.

AND 3.8.1.D.1 3.8.1.D.1 Yes TSTF-505 changes are incorporated .

One DG inoperable.

One required offsite circuit inoperable.

AND 3.8.1.D.2 3.8.1.D.2 Yes TSTF-505 changes are incorporated.

One DG inoperable.

tfSTF-505 Changes are incorporated . The wording of TSTF-505

~aries from CPNPP TS (i .e., TS refers to One SI sequencer One SI sequencer inoperable. 3.8.1.F.1 3.8.1.F.1 Yes inoperable and TSTF-505 refers to One required automatic load sequencer inoperable.

DC Sources -- Operating 3.8.4 3.8.4 TSTF-505 changes are incorporated . The wording ofTSTF-505 One or two required battery chargers on varies from CPNPP TS (i.e., TS refers to One or two required battery 3.8 .4.A.3 3.8.4.A.3 Yes one train inoperable. chargers on one t rain inoperable and TSTF-505 does not use the tword "requ ired." )

One or two batteries on one train 3.8.4.B.1 3.8.4.B.1 Yes tfSTF-505 changes are incorporated.

inoperable.

Removal of one-time change to TS 3.8.4, Condition B. 2 Note and One or two batteries on one train Required Action B.2 (LA 170 - ML18267A384). This change is not 3.8.4.B.1 NA NA inoperable. related to TSTF-505, Rev 2 as stated in Attachment 1 to original submittal (ML21131A233).

to TXX-21093 Page 10 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments One DC electrical power subsystem inoperable for reasons other than 3.8.4.C.1 3.8.4.C.1 Yes rT"STF-505 changes are incorporated.

Condition A or B.

Inverters -- Operating 3.8.7 3.8.7 One required inverter inoperable. 3.8.7.A.1 3.8.7.A.1 Yes TSTF-505 changes are incorporated.

Distribution Systems -- Operating 3.8.9 3.8.9 TSTF-505 changes are incorporated. The wording of TSTF-505 Ktaries from CPNPP TS (i.e., TS refers to One AC electrical power distribution subsystem inoperable and TSTF-505 refers to one or One AC electrical power distribution 3.8.9.A.1 3.8.9.A.1 Yes more AC electrical power distribution subsystems inoperable). The subsystem inoperable.

second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No. ML073400037) .

TSTF-505 changes are incorporated. The wording ofTSTF-505 varies from CPNPP TS (i. e., TS refers to One AC vital bus subsystem inoperable and TSTF-505 refers to One or more AC vital buses One AC vital bus subsystem inoperable. 3.8.9.B.1 3.8.9.B.1 Yes inoperable). The second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No.

ML073400037).

to TXX-21093 Page 11 of 15 Tech Spec Description CPNPPTS TS-505 TS Apply RICT? Comments lfSTF-505 changes are incorporated. The wording ofTSTF-505 rvaries from CPNPP TS (i.e., TS refers to One DC electrical power distribution subsystems inoperable and TSTF-505 refers to One or One DC electrical power distribution 3.8.9.C.1 3.8.9.C.1 Yes more DC electrical power distribution subsystems inoperable). The subsystem inoperable.

second Completion Time for this condition was addressed by Vistra OpCo LAR to Adopt TSTF-439 submitted December 19, 2006. (ADAMS Ascension No. ML073400037).

Programs and Manuals 5.5 5.5 The CPNPP TS do not currently contain this program. The new RICT

[New TS] [New TS]

Programs and Manuals No Program will be added to the CPNPP TS 5.5 consistent with TSTF-5.5.23 5.5.18 505.

to TXX-21093 Page 12 of 15 NOTES

1. TS 3.3.1 Condition E applies to the following trip inputs;

• Power Range Neutron Flux - Low (Function 2.b)

• Power Range Neutron Flux Rate High Positive Rate (Function 3)

• Overtemperature N-16 (Function 6)

• Overpower N-16 (Function 7)

• Pressurizer Pressure - High (Function 8.b)

• Steam Generator (SG) Water Level - Low-Low (Function 14)

2. TS 3.3.1 Condition M applies to the following trip inputs;

• Pressurizer Pressure - Low (Function 8.a)

• Pressurizer Water Level - High (Function 9)

• Reactor Coolant Flow - Low (Function 10)

• Undervoltage RCPs (Function 12)

• Underfrequency RCPs (Function 13)

3. TS 3.3.1 Condition R applies to the following trip inputs;

• Safety Injection (SI) from Engineered Safety Feature Actuation System (ESFAS) (Function 17)

• Automatic Trip Logic (Function 21)

4. TS 3.3.1 Condition T applies to the following Reactor Trip System Interlocks;

• Intermediate Range Neutron Flux, P-6 (Function 18.a)

• Power Range Neutron Flux, P-10 (Function 18.e)

5. TS 3.3.1 Condition U applies to the following Reactor Trip System Interlocks;

• Low Power Reactor Trips Block, P-7 (Function 18.b)

• Power Range Neutron Flux, P-8 (Function 18.c)

• Power Range Neutron Flux, P-9 (Function 18.d)

• Turbine First Stage Pressure, P-13 (Function 18.f) to TXX-21093 Page 13 of 15

6. TS 3.3.2 Condition B applies to the following ES FAS inputs;

• Safety Injection Manual Initiation (Function 1.a)

• Containment Spray Manual Initiation (Function 2.a)

• Containment Isolation Phase A Manual Initiation (Function 3.a.(1))

• Containment Isolation Phase B Manual Initiation (Function 3.b.(1))

7. TS 3.3.2 Condition C applies to the following ESFAS inputs;

• Safety Injection Automatic Actuation Logic and Actuation Relays (Function l.b)

• Containment Spray Automatic Actuation Logic and Actuation Relays (Function 2.b)

• Containment Isolation Phase A Automatic Actuation Logic and Actuation Relays (Function 3.a .(2))

• Containment Isolation Phase B Automatic Actuation Logic and Actuation Relays (Function 3.b.(2))

• Automatic Switchover to Containment Sump Automatic Actuation Logic and Actuation Relays (Function 7.a)

8. TS 3.3.2 Condition D applies to the following ESFAS inputs;

• Safety Injection Containment Pressure - High 1 (Function 1.c)

• Safety Injection Pressurizer Pressure - Low (Function 1.d)

• Safety Injection Steam Line Pressure - Low (Function 1.e)

• Steam Line Isolation Containment Pressure - High 2 (Function 4.c)

• Steam Line Isolation Steam Line Pressure - Low (Function 4.d.(1))

• Steam Line Isolation Steam Line Pressure Negative Rate - High (Function 4.d.(2))

• Auxiliary Feedwater SG Water Level - Low-Low (Function 6.c)

9. TS 3.3.2 Condition E applies to the following ESFAS inputs;

• Containment Spray Containment Pressure - High 3 (Function 2.c)

• Containment Isolation Phase B Containment Pressure - High 3 (Function 3.b.(3))

10. TS 3.3.2 Condition F applies to the following ESFAS inputs;

• Steam Line Isolation Manual Initiation (Function 4.a)

• Auxiliary Feedwater Loss of Offsite Power (Function 6.e)

• ESFAS Interlocks Reactor Trip, P-4 (Function 8.a) to TXX-21093 Page 14 of 15

11. TS 3.3.2 Condition G applies to the following ESFAS inputs;

• Steam Line Isolation Automatic Actuation Logic and Actuation Relays (Function 4.b)

• Auxiliary Feedwater Automatic Actuation Logic and Actuation Relays (Solid State Protection System) (Function 6.a)

12. TS 3.3 .2 Condition H applies to the following ESFAS inputs;

• Turb ine Trip and Feedwater Isolation Automatic Actuation Logic and Actuation Relays (Function 5.a)

13. TS 3.3.2 Condition I applies to the following ESFAS inputs;

• Turbine Trip and Feedwater Isolation SG Water Level High-High (P-14) (Function 5.b)

14. TS 3.3.2 Condition J applies to the following ESFAS inputs;

• Auxiliary Feedwater Trip of all Main Feedwater Pumps (Function 6.g)

15. TS 3.3.2 Condition K applies to the following ESFAS inputs;

• Automatic Switchover to Containment Sump Refueling Water Storage Tank (RWST) Level Low-Low (Function 7.b)

16. TS 3.3.2 Condition L applies to the following ESFAS inputs;

• ESFAS Interlocks Pressurizer Pressure, P-11 (Function 8.b)

17. TS 3.3.5 Condition B applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions;

• Preferred offsite source bus undervoltage (Function 2)

18. TS 3.3.5 Condition C applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions;

• Alternate offsite source bus undervoltage (Function 3)

19. TS 3.3.5 Condition D applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions;

• 6.9 kV Class 1E bus undervoltage (Function 4) to TXX-21093 Page 15 of 15

20. TS 3.3.5 Condition E applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions;

• 6.9 kV Class lE bus degraded voltage (Function 5)

• 480 V Class lE bus low grid undervoltage (Function 6)

• 480 V Class lE bus degraded voltage (Function 7)

21. TS 3.3.5 Condition F applies to the following Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions;

• Automatic Actuation Logic and Actuation Relays (Function 1) to TXX-21093 Page 1 of 71 ENCLOSURE 1 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" List of Required Actions to Corresponding PRA Functions to TXX-21093 Page 2 of 71 1.0 Introduction Section 4.0, "Limitations and Conditions", Item 2 of the NRC Final Safety Evaluation [Ref. 1] for NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk Managed Technical Specifications (RMTS) Guidelines", Revision O [Ref. 2], identifies the following needed content:

• The license amendment request (LAR) will provide identification of the TS Lim iting Conditions for Operation (LCOs) and action requirements to which the RMTS will apply.

• The LAR will provide a comparison of the TS functions to the PRA modeled functions of the structures, systems, and components (SSCs) subject to those LCO actions.

• The comparison should justify that the scope of the PRA model, including applicable success criteria such as number of SSCs required , flow rate , etc. , are consistent with licensing basis assumptions (i.e ., 50.46 [Emergency Core Cooling System (ECCS)]

flowrates) for each of the TS requirements , or an appropriate disposition or programmatic restriction will be provided.

This enclosure provides confirmation that the Comanche Peak Nuclear Power Plant (CPNPP)

PRA models include the necessary scope of SSCs and their functions to address each proposed application of the Risk-Informed Completion Time (RICT) Program to the proposed scope TS LCO Conditions, and provides the information requested for Section 4.0, Item 2 of the NRC Final Safety Evaluation. The scope of the comparison includes each of the TS LCO conditions and associated required actions within the scope of the RICT Program.

2.0 In Scope TS/LCO to Corresponding PRA Functions Table E1-1, "In Scope TS/LCO Conditions to Corresponding PRA Functions" lists each TS LCO Condition to which the RICT Program is proposed to be applied and documents the following information regarding the TSs with the associated safety analyses , the analogous PRA functions ,

and the results of the comparison:

• Column "Tech Spec Description": Lists all LCOs and cond ition statements within the scope of the RICT Program.

• Column "SSCs Covered by TS LCO Condition": Lists SSCs addressed by each action requirement.

• Column "Modeled in PRA?": Indicates whether the SSCs addressed by the TS LCO Condition are included in the PRA.

• Column "Function Covered by TS LCO Condition": Lists a summary of the required functions from the design basis analyses.

• Column "Design Success Criteria": A summary of the success criteria from the design basis analyses.

• Column "PRA Success Criteria" : The function success criteria modeled in the PRA.

• Column "Comments": Provides the justification or resolution to address any inconsistencies between the TS and PRA functions regarding the scope of SSCs and the success criteria. Where the PRA scope of SSCs is not consistent with the TS, additional information is provided to describe how the LCO condition can be evaluated using appropriate surrogate events. Differences in the success criteria for TS functions are addressed to demonstrate the PRA criteria provide a realistic estimate of the risk of the TS condition as required by NEI 06-09-A, Revision 0.

The corresponding SSCs for each TS LCO and the associated TS functions are identified and compared to the PRA. This description also includes the design success criteria and the applicable PRA success criteria . Any differences between the scope or success criteria are described in the table. Scope differences are justified by identifying appropriate surrogate events which permit a risk evaluation to be completed using the Configuration Risk Management Program tool for the RICT Program. Differences in success criteria typically arise due to the requirement in the American Society of Mechanical Engineers (ASME)/American Nuclear Society to TXX-21093 Page 3 of 71 (ANS) RA-Sa-2009 PRA Standard (hereafter "ASME/ANS PRA Standard") to make PRAs realistic rather than bounding , whereas design basis criteria are necessarily conservative and bounding.

The use of realistic success criteria is necessary to conform to capability Category II of the ASME/ANS PRA standard as required by NEI 06-09-A, Revision 0.

3.0 In Scope TS/LCO Conditions RICT Estimate Table E1-2, "In Scope TS/LCO Conditions RICT Estimate" provides examples of calculated RICT for each individual Condition to which the RICT applies (assuming no other SSCs modeled in the PRA are unavailable). These example calculations demonstrate the scope of the SSCs covered by TSs modeled in the PRA. RICTs were calculated for both units and while the results were generally similar, the most limiting RICT is shown in Table E1-2 . Also note that the more limiting of the core damage frequency (CDF) and large early release frequency (LERF) RICT result is shown.

Following implementation of the RICT Program, the actual RICT values will be calculated on a unit-specific basis, using the actual plant configuration and the current revision of the PRA model representing the as-built, as-operated condition of the plant, as required by NEI 06-09-A and the NRC Final Safety Evaluation . The actual RICT values may differ from the RICTs presented in this enclosure.

Table E1-3, "Conditions Requiring Additional Technical Justification," contains a list of Required Actions proposed for inclusion in the RICT Program. Additional technical justification is provided to explain why the Condition would not represent a loss of specified safety function as used in the RICT program.

4.0 Evaluation of Instrumentation and Control Systems In accordance with TSTF-505, Revision 2, Safety Evaluation "Evaluation of Instrumentation and Control Systems" the following is intended to describe the redundant, diverse, and defense-in-depth attributes of the functions for the Reactor Trip System (RTS) Instrumentation, the Engineered Safety Feature Actuation System (ESFAS) Instrumentation , and the LOP DG Start Instrumentation systems.

For the purposes of this evaluation the following definitions are provided ;

Redundancy - Parameters that are used for indication of an unsafe condition have redundant measurement systems. Sufficient redundant measurements are provided to allow a coincident logic scheme so that a spurious measurement on one channel will not cause nor prevent a reactor trip or safeguard feature actuation. (Example: the use of four separate Power Range Channels to monitor Reactor Power.)

One exception to this rule is the source and intermediate range instruments. They have a coincidence in which actuation of protective features occurs on a single input, but these instruments are not in service at power.

The degree of redundancy is the difference between the number of channels monitoring a Function and the number of channels which when tripped will cause a reactor trip, an ESFAS actuation, or a LOP DG start.

Further redundancy is provided by having two trains of protection logic, two trains of SSPS, with either train being capable of initiating a full train of protective functions. The minimum degree of redundancy is the degree of redundancy below which operation is prohibited or otherwise restricted by Technical Specifications.

RTS and ESFAS are each redundant safety systems. No single failure will cause or prevent a reactor trip or ESFAS actuation. Each redundant channel is powered by an independent power to TXX-21093 Page 4 of 71 supply, and a loss of power will place the channel output bistable in a trip condition . The three exceptions to this scheme are Containment Spray, RWST Auto Switchover, and permissive P-6.

The instrumentation and control systems provide equipment diversity and functional diversity.

Equipment diversity provides different types of instruments to achieve the same Function.

Functional diversity uses different variables to achieve a backup Function . For example, a loss of RCS flow is primarily monitored , and the reactor is tripped due to low RCS flow. The undervoltage and underfrequency RCP trips provide diversity to the RCS low flow trip .

This feature and the other listed features meet the "single failure" criteria for RPS , by meeting the IEEE Standard 279 1971 's single failure criteria. IEEE 279 1971 requires that any single failure within the protection system not prevent proper protection system action when required.

Redundant channels and trains are electrically isolated and physically separated so that any single failure with in a channel or train will not prevent protective action at the system level when required. Channel independence is carried throughout the systems.

Independence - Each channel of measurement and each train of protection is physically and electrically independent. Components of different channels are physically separated, penetrate the containment at different locations, and are supplied by independent electrical power supplies.

Independence ensures that a single malfunction or casualty will interrupt only one of the redundant channels or trains . The systems (channels and trains) are also designed such that no single failure will cause a loss of Function.

Physical separation is used to the maximum extent practical to maintain the integrity of redundant protection system instrument channels, providing independence for each channel. There are four separate process protection analog sets. Physical separation of the redundant analog protection channels originates at the process sensors and continues through the field wiring and containment penetrations to the analog protection racks.

Diversity - Several different methods are used to perform similar functions or to indicate the same casualty. For example: Excessive localized fuel element power (KW/FT) protection is provided by both the Power Range Nuclear Instruments and by ion chambers measuring gamma flux in the reactor coolant from Nitrogen 16 decay (N-16 Detectors). Several parameters are also used for protection against a departure from nucleate boiling (DNB) in the Reactor Core.

Certain reactor trips are automatically or manually bypassed at low power when they are not required for safety. For a function to be bypassed, a series of conditions or permissives must be met. The bypass circuit design is such that the bypass is automatically removed whenever the permissive conditions are not met.

Defense-In-Depth (DID) - For this evaluation the seven considerations from Regulatory Guide 1.174, Revision 3, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" are used to review impact of proposed change on function defense-in-depth philosophy.

1. Preserve a reasonable balance among the layers of defense.

2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.

4. Preserve adequate defense against potential CCFs.

5. Maintain multiple fission product barriers.

6. Preserve sufficient defense against human errors .

7. Continue to meet the intent of the plant's design criteria.

to TXX-21093 Page 5 of 71 DID is enhanced by minimizing the chances for a common mode failure through the use of anticipatory trips such as that provided when the turbine trips above 50% power which initiates a reactor trip signal from the turbine tripping independent of any process signals.

Anticipatory trips function to prevent or minimize the severity of an undesired plant event (transient) . The systems also use alarms and actions in a layered approach for DID. For example, Overtemperature N-16 and Overpower N-16 provide reactor trip signals at specified setpoints.

The two parameters also provide turbine run backs at a setpoint below the setpoints of the trips.

Automatic Actuation Logic and Actuation Relays are provided in the Solid State Protection System (SSPS).

The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements , two trains of SSPS , each performing the same functions , are provided . If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation ; generates the electrical output signals that initiate the required actuation ; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a requi red logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition.

The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices.

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure-Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment.

Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function . The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation . Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS. The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents.

4.1 3.3.1 Reactor Trip System (RTS) Instrumentation The RTS initiates a unit shutdown , based on the values of selected unit parameters , to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The RTS design creates defense-in-depth due to the redundancy of the channels for each Function in Table 3.3.1-1 , "Reactor Trip System Instrumentation."

to TXX-21093 Page 6 of 71

• Each Function has multiple channels.

• Each Function will cause a reactor trip with one-out-of-two (1/2), two-out-of-three (2/3) , or two-out-of-four (2/4) coincidence trip signals.

• A bypassed channel does not initiate a trip signal. It reduces the number of total available channels from (1/2) to (1), (2/3) to (2/2), or (2/4) to (2/3) coincidence to trip.

• A channel placed in a tripped condition will provide a tripped input for the applicable Function .

• Manual reactor trip handswitches provide diversity and DID for all automatic reactor trips See Table E1-5, "Reactor Trip Systems (RTS) Instrumentation Functions" for redundancy discussion.

4.2 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.

The ESFAS design creates defense-in-depth due to the redundancy of the channels for each Function in Table 3.3.2-1, "Engineered Safety Feature Actuation System Instrumentation."

• Each Function has multiple channels.

• Each Function will cause an ESFAS actuation with one-out-of-two (1/2), two-out-of-three (2/3), or two-out-of-four (2/4) coincidence trip signals.

• A bypassed channel does not initiate an actuation signal. It reduces the number of total available channels from (1/2) to (1), (2/3) to (2/2), or (2/4) to (2/3) coincidence to actuate.

• A channel placed in a tripped condition will provide a tripped input for the applicable Function.

ESFAS redundant channels and trains are electrically isolated and physically separated so that any single failure within a channel or train will not prevent protective action at the system level when required. Channel independence is carried throughout the system.

No single failure will prevent the ESFAS from generating the proper actuation signal on demand for an engineered safety feature. Failures are either in the safe direction or a redundant channel or train ensures the necessary actuation capability.

See Table E1-6, "Engineered Safety Features Actuation System (ESFAS) Instrumentation Functions" for redundancy discussion .

The following information is from CPNPP Design Bases Document, EE-DBD-021 , Reactor Protection and NSSS Related Control Systems, Table 1, "Reactor Protection System Diversity."

This augments the information provided in Table E1-4, "Evaluation of Instrumentation and Control Systems." Table E1-4 only covers the accidents from CPNPP FSAR, Chapter 15, "Accident Analysis." The following table includes the accidents analyzed as well as other events that rely on TS Instrumentation systems.

See Table E1-8, "Event Protection and Diverse Functions" for redundancy, independence, diversity, and defense-in-depth Functions discussion .

4.3 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation The DGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation . Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9 kv bus.

to TXX-21093 Page 7 of 71 For each unit, the undervoltage protection system, leading to the start of the diesel generators on loss of power, consists of the following functions:

Preferred offsite source undervoltage,

• Alternate offsite source undervoltage, 6.9kV Class 1E buses loss of voltage,

• 480V Class 1E buses low grid undervoltage,

• 6.9 kV Class 1E buses degraded voltage, and

• 480V Class 1E buses degraded voltage.

Each function consists of two sensing relays per bus that provide input to two-out-of-two logic.

The required channels of LOP DG start instrumentation, in conjunction with the ESF systems powered from the DGs , provide unit protection in the event of any of the analyzed accidents , in which a loss of offsite power is assumed.

The LCO for LOP DG start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP DG start instrumentation supports safety systems associated with the ESFAS . The two-out-of-two logic minimizes the probability of spurious DG starts due to instrument failure while maintaining a robust LOP DG Start system. Two trains of Automatic Actuation Logic and Actuation Relays shall also be OPERABLE in MODES 1, 2, 3 and 4.

The six Functions described above provide redundant signals to start a DG due to undervoltage or degraded voltage on the 6.9 kV buses. This provides defense-in-depth by, preserving adequate capability of design features without an overreliance on programmatic activities as compensatory measures and preserves system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty. When any of the six Functions described above become inoperable or when one or more Automatic Actuation Logic and Actuation Relays trains become inoperable, within one hour the Function must be restored or entry into LCO 3.8.1, "AC Sources -- Operating" for the applicable Condition is required for offsite power sources or diesel generator. For the Functions that are bus related entry into LCO 3.8.9, "Distribution Systems -- Operating" is entered.

The LOP DG Start design creates defense-in-depth due to the redundancy of the channels for each Function in Table 3.3.5-1 , "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation."

• Each Function has multiple channels.

• Functions 2, 3, 4, 5, 6, and 7 (LCO 3.3.5 , Conditions B, C, D, and E) are considered as a functional grouping . Not more than one Condition will be entered at one time . The following NOTE will be added;

---

NOT E-------------------------------------------------------------

RIC T entry is not permitted for more than one Condition at a time for Conditions B, C, D or E.

This will ensure that multi-layered, redundant inputs are available for LOP DG Start Instrumentation . With this new NOTE the intent of NUREG-1431, "Standard Technical Specifications - Westinghouse Plants" is maintained . CPNPP utilizes Conditions B, C, D, and E to administer Condition B in the standard . Please refer to Attachment 2, "Proposed Technical Specification Changes - Supplement."

See Table E1-7, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions" for redundancy discussion.

to TXX-21093 Page 8 of 71 In summary, CPNPP instrumentation systems as described in TS 3.3, employ input parameters and equipment that provide redundancy, independence, diversity, and a defense-in-depth (DID) philosophy as described in Regulatory Guide 1.174, Revision 4.

1. Preserve a reasonable balance among the layers of defense.

The RTS, ESFAS and LOP DG Start instrumentation systems use multiple layers of defense as they rely on redundant, independent, and diverse means to trip the reactor, actuate ESF components, and provide a LOP DG start. In all cases manual operator action provides a final layer of defense if all automatic actions fail. Plant response to events normally has at least one primary protection input with backups as described in preceding table, Event Protection and Diversity, for RTS and ESFAS. Preceding Table, LOP DG Start Signals indicates that train redundancy provides independent and diverse layers of defense from a partial loss of Function as given in TS 3.3.5, Conditions A and F. Conditions B, C, D, and E are viewed as providing layers of redundancy by utilizing undervoltage or degraded voltage from diverse signals.

2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

The RTS , ESFAS, and LOP DG Start instrumentation systems only rely on programmatic actions and compensatory measures when no other action is available. For the RTS and ES FAS systems programmatic actions are confined to actions taken to comply with Required Actions in their respective Technical Specifications which are captured in Operations Administrative procedure ODA-308, "LCO Tracking Program." Also, the TS provides actions to take when a Completion Time will not be met. The LOP DG Start Instrumentation confines actions to those required by LCO 3.3.5 which restore the channel or declare associated offsite power source, applicable 6.9 kV buses, or the associated DG inoperable.

3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.

For the RTS, a loss of RCS flow/Locked rotor shows the redundancy, independence, and diversity commensurate with a loss of Reactor Coolant flow. Two low flow trip signals are provided; above P-7 (10% power) but below P-8 (48% power) two-out-of-four low flow channels are required to trip the reactor, above P-8 one-out-of-four low flow channels are required to trip the reactor.

A Reactor Coolant Pump (RCP) undervoltage trip is provided which anticipates a loss of RCS flow and is independent from the flow channels. An RCP underfrequency trip is provided which anticipates a loss of RCS flow and is independent from the flow channels and the RCP undervoltage channel. Also , a Pressurizer Pressure high is provided that could trip the reactor during an RCS loss of flow or locked rotor.

For the ESFAS, a Safety Injection (SI) is initiated by the redundant, independent, and diverse inputs commensurate with the accidents that cause a safety injection. An SI can be initiated by one-of-two handswitches on the Main Control Board (MCB) . An SI is automatically initiated by a Containment Pressure - High 1, a Pressurizer Pressure Low, or a Steam Line Pressure Low. All of these signals are independent from each other, they are diverse in that monitor and actuate on completely different parameters, and they provide DID as they are layered. Depending on the event; LOCA, SGTR, Main Steam Line fault, or Main Feedwater Line Break each of the independent signals could be the first to respond .

For the LOP DG Start, the inputs are redundant, independent, and diverse. Power to the safety-related 6.9 kV buses is protected by the system design . A single channel cannot cause or prevent a DG start. A single Function failure must be restored or placed in a tripped condition within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Automatic Actuation Logic and Actuation Relays trains inoperable must be to TXX-21093 Page 9 of 71 restored within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the associated DG is declared inoperable. In both cases the other redundant train maintains the safety function . The other LOP DG starts are a group of inputs that will start the associated DG under the following conditions;

• Preferred offsite source bus undervoltage

• Alternate offsite source bus undervoltage

• 6.9 kV Class 1E bus undervoltage

• 6.9 kV Class 1E bus degraded voltage

• 480 V Class 1E bus low grid undervoltage

• 480 V Class 1E bus degraded voltage These channels are independent from each other and are a diverse group of parameters which can cause a DG start. The DID layering begins at the source for 1E power with the two offsite source undervoltage, a second layer adds 6.9 kV 1E bus undervoltage, a third layer provides for 6.9 kV 1E bus degraded voltage, a fourth layer adds the 480 V 1E bus grid undervoltage, and a fifth layer provides for 480 V 1E bus degraded voltage.

4. Preserve adequate defense against potential CCFs.

Common Cause Failures (CCF) are avoided by the redundancy, independence, diversity, and DID philosophy that are in the plant design . The preceding tables provide primary trip and ESFAS signals fo r Functions. The tables show how diverse signals are available to support the Function and that the diversity minimizes or eliminates CCFs. System and Function diversity and DID are also shown when the required coincidence changes based on interlocks with the RTS and ESFAS systems . Most CCFs are eliminated by train related Functions. The remaining train can actuate the required signal when needed.

5. Maintain multiple fission product barriers .

The RTS provides trips that are designed to maintain the fuel cladding intact. Specifically, the Power Range Neutron Flux High, Power Range Neutron Flux Rate Positive High , Overtemperature N-16, and Overpower N-16 trips respond to power excursions minimizing the stress to the fuel cladding . These trips act to protect the fuel cladding (fission product barrier) .

The Pressurizer Pressure High and the Pressurizer Water Level High in conjunction with the Pressurizer Power Operated Relief Valves (PORV) and Pressurizer Safety Valves to limit the pressure in the RCS.

These trips and components act to protect the RCS piping (fission product barrier) .

The ESFAS actuations focus on keeping the reactor core cooled and maintaining the Containment below design temperature and pressure. The three automatic SI actuation signals respond to potential challenges to Containment integrity. Containment Pressure High 1 initiates a safety injection based on rising pressure in the Containment. Pressurizer Pressure Low is an indication that a LOCA is in progress that could challenge Containment integrity. Steam Line Pressure Low is an indication of either a steam line break or a feedwater line break. Either break if inside Containment could challenge Containment integrity.

Containment isolation signals are designed to protect Containment integrity. When a Safety Injection is actuated , Containment Phase A Isolation is actuated to isolate non-essential penetrations. Containment Phase A Isolation actuates a Containment Ventilation Isolation to ensure ventilation into and out of Containment are isolated . Steam Line Isolation is actuated by either Steam Line Pressure Low or Containment Pressure High 2 to close the Main Steam Isolation Valves (MSIV) to further ensure Containment integrity. Containment Pressure High 3 initiates Containment Spray and Containment Phase B Isolation. Containment Spray acts to lower Containment temperature and pressure. Containment Phase B isolation isolates Component Cooling Water (CCW) to the RCPs inside Containment. CCW will not be required in this condition as the RCPs are secured. With Containment isolated and Containment Spray actuated the Containment integrity is maintained (Fission product barrier).

to TXX-21093 Page 10 of 71

6. Preserve sufficient defense against human errors.

Operator errors are minimized by a multi-layered approach. Most actions taken by operators are given in written procedures that have gone through 10 CFR 50.59 review. Control board and plant labelling minimize errors as they provide a positive component verification prior to operation. The protection system is designed so that a single failure will not cause or prevent an actuation when needed. The test procedures for the protection system ensure the steps taken will not lead to an inadvertent actuation. There is also a "fail-safe" element in the design . For example, most components actuated by the protection system are actuated when an input de-energizes, so a loss of power takes the system to a safe position. There are some exceptions and they are based on positive actions to initiate Containment Spray and switchover of the suctions for ECCS and Containment Spray pumps to the Containment Sumps when RWST level reaches a specific level.

These signal energize to actuate. This is a case also where the operator may play a significant role if the automatic actuation fails.

7. Continue to meet the intent of the plant's design criteria .

The plant design criteria are not changed by the license amendment request to adopt TSTF-505 ,

Revision 2. The PRA and design review have not identified any significant safety concern by extending the Completion Times when implemented by the submitted program . Any LCOs that may have challenged the plant's design criteria have not been submitted for inclusion in the RICT program. Particularly, CPNPP has not submitted changes for low MODE conditions.

5.0 Tables E1-1 , "In Scope TS/LCO Conditions to Corresponding PRA Functions" E1-2, "In Scope TS/LCO Conditions RICT Estimate" E1 -3, "Conditions Requiring Additional Technical Justification" E1-4, "Evaluation of Instrumentation and Control Systems" E1 -5, "Reactor Trip System (RTS) Instrumentation Functions" E1-6, "Engineered Safety Features Actuation System (ESFAS) Instrumentation Functions" E1-7, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation Functions" E1-8, "Event Protection and Diverse Functions" to TXX-21093 Page 11 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One Manual Mapped to modeled Two Manual Reactor Trip One of two reactor components.

3.3.1.B Reactor Trip Yes Reactor Trip Initiation Same channel trip channels channels inoperable (Note 4)

RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one four channel instrument loop and one three channel instrument loop based on One Power every trip that would generate Range Four Power at least two sets of signals.

Neutron Range Neutron Two of four 3.3.1.D Yes Reactor Trip Initiation Same For the RICT program, if the Flux-High Flux-High channels components were not channel channels explicitly modeled , they were inoperable.

mapped to one of the two logics based on the number of channels and their impact on the function .

(Notes 1 and 2) to TXX-21093 Page 12 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Two of Four Four Power Power Range Flux RTS is modeled in the Range Flux Low Low channels CPNPP PRA using two channels generic RX Trip logics, one Two of Four four channel instrument loop Four Power Power Range and one three channel Range Neutron Neutron Flux Rate instrument loop based on Flux Rate High High Positive Rate every trip that wou ld generate Positive Rate channels at least two sets of signals .

channels For the RICT program , if the Two of Four components were not Four Overtemperature explicitly modeled , they were One channel Overtemperature N-16 channels mapped to one of the two 3.3.1.E Yes Reactor Trip Initiation Same inoperable. N-16 channels logics based on the number Two of Four of channels and thei r impact Four Overpower Overpower N-16 on the function .

N-16 channels channels Four Pressurizer Two of Four (Notes 1 and 2)

Pressure- High Pressurizer channels Pressure- High channels Four SG Water Level Low-Low Two of Four SG channels Water Level Low-Low channels to TXX-21093 Page 13 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success Comments by TS LCO Success Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Two of Four Pressurizer Four Pressurizer Pressure Low RTS is modeled in the Pressure Low channels CPNPP PRA using two channels generic RX Trip logics, one Two of Three four channel instrument loop Three Pressurizer Pressurizer Water and one three channel Water Level High Level Low instrument loop based on channels channels every trip that would generate at least two sets of signals.

One channel Three Reactor Two of Three For the RICT program, if the 3.3.1.M Yes Reactor Trip Initiation Same inoperable. Coolant Flow Low Reactor Coolant components were not channels per loop Flow Low explicitly modeled, they were channels per loop mapped to one of the two Four Undervoltage logics based on the number RCPs Two of Four of channels and their impact Undervoltage on the function.

Four RCPs Underfrequency (Notes 1 and 2)

RCPs channels Two of Four Underfrequency RCPs channels RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one four channel instrument loop and one three channel One Low instrument loop based on Fluid Oil every trip that would generate Three Low Fluid Two of Three Pressure Yes Reactor Trip Initiation Same at least two sets of signals.

3.3.1.0 Oil pressure channels Turbine Trip For the RICT program , if the channels channel components were not inoperable. explicitly modeled , they were mapped to one of the two logics based on the number of channels and their impact on the function .

to TXX-21093 Page 14 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success Comments by TS LCO Success Spec Description in PRA? TS LCO Condition Criteria Condition Criteria RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one four channel instrument loop One or more and one three channel Turbine Stop instrument loop based on Four Turbine Stop every trip that would generate Valve Four of Four Valve Closure Reactor Trip Initiation Same at least two sets of signals.

3.3.1.P Closure Yes channels channels (One for For the RICT program , if the Turbine Trip each valve) components were not channel(s) inoperable. explicitly modeled, they were mapped to one of the two logics based on the number of channels and their impact on the function. (Note 11)

RTS is modeled in the CPNPP PRA using two generic RX Trip logics, one One of Two Safety four channel instrument loop Two Safety Injection (SI) Input Injection (SI) Input and one three channel from Engineered instrument loop based on from Engineered Safety Feature Safety Feature every trip that would generate One train Actuation System at least two sets of signals.

3.3.1.R Actuation System Yes Reactor Trip Initiation Same inoperable. (ESFAS) trains For the RICT program, if the (ESFAS) trains components were not One of Two Two Automatic explicitly modeled , they were Automatic Trip mapped to one of the two Trip Logic trains Logic trains logics based on the number of channels and their impact on the function.

Mapped to modeled One RTB Two Reactor Trip One of Two RTBs components .

3.3.1 .S train Breaker (RTB) Yes Reactor Trip Initiation Same open inoperable. trains (Note 3)

One trip Mapped to modeled RTB Undervoltage One trip components.

mechanism Reactor Trip Initiation Same 3.3.1.V and Shunt trip Yes mechanism inoperable mechanisms (Note 4) for one RTB .

to TXX-21093 Page 15 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One of Two Manual Initiation Two Manual Safety Injection Initiation Safety channels Injection channels One of Two Two Manual Manual Initiation Initiation Containment Containment Spray channels Spray channels (per train )

One channel (per train)

Mapped to modeled 3.3.2.B or train Yes ESF Actuation Same One of Two components.

inoperable. Two Manual Manual Initiation Initiation Phase A Phase A Containment Containment Isolation channels Isolation channels Two Manual One of Two Initiation Phase B Manual Initiation Containment Phase B Isolation channels Containment Isolation channels to TXX-21093 Page 16 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success Comments by TS LCO Success Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One of Two Safety Two Safety Injection Injection Automatic Automatic Actuation Logic Actuation Logic and Actuation and Actuation Relays trains Relays trains One of Two Two Containment Containment Spray Automatic Spray Automatic Actuation Logic Actuation Logic and Actuation and Actuation Relays trains Relays trains Two Phase A One of Two Phase Containment A Containment Isolation ESF Actuation, P- 14: Isolation Mapped to modeled Automatic Trips Main Feed Pumps, Automatic components. Surrogates One train Actuation Logic Trips Main Turbine, Actuation Logic used for certain components 3.3.2.C Yes Same inoperable. and Actuation Closes Feedwater and Actuation (relays) are conservatively Relays trains Isolation and Discharge Relays trains mapped based on their effect Valves on the function .

Two Phase B One of Two Phase Containment B Containment Isolation Isolation Automatic Automatic Actuation Logic Actuation Logic and Actuation and Actuation Relays trains Relays trains Two Automatic One of Two Switchover to Automatic Containment Switchover to Sump Automatic Containment Actuation Logic Sump Automatic and Actuation Actuation Logic Relays trains and Actuation Relavs trains to TXX-21093 Page 17 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success Comments by TS LCO Success Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Two of Three Three Safety Safety Injection Injection Containment Containment Pressure - High 1 Pressure - High 1 channels channels Two of Four Four Safety Safety Injection Injection Pressurizer Pressurizer Pressure - Low Pressure - Low channels channels Two of Three (per Three (per line) line) Safety Safety Injection Injection Steam Steam Line Line Pressure Low Pressure Low channels channels Two of Three Three Steam Line Steam Line Isolation Isolation Mapped to modeled One channel ESF Actuation Same 3.3.2.D Containment Yes Containment components.

inoperable.

Pressure - High 2 Pressure - High 2 channels channels Three (per line) Two of Three (per Steam Line line) Steam Line Isolation Steam Isolation Steam Line Pressure Low Line Pressure Low channels channels Three (per line) Two of Three (per Steam Line line) Steam Line Isolation Negative Isolation Negative Rate- High Rate - High channels channels Four (per SG) Two of Four (per Auxiliary SG) Auxiliary Feedwater SG Feedwater SG Water Level Low- Water Level Low-Low channels Low channels to TXX-21093 Page 18 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One of Two Two Steam Line Steam Line Isolation Manual Isolation Manual Initiation channels Initiation channels Mapped to modeled Two Auxiliary One of Two Safety components. Surrogates One channel Feedwater Loss of Injection Loss of used for certain components 3.3.2.F or train Offsite Power Yes ESF Actuation Same Offsite Power (hand switch/relays) are inoperable. channels channels conservatively mapped based on their effect on the function.

Two ESFAS One of Two Interlocks Reactor ESFAS Interlocks Trip channels Reactor Trip (P-4) channels One of Two Two Steam Line Steam Line Isolation Isolation Automatic Automatic Actuation Logic Actuation Logic Mapped to modeled and Actuation and Actuation components. Surrogates Relays trains Relays trains One train used for certain components 3.3.2.G Yes ESF Actuation Same inoperable. (hand switch/relays) are Two Auxiliary One of Two conservatively mapped based Feedwater Auxiliary on their effect on the function.

Automatic Feedwater Actuation Logic Automatic and Actuation Actuation Logic Relays trains and Actuation Relavs trains One of Two Two Turbine Trip Turbine Trip and Mapped to modeled and Feedwater Feedwater components. Surrogates Isolation Isolation used for certain components One train Yes ESF Actuation Same 3.3.2 .H Automatic Automatic are conservatively mapped inoperable Actuation Logic Actuation Logic based on their effect on the and Actuation and Actuation function .

Relays trains Relays trains to TXX-21093 Page 19 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Three (per SG) Two of Three (per Turbine Trip and SG) Turbine Trip Feedwater and Feedwater One channel Mapped to modeled 3.3 .2.1 Isolation SG Yes ESF Actuation Isolation SG Same inoperable. components.

Water Level - Water Level -

High-High (P-14) High-High (P-14) channels channels Mapped to modeled One Main components. Surrogates Feedwater All Main One of two per used for certain components 3.3.2.J Pump trip Feedwater Pumps Yes ESF Actuation Same AFWpump (switch/relays) are channel trip channels conservatively mapped based inoperable.

on their effect on the function .

One of Two channels (per bus)

Sustained of the loss of undervoltage One or more voltage and Mapped to modeled (SUR) , Transient Functions undervoltage components. Surrogates undervoltage (TU) Diesel Generator Start with one Functions used for certain components 3.3.5.A and Loss of Yes Instrumentation - Loss of Same channel per (relays) are conservatively voltage (LOV) Power bus One of two trains mapped based on their effect sensors on safety inoperable of Automatic on the function .

related 6.9kV Actuation Logic buses and Actuation Relavs Two channels per Surrogates used for bus for the Two (per bus) Two of Two components (relays) are Preferred preferred offsite Diesel Generator Start undervoltage conservatively mapped based 3.3.5.B offsite source source bus Yes Instrumentation - Loss of channels on each Same on their effect on the function .

bus undervoltage Power preferred offsite undervoltage channels source bus (Notes 5 and 6) function inoperable.

Two channels per Surrogates used for bus for the Two (per bus) Two of Two components (relays) are Alternate Alternate offsite Diesel Generator Start undervoltage conservatively mapped based 3.3.5.C offsite source source bus Yes Instrumentation - Loss of channels on each Same on their effect on the function .

bus undervoltage Power alternate offsite undervoltage channels source bus (Notes 5 and 6) function inoperable.

to TXX-2 1093 Page 20 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success Comments by TS LCO Success Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Two channels per Two of Two bus for the Two (per bus) 6.9 Mapped to modeled Diesel Generator Start undervoltage 6.9 kV bus kV Class 1E bus components .

3.3.5.D Yes Instrumentation - Loss of channels on each Same loss of undervoltage Power 6.9 kV Class 1E voltage channels (Notes 5 and 6) bus function inoperable Two of Two degraded voltage Two (per bus) 6.9 channels on each kV Class 1E 6.9 kV Class 1E Two bus Degraded voltage channels per channels Surrogates used for certain bus for one Two of Two or more components (relays) are Two (per bus) 480 Diesel Generator Start degraded voltage conservatively mapped based degraded Yes Instrumentation - Loss of channels on each Same 3.3.5.E V Class 1E bus on thei r effect on the function.

voltage or Power 480 V Class 1E degraded voltage low grid bus channels (Notes 5 and 6) undervoltage functions Two of Two low Two (per bus) 480 inoperable grid undervoltage V Class 1E bus low grid channels on each undervoltage 480 V Class 1E bus One or more Surrogates used for certain Automatic One of Two components (relays) are Two Automatic Diesel Generator Start Automatic Actuation conservatively mapped based Actuation Logic Instrumentation - Loss of Actuation Logic Same 3.3.5.F Logic and Yes on their effect on the function .

and Actuation Power and Actuation Actuation Relays trains Relays trains Relays trains (Notes 5 and 6) inoperable.

Surrogates used for components are mapped based on their effect on the One requ ired One of two groups function. For the RICT, the group of Two groups of PRA does of pressurizer impact has been mapped to 3.4.9.B pressurizer pressurizer No RCS subcooling not model heaters with a an increase in the likelihood heaters heaters PRZ heaters.

capacity :::: 150 kW of a plant trip due to inoperable. degraded pressure control.

(Note 9) to TXX-21093 Page 21 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One PORV OPERABLE One PORV inoperable RCS depressurization for One PORV with and not SGTR response two CCPs Mapped to modeled 3.4.11 .B capable of Two PORVs Yes Same components.

being Feed and bleed core OR manually cooling cycled. Two PORVs with one CCPAND one SI pump _

One PORVand associated block valve OPERABLE One PORVand associated block Isolate associated PORV valve with two One block Two PORV block CCPs Mapped to modeled 3.4.11 .C valve Yes Open to allow PORV Same valves components .

inoperable. functions in Function OR 3.4.11.B Two PORVs and associated block valves with one CCP AND one SI pump to TXX-21093 Page 22 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following One train accidents: Mapped to modeled inoperable a. Loss of coolant components.

because of accident (LOCA), coolant the leakage greater than the The centrifugal charging Two centrifugal 1 of 2 centrifugal 3.5.2.A inoperability Yes capability of the normal Same subsystem consists of two charging pumps charging pumps.

of a charging system ; redundant, 100% capacity centrifugal b. Rod ejection accident; trains.

charging c. Loss of secondary pump. coolant accident, (Note 8) including uncontrolled steam release or loss of feedwater; and

d. Steam generator tube rupture (SGTR).

to TXX-21093 Page 23 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Provide core cooling and negative reactivity to ensure that the reactor core is protected after Mapped to modeled any of the following components. Surrogates One or more accidents: used for certain components trains a. Loss of coolant (pump/valves) are inoperable Two ECCS trains conservatively mapped based accident (LOCA), coolant for reasons consisting of, leakage greater than the on their effect on the function other than safety injection One of two ECCS 3.5 .2.B Yes capability of the normal Same one pump, RHR trains charging system; TS 3.5.2 Condition B requires inoperable Pump, RHR heat 100% flow equivalent to a

b. Rod ejection accident; centrifugal exchangers single OPERABLE ECCS

c. Loss of secondary charging coolant accident, train is available.

pump. including uncontrolled steam release or loss of (Note 8) feedwater; and

d. Steam generator tube rupture (SGTR).

Surrogates used for components are conservatively mapped based on their effect on the function.

For RICT, the impact for this condition will be assumed One or more that one end of the containment containment air lock has air locks been verified to be able to One of two perform its function 3.6.2.C .1.

inoperable Containment Not containment air Same 3.6 .2.C Containment integrity The components will for reasons Airlocks explicitly lock doors closed.

other than therefore be mapped to a Condition A surrogate representing a loss or B. of a single CIV for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> requirement.

TS 3.6.2 Condition C Action 1 initiates action to evaluate overall containment leakage rate oer LCO 3.6.1.

to TXX-21093 Page 24 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One or more penetration flow paths with one containment isolation valve Mapped to modeled inoperable Two active or components. Surrogates except for passive isolation Containment boundary One of two used for certain components containment 3.6.3.A devices on each Yes and minimization of RCS isolation devices Same (CIV not explicitly modeled) purge, fluid penetration inventory loss per penetration are conservatively mapped hydrogen line based on their effect on the purge or function.

containment pressure relief valve leakage not within limit.

One or more penetration See LCO Condition 3.6.3.A flow paths with one 3.6.3.C containment isolation valve inoperable.

Mapped to modeled components. Surrogates used for certain components (breakers/valves) are One conservatively mapped based Two Containment containment Containment atmosphere on their effect on the function 3.6.6.A Spray System Yes One of two trains Same spray train cooling trains inoperable. The Containment Spray System for each unit consists of two separate and completely redundant safety trains.

to TXX-21093 Page 25 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Mapped to modeled components.

The design of the secondary One MSIV Main Steam One MSIV closure system precludes the 3.7.2.A inoperable in Isolation Valves Yes Isolate Main Steam Lines per steam Same uncontrolled blowdown of Mode 1 (MSIVs) generator more than one steam generator, assuming a single active component failure (e.g ., the failu re of one MSIV to close on demand .)

Steam Generator Mapped to modeled One required One of fou r Atmospheric Pressure relief and plant Two of fou r SG components .

3.7.4.A ARV line Yes for Transient Relief Valves cooldown ARVs inoperable /SGTR (Note 7)

(ARVs)

Steam Generator Mapped to modeled Two requ ired One of four Atmospheric Pressure relief and plant Two of four SG components.

3.7.4.B ARV lines Yes for Transient Relief Valves cooldown ARVs inoperable. /SGTR (Note 7)

(ARVs)

Three or Steam Generator One of fou r SG Mapped to modeled more One of four Atmospheric Pressure relief and plant ARVs and CST components.

3.7.4.C required ARV Yes for Transient Relief Valves cooldown cooling water lines /SGTR (ARVs) supply (Note 7) inoperable.

One steam Mapped to modeled supply to the Turbine driven components. Surrogates turbine AFW steam Supply steam to turbine One of two steam used for certain components 3.7.5.A Yes Same driven AFW supply line valves driven AFW pump feed lines (CIV valves) are pump and flowpath conservatively mapped based inoperable on their effect on the function.

to TXX-21093 Page 26 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria All transients:

One of three AFW pumps supplying 1 Three AFW trains SG OneAFW Mapped to modeled (two motor driven All LOCAs:

train components. Surrogates pumps and Supply feedwater to One of three AFW :One of three inoperable used for certain components 3.7.5.B flowpath , one Yes steam generators to trains supplying AFWpumps for reasons (CIV valves) are turbine driven remove RCS decay heat two SGs supplying 2 other than conservatively mapped based pump and SGs Condition A on their effect on the function.

flowpath) SGTR: :One of three AFW pumps supplying 1 SG Two CCW trains comprised of a full Heat sink for removing One CCW capacity pump, process and operating One of two CCW Mapped to modeled 3.7.7 .A train Yes Same heat exchanger, heat from safety related trains components.

inoperable.

piping , valves , and components instrumentation Required SSW Pump Two 100%

on the capacity SSW Heat sink for removal of One of two opposite unit cooling water process and operating opposite unit SSW Mapped to modeled 3.7.8.A or its pumps and Yes heat from safety related Same trains with cross- components associated associated cross components during OBA ties open .

cross- connects on or transient connects opposite unit inoperable.

Heat sink for removal of Two 100%

One SSWS process and operating capacity SSWS One of two unit Mapped to modeled 3.7.8.B train Yes heat from safety related Same cooling water SSWS trains components.

inoperable. components during OBA trains or transient to TXX-21093 Page 27 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Mapped to modeled Provide water to components.

emergency fan coil units One safety (EFCUs) to maintain chilled water Two safety chilled One of two safety The Safety Chilled Water 3.7.19.A Yes ambient air temperature Same train water chilled water trains System for each unit consists within design limits of the inoperable. of two separate and essential equipment in completely redundant safety ESF pump rooms trains.

Two trains with One qualified two qualified circuit between circuits between the offsite the offsite Provide power from One required transmission transmission offsite transmission Mapped to modeled 3.8.1 .A offsite circuit Yes network and the Same network and the network to onsite Class components.

inoperable. onsite 1E AC onsite 1E AC 1E buses.

Electrical Power Electrical Power - Distribution Distribution System .

System.

Two independent DGs per train Provide power to safety capable of OneDG related buses when 1 of 2 DGs per Mapped to modeled 3.8.1.B supplying onsite Yes Same inoperable. offsite power to them is unit components.

1E AC Electrical lost.

Power Distribution System Two trains with two qualified circuits between Two required the offsite Provide power from 1 of 2 DGs per offsite transmission offsite transmission unit when offsite Mapped to modeled 3.8.1.C Yes Same circuits network and the network to onsite Class power is components.

inoperable. onsite 1E AC 1E buses. unavailable.

Electrical Power Distribution System.

to TXX-21093 Page 28 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria Two trains with two qualified One qualified circuits between circuit between the offsite the offsite transmission transmission One required network and the network and the offsite circuit onsite 1E AC Provide power from onsite 1E AC inoperable. Electrical Power offsite transmission Electrical Power Mapped to modeled 3.8.1.D Yes Same AND Distribution network to onsite Class Distribution components.

One DG System and Two 1E buses. System if offsite inoperable. independent DGs power available.

per train capable of supplying onsite One DG per unit if 1E AC Electrical offsite power Power Distribution unavailable.

Svstem One SI See LCO Condition 3.8.1.B 3.8.1.F sequencer inoperable .

One or two Mapped to modeled Ensure availability of required One 100% components. Surrogates Two 100% required DC power to battery capacity battery used for certain components 3.8.4 .A capacity chargers Yes shut down the reactor Same chargers on for one of two DC (inverters) are conservatively per battery and maintain it in a safe one train trains mapped based on their effect condition inoperable. on the function. (Note 10)

Mapped to modeled One or two Ensure availability of components. Surrogates batteries on required DC power to One battery Two batteries per used for certain components 3.8.4.B one Yes shut down the reactor available for one Same train (inverters) are conservatively train and maintain it in a safe of two DC trains mapped based on their effect inoperable. condition on the function.

One DC electrical power Mapped to modeled Ensure availability of subsystem components. Surrogates Two DC electrical required DC power to inoperable One of Two DC used for certain components 3.8.4.C power distribution Yes shut down the reactor Same for trains (inverters) are conservatively subsystems and maintain it in a safe reasons mapped based on their effect condition other than on the function.

Condition A or B.

to TXX-21093 Page 29 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions SSCs Covered PRA Tech Tech Spec Modeled Function Covered by Design Success by TS LCO Success Comments Spec Description in PRA? TS LCO Condition Criteria Condition Criteria One of two Mapped to modeled inverters components. Surrogates One required Four inverters per Provide AC power to vital supplying AC vital used for certain components 3.8.7.A inverter Yes Same train. buses bus electrical (INSTR Panel) are inoperable.

power distribution conservatively mapped based system. on their effect on the function.

One AC electrical One of two AC Two AC electrical power Provide power to safety electrical power Mapped to modeled 3.8.9.A power distribution Yes Same distribution related equipment. distribution components.

subsystems subsystem subsystems inoperable.

Mapped to modeled One AC vital One of two AC components. Surrogates bus Two AC vital bus Provide power to safety vital bus used for certain components 3.8.9.B Yes Same subsystem subsystems related equipment. distribution (INSTR Panel) are inoperable. subsystems conservatively mapped based on their effect on the function.

One DC Ensure availability of electrical Two DC electrical required DC power to One of two DC power Mapped to modeled 3.8.9.C power distribution Yes shut down the reactor power distribution Same distribution components.

subsystems and maintain it in a safe subsystems subsystem condition inoperable.

Notes:

1. The Reactor Trip System instrumentation is segmented into four distinct but interconnected modules: field transmitters and process sensors, Signal Process Control and Protection System, Solid State Protection System (SSPS) , and reactor trip switchgear. Field transmitters provide measurement of the unit parameters to the Signal Process Control and Protection System via separate, redundant channels. The Signal Process Control and Protection System forwards outputs to the SSPS , which consists of two redundant trains , to indicate a reactor trip or actuate Engineering Safety Functions.

2. Depending on the measured parameter, three or four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a trip logic. Failure of any one trip logic does not result in an inadvertent trip. Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient.

3. A trip breaker train consists of all trip breakers associated with a single Reactor Trip System logic train that are racked in , closed, and capable of supplying power to the Rod Control System. Consistent with the requirements in WCAP-15376-P-A to include Tier 2 insights into the decision-making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a RTB train is inoperable for maintenance are included.

to TXX-21093 Page 30 of 71 Table E1-1, In Scope TS/LCO Conditions to Corrsponding PRA Functions

4. Each RTB is equipped with a shunt trip device that is energized to trip the RTB open upon receipt of a manual reactor trip signal , thus providing a redundant and diverse trip mechanism . Two Manual Reactor Trip channels provide the signal from reactor trip switches located in the Main Control Room to the RTBs.

5. Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1E buses. If the Preferred offsite power source is lost, the 6.9kV Class 1E buses are automatically energized from the Alternate offsite power source. If the transfer fails , or if the Alternate offsite power source is not available, the diesel generators are started to energize the 6.9kV Class 1E buses.

6. For each unit, the undervoltage protection system, leading to the start of the diesel generators (DG) on loss of offsite power (LOOP), consists of the following functional groups: Preferred offsite source undervoltage, alternate offsite source undervoltage, 6.9kV Class 1E buses loss of voltage, 480V Class 1E buses low grid undervoltage , 6.9kV Class 1E buses degraded voltage, and 480V Class 1E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable. Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable. The required channels of LOP DG start instrumentation , in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed. A NOTE will be added to LCO 3.3.5 limits the use of the RICT for Conditions B, C, D, or E to only one of these Conditions at any one time.

7. The unit can be cooled to residual heat removal (RHR) entry conditions with only one steam generator and one ARV, utilizing the cool ing water supply available in the CST.

8. The ECCS consists of three separate subsystems: centrifugal charging (high head), safety injection (intermediate head), and residual heat removal (low head) . Each of the three subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100% of the flow required to mitigate accident consequences.

9. The unavailability of one required group of pressurizer heaters would not have any significant impact on plant transient response so there is no quantifiable impact to CDF or LERF . While mitigation of a SGTR is enhanced by the availability of pressurizer heaters, ECA-3.3A/B provides for mitigation of a SGTR without pressurizer heaters, if necessary.

Degraded pressurizer heater capability is supplemented by the availability of the remaining heaters for plant pressure control, and the availability of plant procedures which provide plant shutdown and cooldown guidance with pressurizer heaters. If the available heaters are sufficient to maintain RCS pressure control, normal plant operations can continue. For the RICT, the impact has been mapped to an increase in the likelihood of a plant trip (factor of 10) due to degraded pressure control.

10. With both chargers inoperable on a single train of DC power the battery becomes the source of DC power until at least one changer can be restored to OPERABLE status. TS 3.8.4 also provides that the opposite train will provide the safety function .

11 . The turbine stop valve trip is a backup for the turbine low oil pressure trip. The stop valve trip is not required to operate in the presence of a single or more channel failure. With a loss of load , the Pressurizer Pressure High trip and the Pressurizer safety valves protect the core and RCS integrity.

to TXX-21093 Page 31 of 71 Table E1-2, In Scope TS/LCO Conditions RICT Estimate Tech RICT LCO Condition Spec Estimate 1 *2 *3 3.3.1.B One Manual Reactor Trip channel inoperable. 30 days 3.3.1.D One Power Ranqe Neutron Flux-Hiqh channel inoperable. 30 days 3.3.1.E One channel inoperable 30 days 3.3.1.M One channel inoperable. 30 days 3.3.1.0 One Low Fluid Oil Pressure Turbine Trip channel inoperable. 30 days 3.3.1.P One Turbine Trip channel inoperable. 30 days One or more Turbine Stop Valve Closure Turbine Trip 3.3.1.R 30 days channel(s) inoperable.

3.3 1 S One RTB train inoperable. 30 days 3.3.1.V One trip mechanism inoperable for one RTB. 30 days 3.3.2.B One channel or train inoperable. 30 days 3.3.2.C One train inoperable. 30 days 3.3.2.D One channel inoperable. 30 days 3.3.2.F One channel or train inoperable. 30 days 3.3.2.G One train inoperable. 30 days 3.3.2.H One train inoperable. 30 days 3.3.2.1 One channel inoperable . 30 days 3.3.2.J One Main Feedwater Pumps trip channel inoperable. 30 days 3.3.5.A One or more Functions with one channel per bus inoperable. 30 days Two channels per bus for the Preferred offsite source bus 3.3.5.B 30 days undervoltaqe function inoperable.

Two channels per bus for the Alternate offsite source bus 3.3.5.C undervoltage function inoperable. 30 days Two channels per bus for the 6.9 kV bus loss of voltage 3.3.5.D 30 days function inoperable.

Two channels per bus for one or more degraded voltage or 3.3.5.E 30 days low grid undervoltaqe function inoperable.

One or more Automatic Actuation Logic and Actuation Relays 3.3.5.F 30 days trains inoperable.

3.4.9.B One required group of pressurizer heaters inoperable. 30 days One PORV inoperable and not capable of being manually 3.4.11 .B 30 days cycled.

3.4.11.C One block valve inoperable. 26.7 days One train inoperable because of the inoperability of a 3.5 .2.A 30 days centrifugal charqinq pump .

One or more trains inoperable for reasons other than one inoperable centrifugal charging pump.

3.5.2.B AND 30 days At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train avai lable .

One or more containment air locks inoperable for reasons 3.6.2.C 30 days other than Condition A or B.

One or more penetration flow paths with one containment isolation valve inoperable except for containment purge ,

3.6.3.A 30 days hydrogen purge or containment pressure relief valve leakage not within limit.

One or more penetration flow paths with one containment isolation valve inoperable except for containment purge, 3.6.3.C 30 days hydrogen purge or containment pressure relief valve leakage not within limit.

to TXX-21093 Page 32 of 71 Table E1-2, In Scope TS/LCO Conditions RICT Estimate Tech RICT LCO Condition Spec Estimate 1 *2 *3 3.6 .6.A One containment spray train inoperable. 30 days 3.7.2.A One MSIV inoperable in MODE 1. 30 days 3.7.4.A One required ARV line inoperable 30 days 3.7.4.B Two required ARV lines inoperable. 30 days 3.7.4.C Three or more required ARV lines inoperable. 30 days 3.7.5.A One steam supply to turbine driven AFW pump inoperable. 30 days 3.7.5 .B One AFW train inoperable for reasons other than Condition A. 30 days 3.7.7.A One CCW train inoperable. 27.5 days Required SSW Pump on the opposite unit or its associated 3.7.8.A 30 days cross-connects inoperable.

3.7.8.B One SSWS train inoperable. 12.2 days 3.7.19.A One safety chilled water train inoperable. 24.8 days 3.8.1.A One required offsite circuit inoperable. 30 days 3.8.1.B One DG inoperable. 30 days 3.8.1.C Two required offsite circuits inoperable . 29.9 days One required offsite circuit inoperable.

3.8.1.D AND 28.1 days One DG inoperable.

3.8.1.F One SI sequencer inoperable. 30 days

3. 8.4.A One or two required battery charqers on one train inoperable. 13.4 days

3. 8.4.B One or two batteries on one train inoperable. 28 days One DC electrical power subsystem inoperable for reasons other 3 . 8.4.C 30 days than Condition A or B.

3. 8.7.A One required inverter inoperable. 30 days

3. 8. 9.A One AC electrical power distribution subsystem inoperable. 30.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> 3.8 .9.B One AC vital bus subsystem inoperable. 19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> 3.8.9.C One DC electrical power distribution subsystem inoperable. 86 hours9.953704e-4 days <br />0.0239 hours <br />1.421958e-4 weeks <br />3.2723e-5 months <br /> Notes:

1. The actual RICT values will be calculated using the existing plant configuration and the current revision of the PRA model representing the as-built, as-operated condition of the plant, as required by NEI 06-09-A, Revision 0-A and the NRC safety evaluation, and may differ from the pre-calculated RICT values presented here.

2. RICTs are based on the internal events , internal flood, and internal fire PRA model calculations with seismic and high winds CDF and LERF penalties. RICTs calculated to be greater than 30 days are capped at 30 days based on NEI 06-09-A, Revision 0-A.

RICTs not capped at 30 days are rounded to nearest number of hours.

3. Per NEI 06-09-A, Revision 0-A, for cases where the total CDF or LERF is greater than 1E-03/yr or 1E-04/yr, respectively , the RICT Program will not be entered.

to TXX-21093 Page 33 of 71 Table E1-2, In Scope TS/LCO Conditions RICT Estimate 2.0 References

1. Letter from Jennifer M. Golder (NRC) to Biff Bradley (NEI), "Final Safety Evaluation for Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06-09-A, 'Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines,"'

dated May 17, 2007 (ADAMS Accession No. ML071200238)

2. Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines,"

Revision 0-A, dated October 12, 2012 (ADAMS Accession No. ML12286A322) to TXX-21093 Page 34 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

• Tech S~ec Descriotion One Power 3.3.1 .D.1.2 3.3.1.D.2.1 Licensee must justify that the condition does not Notes 1 and 2 Range represent the inability to perform the safety function Neutron Flux - assumed in the FSAR given the loss of spacial High channel distribution of the remaining Power Range detectors.

inoperable. The justification can include that the Actions require periodic monitoring of spacial power distribution and imposition of compensatory limits and reduced power.

One RTB 3.3.1 .S.1 3.3.1.U .1 The licensee must include information regarding how Note 3 train the TSTF-411 conditions and limitations will be inoperable. implemented (or similar conditions if TSTF-411 has not been adopted), including discussion of ATWS Mitigation System Actuation (AMSAC), and why those actions are sufficient, including a discussion of defense in depth.

Two channels 3.3.5.B.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required the Preferred trains or subsystems of a TS required system are offsite source inoperable or modify the Action to not apply a RICT bus when all required trains or subsystems are undervoltage inoperable. [See attached Safeguards UV Operation function diagram, Figure E1 .1]

inoperable.

to TXX-21093 Page 35 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

• Tech S12ec Descriotion Two channels 3.3.5.C.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required the Alternate trains or subsystems of a TS required system are offsite source inoperable or modify the Action to not apply a RICT bus when all required trains or subsystems are undervoltage inoperable. [See attached Safeguards UV Operation function diagram , Figure E1 .1]

inoperable.

Two channels 3.3.5.D .1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required the 6.9 kV trains or subsystems of a TS required system are bus loss of inoperable or modify the Action to not apply a RICT voltage when all required trains or subsystems are function inoperable. [See attached Safeguards UV Operation inoperable. diagram , Figure E1 .1]

Two channels 3.3.5.E.1 3.3.5.B.1 Licensee must justify that two or more channels per Notes 4 and 5 per bus for bus inoperable is not a condition in which all required one or more trains or subsystems of a TS required system are degraded inoperable or modify the Action to not apply a RICT voltage or low when all required trains or subsystems are grid inoperable. [See attached Safeguards UV Operation undervoltage diag ram , Figure E1 .1]

function inoperable to TXX-21093 Page 36 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

• Tech S12ec Descriotion One or more 3.3 .5.F.1 3.3.5.B .1 Licensee must justify that one or more channels per Notes 4 and 5 Automatic bus inoperable is not a condition in which all required Actuation trains or subsystems of a TS required system are Logic and inoperable or modify the Action to not apply a RICT Actuation when all required trains or subsystems are Relays trains inoperable.

inoperable.

One required 3.4.9.B .1 3.4 .9.B.1 Pressurizer is typically not modeled in the PRA. Note 6 group of Licensee must justify the ability to calculate a RICT pressurizer for the condition, including how the system is heaters modeled in the PRA, whether all functions of the inoperable. system are modeled, and , if a surrogate is used, why that modeling is conservative.

to TXX-21093 Page 37 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

• Tech S~ec Descriotion One or more 3.5 .2.B 3.5.2.A Licensee must justify that one or more ECCS trains The Condition trains inoperable is not a condition in which all required acknowledges that inoperable for trains or subsystems of a TS required system are individual component reasons other inoperable. Acceptable justification is TS Condition failures could affect both than one requiring 100% flow equivalent to a single ECCS trains but 100% flow inoperable train . equivalent to that of a centrifugal single train is still required.

charging pump.

AND At least 100%

of the ECCS flow equivalent to a single OPERABLE ECCS train available.

One or more 3.6.2.C.3 3.6.2.C.3 Licensee must justify that an inoperable containment TS 3.6.2 Condition C containment air lock is not a condition in which all required trains Action C.1 initiates action air locks or subsystems of a TS required system are to evaluate the overall inoperable for inoperable. An acceptable argument may be that a containment leakage rate reasons other note in TS 3.6.2 requires the condition to be per LCO 3.6.1 . While also than assessed in accordance with TS 3.6.1, Containment verifying a door is closed in Condition A or Integrity, and excessive leakage would require an the affected air lock and B. immediate plant shutdown under that TS . restore the air lock to OPERABLE status in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If air lock is not restored , be in MODE 3 in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 in 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

to TXX-21093 Page 38 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

• Tech S~ec Descriotion One 3.6.6.A.1 3.6.6A Licensee must justify the ability to calculate a RICT Note 7 containment for the condition, including how the system is spray train modeled in the PRA, whether all functions of the inoperable. system are modeled, and , if a surrogate is used, why that modeling is conservative. [See attached Containment Spray One-Line diaqram, Fiqure E1 .21 One MSIV 3.7.2.A.1 3.7.2.A.1 Licensee must justify that the condition would not The design of the inoperable in prevent performance of the steam line break secondary system MODE 1. isolation function assumed in the accident analysis. precludes the uncontrolled An acceptable method may be a second MSIV per blowdown of more than steam line, another design feature, or an alternate one steam generator, method of preventing blowdown of more than one assuming a single active steam generator. component failure (e .g.,

the failure of one MSIV to close on demand.) This is accomplished by closing the other three MS IVs manually or automatically.

Two required 3.7.4.B.1 3.7.4.B.1 Licensee must justify that two or more inoperable Note 8 ARV lines ADVs is not a condition in which all required trains or inoperable. subsystems of a TS required system are inoperable or modify the Action to not apply a RICT when all required trains or subsystems are inoperable.

to TXX-21093 Page 39 of 71 Table E1-3, Conditions Requiring Additional Technical Justification TSTF-505 CPNPP TS TSTF-505 TS TSTF-505 Reguired Justification Justification

• Tech S~ec Descriotion Three or more 3.7.4.C.1 N/A Licensee must justify that three or more inoperable Note 8 required ARV ADVs is not a condition in wh ich all required trains or lines subsystems of a TS required system are inoperable inoperable. or modify the Action to not apply a RICT when all required trains or subsystems are inoperable.

One SSWS 3.7.8.B.1 N/A Licensee must justify that one SSWS train is not a Note 9 train condition in which all required trains or subsystems inoperable. of a TS required system are inoperable.

One safety 3.7.19.A.1 N/A Licensee must justify that one safety chilled water The Safety Chilled Water chilled water train inoperable is not a condition in which all System for each unit train required trains or subsystems of a TS required consists of two separate inoperable. system are inoperable. [See attached Safety and completely redundant Chilled Water One-Line diagram, Figure E1 .3] safety trains .

Notes:

• Justification for applying the RICT to any Completion Time must recognize a key fundamental for Technical Specification use.

Once in a Condition with Required Actions no additional failures are considered . So, when applying the RICT Completion Time extensions, CPNPP will evaluate if the risk to be in the Condition for the extended time is acceptable .

1. The Reactor Trip System (RTS) instrumentation is segmented into four distinct but interconnected modules: field transmitters and process sensors, Signal Process Control and Protection System, Solid State Protection System (SSPS) , and reactor trip switchgear. Field transmitters provide measurement of the unit parameters to the Signal Process Control and Protection System via separate, redundant channels. The Signal Process Control and Protection System forwards outputs to the SSPS ,

to TXX-21093 Page 40 of 71 Table E1-3, Conditions Requiring Additional Technical Justification which consists of two redundant trains , to actuate a Reactor Trip or an Engineered Safety Feature (ESF). This redundancy maintains safety function.

2. Depending on the measured parameter, three or four instrumentation channels are provided to ensure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a trip logic. Failure of any one trip logic does not result in an inadvertent trip. Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If a parameter is used for input to the SSPS and a control function , four channels with a two-out-of-four logic are sufficient. In both cases , a single failure will neither cause nor prevent the protective safety function actuation. With a failed power range instrument and rated thermal power greater than 75% the Quadrant Power Tilt Ratio must be verified 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the channel became inoperable and then every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> until the channel is restored to OPERABLE status.

3. A trip breaker train consists of all trip breakers associated with a single Reactor Trip System logic tra in that are racked in ,

closed , and capable of supplying power to the Rod Control System. Consistent with the requirement in WCAP-15376-P-A to include Tier 2 insights into the decision-making process before taking equipment out of service , restrictions on concurrent removal of certain equipment when an RTB train is inoperable for maintenance are included . Multiple SSPS outputs provide trip signals to the trip logic which in turn opens the trip breakers. Additionally, CPNPP has ATWS Mitigation System Actuation Circuitry (AMSAC) . At CPNPP the ATWS is referred to as the Anticipated Transient Without Trip (ATWT). AMSAC is independent of SSPS. AM SAC actuation will occur if turbine load is greater than 40% and three of four Steam Generator (SG) narrow range levels are less than 10%. There is a built in time delay to allow SSPS time to actuate. The AM SAC output will trip the main turbine , start all Auxiliary Feedwater (AFW) pumps , isolate SG blowdown and sample lines, and close the Condensate Storage Tank (CST) discharge valves. Due to a different main feedwater design on Unit 2, AMSAC also close the Feedwater Split-flow Bypass Valves (FSBVs) . The system design is to provide AFW flow to the SGs and conserve feedwater while responding to an ATWT.

CPNPP adopted TSTF-411 with License Amendment 114 (ML050460331). It can be seen that the CPNPP SSPS which provides protection through actuation of required reactor trips and engineered safety features and the adoption the AM SAC system described above, there is defense-in-depth should the reactor not trip. AMSAC actuation is delayed allowing SSPS the opportunity to trip the reactor and actuate ESF components. If SSPS fails to perform its safety function , AMSAC will actuate to preserve a heat sink, preventing core damage. A manual reactor trip from two different handswitches and a manual turbine trip in the Control Room are available, providing diversity and defense-in-depth .

4. Each unit has a designated Preferred offsite power source and a designated Alternate offsite power source. The Preferred offsite power source normally energizes the 6.9kV Class 1E buses. If the Preferred offsite power source is lost, the 6.9kV to TXX-21093 Page 41 of 71 Table E1-3, Conditions Requiring Additional Technical Justification Class 1E buses are automatically energized from the Alternate offsite power source . If the transfer fails , or if the Alternate offsite power source is not available , the diesel generators are started to energize the 6.9kV Class 1E buses. For Conditions B, C, D, E, and F separate entries are allowed by TS 3.3.5. Currently each of these Conditions call for restoring one channel per bus to OPERABLE status within 1 hou r. "Two channels per bus" is acceptable as each bus must have both channels to initiate the start signal for the DG in Conditions B, C, D, or E.

Condition F allows for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore Automatic Actuation Logic and Actuation Relays train(s) whether one or both trains are inoperable. One train is sufficient to start the train-related DG and satisfy the required functionality. If one or both Automatic Actuation Logic and Actuation Relays train(s) are inoperable, then the associated DG(s) are declared inoperable after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. If both buses are found to be inoperable per Conditions B, C, D, or E, then actions for the inoperable source or bus will be required . In applying the RICT, the 1 hou r Completion Times may be extended based on plant configuration and acceptable risk. Failure to meet the Completion Time will cause entry into TS 3.8.1 for an inoperable Diesel Generator in accordance with TS 3.3.5, Condition G.

This TS LCO (3.3 .5) will have a NOTE that states that the RICT may only be applied to one Condition from Conditions B, C, D or E at a time to maintain Function redundancy, independence, diversity, and defense-in-depth .

5. For each unit, the undervoltage protection system , leading to the start of the diesel generators (DG) on loss of offsite power (LOOP) , consists of the following functional groups: Preferred offsite source undeNoltage, alternate offsite source undeNoltage, 6.9kV Class 1E buses loss of voltage , 480V Class 1E buses low grid undeNoltage, 6.9kV Class 1E buses degraded voltage, and 480V Class 1E buses degraded voltage. Each of these groups consists of two sensing relays per bus that provide input to two-out-of-two logic. In general, sensing relays for each train feed a network of logic and actuation relays for their respective trains. The start instrumentation requires that two channels per bus of the loss of voltage and degraded voltage Functions shall be operable . Two trains of Automatic Actuation Logic and Actuation Relays shall also be Operable.

The required channels of LOP DG start instrumentation , in conjunction with the ESF systems powered from the DGs, provide unit protection in the event of any of the analyzed accidents in which a loss of offsite power is assumed .

6. Safety analyses do not take credit for pressurizer heaters. The initial assumption is that the RCS is at normal pressure . Any RICT application will evaluate the anticipated demand for more than one group of heaters. The current model of record does not explicitly model the pressurizer heater directly, instead , we use a surrogate to represent its function/impact in the RICT model. For the RICT, this is done by increasing the likelihood of a reactor trip by a factor of 10 (conseNative modeling). The unavailability of one required group of pressurizer heaters would not have any significant impact on plant transient response so there is no quantifiable impact to CDF or LERF. While mitigation of a SGTR is enhanced by the availability of pressurizer heaters, ECA-3.3A/B, "SGTR without Pressurizer Pressure Control" provides for mitigation of a SGTR without pressurizer heaters, if necessary.

to TXX-21093 Page 42 of 71 Table E1-3, Conditions Requiring Additional Technical Justification Degraded pressurizer heater capability is supplemented by the availability of the remaining heaters for plant pressure control, and the availability of plant procedures which provide plant shutdown and cooldown guidance with pressurizer heaters. If the available heaters are sufficient to maintain RCS pressure control , normal plant operations can continue. CPNPP design includes one control heater group and three backup heater groups. Only two groups of heaters are required with an output of 150 KW each .

7. The Containment Spray (CT) System for each unit consists of two separate and completely redundant safety trains. Each Containment Spray train has two pumps. The CPNPP model of record / RICT model requires two CT spray pumps per train to meet its success criteria (only one train is required to meet the PRA success criteria). As this is explicitly modeled , when either pump (in a train) is removed from service the function is failed for that train and the RICT will be calculated based on the new configuration.

8. The unit can be cooled to residual heat removal (RHR) entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST. Currently the Completion Time for one ARV inoperable is 7 days, for two ARVs inoperable is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, and for three or more ARVs inoperable is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The design basis of the ARVs for the minimum relief capacity is established by the capability to cool the unit to RHR entry conditions and the capability to mitigate a SGTR, The design basis for the maximum relief capacity is established by the 10CFR100 limits for SGTR and the capacity of the MSSVs assumed in the accident analyses . The design cooldown rate of 50°F per hour is applicable for a natural circulation cooldown using two steam generators, each with one ARV. The unit can be cooled to RHR entry conditions with only one steam generator and one ARV, utilizing the cooling water supply available in the CST.

9. The SSWS consists of two separate , 100% capacity, safety related , cooling water trains. Each train consists of one 100%

capacity pump, piping, valving, and instrumentation. The pumps and valves are remote and manually aligned to be operable in the unlikely event of a loss of coolant accident (LOCA). The pumps aligned to their respective loops are automatically started upon receipt of a safety injection signal. An automatic valve in the discharge of each pump is interlocked to open on a pump start. An automatic valve in the SSWS cooling water flow path for each emergency diesel generator automatically opens on a diesel generator start. All other valves are manual valves operated locally. The SSWS also is the backup water supply to the Auxiliary Feedwater System.

Cross-connections are provided between trains and between units such that any pump can supply any other pump's required flow.

to TXX-21093 Page 43 of 71 SAFEGUARDS UNDERVOLTAGE OPERATION OVERVIEW

~ ~

XST1 X y X y XST2 138KV/ 6.9KV EDGl-1

,-y---,. ,-y---,. 345KV/ 6.9KV 5185 Volts 5185 Volts Notes:

~- l EAl-1 and lEAl -2 open automatica lly under the fo llowing conditions:

A. An 86-1 or 86-2 lockout of t heir respective transformer occurs.

B. An 86-1 or 86-2 lockout on 6.9KV Bus lEAl occurs.

cause the applicable bus C. An undervoltage condition occurs as sensed by the applicable Alternate Offsite Source Bus Undervoltage feeder breake r to open. undervoltage relays. (see notes next to the re lays)

NO) lEAl-2 NO) lEGl BTlEAl Preferred Offsite Source Bus Undervoltage NC) lEAl-1 2. l EG l will close in AUTO under the following condit ions:

I

.....,iiiiii,,i,ii..,...

1EA1

_____._ 1

___nNC _ _ _ _ _ _ _ _ _ _...,_1__ A. Th e EOG is at operating Frequency and Voltage.

B. Both lEAl -1 and lEAl -2 are open.

~ 6.9 KV Class 1E Bus Undervoltage I I C. If either Bus l EAl and/or the EOG have a 86-2 lockout, THEN the diesel MUST have started due to either a Safety Injection or Blackout (Emergency Start).

PT/lEAl-1 Setpoint:

2022 Volts Ca use th e following :

1. Starts applicable EDG after 1 sec time delay.

2. Load Shed of Bus lEAl.

3 . Enables permissive to close L L TlEBl NC

)

NC

)

T1EB3 tl . If an 86-1 lockout occurs on Bus lEAl, then all feeder breakers will open and cannot be reclosed until the condition has been reset.

Blackout Sequencer lEAl-2.

4. If not reset within 1 sec then

14. If an 86-1 lockout occurs on EDGl-1, then l EG l will open and Undervoltage EDG starts in Emergen cy cannot be rec losed until the condition has been reset. If an 86-2 Mode. lockout occurs lEGl ca n be closed as long as as the EOG started because of an SI or Blackout (Emergency Start).

ca use t he following:

1. St.a rts 60 sec tim er.

Ca use the following: . 2. At the end of 60 secs, l EAl-1 ~ - The following ou tl ines the normal sequence of events that should

1. Energizes Operator Lockouts & Automatic Setpo1nt: opens. occur on a loss of the normal feeder to the bus.

Lockouts. 6163.2 Volts 3 . 2 secs later if voltage NOT A. l EAl -1 opens either due to low voltage or an 86 lockout of XSTl.

2. Once voltage restored , THEN loads are sequenced restored, THEN lEAl-2 opens.

B. As voltage degrades the Blackout Sequencer will energize all OL and bus a nd Operat or Lockouts are a utom atica lly reset. 6.9 KV Class 1E Bus Degraded Voltage AL contacts.

3. Automatic Lockouts must be ma nually reset. C. Once 2022 volts is reached (a) l EAl load shed occurs, (bl the close permissive for l EAl-2 is enabled (breaker should close) and (c) the EOG gets an emergency start signal AFTER a 1 sec time delay.

N0 lEBl- 1 NC) 1EB3-1 0 . Normally lEAl -2 shou ld close and re-energize the bus before the EOG ever starts. However if the bus is not re-energized in 1 sec the EOG will start and come up to rated voltage and frequency within 1EB1 I 1EB3 I 10 secs.

E. Once voltage drops below 6163.2 volts and l EAl- 1 is open then X vJ voltage must be above the reset voltage within 2 secs or lEAl-2 will LNO PT/lEBl XPT/1EB3 open or if already closed it will be tripped open.

F. I n the event lEAl -2 does not restore voltage then t he lEGl will 336 Volts BT1EB13 336 Volts close as long as its permissives are met (see note 2 above).

G. Once voltage is restored t he BOS wi ll then sequence on all loads onto the bus.

480 V Class 1E Bus Degraded Voltage Figure E1 .1 480 V Class 1E Low Grid Undervoltage to TXX-21093 Page 44 of 71 IRC ORC SPRAY NOZZLES

~  :

RWST

~  : ToS Pl uCT-0050

~  : To SFPCS Refueling Water Purification Pumps PUMPS u-HV-4759 uct:*0078 uCT-0028 CONTAINMENT SUMPS (i:\ ,CT-0026 r;,x-0,L.....-- ~ ~ ~ ,-HV4783: . , . . _ _ __ __

Containment Spray System Figure E1 .2 to TXX-21093 Page 45 of 71 Rx Make-up --.-..--",f-~-...,.....;i_/7'--'---- Demin Water Water Safety ch*ned W ter System Figure E1 .3 U-2 Safety Chill Water Train "A" Train "A" Eva porator Safety Chiller

,--~-:---'---...,,,---1-~ Component Condenser Cooling

'--===_,,.--r-- Water AFW SIP RHR CSP CSP CCP ccw Pump Pump Pump Pump Pump Room Room Room Room Room Safety Chill Water Recirc Pump Tr "A" SFGDs 810' Electrical Switchgear Room From Unit 2 Train "A" Safety Chill SFGDs 852' Electrical Water System Train "B" Chem Add Switchgear Room Tank AFW SIP RHR CSP CSP Safety Chill Water Pump Pump Pump Pump Pump Pump Pump Recirc Pump Tr "B" Room Room Room Room Room Room Room U-2 Safety Chill Water Train "B" to TXX-21093 Page 46 of 71 Table E1-4, Evaluation of Instrument and Control Systems LOP DG Start Accident RTS Function ESFAS Function Equipment ESF Equipment Function 15.1 INCREASE IN HEAT REMOVED BY THE SECONDARY SYSTEM Feedwater system

• Overpower N-16 malfunctions that result

• Power range high flux in a decrease in

• Overtemperature feedwater temperature N-16

• Manual Feedwater system

• Power range high flux

• High SG level

• FWIVs malfunctions that result

• High SG level (P-14) produced in an increase in

• Manual FWI & Turbine feedwater flow Trio Excessive increase in

• Power range high flux

• PRZR Safety secondary steam flow

• Overtemperature Valves N-16

• MSSVs

• Overpower N-16

• Manual Inadvertent opening of a

• Low PRZR Press

• Low PRZR Press

• FWIVs

• AFW System steam generator relief or safety valve

• Manual

• SI siqnal

• Low MSL Press

• Manual

• MSIVs

• SI System Steam system piping

• SI signal

• Low PRZR Press (Note 1)

• FWIVs

• AFW System failure

• Low PRZR Press

• Low MSL Press

• MSIVs ie SI System

• Manual

• CNTMT Press High 1

• Manual to TXX-21093 Page 47 of 71 Table E1-4, Evaluation of Instrument and Control Systems LOP DG Start Accident RTS Function ESFAS Function Equipment ESF Equipment Function 15.2 DECREASE IN HEAT REMOVAL BY THE SECONDARY SYSTEM Loss of external

• High PRZR Press le PRZR Safety electrical load / turbine

• Overtemperature Valves trip N-16 le MSSVs

• Manual Loss of non-emergency

• Low-Low SG level

• Low-Low SG level Note 2 1e MSSVs

• AFW System AC power to the station

• Manual (AFW Initiation) auxiliaries Loss of normal feedwater

• Low-Low SG level

• Low-Low SG level MSSVs AFW System flow

• Manual Feedwater system pipe

• Low-Low SG level

• CNTMT Press Note 1

• MSIVs le AFW System break

• High PRZR Press High 1

• Low-Low SG level

• Feedline isolation 1e SI System

• SI signal

• PRZR Safety

• Manual

• Low MSL Press Valves

• MSSVs 15.3 DECREASE IN REACTOR COOLANT SYSTEM FLOW RATE Partial and complete

• RCS low flow le MSSVs loss of forced reactor

• RCP undervoltage coolant flow

• RCP underfrequency

• Manual Reactor coolant pump

• RCS low flow

• PRZR Safety shaft seizure (locked

• Manual Valves rotor)

• MSSVs to TXX-21093 Page 48 of 71 Table E1-4, Evaluation of Instrument a1n d Control Systems LOP DG Start Accident RTS Function ESFAS Function Equipment ESF Equipment Function 15.4 REACTIVITY AND POWER DISTRIBUTION ANOMALIES Uncontrolled rod cluster

• Power range high flux control assembly bank (Low setpoint) withdrawal from a

• Manual subcritical or low power startup condition Uncontrolled rod cluster

• Power range high flux

• PRZR Safety control assembly bank

• Power range high flux Valves withdrawal at power rate

• MSSVs

• Overtemperature N-16

• Overpower N-16

• High PRZR Press

• Manual Rod cluster control assembly misalignment

• • Overtemperature Low PRZR Press N-16

• Manual Chemical and Volume

• Source range high

• Rod insertion limit Control System flux alarms malfunction that results

• Power range high flux

• VCT high level in a decrease in boron

• Power range high flux

• CVCS/RMWS concentration in the (Low setpoint) alarms reactor coolant

• Overtemperature N-16

• Manual Spectrum of rod cluster

• Power range high flux control assembly

• Power range high flux ejection accidents (Low setpoint)

• Power range high flux rate

• Manual to TXX-21093 Page 49 of 71 Table E1-4, Evaluation of Instrument and Control Systems LOP DG Start Accident RTS Function ESFAS Function Equipment ESF Equipment Function 15.5 INCREASE IN REACTOR COOLANT INVENTORY Inadvertent operation of

• Low PRZR Press

• SI System the ECCS during power

• Manual operation

• SI signal 15.6 DECREASE IN REACTOR COOLANT INVENTORY Inadvertent opening of a

• Low PRZR Press pressurizer safety or

• Overtemperature relief valve N-16

• Manual Steam generator tube

• Low PRZR Press

• Low PRZR Press Note 1

• SSW System

• ECCS failu re

• Overtemperature

• Manual

• CCW System

• AFW System N-16

• MSSVs / ARVs

• MSSVs / ARVs

• Manual

• MSIVs

• Emergency

• PORVs Power Loss of coolant accidents

• RTS

• ESFAS Note 1

• SSW System

• ECCS resulting from the

• CCW System

• AFW System spectrum of postulated

• MSSVs / ARVs

• CNTMT Spray piping breaks within the

• Emergency reactor coolant pressure Power boundary Notes

1. The emergency Diesel Generators (DG) have two automatic starts outside of the starts provided in TS LCO 3.3.5, LOP DG Start Instrumentation ; Blackout (undervoltage) and Safety Injection (SI). If the SI is the event initiator the SI starts the DG . If a loss of all offsite power (LOOP) is the event initiator the Blackout will start the DG. The starts provided in LCO 3.3.5 are anticipatory to a loss of offsite power. Separate relays provide the starts form LCO 3.3.5 Functions.

to TXX-21093 Page 50 of 71 Table E1-4, Evaluation of Instrument and Control Systems

2. A loss of non-emergency offsite power will likely be accompanied by a loss of safety related offsite power. If that is so the Blackout (undervoltage) will start the DGs. If the Blackout start malfunctions, then any of the LCO 3.3.5 will start the DGs due to degraded voltage or undervoltage.

to TXX-21093 Page 51 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either 1 Manual Reactor Trip (Two handswitches) 1/2 of two reactor trip switches in the control room . A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions.

The Power Range Neutron Flux-High trip Function ensures that protection is provided , from all power levels, against a 2.a Power Range Neutron Flux High setpoint 2/4 positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature .

[Required below P-10]

The LCO requirement for the Power Range Neutron Flux-2.b Power Range Neutron Flux Low setpoint Low trip Function ensures that 2/4 protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA or an Power Range Neutron Flux Rate High uncontrolled RCCA bank 3 2/4 withdrawal during power (Positive Rate) operation . This Function complements the Power Range Neutron Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range or an uncontrolled RCCA bank withdrawal during power operation.

to TXX-21093 Page 52 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence

[Required above P-6 and below P-10)

The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an 4 Intermediate Range Neutron Flux uncontrolled RCCA bank rod 1/2 withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function.

[Required below P-6)

The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod 5 Source Range Neutron Flux withdrawal accident from a 1/2 subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux trip Functions.

The Overtemperature N-16 trip Function is provided to ensure that the design limit DNBR is met. The inputs to the Overtemperature N-16 trip 6 Overtemperature N-16 2/4 include pressure, coolant temperature, axial power distribution , and reactor power as indicated by loop N-16 power monitors, assuming full reactor coolant flow.

The Overpower N-16 trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all 7 Overpower N-16 possible overpower conditions.

2/4 This trip Function also limits the required range of the Overtemperature N-16 trip Function and provides a backup to the Power Range Neutron Flux-High Setpoint trip.

to TXX-21093 Page 53 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence

[Required above P-7]

The Pressurizer Pressure-Low trip Function ensures that 8.a Pressurizer Pressure Low 2/4 protection is provided against violating the DNBR limit due to low pressure.

The Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing the RCS . This 8.b Pressurizer Pressure High 2/4 trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

[Required above P-7]

The Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides 9 Pressurizer Water Level High 2/3 protection against water relief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their design enerqy removal rate .

[Required above P-8]

The Reactor Coolant Flow-Low trip Function ensures that protection is provided against 10 Reactor Coolant Flow Low (1 of 4 loops) 2/3 violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.

[Required above P-7 and below P-8]

The Reactor Coolant Flow-Low trip Function ensures that protection is provided against 10 Reactor Coolant Flow Low (2 of 4 loops) 2/3 violating the DNBR limit due to low flow in two or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.

to TXX-21093 Page 54 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence

[Required above P-7]

The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit 12 Undervoltage RCPs (1 per RCP) 2/4 due to a loss of flow in two or more RCS loops.

This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low Trip Setpoint is reached.

[Required above P-7]

The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the 13 Underfrequency RCPs (1 per RCP) 2/4 pumps, thereby reducing their coastdown time following a pump trip. An adequate coastdown time is required so that reactor heat can be removed immediately after reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low Trip Setpoint is reached.

The SG Water Level-Low Low trip Function ensures that protection is provided against a 14 SG Water Level Low-Low (1 of 4 SGs) 2/4 loss of heat sink and actuates the AFW System prior to uncoverinQ the SG tubes.

to TXX-21093 Page 55 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence

[Required above P-9]

The Turbine Trip-Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient 16.a Turbine Trip - Low Fluid Oil Pressure on the reactor. Any turbine trip 2/3 from a power level below the P-9 setpoint of 50% power will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System . A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip.

[Required above P-9]

The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip . The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. This trip 16.b Turbine Trip - Turbine Stop Valve Closure 4/4 Function will not and is not required to operate in the presence of a single channel failure. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure triJ:>. Function.

The SI Input from ESFAS ensures that if a reactor trip has not already been generated by 17 SI signal from ESFAS (2 trains) 1/2 the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any automatic signal that initiates SI.

to TXX-21093 Page 56 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions 18 RTS Interlocks under which the safety analysis assumes the Functions are not bypassed . Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES.

The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel P-6, Intermediate Range Neutron Flux goes approximately one decade 18.a 1/2 above the minimum channel reading . If both channels drop below the setpoint, the permissive will automatically be defeated .

[Required when P-10 or P-13 :::_

10%]

The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13 interlock. Above 18.b P-7, Low Power Reactor Trip Blocks 1/2 P-7 the following reactor trips are enabled, below P-7 they are blocked automatically;

• PRZR Pressure Low

• PRZR Water Level High

• RCS Flow Low

• Undervoltage RCPs

• Underfrequencv RCPs to TXX-21093 Page 57 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence The Power Range Neutron Flux, P-8 interlock is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low reactor trip on low 18.c P-8, Power Range Neutron Flux 2/4 flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than 48% power.

The Power Range Neutron Flux, P-9 interlock is actuated at approximately 50% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip-Low Fluid Oil Pressure and Turbine Trip-Turbine Stop Valve Closure 18.d P-9, Power Range Neutron Flux 2/4 reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacities of the Steam Dump and Rod Control Systems. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The Power Range Neutron Flux, P-10 interlock is actuated at 10% power, as determined by two-out-of-four NIS power 18.e P-10, Power Range Neutron Flux 2/4 range detectors. If power level

- falls below 10% RTP on 3 of 4 channels , the nuclear instrument trips will be automatically unblocked .

to TXX-21093 Page 58 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence The Turbine First Stage Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the full power pressure. The full power P-13, Turbine First Stage Pressure 18.f 1/2 pressure corresponds to the first stage pressure at 100%

RTP. The interlock is determined by one-out-of-two pressure detectors . The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of 19 Reactor Trip Breakers (RTB) (2 trains) 1/2 supplying power to the CRD System. Thus, the train may consist of the main breaker or the main breaker and bypass breaker, depending upon the system configuration . Two OPERABLE trains ensure no single random fa ilure can disable the RTS trip capability.

The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service.

The trip mechanisms are not required to be OPERABLE for trip breakers that are open ,

racked out, incapable of RTB Undervoltage & Shunt Trip 20 1/2 supplying power to the Rod Mechanisms (1 per RTB)

Control System or declared inoperable under Function 19.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

to TXX-21093 Page 59 of 71 Table E1-5, Reactor Trip System (RTS) Instrumentation Functions Degree of RTS Function Redundancy- Notes Coincidence The LCO requirement for the RTBs (Functions 19 and 20) and Automatic Trip Logic (Function 21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core.

Each RTB is equipped with an undervoltage coil and a shunt 21 Automatic Trip Logic (2 trains) 1/2 trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

to TXX-21093 Page 60 of 71 Table E1 -6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Provides two primary functions;

1. Remove heat via water addition ; and 1 Safety Injection

2. Add boron to recover and maintain core reactivity neqative.

Each handswitch actuates both 1.a Manual (2 handswitches) 1/2 trains. Also initiates a manual reactor trio.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 1.b 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Provides no input to any control functions . Thus, three OPERABLE channels are 1.c Containment Pressure High 1 2/3 sufficient to satisfy protective requirements with a two-out-of-three logic.

Provides both control and protection functions: input to the 1.d Pressurizer Pressure Low 2/4 Pressurizer Pressure Control System , reactor trip , and SI.

May block below P-11 Provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to Steam Line Pressure Low (1 of 4 steam 1.e 2/3 satisfy the protective lines) requirements with a two-out-of-three logic on each steam line. May block below P-11 Provides three primary functions :

1. Lower CNTMT pressure &

temperature ;

2 Containment Spray

2. Reduce CNTMT atmosphere iodine; and

3. Adjust pH of CNTMT sump water after LB LOCA to TXX-21093 Page 61 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train .

Because an inadvertent actuation of containment spray could have such serious consequences, two switches 2.a Manual (2/2 handswitches) 1/2 locations must be turned simultaneously to initiate containment spray.

There are two sets of two switches each in the control room. Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation siqnal.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 2.b 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the CNTMT Spray equipment.

This Function requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be 2.c Containment Pressure High 3 2/4 serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation .

Four channels are used in a two-out-of-four logic confiquration.

to TXX-21093 Page 62 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the 3 Containment Isolation environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a LB LOCA.

Phase A containment isolation is actuated automatically by SI, or manually via the automatic 3.a Phase A Isolation actuation logic. All process lines penetrating containment, with the exception of CCW (RCP CoolinQ), are isolated.

Accomplished by either of two switches in the control room . Either switch actuates 3.a.(1) Manual (2 handswitches) 1/2 locations both trains . Also actuates Containment Ventilation Isolation (CVI).

Requires two trains to be OPERABLE . Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 3.a.(2) 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the Phase A equipment.

Initiated by all Functions 3.a.(3) Safety Injection (Any SI signal) that initiate SI. (Function 1)

Actuated by Containment Pressure-High 3 or manually.

3.b Phase B Isolation RCPs need to be secured as CCW will be isolated.

Accomplished by the same switches that actuate Containment Spray. When the two switches in either set are 3.b.(1) Manual (2/2 handswitches) 1/2 locations turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

to TXX-21093 Page 63 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Requires two trains to be OPERABLE. Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 3.b.(2) 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the Phase B equiQment.

This Function requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of 3.b.(3) Containment Pressure High 3 containment spray could be 2/4 serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation .

Four channels are used in a two-out-of-four logic configuration .

Provides protection in the event of an SLB inside or outside containment. Rapid isolation of 4 Steam Line Isolation the steam lines will limit the steam break accident to the blowdown from one SG, at most.

Accomplished from the control room . There are two switches in 4.a Manual (2 handswitches) 1/2 the control room and either switch can initiate action to immediately close all MSIVs.

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 4.b 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the SU equipment.

Actuates closure of the MS IVs in the event of a LOCA or an SLB inside containment to 4.c Containment Pressure High 2 maintain at least one 2/3 unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

to TXX-21093 Page 64 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Provides closure of the MS IVs in the event of an SLB to maintain at least one unfaulted 4.d Steam Line Pressure SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of 4.d.(1) Low 2/3 steam for the turbine driven AFW pump. May block below P-11 Provides closure of the MS IVs for an SLB when less than the P-11 setpoint to maintain at 4.d .(2) Negative Rate - High (1/4 steam lines) 2/3 least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment.

The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent 5 Turbine Trip & Feedwater Isolation damage to the turbine due to water in the steam lines and to stop the excessive flow of feedwater into the SGs .

Requires two trains to be OPERABLE. Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 5.a 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating turbine trip and FWI.

P-14 (Protection Grade Signal) provides protection against excessive feedwater flow.

5.b SG Water Level High-High P-14 2/3 Trips MFW pumps (1 of 4 SGs)

Trips Main Turbine Generates FWI siqnal Initiated by all Functions that 5.c Safety Injection (Any SI signal) initiate SI.

Provide a secondary side heat sink for the reactor in the event 6 Auxiliary Feedwater that the MFW System is not available.

to TXX-21093 Page 65 of 71 Table E1-6, Engineered Safety Features Actuation System {ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Requires two trains to be OPERABLE. Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 6.a 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the AFW equipment.

Provides protection against a loss of heat sink. A feed line break, inside or outside of 6.c SG Water Level Low-Low ( 1 of 4 SGs) 2/4 containment, or a loss of MFW, would result in a loss of SG water level.

Initiated by all Functions that 6.d Safety Injection (Any SI signal) initiate SI.

During a loss of offsite power, to both safety related busses feeding the motor driven AFW pumps, the loss of power to the bus feeding the turbine driven AFW pump valve control motor will start the turbine driven AFW 6.e Loss of Offsite Power (1 per train) 1/2 pump to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. Blackout undervoltaqe starts the DGs.

A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for Trip of All Main Feedwater Pumps 6.g 2/2 some method of decay heat (2 per pump) and sensible heat removal to bring the reactor back to no load temperature and pressure.

At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the Automatic Switchover to Containment ECCS to remove decay heat.

7 Sump The source of water for the RHR pumps is semi-automatically switched to the containment recirculation sumos.

to TXX-21093 Page 66 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Requires two trains to be OPERABLE . Actuation logic consists of all circuitry Automatic Actuation Logic and Actuation housed within the actuation 7.a 1/2 Relays (2 trains) subsystems, including the initiating relay contacts responsible for actuating the Auto-Switchover equipment.

During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low-low level in the RWST coincident with an SI 7.b Refueling Water Storage Tank 2/4 signal provides protection (RWST) Level Low-Low against a loss of water for the ECCS pumps and indicates the end of the ECCS injection phase of the LOCA.

Interlock Functions back up manual actions to ensure by passable functions are in 8 ESFAS Interlocks operation under the conditions assumed in the safety analyses.

The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open . The P-4 permissive also prevents re-actuation of safety injection after a manual reset of safety injection following at least a 60 second delay time. This Function allows operators to 8.a P-4 , Reactor Trip (1 per train) 1/2 take manual control of SI systems after the initial phase of injection is complete. Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed.

• Trips main turbine

• FWI with low Tavg

• Arms Steam Dumps

• Prevents openinq FWIVs to TXX-21093 Page 67 of 71 Table E1-6, Engineered Safety Features Actuation System (ESFAS)

Instrumentation Functions Degree of ESFAS Function Redundancy- Notes Coincidence Permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. Below setpoint operator can manually block; 8.b P-11, Pressurizer Pressure 2/3

• PRZR Press low SI ,

• MSL Press low SI, and

• Enables MSL Negative rate Above setpoint blocks are automatically removed.

to TXX-21093 Page 68 of 71 Table E1-7, Loss of Power (LOP) Diesel Generator (DG) Start lnstrumentaion Functions Degree of LOP DG Start Function Redundancy- Notes Coincidence Sensing relays for each train feed a network of logic and actuation relays for their Automatic Actuation Logic and Actuation respective trains. The network 1 1/2 Relays (2 trains) of logic and actuation relays actuate the offsite power source breakers and generator start siqnals.

If not restored to OPERABLE within one hour declare preferred offsite power sou rce 2 Preferred offsite source bus undervoltage 2/2 inoperable and within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> open supply breaker to exit applicability. Requires entry into LCO 3.8.1.

If not restored to OPERABLE within one hour declare alternate offsite power source 3 Alternate offsite source bus undervoltage 2/2 inoperable and within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> open supply breaker to exit applicability. Requires entry into LCO 3.8.1.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9kv 4 6.9 kV Class 1E bus undervoltage 2/2 bus. Group consists of two sensing relays per bus that provide input to two-out-of-two loqic.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9kv 5 6.9 kV Class 1E bus degraded voltage 2/2 bus. Group consists of two sensing relays per bus that provide input to two-out-of-two logic.

Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9kv 6 480 V Class 1E low grid undervoltage 2/2 bus . Group consists of two sensing relays per bus that provide input to two-out-of-two logic.

to TXX-21093 Page 69 of 71 Table E1-7, Loss of Power (LOP) Diesel Generator (DG) Start lnstrumentaion Functions Degree of LOP DG Start Function Redundancy- Notes Coincidence Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs in the 6.9kv 7 480 V Class 1E bus degraded voltage 2/2 bus. Group consists of two sensing relays per bus that provide input to two-out-of-two loqic.

to TXX-21093 Page 70 of 71 Table E1-8, Event Protection and Diverse Functions Event Primary Protection Diverse/DID Protection Uncontrolled RCCA Bank 2.b. Power Range Neutron Flux 3. Power Range Neutron Flux Withdrawal from Subcritical Low setpoint Rate High (Positive Rate)

4. Intermediate Range Neutron Flux High

5. Source Range Neutron Flux High Uncontrolled RCCA Bank 2.a. Power Range Neutron Flux 8.b. Pressurizer Pressure High Withdrawal at Power High setpoint 9. Pressurizer Water Level

6. Overtemperature N-16 High

7. Overpower N-16 RCCA Drop 6. Overtemperature N-16 8.b. Pressurizer Pressure High eves Malfunction Resulting in 2.b. Power Range Neutron Flux 6. Overtemperature N-16 Boron Dilution Low setpoint 7. Overpower N-16 2.a . Power Range Neutron Flux HiQh setpoint Startup of Inactive Loop 10. Reactor Coolant Flow Low 12. Undervoltage RCPs (1 of 4 loops above P-9)) 13. Underfrequency RCPs

10. Reactor Coolant Flow Low (2 of 4 loops below P-9))

Feedwater Enthalpy Reduction 2.a. Power Range Neutron Flux 8.a. Pressurizer Pressure Low Incident High setpoint

6. Overtemperature N-16

7. Overpower N-16 Excessive Feedwater Flow ESF 2.a. Power Range Neutron Flux 5.b. SG Water Level High-High High setpoint (P-14) 6. Overtemperature N-16

7. Overpower N-16 16.a. Low Fluid Oil Pressure 16.b. Turbine Stop Valve Closure Excessive Load Increase 2.a. Power Range Neutron Flux 8.a. Pressurizer Pressure Low Incident High setpoint

6. Overtemperature N-16

7. Overpower N-16 Loss of Flow/Locked Rotor 10. Reactor Coolant Flow Low 8.b. Pressurizer Pressure High (1 of 4 loops above P-9)) 12. Undervoltage RCPs

10. Reactor Coolant Flow Low 13. Underfrequency RCPs (2 of 4 loops below P-9))

Loss of External Electrical 6. Overtemperature N-16 9. Pressurizer Water Level Load/Turbine Trip 7. Overpower N-16 High 8.b. Pressurizer Pressure High 16.a. Low Fluid Oil Pressure 16.b. Turbine Stop Valve Closure

14. SG Water Level Low-Low ESF 6.c. SG Water Level Low-Low to TXX-21093 Page 71 of 71 Table E1-8, Event Protection and Diverse Functions Event Primary Protection Diverse/DID Protection Loss of Normal Feedwater 14. SG Water Level Low-Low 8.b. Pressurizer Pressure High ESF 9. Pressurizer Water Level 6 .c. SG Water Level Low-Low High Loss of AC Power (Station 14. SG Water Level Low-Low 8.b. Pressurizer Pressure High Blackout) ESF 9. Pressurizer Water Level 6.c. SG Water Level Low-Low High Feedwater Linebreak 14. SG Water Level Low-Low 6. Overtemperature N-16 ESF 7. Overpower N-16 6.c. SG Water Level Low-Low 8.b. Pressurizer Pressure High

9. Pressurizer Water Level High ESF 1.e. Steam Line Pressure Low 4 .d.(1) Steam Line Pressure Low Steamline Break ESF 2.a. Power Range Neutron 4.d.(1) Steam Line Pressure Flux High setpoint Low 6. Overtemperatu re N-16 1.d . Pressurizer Pressure Low 7. Overpower N-16 ESF 1.c. Containment Pressure High 1 4.c. Containment Pressure High 2 RCCA Ejection 2.a . Power Range Neutron Flux 3. Power Range Neutron Flux High setpoint Rate High (Positive Rate)

4. Intermediate Range Neutron Flux High

5. Source Range Neutron Flux High ESF 1.c. Containment Pressure High 1 1.d. Pressurizer Pressure Low Loss of Coolant Accident ESF ESF 1.d. Pressurizer Pressure Low 1.c. Containment Pressure High 1 Steam Generator Tube Rupture 6. Overtemperature N-16 8.a. Pressurizer Pressure Low

7. Overpower N-16 ESF 1.d. Pressurizer Pressure Low Spurious SI 8.b. Pressurizer Pressure High The PRZR PORVs and PRZR Safety Valves provide protection during a spurious SI event.

RCS Depressurization 8.a. Pressurizer Pressure Low 6. Overtemperature N-16 ESF 7. Overpower N-16 1.d. Pressurizer Pressure Low to TXX-21093 Page 1 of 3 ENCLOSURE 7 License Amendment Request Comanche Peak Nuclear Power Plant, Units 1 and 2 NRC Docket Nos. 50-445 and 50-446 Revise Technical Specifications to Adopt Risk Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" PBA Model Update Process to TXX-21093 Page 2 of 3 1.0 Introduction Section 4.0, Item 8 of the Nuclear Regulatory Commission's (NRC) Final Safety Evaluation [Ref. 1] for NEI 06-09-A, Revision 0-A, "Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS)

Guidelines," [Ref. 2] requires that the license amendment request (LAR) provide a discussion of the licensee's programs and procedures which assure the PRA models which support the RMTS are maintained consistent with the as-built/as-operated plant.

This enclosure describes the administrative controls and procedural processes applicable to configuration control of the PRA model used to support the Risk-Informed Completion Time (RICT) Program , which will be in place to ensure that these models reflect the as-built/as-operated plant. Plant changes , including physical modifications and procedure revisions, will be identified and reviewed prior to implementation to determine if they could impact the PRA models per STA-762 [Ref. 3] and STl-762.02

[Ref. 4]. The configuration control program will ensure these plant changes are incorporated into the PRA models as appropriate. The process will include discovered conditions associated with the PRA models, which will be addressed by the site Corrective Action Program.

Should a plant change or a discovered condition be identified that has a significant impact to the RICT Program calculations as defined by the above procedure, an unscheduled update of the PRA model will be implemented . Otherwise, the PRA model change is incorporated into a subsequent periodic model update. Such pending changes are considered when evaluating other changes until they are fully implemented into the PRA models.

2.0 PRA Model Update Process 2.1 Internal Event, Internal Flood, and Fire PRA Model Maintenance and Update The risk management process ensures that the applicable PRA model used for the RICT Program reflects the as-built/as-operated plant for each of the Comanche Peak units. The PRA configuration control process delineates the responsibilities and guidelines for updating the full power internal events, internal flood , and fire PRA models, and includes both periodic and unscheduled PRA model updates.

The process includes provisions for monitoring potential impact areas affecting the technical elements of the PRA models (e.g ., due to plant changes, plant/industry operational experience, or errors or limitations identified in the model), assessing the individual and cumulative risk impact of unincorporated changes, and controlling the model and necessary computer files , including those associated with the Real Time Risk model.

2.2 Review of Plant Changes for Incorporation into the PRA Model

1. Plant changes or discovered conditions are reviewed for potential impact to the PRA models, including the Real Time Risk Monitor model (NEI 06-09-A, Section 2.3.4 , Items 7.2 and 7.3, and 2.3.5, Items 9.2 and 9.3).

2. Plant changes that meet the criteria defined in Reference 4 (including consideration of the cumulative impact of other pending changes) will be incorporated in the applicable PRA model(s), consistent with the NEI 06-09-A guidance. Otherwise, the change is assigned a priority and is incorporated at a subsequent periodic update consistent with procedural requirements. (NEI 06 A , Section 2.3.5, Item 9.2) to TXX-21093 Page 3 of 3

3. PRA updates for plant changes are performed at least once every 48 months. A single PRA model is used fo r both Comanche Peak units. Each Comanche Peak unit has a nominal 18-month refueling cycle ; the outages are staggered by approximately 6 to 9 months. Therefore , a standard frequency of 48 months for PRA model updates is specified.

In order to captu re input from both units across two refueling cycles it could take between 42 and 45 months based on variations in operating cycles. With CPNPP periodic basis at 48 months we ensure that the update includes two refueling cycles for each unit while not exceeding two refueling cycles on either unit.

4. If a PRA model change is required for the Real Time Risk Monitor model, but cannot be immediately implemented for a significant plant change or discovered condition , either:

a. Interim analyses to address the expected risk impact of the change will be performed . In such a case, these interim analyses become part of the RICT Program calculation process until the plant changes are incorporated into the PRA model during the next update. The use of such bounding analyses is consistent with the guidance of NEI 06-09-A.

b. Appropriate administrative restrictions on the use of the RICT Program for extended Completion Times are put in place until the model changes are completed , consistent with the guidance of NEI 06-09-A.

These actions satisfy NEI 06-09-A , Section 2.3.5, Item 9.3.

3.0 References

1. Letter from Jennifer M. Golder (NRC) to Biff Bradley (NEI), "Final Safety Evaluation for Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06 A , 'Risk-Informed Technical Specifications Initiative 4b , Risk-Managed Technical Specifications (RMTS) Guidelines,"' dated May 17, 2007 (ADAMS Accession No. ML071200238)

2. Nuclear Energy Institute (NEI) Topical Report (TR) NEI 06-09-A, "Risk-Informed Technical Specifications Initiative 4b , Risk-Managed Techn ical Specifications (RMTS) Guidelines," Revision 0-A, dated October 12, 2012 (ADAMS Accession No. ML12286A322)

3. STA-762, "Risk Informed Completion Time Implementation"

4. STl-762.02, "Risk-Informed Completion Times - PRA Model Configuration Control"