Text

Response to NRC Request for Additional Information Regarding License Amendment Request Proposing Changes to the Technical Specification 3.8.1
	ML18337A277
Person / Time
Site:	Mcguire, McGuire
Issue date:	12/03/2018
From:	Capps S; Duke Energy Carolinas
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	RA-18-0229
	Download: ML18337A277 (98)
	v • d • e

( ~ DUKE Steven Capps ENERGY 526 S. Church Street Charlotte, NC 28202 Mailing Address:

EC07H / P.O. Box 1006 Charlotte, NC 28202 980.373.1295 Steven.Capps@duke-energy.com Serial: RA-18-0229 10 CFR 50.90 December 3, 2018 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 MCGUIRE NUCLEAR STATION, UNIT NOS. 1 AND 2 DOCKET NOS. 50-369 AND 50-370 RENEWED LICENSE NOS. NPF-9 AND NPF-17

SUBJECT:

RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION (RAI)

REGARDING LICENSE AMENDMENT REQUEST PROPOSING CHANGES TO THE TECHNICAL SPECIFICATIONS 3.8.1 FOR MCGUIRE NUCLEAR STATION

REFERENCES:

1. Duke Energy letter, License Amendment Request Proposing Changes to Catawba and McGuire Technical Specification 3.8.1, AC Sources - Operating, dated May 2, 2017 (ADAMS Accession No. ML17122A116).

2. Duke Energy letter, Supplement to License Amendment Request Proposing Changes to Catawba and McGuire Technical Specification 3.8.1, AC Sources - Operating, dated July 20, 2017 (ADAMS Accession No. ML17201Q132).

3. Duke Energy letter, Supplement to License Amendment Request Proposing Changes to Catawba and McGuire Technical Specification 3.8.1, AC Sources - Operating, dated November 21, 2017 (ADAMS Accession No. ML17325A588).

4. Duke Energy letter, Supplement to License Amendment Request Proposing Changes to Catawba and McGuire Technical Specification 3.8.1, AC Sources - Operating, dated July 10, 2018 (ADAMS Accession Nos. ML18191A500, ML18191A564, ML18191A545).

5. NRC E-Mail, Request for Additional Information - McGuire Nuclear Station, Units 1 and 2 - ESPS LAR, dated November 2, 2018 (ADAMS Accession No. ML18306A937).

Ladies and Gentlemen:

In Reference 1, as supplemented by References 2, 3, and 4, Duke Energy Carolinas, LLC (Duke Energy) submitted a License Amendment Request (LAR) for McGuire Nuclear Station (MNS), Units 1 and 2. The proposed change would extend the Completion Time for an

U.S. Nuclear Regulatory Commission RA-18-0229 Page2 inoperable diesel generator in Technical Specification (TS) 3.8.1, "AC Sources - Operating" at the station. The proposed change would also alter the AC power source operability requirements for the Nuclear Service Water System (NSWS), Control Room Area Ventilation System (CRAVS), Control Room Area Chilled Water System (CRACWS) and Auxiliary Building Filtered Ventilation Exhaust System (ABFVES) (i.e., shared systems).

By correspondence dated November 2, 2018 (Reference 5), the Nuclear Regulatory Commission (NRC) staff requested additional information from Duke Energy that is needed to complete the LAR review. provides Duke Energy's response to the NRC RAI. Attachment 2 contains proposed markups of MNS TS 3.8.1, which supersede all previous submittals. Attachment 3 contains proposed markups of TS 3.8.1 Bases. Attachment 4 provides the comprehensive list of regulatory commitments that are associated with the LAR.

The conclusions of the original No Significant Hazards Consideration and Environmental Consideration in the original LAR are unaffected by this RAI response.

In accordance with 10 CFR 50.91, Duke Energy is notifying the state of North Carolina of this LAR by transmitting a copy of this letter and attachments to the designated state official. Should you have any questions concerning this letter, or require additional information, please contact Art Zaremba, Manager - Nuclear Fleet Licensing, at 980-373-2062.

I declare under penalty of perjury that the foregoing is true and correct. Executed on Sincerely, Steven Capps Senior Vice President, Nuclear Operations NDE Attachments:

1. Response to NRC Request for Additional Information

2. Revised McGuire Technical Specification 3.8.1 Marked Up Pages

3. Revised McGuire Technical Specification Bases 3.8.1 Marked Up Pages

4. Regulatory Commitments

U.S. Nuclear Regulatory Commission RA-18-0229 Page 3 cc: (all with Attachments unless otherwise noted)

C. Haney, Regional Administrator USNRC Region II G.A. Hutto, USNRC Senior Resident Inspector M. Mahoney, NRR Project Manager W.L. Cox, III, Section Chief, NC DHSR

U.S. Nuclear Regulatory Commission RA-18-0229 Page 4 bcc: (with all Attachments, unless otherwise noted)

S.D. Capps M.C. Nolan A.H. Zaremba N.D. Edwards J.L. Vaughan R.I. Rishel ELL File: (Corporate)

T. Ray N.E. Kunkel S. Snider J. Glenn J. Thomas J.F. Hussey L. Hentz P. Howell (For MNS Licensing/Nuclear Records)

MNS Master File 801.01 - MG02DM

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 1 of 51 Attachment 1 Responses to the NRC Request for Additional Information

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 2 of 51 NRC Request for Additional Information:

By letter dated May 2, 2017 (Agencywide Documents Access management System (ADAMS)

Accession No. ML17122A116), as supplemented by letters dated July 20, 2017 (ADAMS Accession No. ML17201Q132), November 21, 2017 (ADAMS ML17325A588), and July 10, 2018 (ADAMS Accession No. ML18192A002), Duke Energy Carolinas, LLC (Duke Energy, the licensee), requested an amendment to Renewed License Nos. NPF-9 and NPF-17 for McGuire Nuclear Station (McGuire), Units 1 and 2. The proposed amendment would revise the McGuire Technical Specifications (TS) 3.8.1, AC [Alternating Current] Sources - Operating, to allow the extension of the Completion Time (CT) for an inoperable diesel generator (DG) from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to 14 days, and to ensure that at least one train of shared components has an operable emergency power supply. The proposed changes to TS 3.8.1 in the July 10, 2018 letter superseded the proposed TS 3.8.1 changes in the November 21, 2017 and May 2, 2017 letters.

The proposed TS changes in the July 10, 2018 letter would revise McGuire TS 3.8.1 by adding

1) new LCOs for the opposite unit AC power sources to supply power for the required shared systems; 2) new Required Actions (RAs) and CTs associated with Condition B (inoperable DG);

and 3) new Conditions and associated RAs and CTs to address new the LCOs for shared systems. To support the 14-day extended CT request, McGuire will add a supplemental AC power source (i.e., two supplemental diesel generators (SDGs) per station) with the capability to power any emergency bus. The SDGs will have the capacity to bring the affected unit to cold shutdown. The supplemental AC power source will be referred to as the Emergency Supplemental Power Source (ESPS).

The LAR for McGuire, Units 1 and 2, dated May 2, 2017, states that the proposed change to the TS completion time (CT) has been developed using the risk-informed processes described in Regulatory Guide (RG) 1.174, Revision 2, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" ADAMS Accession No. ML100910006), and RG 1.177, Revision 1, An Approach for Plant-Specific, Risk-Informed Decision-making: Technical Specifications (ADAMS Accession No. ML100910008). Based on Section 2.3.1 of RG 1.177, the technical adequacy of the probabilistic risk assessment (PRA) must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. The RG 1.177 endorses the guidance provided in RG 1.200, Revision 2, "An Approach for Determining the Technical Adequacy of PRA Results for Risk-Informed Activities (ADAMS Accession No. ML090410014), on PRA technical adequacy. The RG 1.200 describes a peer review process utilizing American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) PRA standard RA-Sa-2009, "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addendum A to RA-S-2008," as one acceptable approach for determining the technical adequacy of the PRA once acceptable consensus approaches or models have been established for evaluations that could influence the regulatory decision.

The NRC staff conducted an audit at Duke Energy offices in Charlotte, North Carolina from May 8 - 10, 2018 (ADAMS Accession No. ML18249A046). The Duke Energy staff was provided a set of audit questions that were discussed during the audit. NRC staff provided a verbal brief to Duke Energy at the end of the audit about what changes it intended to make to audit questions to develop requests for additional information (RAIs). Subsequent to the audit, Duke Energy submitted an LAR supplement, dated July 10, 2018, addressing a majority of the McGuire, Units 1 and 2, audit questions. The NRC staff reviewed the

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 3 of 51 material provided in the July 10, 2018 letter and determine that the supplemental information did not address all of the concerns raised during the audit.

Regulatory Requirements The NRCs regulatory requirements related to the content of the TS are contained in Title 10 of the Code of Federal Regulations (10 CFR) at 10 CFR 50.36. For Limiting Conditions of Operation at 10 CFR 50.36(c)(2)(i), Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met, (emphasis added).

Applicable regulatory guidance for McGuire, Units 1 and 2, is contained in: 1. Standard Technical Specifications for Westinghouse Plants, NUREG-1431, Revision 4 (STS, ADAMS Accession Number ML12100A222), and 2. Final Policy Statement (FPS) on Technical Specifications Improvements for Nuclear Power Reactors (FPS, 58 FR 39132). 10 CFR, Appendix A of Part 50, General Design Criterion (GDC) 17, Electric Power Systems, requires, in part, that an onsite electric power system and an offsite electric power system be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. The onsite electric power supplies shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.

The NRC staff also considered the following guidance document to evaluate the LAR:

Branch Technical Position (BTP) 8-8, "Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions," was developed to provide guidance to the NRC staff for reviewing license amendment requests for Allowed Outage Time (AOT) or CT extensions for the onsite and offsite power AC sources to perform online maintenance of the power sources. In the May 2, 2017 letter, the licensee stated that the LAR provides a deterministic technical justification for extending the CTs and has been developed using the guidelines established in NUREG-0800, Branch Technical Position (BTP) 8-8.

Regulatory Guide (RG) 1.93, Availability of Electric Power Sources, Revision 1, which provides guidelines that the NRC staff considers acceptable when the number of available electric power sources are less than the number of sources required by the limiting conditions for operation (LCOs) for a facility.

In order to complete its review, the NRC staff requests the following additional information.

Request for Additional Information (RAI)-1 In Attachment 1, McGuire Technical Specification Marked Up Pages, of the supplemental LAR dated July 10, 2018, the licensee proposed a new LCO 3.8.1.d that would require the operability

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 4 of 51 of the DG(s) from the opposite unit necessary to supply power to the Nuclear Service Water System (NSWS), Control Room Air Ventilation System (CRAVS), Control Room Area Chilled Water System (CRACWS), and Auxiliary Building Filtered Ventilation Exhaust System (ABFVES).

In Attachment 1 of the July 10, 2018 letter, the licensee proposed to add new Required Actions (RAs) B.1 and to revise and renumber existing RAs for TS 3.8.1 Condition B (one LCO 3.8.1.b DG inoperable).

New RA B.1 would state Verify LCO 3.8.1.d DG(s) operable, with a CT of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

Revised and renumbered RA B.4.2 would state: Perform SR 3.8.1.2 for operable DG(s).

The NRC staff notes:

It appears that the proposed RA B.1 is similar to the revised and renumbered RA B.4.2 with respect to the operability of the LCO 3.8.1.d DGs because the existing Surveillance Requirements (SR) 3.8.1.2 in RA B.4.2 verifies the operability of the remaining DGs including LCO 3.8.1.d DG (s) by verifying that each DG can start from standby conditions and achieve steady state voltage and frequency within the required ranges.

It does not appear that a discussion of the basis for the 1-hour and 12-hour CTs for the new RA B.1 was provided.

a. Provide a discussion that explains how the operability of the LCO 3.8.1.d DGs will be verified by RA B.1.

b. Provide a discussion that describes the basis and derivation of the CTs (1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter) for RA B.1.

Duke Energy RAI-1 Response

a. The proposed RA B.1 is for an administrative verification of OPERABILITY. There is reasonable expectation of OPERABILITY for the LCO 3.8.1.d DG(s) when licensed operators verify that all the following conditions exist:

The DG Surveillance Requirements are met.

The normal operator rounds for the DG are up-to-date and have been performed satisfactorily.

The DG and its support systems have not been logged as inoperable or non-functional.

There are no items being tracked via the Adverse Condition Monitoring and Contingency Planning sheet that calls into question OPERABILITY of the DG.

There are no in-progress OPERABILITY determinations or functionality assessments for the DG and its support systems.

b. The initial CT of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for RA B.1 is based on the recognized importance of ensuring the LCO 3.8.1.d DG(s) is OPERABLE to power one train of shared systems during the time the LCO 3.8.1.b DG is inoperable. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allows sufficient time to perform this verification if the inoperability of the LCO 3.8.1.b DG

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 5 of 51 was unplanned.

The proposed 12-hour Completion Time (CT) of RA B.1 was chosen due to the McGuire operator shifts being 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In addition, BTP 8-8 states:

The availability of AAC or supplemental power source shall be checked every 8-12 hours (once per shift).

The proposed change includes provisions for McGuire to ensure availability of ESPS once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . Thus, once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for the RA B.1 CT allows McGuire to verify operability of LCO 3.8.1.d DG(s) and availability of ESPS at the same time intervals.

The Calvert Cliffs precedent that was closely followed uses 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter. McGuire has proposed a more conservative CT (12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months vice 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ).

RAI-2

In Attachment 1 of the July 10, 2018 letter, the licensee proposed to revise TS 3.8.1 Condition B (i.e., one LCO 3.8.1.b DG inoperable) to extend the CT for restoring the DG to operable status beyond the existing 72-hour and up to 14 days, provided the ESPS is available. The licensee proposed CTs to restore the inoperable LCO 3.8.1.b DG to operable status (RA B.6).

Proposed RA B.6 would state: Restore DG to operable status, with the following CTs:

72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS AND 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of unavailable ESPS when in extended Completion Time AND 14 days AND 17 days from discovery of failure to meet LCO 3.8.1.a or LCO 3.8.1.b Proposed RA B.5 would state: Ensure availability of Emergency Supplemental Power Source (ESPS), with the following CT:

Prior to entering the extended CT of Action B.6 AND Once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

In Section 2.1, McGuire Evaluation of the TS 3.8.1 Change Request, of the July 10, 2018 letter, the licensee states:

The CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS of new RA B.6 (formerly RA 8.4) is based on the existing CT for an inoperable DG. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months CT of new RA B.6 is based on Branch Technical Position 8-8 and indicates that if the ESPS unavailability occurs sometime after 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of continuous DG inoperability (i.e., after entering the extended CT for an inoperable DG), then the remaining time to restore the ESPS to available status or restore the DG to operable status is limited to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 6 of 51 In the McGuire current TS, the existing 72-hour CT is based on RG 1.93 (as stated in the TS Bases), which states, in part:

If the available onsite ac power sources are one less than the LCO, power operation may continue for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , provided that the redundant diesel generator is assessed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to be free from common-cause failure or is verified to be operable in accordance with plant-specific technical specifications.

The guidance in RG 1.93 relates to redundant power sources. The allowed power operation period of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months starts from the time the available onsite ac power sources (i.e., DGs) are found to be one less than the LCO (i.e., one DG is inoperable).

The proposed CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS of new RA B.6 (inoperable DG) would begin on discovery that both an inoperable DG exists and the ESPS is unavailable, as stated in the LAR, whereas the existing 72-hour CT for an inoperable DG begins when the DG is inoperable based on RG 1.93. Thus, the proposed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS would not be based on the existing CT for an inoperable DG, as stated in the LAR.

The proposed CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS would allow the DG to remain inoperable beyond the existing 72-hour CT without an available ESPS or a supplemental AC power source since the proposed 72-hour CT would begin on discovery that both an inoperable DG exists and the ESPS is unavailable.

The proposed CTs for RA B.6 do not identify a non-extended CT or a time for entering the extended CT that would indicate when the RA B.5 (ensure the availability of ESPS) would be performed within the first CT (i.e., prior to entering the extended CT of RA B.6) and when the proposed 24-hour CT (i.e., 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of unavailable ESPS when in extended CT) of RA B.6 would be applicable.

a. Provide a discussion that explains how the proposed CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS of RA B.6 is based on the existing 72-hour CT for an inoperable DG that begins when the DG is found inoperable. Otherwise, provide a revised CT for RA B.6 so that the CT for restoring the inoperable LCO 3.8.1.b DG to operable status would not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from the time the LCO 3.8.1.b DG was found inoperable (i.e., Condition B) or provide a justification for the new CT

b. Provide a discussion that explains how entry into the 14-day extended CT is identified in the proposed CTs for RA B.6 to allow the performance of RA B.5 prior to entering the extended CT of RA B.6, and to apply the 24-hour CT of RA B.6.

Duke Energy RAI-2 Response Duke Energy proposes the following changes in red (also shown in Attachment 2):

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 7 of 51 The CT for proposed RA B.5 is revised as follows:

B.5 Evaluate availability of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Emergency Supplemental Prior to entering the Power Source (ESPS). extended Completion Time of ACTION B.6 AND Once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter The existing RA B.4 is renamed B.6. The associated CT is revised to state:

72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from discovery of unavailable ESPS**

AND 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of Condition B entry 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months concurrent with unavailability of ESPS unavailable ESPS when in extended Completion Time AND 14 days AND 17 days from discovery of failure to meet LCO 3.8.1.a or LCO 3.8.1.b Since proposed RA B.5 specifies to evaluate, discovering the ESPS unavailable does not result in the RA being not met. On discovery of an unavailable ESPS, the CT for RA B.6 starts the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and/or 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months clock. This change is consistent with Brunswick Steam Electric Plant TS 3.8.1 precedent (ADAMS Accession No. ML13329A362).

If the ESPS is unavailable upon entry into Condition B, inoperable LCO 3.8.1.b DG, then action is required to restore the ESPS to available status or to restore the DG to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from entry into Condition B. If the ESPS unavailability occurs sometime after 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months from initial entry into Condition B and less than or equal to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from initial entry into Condition B, then the remaining time to restore the ESPS to available status or to restore the DG to OPERABLE status is limited to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from initial entry into Condition B. However, if the ESPS unavailability occurs sometime after 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from initial entry into Condition B, then the remaining time to restore the ESPS to available status or to restore the DG to OPERABLE status is limited to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time allow for an exception to the normal time zero for beginning the allowed outage time clock.

RAI-3

BTP 8-8 recommends that the time to make the supplemental or alternate AC (AAC) power source available, including cross-connection, should be approximately 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to enable

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 8 of 51 restoration of battery chargers and control reactor coolant system inventory. Also, plants must assess their ability to cope with loss of all AC power (i.e., SBO) for one hour independent of an AAC power source to support the one-hour time for making this supplemental power source available In the May 2, 2017 letter, the licensee states:

The ESPS will constitute two supplemental DGs capable of powering any one of the 4160 V essential buses on either unit during a SBO within one hour from the time that the emergency procedures direct their use as the emergency power source. []

The SDGs will become one of the options in ECA-0.0 for restoring AC power.

Observations of the operators on the plant simulator show that it takes about 20 minutes for the operators to get to the point in the procedure to attempt to restore power from any source. If the ESPS is the chosen source of power, operators would be dispatched to place it in service. []

[] MNS take[s] credit for its respective SSF [Standby Shutdown Facility] diesel generator as the AAC Source for coping with a SBO within 10 minutes of a SBO event.

BTP 8-8 states that plants must assess the capability to cope with the loss of all AC power for one hour independent of a supplemental AC power source. [] MNS ha[s] []

performed calculations for SBO coping that demonstrate each [unit] is a 4-hour coping plant.

It appears that the ESPS would be connected to supply power to the 4160 volts (V) bus within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 20 minutes from the start of the SBO event since the ESPS would power the 4160 V bus within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months from the time that the emergency procedures direct ESPS use as the emergency power source, and the licensee states it would take 20 minutes for the operators to get to the point [] to attempt to restore power from any source. This indicates that the time to make the ESPS available to supply power to the station would not be within the approximately one hour timeframe described in the LAR.

The 4-hour SBO coping duration for McGuire is the time the plant can cope with an SBO event using the SSF. The availability of the SSF within 10 minutes of an SBO event indicates that McGuire can cope with the SBO without (or independent of) the SSF for 10 minutes and not for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , as recommended in BTP 8-8.

a. Clarify the estimated time it would take to connect the ESPS power source (i.e., the two supplemental DGs) to the stations safety bus from the start of an SBO event.

b. Provide a discussion that summarizes the calculations or analysis performed to assess the McGuire ability to cope with the loss of all AC power (i.e., SBO) for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or the period of time clarified in above question until the ESPS is connected to the shutdown buses, as stated in BTP 8-8. Also, include in the discussion a summary of the coping analysis conclusions.

Duke Energy RAI-3 Response

a. Since the original application for ESPS was submitted, MNS has completed sufficient installation of ESPS equipment and facility tie-ins during the Fall 2018 Unit

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 9 of 51 2 outage. A time line was obtained and validated by licensed and auxiliary operators, for implementation of the emergency procedure for station blackout (SBO) and aligning ESPS to power an essential bus on the SBO unit. A team consisting of a licensed operator and Auxiliary operators simulated the operator dispatch times and the time it takes to energize the 4160V safety bus once local actions are completed. Multiple local validations, for both units, were obtained and documented. A breaker at the training center was used to obtain the length of time it takes to rack in and rack out the breakers. The longest and most conservative local times were used.

The validated total time from the loss of power to the 4160V safety busses to re-energize a 4160V safety bus through a unit transformer using ESPS was 42 minutes. The validated total time from the loss of power to the 4160V safety busses to re-energize a 4160V safety bus through a shared transformer using ESPS was 57.5 minutes. A more conservative time limit, taking into account the MNS standard desired margin for time critical actions of 20% and the 57.5-minute case, is 70 minutes from time power is lost to the 4160V busses. Duke Energy meets the approximately one hour requirement and the operators will be held accountable to a 70 minute timeframe to account for desired margin.

b. Duke Energy has an approved calculation for MNS that assesses the ability to cope with a SBO event without taking any credit for the Standby Shutdown Facility (SSF). The calculation determined the amount of time available for recovery actions to take place to restore onsite power before the core uncovers and fuel damage becomes imminent. The calculation included a reactor coolant pump seal leak, no primary mass addition, no secondary heat sink and assumed that the SSF is unavailable. The calculation concludes that the length of time between SBO event initiation and the onset of significant core uncover is approximately 2.4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Therefore, MNS clearly demonstrates the ability to cope with the SBO event for the 70-minute duration cited in response to part a. above until the ESPS is connected to a 4160V safety bus.

RAI-4

Deleted

RAI-5

In Attachment 1 of the July 10 letter, the licensee proposed a new Condition C that would state Required Action and associated Completion Time of Required Action B.1 not met. Two alternate RA C.1.1 and RA C.1.2 are proposed for Condition C.

RA C.1.2 would state Restore the LCO 3.8.1.b DG to operable status, with a CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

The proposed RA B.1 would state: Verify LCO 3.8.1.d DG(s) operable. The CT for RA B.1 would state: 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

In Section 2.1 of the July 10, letter, the licensee stated that the 72-hour CT for new RA C.1.2 is in accordance with RG 1.93, which indicates operation may continue in this condition for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 10 of 51 RG 1.93 states, in part:

If the available onsite ac power sources are one less than the LCO, power operation may continue for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , provided that the redundant diesel generator is assessed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to be free from common-cause failure or is verified to be operable in accordance with plant-specific technical specifications.

The guidance in RG 1.93 relates to redundant power sources. The power operation period of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed per RG 1.93 starts from the time the available onsite ac power sources (i.e., DGs) are one less than the LCO (i.e., one DG is inoperable).

The NRC staff notes that the proposed RA C.1.2 and associated CT would allow the LCO 3.8.1.b DG to remain inoperable for a time longer than 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months because the proposed 72-hour CT for C.1.2 would start from the time of discovery of inoperable LCO 3.8.1.d DG by RA B.1 (i.e., 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter), and not from the time of discovery of inoperable LCO 3.8.1.b DG, as described in RG 1.93. This indicates that the proposed 72-hour CT for RA C.1.2 would not be in accordance with RG 1.93, as stated in the LAR.

Provide a discussion that explains how the 72-hour CT for RA C.1.2 (Restore LCO 3.8.1.b DG to operable status) is in accordance with RG 1.93 so that the CT for RA C.1.2 would not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from the time the LCO 3.8.1.b DG is found inoperable.

Duke Energy RAI-5 Response RA C.1.2 was not in accordance with RG 1.93 as cited in the July 10, 2018 submittal because the CT could exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Therefore, the proposed Condition C in the July 10, 2018 submittal is deleted from the MNS TS 3.8.1. Condition D from the July 10, 2018 submittal is now renamed to Condition C (Shown in Attachment 2).

RAI-6

In Attachment 1 of the July 10, letter, the licensee proposed a new Condition D that would state:

one LCO 3.8.1.c offsite circuit is inoperable. The RAs would be modified by a Note.

The proposed Note would state: Enter applicable Conditions and Required Actions of LCO 3.8.9, Distribution Systems - Operating, when Condition D is entered with no AC power source to a train.

RA D.3 would state: Declare NSWS, CRAVS, CRACWS and ABFVES supported by the inoperable offsite circuit inoperable, with a CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

In Section 2.1 of the July 10, 2018 letter, the licensee stated that the Note would allow new Condition D to provide requirements for the loss of a LCO 3.8.1.c offsite circuit and LCO 3.8.1.d DG without regard to whether a train is de-energized.

The NRC staff notes that the new Condition D is not related to the loss of an LCO 3.8.1.d DG, and as such, would not provide the requirements for the loss of an LCO 3.8.1.d DG. In addition, the proposed RAs would not require the restoration of the LCO 3.8.1.c offsite circuit to operable status to meet the TS LCO 3.8.1.c, as required by 10 CFR 50.36(c)(2).

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 11 of 51

a. Clarify how the proposed Note for the new Condition D would allow the new Condition D to provide requirements for the loss of a LCO 3.8.1.d DG, as stated above.

b. Provide a discussion that explains the purpose of RA D.3, and how the proposed RAs for the new Condition D would allow the TS LCO 3.8.1 to be met, as required by 10 CFR 50.36(c)(2).

Duke Energy RAI-6 Response

a. (Note: Condition D in Attachment 2 is marked up and now renamed to Condition C)

The Note above the Required Actions associated with Condition C is consistent with the Calvert Cliffs precedent. Condition C addresses the inoperability of one LCO 3.8.1.c qualified offsite circuit between the offsite transmission network and the opposite units Onsite Essential Auxiliary Power System. If Condition C is entered for one LCO 3.8.1.c offsite circuit inoperable concurrently with one LCO 3.8.1.d DG inoperable associated with the same train of shared systems, then the NOTE requires the licensed operator to enter all applicable Conditions and Required Actions of TS 3.8.9 "Distribution Systems - Operating". Specifically, in the case where an inoperable LCO 3.8.1.c qualified offsite circuit and an inoperable LCO 3.8.1.d DG both support the same train of shared systems, TS 3.8.9 Condition A must be entered because there is no longer assurance that the train of "Distribution Systems - Operating" can be energized to the proper voltage. Both units would enter TS 3.8.9 Condition A in this instance since there is no power source to a train of shared systems (refer to MNS LCO 3.0.9). This action is consistent with MNS current application of TS 3.8.9 with the concurrent inoperability of a DG and inoperability of a qualified offsite circuit impacting the same train of Distribution Systems - Operating aligned to power shared systems.

b. Proposed RA D.3 (renamed to C.3) from the July 2018 submittal would not allow LCO 3.8.1 to be met. In order to comply with 10 CFR 50.36(c)(2), RA C.3 has been revised as follows:

CD.3 Declare NSWS, CRAVS, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months CRACWS or ABFVES supported by the inoperable offsite circuit inoperable. Restore LCO 3.8.1.c offsite circuit to OPERABLE status.

Consistent with the time provided in ACTION A, operation may continue in Condition C for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one required LCO 3.8.1.c offsite circuit inoperable. the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1 E Distribution System. If the LCO 3.8.1.c required offsite circuit cannot be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , then Condition K (now

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 12 of 51 renamed as Condition I in Attachment 2) must be entered immediately.

RAI-7

In Attachment 1 of the July 10, letter, the licensee proposed a new Condition E that would apply when one LCO 3.8.1.d DG is inoperable. The RAs for new Condition E would be modified by a Note.

The Note would state: Enter applicable Conditions and Required Actions of LCO 3.8.9, Distribution Systems - Operating, when Condition E is entered with no AC power source to a train.

RA E.1 would state: verify both LCO 3.8.1.b DGs are operable and the ESPS is available, with a CT of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

RA E.4.2 would state: Perform SR 3.8.1.2 for operable DG(s).

RA E.5 would state: Declare NSWS, CRAVS, CRACWS and ABFVES supported by the inoperable DG inoperable, with a CT of 14 days.

In Section 2.1 of the July 10, 2018 letter, the licensee states:

[The Note] allow new Condition E to provide requirements for the loss of a LCO 3.8.1.c offsite circuit and LCO 3.8.1.d DG without regard to whether a train is de-energized.

The verification in this RA [E.1] provides assurance that the LCO 3.8.1.b safety-related DGs and the ESPS are capable of supplying the Class 1E AC Electrical Power Distribution System.

The CT of 14 days is justified by new RA E.1 (verify both unit-specific DGs are operable and the ESPS is available). The 14 day CT is also consistent with the proposed CT in ACTION B when ESPS is available.

10 CFR 50.36(c)(2) states:

When an LCO of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met.

The NRC staff has identified the following discrepancies:

The new Condition E is not related to the loss of an LCO 3.8.1.c offsite circuit, and as such, it appears to not provide the requirements for the loss of an LCO 3.8.1.c offsite circuit.

It appears that the proposed RA E.1 is similar to the proposed RA E.4.2 with respect to the operability of the two LCO 3.8.1.b DGs because the existing SR 3.8.1.2 in RA E.4.2 verifies the operability of the remaining DGs including LCO 3.8.1.b DG(s) by verifying that each DG can start from standby conditions and achieve steady state voltage and frequency within the required ranges.

It does not appear that a discussion of the basis for the 1-hour and 12-hour CTs for the new RA E.1 was provided.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 13 of 51 It does not appear that a CT for the proposed for RA E.5 when the ESPS is unavailable consistent with the proposed 72-hour CT and 24-hour CT for Condition B (i.e., one LCO 3.8.1.b DG inoperable) was provided.

The proposed RAs for the new Condition E appear to not require the restoration of the LCO 3.8.1.d DG to operable status to meet the TS LCO 3.8.1, as required by 10 CFR 50.36(c)(2).

a. Clarify how the proposed Note for the new Condition E would allow the new Condition E to provide requirements for the loss of a LCO 3.8.1.c offsite circuit, as stated above.

b. Provide a discussion that explains the basis for the proposed CTs (i.e., 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter) for new RA E.1.

c. Provide a discussion about the RAs and associated CTs for Condition E for the case when the ESPS is unavailable.

d. Provide a discussion that explains the purpose of RA E.5, and how the proposed RAs for the new Condition E would allow the TS LCO 3.8.1 to be met, as required by 10 CFR 50.36(c)(2).

e. Provide a discussion that explains how the operability of the LCO 3.8.1.b DGs will be verified by RA E.1.

Duke Energy RAI-7 Response (Note: Condition E in Attachment 2 is marked up and renamed to Condition D)

a. The Note above the Required Actions associated with Condition D is consistent with the Calvert Cliffs precedent. Condition D addresses the inoperability of one LCO 3.8.1.d DG aligned to the opposite unit Onsite Essential Auxiliary Power System that is supplying power to a train of shared systems. If Condition D is entered for one LCO 3.8.1.d DG concurrently with one LCO 3.8.1.c offsite circuit inoperable associated with the same train of shared systems, then the Note requires the licensed operator to enter all applicable Conditions and Required Actions of TS 3.8.9 "Distribution Systems - Operating".

Specifically, in the case where an inoperable LCO 3.8.1.d DG and an inoperable LCO 3.8.1.c qualified offsite circuit both support the same train of shared systems, TS 3.8.9 Condition A must be entered because there is no longer assurance that the train of "Distribution Systems - Operating" can be energized to the proper voltage. Both units would enter TS 3.8.9 Condition A in this instance since there is no power source to a train of shared systems (refer to MNS LCO 3.0.9). This action is consistent with MNS current application of TS 3.8.9 with the concurrent inoperability of a DG and inoperability of a qualified offsite circuit impacting the same train of "Distribution Systems - Operating" aligned to power shared systems.

b. The initial CT of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for RA D.1 is based on the recognized importance of ensuring the LCO 3.8.1.b DGs are OPERABLE when a LCO 3.8.1.d DG is inoperable. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allows sufficient time to perform this verification if the inoperability of the LCO 3.8.1.d DG was unplanned.

The proposed 12-hour Completion Time (CT) of RA D.1 was chosen due to the McGuire operator shifts being 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In addition, BTP 8-8 states:

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 14 of 51 The availability of AAC or supplemental power source shall be checked every 8-12 hours (once per shift).

The proposed change includes provisions for McGuire to ensure availability of ESPS once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . Thus, once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for the RA D.1 CT allows McGuire to verify operability of the unit DGs.

The Calvert Cliffs precedent that was closely followed uses 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter. McGuire has proposed a more conservative CT (12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months vice 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ).

c. RA D.1 is revised to Verify both LCO 3.8.1.b DGs OPERABLE. The availability of ESPS has been removed, as shown in Attachment 2.

d. Proposed RA E.5 from the July 2018 submittal would not allow LCO 3.8.1 to be met. In order to comply with 10 CFR 50.36(c)(2), RA E.5 has been revised as follows:

E.5 Declare NSWS, CRAVS, 14 days CRACWS or ABFVES supported by the inoperable DG inoperable.

D.5.1 Restore LCO 3.8.1.d DG to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OPERABLE status.

OR D.5.2 Align NSWS, CRAVS, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months CRACWS and ABFVES supported by the inoperable LCO 3.8.1.d DG to an OPERABLE DG.

In Condition D, the remaining OPERABLE DGs and offsite power circuits are adequate to supply electrical power to the Class 1E Distribution System.

If the LCO 3.8.1.d DG cannot be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or the NSWS, CRAVS, CRACWS and ABFVES components supported by the inoperable LCO 3.8.1.d DG cannot be re-aligned to be supplied by an OPERABLE DG within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , then Condition I is entered. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

e. The proposed RA D.1 is for an administrative verification of OPERABILITY. There is reasonable expectation of OPERABILITY for the LCO 3.8.1.b DG(s) when licensed operators verify that all the following conditions exist:

The DG Surveillance Requirements are met.

The normal operator rounds for the DG are up-to-date and have been performed satisfactorily.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 15 of 51 The DG and its support systems have not been logged as inoperable or non-functional.

There are no items being tracked via the Adverse Condition Monitoring and Contingency Planning sheet that calls into question OPERABILITY of the DG.

There are no in-progress OPERABILITY determinations or functionality assessments for the DG and its support systems.

RAI-8

The licensee proposed a new Condition F that would be applicable when the RA E.1 (verify both LCO 3.8.1.b DGs operable and ESPS available) and associated CT (1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter) are not met. Three alternate RAs including RAs F1.1 and F.1.2 are proposed for the new Condition F.

RA F.1.1 would state Restore both LCO 3.8.1.b DGs to operable status and ESPS to available status, within the CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

RA F.1.2 would state Restore both LCO 3.8.1.d DG to operable status within the CT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

In Section 2.1 of the July 10, 2018 letter, the licensee states:

The 72-hour CT for RA F.1.1 and RA F.1.2 is consistent with Regulatory Guide 1.93.

New RA F .1.3 reflects that if the opposite unit DG that is necessary to supply power to the NSWS, CRA VS, CRACWS and ABFVES cannot be restored to operable status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , then the NSWS, CRAVS, CRACWS and ABFVES components associated with the inoperable DG must be declared inoperable.

RG 1.93 states, in part:

If the available onsite ac electric power sources are two less than the LCO, power operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

If the available onsite ac power sources are one less than the LCO, power operation may continue for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , provided that the redundant diesel generator is assessed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to be free from common-cause failure or is verified to be operable in accordance with plant-specific technical specifications The guidance in RG 1.93 relates to redundant power sources. The power operation period of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is applicable to two inoperable AC power sources, and the period of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months starts from the time the available onsite ac power sources (i.e., DGs) are one less than the LCO (i.e., one DG is inoperable).

The NRC staff has identified the following discrepancies:

Two redundant LCO 3.8.1.b DGs would be inoperable in Condition F, and as such, the CT for restoring one or two inoperable LCO 3.8.1.b DGs to operable status (RA F.1.1) would be 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , as recommended in RG 1.93. However, the proposed CT for RA F.1.1 is 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and does not appear in accordance with RG 1.93.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 16 of 51 The proposed RA F.1.2 and associated CT (i.e., restore the LCO 3.8.1.d DG to operable status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) would allow the McGuire power operation to exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months if the LCO 3.8.1.d DG would become inoperable (proposed Condition E) because the proposed 72-hour for F.1.2 would start from the time the RA E.1 (i.e., verify both LCO 3.8.1.b DGs operable and ESPS available) and associated CT (i.e., 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months [from discovery of LCO 3.8.1.d DG inoperability] and once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter) are not met, and not from the time the LCO 3.8.1.d DG is found inoperable. It would appear that the proposed 72-hour CT for RA C.1.2 would not be in accordance with RG 1.93.

Two DGs that supply power to the trains of shared systems would be inoperable if one LCO 3.8.1.b DG that provides power to the shared systems (NSWS, CRAVS, CRACWS, and ABFVES) and one LCO 3.8.1.d DG are inoperable. For this case, the CT for restoring the LCO 3.8.1.d DG to operable status (RA F.1.2) would be 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , as recommended in RG 1.93.

However, the proposed CT for RA F.1.2 is 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and does not appear in accordance with RG 1.93.

It does not appear that a discussion of the specific inoperable DG which supported shared systems would be declared inoperable in RA F.1.3 was provided, as more than one DG would be inoperable in Condition F.

a. Provide a discussion of how the proposed 72-hour CT for new RA F.1.1 (restore both LCO 3.8.1.b DGs to operable status and ESPS to available status) is consistent with RG 1.93 with respect to two inoperable LCO 3.8.1.b DGs.

b. Provide a discussion that explains how the proposed 72-hour CT for new RA F.1.2 is consistent with RG 1.93 so that the CT for RA F.1.2 would not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from the time the LCO 3.8.1.d DG is found inoperable.

c. Provide a discussion of how the proposed 72-hour CT for new RA F.1.2 (restore LCO 3.8.1.d DG to operable status) is consistent with RG 1.93 with respect to two inoperable DGs (i.e., one LCO 3.8.1.b DG and one LCO 3.8.1.d DG) that supply power to the shared systems.

d. Provide a discussion that explains the specific inoperable DG of which the supported shared systems would be declared inoperable in RA F.1.3. Also, provide a discussion that clarifies whether the trains of shared systems supported by all inoperable DGs would be declared inoperable, as more than one DG (i.e., LCO 3.8.1.d DG and LCO 3.8.1.b DG(s))

would be inoperable in Condition F; and provide the basis for the CTs for declaring the train of shared systems supported by each inoperable DG inoperable.

Duke Energy RAI-8 Response If one LCO 3.8.1.b DG is inoperable when in Condition D, then Condition B will be entered for that LCO 3.8.1.b DG. If both LCO 3.8.1.b DGs are inoperable when in Condition D, then the proposed Condition G will be entered. Thus, the proposed Condition F in the July 10, 2018 submittal is deleted from TS 3.8.1. Condition H from the July 10, 2018 submittal is now renamed to Condition F (Shown in Attachment 2).

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 17 of 51

RAI-9

The proposed Condition K would apply when the RA and associated CT of Condition A, C, F, G, H, I, or J are not met; or RA and associated CT of RA B.2, B.3, B.4.1, B.4.2, or B.6 are not met; or RA and associate CT of RA E.2, E.3, E.4.1, E.4.2, or E.5 are not met.

The proposed RA K.1 would state Be in Mode 3 within a CT of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The proposed RA K.2 would state Be in Mode 5 within a CT of 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The NRC staff notes that the proposed Condition K does not address the case when an RA and associated CT of the proposed new Condition D are not met. In addition, the proposed TS changes does not discuss actions when the RA D.1, D.2, or D.3 and associated CT of Condition D are not met.

The NRC staff also notes that in case the ESPS would not be restored to available status as required by the proposed new RA F.1.1 within the proposed 72-hour CT, MNS would enter Condition K to bring the unit to Mode 3 in 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months and Mode 5 in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This would subject the unit to transients associated with the orderly shutdown. Provide a discussion of the applicable actions when an RA and associated CT of the new Condition D are not met.

a. Provide a discussion that explains the reasons for entering Condition K to shut down the unit and, as a result, subject the unit to transients associated with the shutdown when the ESPS cannot be restored to available status, as required by the proposed RA F.1.1.

Duke Energy RAI-9 Response Condition K is renamed to Condition I and revised as follows (Shown in Attachment 2):

I.K. Required Action and IK.1 Be in MODE 3.

Associated Completion Time of Condition A, C, E, AND F, G, or H not met.

IK.2 Be in MODE 5.

OR Required Action and Associated Completion Time of Required Action B.2, B.3, B.4.1, B.4.2, or B.6 not met.

OR Required Action and Associated Completion Time of Required Action D.2, D.3, D.4.1, D.4.2, D.5.1, or D.5.2 not met.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 18 of 51 Condition C (previously named Condition D) has been added to Condition I (previously named Condition K). Condition F from the July 10, 2018 submittal has been deleted.

RAI-10

The proposed note to the SRs section would state:

Note: SR 3.8.1.1 through SR 3.8.1.20 are only applicable to LCO 3.8.1.a and LCO 3.8.1.b AC sources. SR 3.8.1.21 is only applicable to LCO 3.8.1.c and LCO 3.8.1.d AC sources.

The proposed SR 3.8.1.21 would state:

SR 3.8.1.21 For the LCO 3.8.1.c and LCO 3.8.1.d AC electrical sources. SR 3.8.1.1, SR 3.8.1.2, SR 3.8.1.4, SR 3.8.1.5, and SR 3.8.1.6 are required to be met.

The NRC staff notes that a discussion about the reasons for excluding SR 3.8.1.3, SR 3.8.1.7, SR 3.8.1.8, SR 3.8.1.9, SR 3.8.1.10, SR 3.8.1.11, SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.14, SR 3.8.1.15, SR 3.8.1.16, SR 3.8.1.17, SR 3.8.1.18, SR 3.8.1.19, and SR 3.8.1.20 from the SRs required for the LCO 3.8.1.c and LCO 3.8.1.d AC electrical power sources was not provided.

Provide a discussion that explains why the performance of SR 3.8.1.3 and SR 3.8.1.7 through SR 3.8.1.20 are not required for the LCO 3.8.1.c and LCO 3.8.1.d AC power sources.

Duke Energy RAI-10 Response The proposed Note and SR 3.8.1.21 have been deleted, as shown in Attachment 2 All SRs associated with TS 3.8.1 are applicable to LCO 3.8.1.c and LCO 3.8.1.d AC power sources for the proposed change.

RAI-11

According to the FPS each remedial action should have bases for inclusion into the TS.

The FPS gives the following questions as examples that the bases for each required action should answer e.g. why should the remedial action be taken if the associated LCO cannot be met?, how does this action relate to other actions associated with the LCO?, and what justifies continued operation of the system or component at the reduced state from the state specified in the LCO for the allowed time period?

Rationale provided for proposed Required Action (RA) B.1 on page 11 of 15 of the enclosure to supplement 3 of July 10, 2018 is:

New RA B.1 provides assurance that the LCO 3.8.1.d DG is operable when a LCO 3.8.1.b DG is inoperable.

It appears that revised RA B.4 already requires this determination of operability for all other DGs, including a DG on the opposite unit.

Please explain. If this is correct understanding, please consider conforming changes to proposed Condition C.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 19 of 51 Duke Energy RAI-11 Response The once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter Completion Time for proposed RA B.1 is based on the recognized importance of ensuring the LCO 3.8.1.d DG(s) is OPERABLE to power one train of shared systems during the time a LCO 3.8.1.b DG is inoperable. The verification of OPERABILITY of a TS 3.8.1.d DG is an administrative verification. There is reasonable expectation of OPERABILITY for the LCO 3.8.1.d DG when licensed operators verify the SRs are met, the normal operator rounds are up-to-date, the DG and its support systems have not been logged as inoperable or non-functional, there are no items being tracked via the Adverse Condition Monitoring and Contingency Planning sheet, and there are no in-progress OPERABILITY determinations or functionality assessments for the DG and its support systems.

Proposed RA B.1 is necessary when a TS 3.8.1.b DG is being removed from service for preplanned maintenance or testing. As specified in the existing TS 3.8.1 Bases, the RAs B.3.1 and B.3.2 (proposed RAs B.4.1 and B.4.2) are not required to be entered if the inoperability of the TS 3.8.1.b DG is due to preplanned testing or maintenance. Thus, the staff assertion in the RAI that RA B.4 already requires this determination of operability for all other DGs, including a DG on the opposite unit is not necessarily true for preplanned testing or maintenance of a TS 3.8.1.b DG.

Rather, proposed RA B.4.1 or B.4.2 is taken for emergent inoperability of a TS 3.8.1.b DG to ensure the remaining OPERABLE DGs, (i.e., the remaining unit-related DG and the LCO 3.8.1.d DG(s) on the opposite unit), are not inoperable due to common mode failure. Furthermore, the one-time check for a common mode failure of the remaining OPERABLE DGs in proposed RA B.4.1 or B.4.2 does not provide the continued assurance of TS 3.8.1.d DG(s) OPERABILITY afforded by proposed RA B.1.

RAI-12 Modeling Alternative Alignments The LAR for McGuire, Units 1 and 2, dated May 2, 2017, states that the proposed change to the TS CT has been developed using the risk-informed processes described in RG 1.174, Revision 2, and RG 1.177, Revision 1. Based on Section 2.3.1 of RG 1.177, the technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. RG 1.177 endorses the guidance provided in RG 1.200, Revision 2, on PRA technical adequacy. The RG 1.200 describes a peer review process utilizing ASME/ANS PRA standard RA-Sa-2009 as one acceptable approach for determining the technical adequacy of the PRA once acceptable consensus approaches or models have been established for evaluations that could influence the regulatory decision. The PRA standard Supporting Requirement (SR) SY-A5 requires that both the normal and alternate alignments be modelled to the extent needed for core damage frequency (CDF) and large early release frequency (LERF) determination.

The July 10, 2018 supplement, in response to audit question 2.a, provides a table summarizing an evaluation of the impact of system asymmetries and modeling just one system alignment for many systems in the McGuire, Units 1 and 2, PRAs. LAR Table 2 of the response identifies twelve systems, structures, and components (SSCs) included in the evaluation that were determined important to the 14-day CT and describes their impact to the PRA modeling. However, other SSCs appear to be risk-significant to the emergency diesel generator (EDG) CT based on information presented in Tables 7-21, 7-23, 7-26, 7-30, 7-39, 7-42, and 7-57 of the LAR. These include, for example, 4160V switchgear, 600V components, 125 V direct current (dc) distribution (including batteries), battery charger,

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 20 of 51 ESFAS components (i.e. load shed, blackout logic), 6900 V switchgear, transformers, vital instrumentation and control power, and seal water injection. Also, there could be asymmetries in how systems support risk-important frontline systems that are not addressed in the Table 2 evaluation provided in the response.

Additionally, the response states that the system analyst considers all possible system alignments, and determines whether the system failure probability would be different for one alignment versus another. It is not clear to NRC staff how these system configurations were modeled in the PRAs, when the failure probabilities were determined to be different for one alignment versus another. Moreover, it is not clear whether the most limiting configurations are always modeled in the PRAs from the point of calculating the incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP). Because the LAR indicates that the ICCDP and ICLERP for the proposed TS change meet the risk acceptance guidelines in RG 1.177 by a small margin, uncertainty in modeling assumptions could impact the conclusions of the application.

To address the observations above, the NRC staff requests the following additional information:

a) For the systems cited above that appear to be risk-significant to the EDG CT, provide an evaluation of the impact on ICCDP/ICLERP for the EDG CT due to system asymmetries and modeling just one system alignment. Also, include evaluation of other support systems not identified above if they can impact the ICCDP/ICLERP for the EDG CT.

b) For SSCs addressed in LAR Table 2 of the response and added in the response to part (a) above, identify system configurations determined to have different failure probabilities for one alignment versus another. For each of these alignments, explain whether the most limiting configuration was modelled in the PRAs (in terms of calculating the ICCDP and ICERP for the EDG CT) and provide the basis for those determinations. If the most limiting configuration was not modelled in the PRAs, then justify why this treatment is acceptable for this application.

c) If the most limiting configurations were not modeled and it cannot be justified to be acceptable for this application, then incorporate the most limiting configurations into the PRA models used for this LAR that aggregate the PRA updates requested in RAI-22 Duke Energy RAI-12 Response a) System asymmetries have been evaluated by reviewing important SSCs to identify asymmetries and by performing a sensitivity to verify the previously evaluated configuration is bounding or equivalent.

Table 1 below identifies model asymmetries (if any) for the SSCs. The impact of the modeling asymmetries on the ICCDP/ICLERP for the EDG CT is determined holistically by performing a sensitivity study to align ESPS to EDG-1A rather than to EDG-1B. The PRA model was updated to enable aligning ESPS to EDG 1A and to address PRA RAI 13 (see PRA RAI 13 response for details). The evaluated impact on ICCDP/ICLERP for the EDG CT, as well as on overall CDF/LERF with and without credit for ESPS, is provided in Tables 2 - 5.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 21 of 51 Table 1 Additional MNS SSCs Important to the 14 Day EDG Completion Time SSC Modeling Asymmetries (If Any) Model Impact 6900 V switchgear The 6900 V Unit Normal Aux. Power System consists of None four independent 6.9 kV switchgear assemblies, 1TA, 1TB, 1TC, and 1TD. Each switchgear has a designated normal and standby power supply. Normally, each 24/6.9 kV auxiliary transformer supplies two switchgear assemblies. However, each auxiliary transformer is fully sized to carry a maximum of all four switchgear loads.

4160 V switchgear The 4160 V Essential Aux. Power System consists of None two independent 4160 V ac switchgear assemblies, 1ETA and 1ETB, and their associated diesel generators. Each switchgear is supplied by its respective 6.9 kV auxiliary power switchgear through a 6.9/4.16 kV station auxiliary transformer (1ATC, 1ATD, or shared transformers SATA and SATB). A kirk-key interlock scheme is provided to prevent the units from being tied together and to prevent the paralleling of the normal and shared power sources.

transformers The various transformer that step voltage down for both None trains of emergency power are normally energized.

600 V components 600 V components are highly symmetric. However, Sensitivity motor control center 1EMXA4, which provides power to evaluates impact the train A hydrogen igniters, has a back-up power by aligning ESPS source. If normal power is unavailable to 1EMXA4, the to train A.

operators can align alternate power from the Standby Shutdown Facility, and this alternate alignment is modeled. There is no analogous alignment for B-train power.

125 V dc distribution The 125 V dc Vital Instrumentation and Control Power None (including batteries) system is symmetric, with four independent channels, A

- D, each with a battery, charger, and distribution center. Train A loads are fed from channels A and C, and train B loads are fed from channels B and D.

battery chargers The channel A and channel C battery chargers are None energized by the train A 600 V ac Essential Auxiliary Power System, and the channel B and channel D battery chargers are energized by the train B 600 V ac Essential Auxiliary Power System. The spare battery charger can be connected to any one of the four channels as needed, should the normal charger have to be removed from service, and this alternate alignment is modeled for each channel.

ESFAS components ESFAS is modeled symmetrically (with both trains in None standby) vital instrumentation and 120 V ac Vital Instrumentation and Control (I&C) Power None control power system is symmetric, with four independent channels, A

- D, each with a static inverter and panelboard. Train A loads are fed from channels A and C, and train B loads are fed from channels B and D.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 22 of 51 Table 1 Additional MNS SSCs Important to the 14 Day EDG Completion Time SSC Modeling Asymmetries (If Any) Model Impact seal water injection The model assumes that NV train A is operating to Sensitivity provide RCP seal injection and NV train B is in standby. evaluates impact The logic for NV train B includes start failure and by aligning ESPS maintenance unavailability. to train A.

PORVs MNS has three reactor coolant system power-operated Sensitivity relief valves (PORVs). Two receive B-train power and evaluates impact the other A-train power. This design asymmetry is by aligning ESPS modeled. to train A.

System general The McGuire PRA models normal system configuration Sensitivity alignment for running as train A running, and historical maintenance evaluates impact train systems unavailabilities for both A- and B-train components are by aligning ESPS lumped onto train B components. (See part b of this to train A.

response for more information.)

Table 2 RG 1.177 ICCDP Summary, ESPS to Train A Hazard 14 Day CT Base Multiplier ICCDP Internal Events 2.87E-06 3.00E-06 14/365 -4.99E-09 Internal Flooding 9.30E-06 7.74E-06 14/365 5.98E-08 High Winds 2.08E-05 7.77E-06 14/365 5.00E-07 Fire (limiting Unit) 4.86E-05 4.55E-05 14/365 1.19E-07 Seismic 6.68E-07 5.31E-08 14/365 2.36E-08 Sum = 6.97E-07 Table 3 RG 1.177 ICCDP Summary, ESPS to Train B Hazard 14 Day CT Base Multiplier ICCDP Internal Events 3.45E-06 3.00E-06 14/365 1.73E-08 Internal Flooding 9.43E-06 7.74E-06 14/365 6.48E-08 High Winds 2.12E-05 7.77E-06 14/365 5.15E-07 Fire (limiting Unit) 4.72E-05 4.55E-05 14/365 6.52E-08 Seismic 6.68E-07 5.31E-08 14/365 2.36E-08 Sum = 6.86E-07

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 23 of 51 Table 4 RG 1.177 ICLERP Summary, ESPS to Train A Hazard 14 Day CT Base Multiplier ICCDP Internal Events 4.40E-07 4.49E-07 14/365 -3.45E-10 Internal Flooding 5.94E-07 3.46E-07 14/365 9.51E-09 High Winds 2.00E-06 8.11E-07 14/365 4.56E-08 Fire (limiting Unit) 4.36E-06 4.09E-06 14/365 1.04E-08 Seismic 2.68E-07 2.18E-08 14/365 9.44E-09 Sum = 7.46E-08 Table 5 RG 1.177 ICLERP Summary, ESPS to Train B Hazard 14 Day CT Base Multiplier ICCDP Internal Events 5.08E-07 4.49E-07 14/365 2.26E-09 Internal Flooding 5.99E-07 3.46E-07 14/365 9.70E-09 High Winds 2.01E-06 8.11E-07 14/365 4.60E-08 Fire (limiting Unit) 4.20E-06 4.09E-06 14/365 4.22E-09 Seismic 2.68E-07 2.18E-08 14/365 9.44E-09 Sum = 7.16E-08 Table 6 351 Day ICCDP Risk Contribution Summary, ESPS to Train A Hazard ESPS credit Base Multiplier ICCDP Internal Events 2.83E-06 3.00E-06 351/365 -1.63E-07 Internal Flooding 7.72E-06 7.74E-06 351/365 -1.92E-08 High Winds 4.10E-06 7.77E-06 351/365 -3.53E-06 Fire (limiting Unit) 4.54E-05 4.55E-05 351/365 -9.62E-08 Seismic 5.31E-08 5.31E-08 351/365 0.00E+00 Sum = -3.81E-06 Table 7 351 Day ICCDP Risk Contribution Summary, ESPS to Train B Hazard ESPS credit Base Multiplier ICCDP Internal Events 2.84E-06 3.00E-06 351/365 -1.54E-07 Internal Flooding 7.72E-06 7.74E-06 351/365 -1.92E-08 High Winds 4.16E-06 7.77E-06 351/365 -3.47E-06 Fire (limiting Unit) 4.53E-05 4.55E-05 351/365 -1.92E-07 Seismic 5.31E-08 5.31E-08 351/365 0.00E+00 Sum = -3.84E-06

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 24 of 51 Table 8 351 Day ICLERP Risk Contribution Summary, ESPS to Train A Hazard ESPS credit Base Multiplier ICLERP Internal Events 4.23E-07 4.49E-07 351/365 -2.50E-08 Internal Flooding 3.40E-07 3.46E-07 351/365 -5.77E-09 High Winds 4.25E-07 8.11E-07 351/365 -3.71E-07 Fire (limiting Unit) 4.08E-06 4.09E-06 351/365 -9.62E-09 Seismic 2.18E-08 2.18E-08 351/365 0.00E+00 Sum = -4.12E-07 Table 9 351 Day ICLERP Risk Contribution Summary, ESPS to Train B Hazard ESPS credit Base Multiplier ICLERP Internal Events 4.23E-07 4.49E-07 351/365 -2.50E-08 Internal Flooding 3.39E-07 3.46E-07 351/365 -6.73E-09 High Winds 4.25E-07 8.11E-07 351/365 -3.71E-07 Fire (limiting Unit) 4.07E-06 4.09E-06 351/365 -1.92E-08 Seismic 2.18E-08 2.18E-08 351/365 0.00E+00 Sum = -4.22E-07 Table 10 CDF For Entire Change, ESPS to Train A Hazard 14 Day CT 351 Day CDF Internal Events -4.99E-09 -1.63E-07 -1.68E-07 Internal Flooding 5.98E-08 -1.92E-08 4.06E-08 High Winds 5.00E-07 -3.53E-06 -3.03E-06 Fire (limiting Unit) 1.19E-07 -9.62E-08 2.27E-08 Seismic 2.36E-08 0.00E+00 2.36E-08 Sum = -3.11E-06 Table 11 CDF For Entire Change, ESPS to Train B Hazard 14 Day CT 351 Day CDF Internal Events 1.73E-08 -1.54E-07 -1.37E-07 Internal Flooding 6.48E-08 -1.92E-08 4.56E-08 High Winds 5.15E-07 -3.47E-06 -2.96E-06 Fire (limiting Unit) 6.52E-08 -1.92E-07 -1.27E-07 Seismic 2.36E-08 0.00E+00 2.36E-08 Sum = -3.15E-06

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 25 of 51 Table 12 LERF For Entire Change, ESPS to Train A Hazard 14 Day CT 351 Day DLERF Internal Events -3.45E-10 -2.50E-08 -2.53E-08 Internal Flooding 9.51E-09 -5.77E-09 3.74E-09 High Winds 4.56E-08 -3.71E-07 -3.26E-07 Fire (limiting Unit) 1.04E-08 -9.62E-09 7.40E-10 Seismic 9.44E-09 0.00E+00 9.44E-09 Sum = -3.37E-07 Table 13 LERF For Entire Change, ESPS to Train B Hazard 14 Day CT 351 Day DLERF Internal Events 2.26E-09 -2.50E-08 -2.27E-08 Internal Flooding 9.70E-09 -6.73E-09 2.97E-09 High Winds 4.60E-08 -3.71E-07 -3.25E-07 Fire (limiting Unit) 4.22E-09 -1.92E-08 -1.50E-08 Seismic 9.44E-09 0.00E+00 9.44E-09 Sum = -3.51E-07 The evaluation started with the models developed in response to RAI 14 (from the first round of RAIs). All of the hazard models were then enhanced to include alignment of ESPS to EDG 1A. The models were also revised to include the PRA updates required by RAI 22.

The fire results were obtained from updated fire model used in RAI 20.

The results reported for EDG-1B are lower than reported previously in the response to PRA RAI 14 due to RN system flow path modeling refinement, as discussed in the response to PRA RAI 13.

The tables above also include the impact of the sensitivity study values for the ESPS human error probabilities (i.e., their nominal values have been increased by a factor of two).

The tables above indicate that the ICCDP and ICLERP for the proposed TS change meet the risk acceptance guidelines in RG 1.177 with ESPS aligned to either train of emergency power. The results also show that installation of ESPS results in decreases in CDF and LERF with ESPS aligned to either train. In addition, the tables indicate that the B-train CDF and LERF results are generally larger or equivalent to their A-train counterparts.

b) The McGuire PRA models normal system configuration and operation. Since train A is modeled as the running train, historical maintenance unavailabilities for both A- and B-train components are lumped onto train B components. Alternate alignments, such as aligning the standby battery charger, are modeled symmetrically; asymmetrical alignments, such as back-up power from the SSF to MCC 1EMXA4, are included as well.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 26 of 51 The sensitivity for PRA RAI 12.a was performed to investigate the impact of model asymmetry on the ICCDP and ICLERP for the EDG CT. The results of the study indicate that the CDF and LERF values are slightly larger when ESPS is aligned to train B of emergency power rather than when aligned to train A. However as seen in the response to PRA RAI 12.a, both alignments meet the risk acceptance guidelines in RG 1.177 and the results are in general agreement.

c) In the LAR (ML17122A116), the base case PRA model was modified to credit ESPS as a power source to EDG-1B. Since the McGuire PRA models are asymmetric, the sensitivity study performed for PRA RAI 12.a developed logic to align ESPS to EDG-1A. The results of the study indicate that both configurations meet the risk acceptance guidelines in RG 1.177, and the delta risk results are in general agreement. Use of these results will be addressed in RAI 22.

RAI-13 Nuclear Service Water System (RN) Asymmetry Analysis The July 10, 2018 supplement describes, in response to audit question 2.a, an asymmetry between Train A and B of Nuclear Service Water (RN). Specifically, Train A is not required to shift alignment of its water supply given a loss of power to its safeguards bus, whereas Train B is required to shift to the Standby Nuclear Service Water Pond (SNSWP) when it loses power to its respective bus. The statement continues by stating that Train B would not be able to swap to the SNSWP because of the loss of power to the Unit 2 Train B safeguards bus. The NRC staff notes that the McGuire SE for, Changes to Technical Specifications to Address an A Train Nuclear Service Water Non-Conforming Condition (ADAMS Accession No. ML18030A682), states that the normal supply for both trains of NSWS is Lake Norman and the SNSWP alignment is only required for severe postulated seismic events including the safe shutdown earthquake (SSE). It appears to the NRC staff that Train B of NSWS would be available for all other events when it remains aligned to Lake Norman, therefore, negating the need to swap to the SNSWP. Additionally, the supplement response only refers to one initiator, dual unit loss of offsite power, and does not address other initiators applicable to this analysis. From the information provided in the supplement, the impact on the application regarding the exclusion of other possible plant alignments and system asymmetries associated with the RN trains are not clear. Also, it is not clear that the alignment modelled in the PRA is the most limiting in terms of the calculated ICCDP and ICLERP.

Justify that the alignment modelled in the PRA (Train A operating / Train B standby) and corresponding asymmetries is the most limiting in terms of the calculated ICCDP and ICLERP compared to the other normal alternative alignments. Include discussion of how the limiting alignment is different for the significant accident scenarios.

Duke Energy RAI-13 Response As noted in the discussion above for this RAI, Train B of NSWS (RN) would be available for non-seismic events when it remains aligned to Lake Norman, thus negating the need to swap to the SNSWP. However, the base case PRA model does not currently apply this credit.

Consistent with plant design, the model assumes that if a Loss of Offsite Power (LOOP) or Safety Injection (SI) occurs, then the applicable flow path is from the SNSWP to RN Train B back to the SNSWP. The B-Train valves that must reposition to accomplish the swap are powered from Unit 1 and Unit 2 Train A of essential power. Thus, the base case model counts sequences involving a LOOP and loss of emergency power on Train A (but not Train B) as

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 27 of 51 failures, because power is not available to support alignment of Train B to the SNSWP. In reality, with emergency power available to the RN Train B and the pump still aligned to Lake Norman, RN train B would not be failed. As part of the sensitivity study performed in response to PRA RAI 12.a, the PRA models were modified to allow credit for the flow path to Lake Norman, thereby eliminating invalid failure combinations.

To justify that the alignment modelled in the PRA (Train A operating / Train B standby) is the most limiting in terms of the calculated ICCDP and ICLERP associated with EDG CT, the sensitivity study described in the response to PRA RAI 12.a was performed by aligning ESPS to Train A power instead of to Train B. The study found that the results for Train B Operating /

Train A standby are bounding.

RAI-14 Basic Event Failure Rate Anomalies Section 5, Quality Assurance, of RG 1.174, Revision 2, states, [w]hen a risk assessment of the plant is used to provide insights into the decision-making process, the PRA is to have been subject to quality control. RG 1.174, Revision 2, states, the results of the sensitivity studies should confirm that the guidelines are still met even under the alternative assumptions.

a) SR DA-C1 in the ASME/ANS 2009 PRA standard, as qualified by RG 1.200, Revision 2, requires that use of generic parameter estimates (also referred to as industry failure rates) should come from recognized sources. The NRC staff notes that the current industry failure rates for Class 1E EDGs are higher than that presented in the July 10, 2018 supplement in response to audit question 05.a for the McGuire, Units 1 and 2, PRA model [e.g., for EDG fail-to-run after load, the current industry failure rate in NUREG-6928 (2015 Update of Component Reliability Data Sheets, dated December 2016) is 1.52E-03/hour, while the same failure rate presented for McGuire, Units 1 and 2, is 7.77E-04/hour].

To address this observation, the NRC staff requests the following additional information:

i. Explain how the EDG failure rates (i.e., fail-to-load/run, fail-to-run after load) used in the risk evaluations for the July 10, 2018 supplement were developed or provide industry reference. Explain why they are significantly lower than the current Industry failure rates. As part of this discussion, justify how these EDG failure rates meet SRs DA-C1 and DA-D1 at capability category (CC) II of the ASME/ANS 2009 PRA standard, as qualified by RG 1.200, Revision 2, and provide the source(s) for any generic parameter estimates used.

ii. If the generic parameter estimate(s) for the EDG cited in Part (i) above are not consistent with current industry failure rates [e.g., NUREG-6928 (2015 Update of Component Reliability Data Sheets, dated December 2016)], then justify that use of current industry failure rates in Part (i) (i.e., a reasonable alternative assumption) does not change the conclusions of the LAR (e.g., describe and provide the results of an appropriate sensitivity study using the PRA models from the aggregate analysis requested in RAI-22).

iii. Alternatively to Parts (i) and (ii), incorporate the appropriate probabilities for the EDGs into the PRA models used for this LAR that aggregate the PRA updates requested in RAI-22.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 28 of 51 b) In the July 10, 2018 supplement in response to audit question 05.a, it states that EDG failure rates were updated; however, it is unclear to the NRC staff whether the common cause failure (CCF) probabilities were also updated.

i. Confirm that the CCF probabilities associated with EDG failures were updated in response to audit question 05.a and Part (a) of this RAI.

ii. Alternatively, incorporate the appropriate CCF probabilities for the diesel generators into the PRA models used for this LAR that aggregate the PRA updates requested in RAI-22.

Duke Energy RAI-14 Response a)

i. Generic failure rates for the McGuire data were obtained from NUREG/CR-6928, Component Reliability Data Sheets 2010 Update, dated January 2012, and Bayesian updated with plant-specific experience. The data analysis for McGuire was performed in 2015, based on the 2010 Data Sheets, using the method that was peer reviewed. The 2015 data sheets were not released until February of 2017, which was after the analysis was developed. The Bayesian update resulted in a decrease in the failure rate values in the model from the generic values.

This meets the requirement by using component failure rates and probabilities from the recognized industry source NUREG/CR-6928 (as listed in the requirement). Reg guide 1.200 has no clarifications that affect these requirements. The Bayes process used in the data update meets the requirement of DA-D1.

ii. Not applicable.

iii. Not applicable.

b)

i. The internal events, flooding and high wind CCF probabilities included in the base probability analysis are consistent with the base data development presented in Part (a) of this response.

The diesel failure rates in the fire model were updated to be consistent with the other MNS models used for the LAR Audit RAI 14 response using the data developed in Part (a). The common cause failure probabilities were not updated for the LAR Audit RAI 22 response, for reasons given in (ii) of this response.

ii. Common Cause failure is removed for the CT cases quantified for this response, as a safety related diesel will need to be evaluated for the potential of common cause failure before entering the extended CT, resulting in a probability of 0 for the diesel generator CCF probabilities. This is due to proposed Technical Specification 3.8.1 required action D.4 which requires that an inoperable safety related diesel be evaluated for common cause within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of the start of the CT, which is before entering the extended CT.

Evaluation of the fire model with the same common cause factors as used in the

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 29 of 51 internal events model produced a 0.5% increase in total CT ICCDP (8.52E-7 to 8.56E-7) and a 0.5% increase in total CT ICLERP (8.49E-9 to 8.52E-9) for the sensitivity case that was presented in the Audit RAI 14 results. The updated CT metrics remain below the 1E-6 and 1E-7 RG-1.177 thresholds for CT ICCDP and CT ICLERP RAI-15 ESPS Operator Action Human Reliability Analysis Anomalies Section 5, Quality Assurance, of RG 1.174, Revision 2, states, [w]hen a risk assessment of the plant is used to provide insights into the decision-making process, the PRA is to have been subject to quality control.

As discussed in Attachment 6 of the LAR, two human failure events (HFEs) were developed for ESPS in the McGuire, Units 1 and 2, PRAs. One HFE is applied to the extended CT model case and is described in LAR Attachment 6, Section 6.1.4.1 as, Operator Fails to Power 4kV Bus from ESPS during 14 Day AOT [allowed outage time].

The other HFE is applied when the EDG is available (e.g., non-extended CT model case) and is described as, Operator Fails to Power 4kV from ESPS when Not Aligned for 14 Day AOT.

The MNS ESPS Alignment Action table provided in the July 10, 2018 supplement in response to audit question 06.a shows the recovered value for the AOT HFE to be the same for the internal events, fire, and high winds PRA models. Clarify whether the human reliability analysis for the fire and high winds PRAs evaluated this operator action for hazard/scenario specific conditions. If these ESPS HFEs did not account for hazard/scenario specific conditions in the fire and high winds PRA models, justify that correcting the HFEs will not impact the conclusions of the LAR.

Duke Energy RAI-15 Response The performance shaping factors were evaluated as part of the process for modeling the ESPS system in the PRA. The HFE were developed using conservative assumptions to provide upper bound HEP values for the analysis. These values were doubled for the sensitivity analysis presented. The performance shaping factors for ESPS HFE did not need to be modified for the fire and high winds models.

The basis for the conclusion that the performance shaping factors did not need to be adjusted is provided below.

In the high winds case, the action is performed inside structures and can be performed more than one hour after the initiating event allowing for adequate time to diagnose conditions and a system window of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months allowing the normal stress levels to be assumed.

The timing window for the HFE in the fire case results in negligible HEP impact for the same reasons.

RAI-16 Seismic Analysis Contribution to the Application Section 2.3.2 of RG 1.177, Revision 1, states, [t]he scope of the analysis should include all hazard groups (i.e., internal events, internal flood, internal fires, seismic events, high winds, transportation events, and other external hazards) unless it can be shown that the

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 30 of 51 contribution from specific hazard groups does not affect the decision.

The July 10, 2018 supplement, in response to audit question 08.a, presents an approach for determining the bounding seismic core damage frequency (CDF) and large early release frequency (LERF) increase for the impact of the 14-day EDG outage. As part of the approach, the seismic hazard was divided into six hazard bins and a mean frequency of exceedance was determined for each seismic bin. It appears that these bin frequencies were then combined with conditional core damage probabilities (CCDPs) estimated by using the CCDP resulting from an internal events PRA loss of offsite power (LOOP) initiating event. The response states that seismic events are assumed to result in a LOOP event or to be low enough in magnitude to be subsumed as an internal event. It is not clear to NRC staff that this approach of using internal event CCDPs as a surrogate for seismic event CCDPs produces bounding seismic risk estimates for a number of reasons. Of primary concern, is that this approach does not account for seismically-induced SSC failures including those that could coincide with the unavailability of an EDG producing potentially significant seismic risk contributions. Also, the response states that human error probabilities (HEPs) are not adjusted to account for seismic scenario specific conditions.

NRC staff acknowledges that at a certain magnitude (seismic bin), the fragility of the EDGs may be 100% correlated if they are located on the same elevation and location. In this case, all EDGs either fail or are successful for a given seismic bin, and if all EDGs fail then it is irrelevant whether an EDG is unavailable for test or maintenance. However, for seismic bins in which all EDGS are successful, then the unavailable EDG could coincide with a seismically-induced failure of a non-EDG SSC that produces a significant seismic risk contribution. In light of these observations:

a) Provide justification (e.g., describe and provide the results of an appropriate sensitivity study) that the seismic risk impacts produced by the analysis provided in the July 10, 2018 supplement are bounding. As part of this justification, address how the risk contribution of seismic-induced SSC failures and seismic-impacted HFEs are considered b) Alternatively, appropriately update the bounding analysis and provide the revised seismic risk estimates with the new PRA results generated in response to RAI-22.

Duke Energy RAI-16 Response a) RG-1.177 Risk Limits The delta risk contribution for CDF/LERF (RG-1.177 CT delta risk limits) is bounded using the method used for the audit question 08.a response for the following reasons:

1) Seismically correlated equipment in redundant trains would experience correlated failure regardless of a diesel generator being unavailable. Not including the seismic failures results in maximizing the random failure contribution of the individual components to the delta risk. This is as a result of not including the impact of the correlated seismic failure probabilities of other components or support systems that would have resulted in failure of the mitigation function. When processing the cutsets with the ACUBE software, the random failure contribution would be reduced by the seismic failures. This would be of more impact in the higher magnitude seismic initiator bins.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 31 of 51

2) Offsite power was chosen as the appropriate initiator to drive the model since it would challenge the diesels which are the components taken out of service for the CT. Also, offsite power is generally one of the least seismically rugged functions in the plant and it directly impacts both Units and all trains of equipment that have dependency on the diesel generators. So, the impact on delta plant risk for having a diesel generator unavailable is best represented by using the failure of this function as the initiator.

3) Additional conservatism in the modeling is produced as the SSF, ESPS system and FLEX equipment are not credited (assumed failed) for all seismic events. All of these components and systems have some seismic capacity. They were excluded as their seismic capacities were not assessed.

4) Since the major component groups are expected to experience correlated failures, the same actions would need to be performed in both the CT and non-CT cases resulting in delta CDF/LERF of zero as the same cutset with the same HFE would appear in the CT and non-CT cases.

Justification of Equipment Correlation Since McGuire is a very symmetric plant, nearly all the equipment that would be used to mitigate a loss of offsite power, and is dependent on a diesel generator for power, is correlated. Below is a listing of those major component groups that would be highly correlated due to being located on the same elevation, in the same building and in the same orientation.

Emergency Diesel Generators Auxiliary Feedwater motor driven pump trains Chemical and Volume Control CCP pump trains Component Cooling Water pump trains Residual Heat Removal pump trains Safety Injection pump trains Vital Batteries The Nuclear Service Water pump trains are in the same elevation and building but are in different orientations. They would still be considered correlated.

The emergency buses are located in the same building but are on different elevations.

They would still be considered correlated as the difference in floor elevations is only one floor and they are in the same building and orientation.

b) No revision of the analysis is required based on the response to part a of this RAI.

RAI-17 Avoiding Plant Configurations that Contribute to Significant Risk Section 2.3 of RG 1.177, Revision 1, cites the need to avoid risk-significant plant configurations and discusses Tier 2 of a three-tiered approach for evaluating risk associated with proposed TS CT changes. According to Tier 2, the licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. Once the specific plant equipment are identified, an assessment can be made as whether certain enhancements to the TS or procedures are needed to avoid risk-significant

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 32 of 51 plant configurations. In addition, Section 2.4 of RG 1.177 states, as part of the TS acceptance guidelines specific to permanent CT changes, the licensee should demonstrate that there are appropriate restrictions on dominant risk-significant configurations associated with the change.

The LAR indicates that the ICCDP and ICLERP for the proposed TS change meet the risk acceptance guidelines in RG 1.177 by a small margin, and therefore, in accordance with Tier 2, it is important that plant configurations contributing to risk be avoided when the EDGs are taken out of service for the extended CT. Section 3.12.2 of the LAR provides a discussion of Tier 2 (Avoidance of Risk-Significant Plant Configurations) and identifies in LAR Table 2 those SSCs for McGuire, Units 1 and 2, that are important to the 14-day EDG CT based on SSC risk importance values presented in LAR Attachment 7. LAR Section 3.12.2 states that unavailability of the identified SSCs should be avoided during the extended CT. In the July 10, 2018 supplement in response to audit question 10, several methods are relied upon to avoid risk-significant plant configurations: Technical Specifications (TS), Selected License Commitments (SLCs), cycle schedules, protected equipment schemes, and the Electronic Risk Assessment Tool (ERAT).

Propose a mechanism that ensures (e.g., license condition that implements the cited methods) the SSCs listed in LAR Table 2 will not be removed from service for planned maintenance or testing during the extended EDG CT.

Duke Energy RAI-17 Response The SSCs listed in Table 2 of the May 2, 2017 LAR submittal have been added to the Regulatory Commitments, as shown in Attachment 4. Commitment #4, which aligns with the BTP 8-8, is revised to include the equipment listed from Table 2, to be controlled as protected equipment. Protected equipment plans have been developed for important SSCs. These plans are maintained by the Operations group. AD-OP-ALL-0201, Protected Equipment provides guidance for the management of protected equipment. Duke Energy has in place a Commitment Management procedure (AD-LS-ALL-0010) that provides the instructions for implementing, tracking, and controlling Duke Energys regulatory commitments. All outgoing docketed correspondence are reviewed and the commitments are entered into a Commitment Tracking Database. AD-DC-ALL-0202, Writers Manual for Procedures and Work Instructions, provides instructions for the development of Administrative and Technical Procedures and guides the procedure writer in ensuring Technical Specifications and regulatory commitments are met. Adding the Table 2 SSCs to the regulatory commitment, along with the procedures Duke Energy has in place to control commitments, will ensure the SSCs will not be removed from service for planned maintenance or testing during an extended EDG CT.

RAI-18 Risk Calculations for the EDG CT Extension Section 2.3 of RG 1.177, Revision 1, provides guidance on PRA modeling detail needed for TS changes. Section 2.3.3.1 of RG 1.177 states that the PRA model should also be able to treat the alignments of components during periods when testing and maintenance are being carried out. It also states that [s]ystem fault trees should be sufficiently detailed to specifically include all the components for which surveillance tests and maintenance are performed and are to be evaluated.

It is not clear how certain aspects of the risk evaluation in support of the LAR meet the guidelines in RG 1.174, Revision 2, and RG 1.177, Revision 1. Specifically, the McGuire, Units 1 and 2, internal events, internal flooding and high winds PRA risk results reported in

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 33 of 51 LAR Attachment 6 are unchanged across units. Therefore, the NRC staff requests the following additional information:

a) Explain why the McGuire, Units 1 and 2, internal events, internal flooding and high winds PRA risk results reported in LAR Attachment 6 are identical between units. If these PRAs are single unit PRA models assumed to represent both units, then explain how the single unit PRA models are representative or bounding (e.g., the most limiting) for Units 1 and 2. Include a discussion of how SSCs that are shared between both units were implicitly or explicitly modeled in the single unit PRA models, and how differences between the single unit PRA models and Units 1 and 2 for risk-significant systems do not change the conclusions of the LAR. (Risk-significant systems considered by the NRC staff are those systems identified in LAR Table 2 and the additional systems cited in RAI-01.)

b) If the current modeling cannot be justified because the PRAs do not reflect the differences between units, then update the PRAs to reflect the difference between units in the McGuire, Units 1 and 2, PRA models used for this LAR that aggregate the PRA updates requested in RAI-22.

Duke Energy RAI-18 Response a) The internal events, internal flooding and high winds PRA risk results reported in LAR Attachment 6 were derived from the McGuire Unit 1 model.

Internal Events Systems at Unit 2 have been investigated for similarity with Unit 1 to ensure that the same PRA results generally apply to both units. Because of the similarities in the containments at Unit 1 and Unit 2 and because the initiating event analysis is similar, the investigation focused on the individual plant systems modeled in the plant fault tree.

The unit comparison focused on differences in the system design or in component fault exposure times which would result in differences in the system fault trees. Design Basis Documents, Technical Specifications, system flow diagrams, and electrical drawings were examined and compared. This comparison was used as a basis to determine if further investigation was warranted. Cognizant system engineers were interviewed for additional information.

Shared Systems Instrument Air (VI) System The instrument air system is shared between both units. Because of this, there are no unit differences and interdependencies except the power supplies to the VI compressors and other VI components, which are powered from different units to minimize the impact from an event on any given unit. The same information applies to the Recirculation Cooling Water system, which is included in the VI fault tree. The plant responses to initiating events that may affect both units are not significantly different.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 34 of 51 Standby Shutdown System (SSS)

During an emergency, the Standby Shutdown Facility (SSF) is used to achieve and maintain hot standby on one or both units. Operators can establish natural circulation in the NC System, initiate auxiliary feedwater, and line up SSS valves either in the control room or locally. Plant control is then to be shifted to the SSF. Primary and secondary inventory is controlled and primary natural circulation is verified once SSF control is established.

Electrical power needed to achieve and maintain hot standby is supplied by the SSF diesel generator. Non-LOOP initiators do not require the SSF diesel generator to be started for electrical power to the SSF functions. For those initiators, station power is sufficient.

Control Power The vital and aux. control power systems are shared systems. That is, they may be supplied with power from either unit and they supply control power to both units.

A dual-unit event such a tornado could result in a loss of control power on both units.

The ac power model considers the impact of such events on the availability of ac power to each unit. The aux. control power model includes dependencies on the normal power supplies, whether they are from Unit 1 or Unit 2. For modeling simplicity, the vital control power model assumes Unit 1 is the power supply.

600 V Normal Auxiliary Power System This system includes twenty-eight shared motor control centers (MCCs) that feed shared or station loads. Twenty-three of the motor control centers are double-ended.

The remaining five MCCs are SMXE, SMXIA, SMXLA, BMXG and SMXG. SMXE provides power to the on-site Technical Support Center and is fed from EPE system essential MCCs 1EMXA (Normal) and 2EMXA (Alternate) via an automatic transfer switch. SMXIA and SMXLA are sub-fed from SMXI and SMXL, respectively. BMXA and SMXG are fed from 1SLXG located in the SSF. Load center 1SLXG is alternatively fed from the SSF Diesel Generator, providing an alternate feed to the load center and thus to MCCs BMXA and SMXG. Normal and alternate sources for an MCC are fed from physically and electrically separated shared load centers.

Other equipment throughout the electrical distribution systems, such as 6.9/4.16 kV shared aux. transformers SATA and SATB, may be fed from either unit and power loads on either unit.

Unit Differences

Within the 600V Essential Aux. Power System, there is one MCC, 1EMXH, that can be supplied from either unit and supplies loads on both units.

Within the 600V Normal Aux. Power System, there are fourteen 600 V load centers on Unit 1 (seven feed unit loads and seven feed shared or station loads) and fifteen load centers on Unit 2 (seven feed unit loads and eight feed shared or station loads).

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 35 of 51 The Unit 1 internal events results are deemed applicable to Unit 2 due to nearly identical SSC design and operation, and similar spatial configuration. System flow diagrams and electrical drawing are highly symmetric across the units. Similar procedures exist for the systems at both units, and the same Technical Specifications apply. Because of this, fault exposure times are considered the same for each system across both units. Shared system components are modeled. Therefore, it is reasonable to conclude that the Unit 1 internal event fault tree results also apply to Unit 2.

Internal Flood The MNS IFPRA includes all Unit 1 and Unit 2 differences inherently. The IFPRA was built on the model of record, which is based on the Unit 1 configuration; however, the IFPRA also evaluated Unit 2 as well in several ways. First, Unit 2 specific areas were evaluated to determine whether scenarios could impact Unit 2 only or both units. If both units could be impacted (e.g. dual-unit trip), the scenario was included in the model. In addition, Unit 2 specific or shared unit piping was included in the analysis for initiating event analysis. If Unit 2 piping was found to impact both units it was included in the model. Shared or cross tied systems were also evaluated when developing scenarios as to whether they would be successful for the given scenario. Unit differences identified in the internal events model were also evaluated. As the internal events model identified no significant changes, there would be no differences for the IFPRA analysis as well.

High Winds McGuires high wind analysis models Unit 1 SSCs and shared unit SSCs. The applicability of the results to Unit 2 is realistic due to the high level of symmetry between units. In addition, two plant walkdowns were conducted to observe and document locations and conditions of all SSCs identified for inclusion in the HW PRA, as well as to conduct a detailed survey of potential missile sources in and around MNS in both outage and non-outage conditions for both units. The missile count applied includes impact from both Unit 1 and Unit 2 outage missiles. High wind targets were walked down in both units to validate the symmetry of the units.

Conclusion Per the model reviews discussed above for internal events, internal flood and high winds, the single unit PRA models are representative for Units 1 and 2. SSCs that are shared between both units are implicitly modeled in the single unit PRA models. A review of the differences between the single unit PRA models and Units 1 and 2 for risk-significant systems, which included those identified in LAR Table 2 and the additional systems cited in RAI-01, determined that the conclusions of the LAR remain valid.

b) As discussed in the response to RAI 18.a, the Unit 1 internal events, internal flood and high wind results are deemed applicable to Unit 2. Therefore, there are no changes for this RAI necessary to be included in the aggregate RAI-22.

RAI-19 Implementation Verification of ESPS System Regulatory Guide 1.174, Revision 2, provides quantitative guidelines on CDF, LERF, and

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 36 of 51 identifies acceptable changes to these frequencies that result from proposed changes to the plants licensing basis and describes a general framework to determine the acceptability of risk-informed changes. The NRC staffs review of the information in the LAR, as supplemented, has identified additional information that is required to fully characterize the risk estimates.

The estimated risk associated with the EDG CT extension is based on assumptions about an ESPS system that has not yet been installed and operator actions for which procedures have not been completed. Upon completion of these plant modifications and procedures, the PRA models will need to be assessed against the as-built, as-operated plant and updated, as necessary. Then new risk estimates will need to be generated and evaluated to confirm that the conclusions of the LAR have not changed.

In the July 10, 2018 supplement in response to audit question 12, the licensee identifies eight assignments that involve the review and update of specific aspects of ESPS PRA modeling after the installation of the ESPS and completion of associated operating procedures. The NRC staff interprets these assignments as commitments; however, completing these assignments is necessary to ensure that the PRA modeling represents the as-built, as-operated ESPS system and the risk acceptance guidelines in RG 1.177 and RG 1.174 are met upon completion of the ESPS plant modifications and associated procedures.

Propose a license condition requiring that after the ESPS system is installed and applicable procedures updated and prior to implementing the 14-day EDG CT: (1) update the risk estimates associated with this LAR, as necessary (including results of sensitivity studies) using PRA models that reflect the as-built, as-operated plant, and (2) confirm these updated risk estimates meet the risk acceptance guidelines of RG 1.174 and RG 1.177.

Duke Energy RAI-19 Response The risk estimates associated with the 14-day EDG Completion Time LAR will be updated, as necessary to incorporate the as-built, as-operated ESPS modification. Duke Energy will confirm that any updated risk estimates continue to meet the risk acceptance guidelines of RG 1.174 and RG 1.177 (See Attachment 4).

RAI-20 Updated Internal Events Logic Transferred to Other Hazard Models The LAR states that the proposed change to the TS CT has been developed using the risk-informed processes described in RG 1.174, Revision 2, and RG 1.177, Revision 1. Based on Section 2.3.1 of RG 1.177, the technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. The RG 1.177 endorses the guidance provided in RG 1.200, Revision 2, on PRA technical adequacy. Section 1 in Regulatory Position C of RG 1.200 states, the PRA results used to support an application must be derived from a baseline PRA model that represents the as-built, as-operated plant to the extent needed to support the application. Consequently, the PRA needs to be maintained and upgraded, where necessary, to ensure it represents the as-built, as-operated plant.

In the July 10, 2018 supplement, the response to audit question 13.a states the high winds PRA has been updated to Revision 4. In contrast to that, the response to 13.c states that the fire and high winds PRAs are based on Revision 3 of the internal events PRA with

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 37 of 51 minor changes. The NRC staff is unclear which revision of the internal events model is incorporated in the high winds PRA model. The response to 13.a and elsewhere states that there are [s]ignficant internal events model changes between Revisions 3 and 4. The supplement lists a few of the significant changes that could impact the fire and high winds PRAs, including: updated model data, updated human reliability analysis (HRA) (change in HEP values), and incorporation of a plant modification related to a LERF pathway.

Accordingly, it is not clear how the McGuire, Units 1 and 2, fire and high winds PRAs address the modeling updates performed for the internal events PRAs. These internal events updates appear to represent modeling improvements that result in a more realistic representation of the as-built, as-operated plant as prescribed in RG 1.200, Revision 2. To address the above observations, provide the following information.

a) Clarify which revision of the internal events model is currently incorporated in the high winds PRA model used for this application.

b) Describe all model changes made to the internal events PRA (since Revision 3) that were not incorporated into the fire and high winds PRA models. Also include description of model updates that were performed to resolve F&Os from the 2015 peer review.

c) Provide detailed justification (e.g., describe and provide the results of an appropriate sensitivity study using the PRA models from the aggregate analysis requested in RAI-

22) that incorporating the model changes described in part (b) into the fire and high winds PRA models does not impact the conclusions of the LAR, as supplemented.

Alternatively, incorporate these internal events PRA updates, as applicable, into the McGuire, Units 1 and 2, fire and high winds PRA models used for this LAR that aggregate the PRA updates requested in RAI-22.

Duke Energy RAI-20 Response a) The high winds model utilized Revision 4 of the MNS model of record (MOR).

b) As described in RAI 20.a the MNS high winds uses the Revision 4 of the MNS model of record.

The modeling changes performed to the MNS model from Revision 3 to Revision 4 are extensive. The following were changed or added for Revision 4 of the MNS model of record (including changes required for resolution of peer review findings). These are presented below.

Data:

Performed Bayesian update on generic data used to represent plant operating experience

Updated operating capacity factor

Generic data was updated and component boundaries were updated to match the applied data

Updated type codes to divide components by mission type/service condition

Type codes were further credited to cover more specific equipment

Type codes were added to differentiate components never tested

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 38 of 51

Removed orifice plugging failures from applicable clean water systems Initiating Events

Updated initiating event time period for plant specific initiating event frequency calculations and for Bayesian update of generic initiating event frequencies

Updates LOOP frequency using the most recent data and operating experience HRA

Converted HRA and pre-initiator to the use of the EPRI HRA Calculator

Converted the dependency analysis to using the EPRI HRA Calculator

Additional human failure actions were added to the model as needed to support model or sequence changes The following system changes are listed below. An effort to condense the changes has been made such that only fault tree changes are listed. In every case the system model had minor corrections to basic events, component boundary updates, data updates, common cause failure updates, testing and maintenance updates and general modeling clean-up (e.g. fix basic event description). The following are meant to present a high level summary of changes.

AC System

Replaced simplified logic with detailed logic including Unit 2 power supply paths

Updated and added maintenance events for existing and new component respectively

Added new top gates for the addition of normal control power system EDG System

Added additional basic events for relay or other support system electrical failures that could fail the EDGs

Added additional modeling of the fuel transfer system AFW System

Updated fault tree logic for AFW motor driven pumps in relation to support systems (e.g. electrical and cooling)

Updated fault tree logic for AFW turbine driven pump in relation to support systems (e.g. electrical and cooling)

Added logic for modeling loss of DC power from the standby shutdown facility

Changed logic to reflect changes in the sole source of non-safety related condensate

Removed auto swap and replaced it with an operator action

Updated AFW for extended loss of all power events ESFAS System

Added additional components to the ESFAS system model

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 39 of 51 CVCS System

Added logic such that three injection paths are required to successfully mitigate all scenarios requiring CVCS injection and recirculation

Added an alternate method to cool CVCS pump motors

Changed RCP pump seal injection water filter path alignment CCW System

Added additional failures that could lead to the failure of the CCW system Instrument Air System

Updated recirculation cooling water system model from point estimate to fully developed system fault tree

Removed reciprocating compressors from model

Included compressor control air failure mode into the system model Residual Heat Removal System

Failure of standby motor equipment separated into failure to run during the first hour and then the rest of the of the mission time

Added logic to allow for the use of the containment spray heat exchanger in case the residual heat removal heat exchanger fails

Remove sump screen plugging from the model Hydrogen Mitigation System

Deleted unneeded point estimates in the system model

Updated fault tree to model control switches, fuses and alternate power from the SSF Service Water System

Made fault tree changes to incorporate failures of all four service water pumps

Implemented logic associated with valve closure and common cause failure

Implement logic changes to account for the recovery of service water

Added action to start standby service water pump when the operating pump fails Containment Spray System

Deleted fault tree tops during injection phase because this is no longer permitted per the water management strategy

Split run failures of components into 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months mission times followed by the remainder of the mission time

Deleted modeling related to sump clogging as this is not an issue Reactor Coolant System

Added new top event to capture the code SRVs failing to open

Developed system specific modeling to replace previous point estimates

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 40 of 51

Performed model changes to ensure fault tree modeling is consistent with system assumptions Reactor Protection System

Updated fault tree modeling for the reactor protection system to follow industry guidance

Added additional events for model completeness (undeveloped events or point estimates)

Safety Injection System

Added logic for failure to isolate refueling water storage tank during recirculation

Added additional components to the fault tree for injection phase of the accident (previously screened)

Removed orifice and related valve plugging failures modes for injection and recirculation phases.

Standby Shutdown Facility System

Added HVAC and room cooling modeling

Added previously screened breakers for SSF functionality

Added logic needed for the AFW system support from the SSF Control Power System

Restructured logic to separate battery charger and battery failure modes

Added top gates for representing 120v auxiliary control power system and 125v auxiliary control power system Sequence Logic Update

Updated SGTR sequences in line with WCAP-15955, Rev. 0

Updated ATWS modeling using reference WCAP-15831-P, Rev. 2

Implemented crediting post-LOCA cooldown procedures due to modifications resulting from the ECCS water management strategy

Split reactor coolant pump LOCA initiator per RCP to eliminate model symmetry

MSLB inside containment were grouped for initiators that cause ECCS actuation

Updated success criteria to use MAAP 5.0.1

ISLOCA methodology updated to use WCAP-17154-P

Logic for injection and recirculation phases addresses their respective dependencies independently

Fault tree updated to remove cross tie from opposite unit for seal LOCA sequences c) As described in RAI 20.a, the MNS high winds uses the Revision 4 of the MNS MOR.

For fire, the conclusions of the LAR are not impacted because, when determined to be relevant, the internal events PRA updates listed in the response to RAI 20.b were reviewed and generally incorporated, as appropriate, into the fire PRA used for the

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 41 of 51 aggregate analysis requested in RAI-22. Relevant changes included updated database changes (e.g., failure probabilities and type codes), and the updated model data described in RAI 20, were incorporated into the fire PRA. Relevant changes also included fault tree logic changes (e.g., ESPS; CA MDPs and TDP; RN supply unit cross connect; and reciprocating compressor) but may comprise equivalent modeling where the gate mapping was not one-to-one.

The updated human reliability analysis (HRA) HEP values and the plant modification related to a LERF pathway, both of which were also described in RAI 20, did not need to be incorporated into the updated fire PRA because those changes were already part of the fire PRA model used in the original ESPS LAR submittal. The fire PRA was also not updated to include changes (e.g., non-fire initiators; ATWS, MLOCA, and other non-fire accident sequences; and human failure events not appropriate for fire) when the review determined the change not to be relevant to the fire PRA or when the changes (e.g., gate or basic event naming) would have no impact on risk.

A review of the changes listed in the response to RAI 20.b identified only new Human Failure Events added to MR4 as potentially impacting the conclusions of the LAR if incorporated into the updated fire PRA. The impact of crediting those HFEs for fire would tend decrease the total risk results (i.e., CDF and LERF) and therefore not incorporating them would be conservative. With regard to the delta risk results (i.e.,

CDF and LERF), the justification for concluding that incorporating those HFEs would not impact the conclusion of the LAR was based on a consideration of their related risk contributions in internal events cutsets associated with initiators mapped to the fire event in the fire PRA. In particular, from a comparison of the respective Birnbaums for AOT cutsets and base cutsets, the limit of the delta risk is estimated to be 5E-9/yr and is considered negligible.

The conclusion is consistent with a significant risk insight of the updated fire PRA which is that the ESPS plant modification has a relatively small impact on the Fire PRA model because the dominant accident sequences of the fire PRA cannot be mitigated using ESPS. The strategy of protecting the CA TDP and SSF system has far more of a beneficial impact to the fire PRA response than crediting the ESPS system.

Consequently, the results of the updated fire PRA supports the assertion that incorporating the discrepancies between the internal events PRA model of record and the fire PRA model of record does not impact the conclusions of the ESPS LAR Application.

RAI-21 Sources of Model Uncertainty and Parametric Uncertainty The LAR for McGuire, Units 1 and 2, dated May 2, 2017, states that the proposed change to the TS CT has been developed using the risk-informed processes described in RG 1.174, Revision 2, and RG 1.177, Revision 1. Regulatory Position C of RG 1.174 states:

In implementing risk-informed decision-making, LB [licensing basis] changes are expected to meet a set of key principles. In implementing these principles, the NRC staff expects [that]: Appropriate consideration of uncertainty is given in the analyses and interpretation of findings. NUREG-1855 provides further guidance.

Section 2.5.2 further elaborates, because of the way the [risk] acceptance

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 42 of 51 guidelines were developed, the appropriate numerical measures to use in the initial comparison of the PRA results to the acceptance guidelines are mean values. The mean values referred to are the means of the probability distributions [of the risk metrics] that result from the propagation of the uncertainties on the [PRA] input parameters and those model uncertainties explicitly represented in the model under certain circumstances, a formal propagation of uncertainty may not be required if it can be demonstrated that the state-of-knowledge correlation [SOKC] is unimportant.

a) Revision 0 of NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making (2009), primarily addressed sources of model uncertainty for internal events (including internal flooding) and references EPRI report 1016737, Treatment of Parameter and Modeling Uncertainty for Probabilistic Risk Assessments (2008), which provides a generic list of sources of model uncertainty and related assumptions for internal events. Revision 1 of NUREG-1855 (March 2017, ADAMS Accession No. ML17062A466) further clarifies the NRC staff decision-making process in addressing uncertainties and addresses all hazard groups (e.g., internal events, internal flooding, internal fire, seismic, low-power and shutdown, Level 2).

NUREG-1855, Revision 1, cites use of EPRI reports 1016737 and 1026511, Practical Guidance on the Use of Probabilistic Risk Assessment in RiskInformed Applications with a Focus on the Treatment of Uncertainty (2012), which complements the NUREG and provides a generic list of sources of model uncertainty for internal events, internal flooding, internal fires, seismic, low-power and shutdown, and Level 2 hazard groups.

While LAR Section 3.12.4 states a review of potential modeling uncertainties was performed using Revision 1 of NUREG-1855, the discussion in LAR Section 6.2 and the results provided in LAR Attachment 9 indicate that Revision 0 of NUREG-1855 (and EPRI report 1016737) was used to evaluate sources of uncertainty for only internal events (including internal flooding).

i. Clarify which version of NUREG-1855 was used for the uncertainties analysis described in the LAR.

ii. Provide a detailed summary of the process used to evaluate sources of model uncertainty and related assumptions [both generic sources (e.g., EPRI reports 1016737 and 1026511) and plant-specific sources] in the internal events, internal flooding, high winds, and internal fires PRAs for their potential impact on this application. Include in this discussion an explanation of how the process aligns with guidance in NUREG-1855, Revision 1, or other NRC-accepted method.

iii. In accordance with the process described in Part (a.ii) above, describe any additional sources of model uncertainty and related assumptions relevant to the application that were not provided in LAR Attachment 9, and describe their impact on the application results.

iv. In accordance with NUREG-1855, Revision 1, for those sources of model uncertainty and related assumptions that could potentially challenge the risk acceptance guidelines (i.e., key uncertainties and assumptions), provide qualitative or quantitative justification for why these key uncertainties and assumptions do not change the conclusions of the LAR (e.g., describe and provide the results of an appropriate sensitivity study(ies) using the PRA models

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 43 of 51 used to perform the aggregate analysis requested in RAI-22); describe and provide the results of a more detailed, realistic analysis to reduce the conservatism and uncertainty; propose compensatory measures and explain how they address the key uncertainties and assumptions).

b) Section 2.3.1 of Regulatory Guide 1.177 states that current good practice (i.e., CC II of the ASME/ANS PRA standard) is the level of detail needed for the PRA to be adequate for the majority of applications. Based on RG 1.174 and Section 6.4 of NUREG-1855, Revision 1, for a CC II risk evaluation, the mean values of the risk metrics (i.e., CDF, LERF) and the means of their incremental values (i.e., ICCDP, ICLERP) need to be compared against the risk acceptance guidelines. The mean values referred to are the means of the risk metrics probability distributions that result from the propagation of the uncertainties on the PRA input parameters and those model uncertainties explicitly represented in the model. In general, the point estimate CDF/LERF obtained by quantification of the cutset probabilities using mean values for each basic event probability does not produce a true mean of the CDF/LERF. Under certain circumstances, a formal propagation of uncertainty may not be required if it can be demonstrated that the SOKC is unimportant.

Attachment 6 of the LAR, as supplemented, provides the ICCDPs and ICLERPs for the proposed CT extension based on point estimate values of the risk metrics. The basis for using these point estimates is the results of an assessment provided in LAR Section 6.2.3, in which a parametric uncertainty analysis was performed on the internal events PRA to determine the baseline mean CDF and LERF which were then compared to the internal events baseline CDF and LERF determined using point estimate values. The comparison showed that the baseline CDF and LERF determined using point estimate values were within 10% of the means values. However, this approach is not consistent with NUREG-1855, Revision 1. For one reason, the licensees parametric uncertainty analysis did not include the other hazards (i.e., internal flooding, high winds, and internal fires) and its impact on ICCDP and ICLERP, which challenge the risk acceptance guidelines (i.e., Regime 3 in NUREG-1855, Revision 1) and could potentially impact the conclusions of the LAR. Additionally, the LAR states that the parametric uncertainty analysis was conducted on the internal events model before changes were made for this application and the point estimates in Figures 5 and 6 of LAR Attachment 6 appear not to match the base case CDF and LERF point estimates presented in LAR Tables 6-19 through 6-22.

i. Provide a detailed summary of the process used to evaluate parametric uncertainties in the calculation of ICCDP and ICLERP for the internal events, internal flooding, high winds, and internal fires PRAs. Include in this discussion an explanation of how the process aligns with guidance in Section 6, Stage D -

Assessing Parameter Uncertainty, of NUREG-1855, Revision 1, or other NRC accepted method. Justify any conclusions made that addressing the SOKC is not important to the quantitative conclusions of this application.

ii. In accordance with the process described in Part (b.i) above, provide the ICCDPs and ICLERPs for internal events, internal flooding, high winds, and

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 44 of 51 internal fires as requested in RAI-22.

Duke Energy RAI-21 Response a)

i. Revision 0 of NUREG-1855 was used for the uncertainties analysis described in the LAR.

ii. The process described in NUREG-1855 Revision 0 was used to evaluate the model uncertainties and assumptions associated with the PRAs that were presented in the LAR. Subsequently, the results were compared to NUREG-1855, Revision 1, as a gap analysis.

As part of the gap assessment, the plant-specific model uncertainties documented in the notebooks associated with the internal flooding, high winds, and internal fires PRAs were assessed with respect to the ESPS application. The generic sources taken from EPRI reports 1016737 and 1026511 were also assessed.

iii. No additional sources of model uncertainty and related assumptions relevant to the application were identified.

iv. No additional sensitivity runs were required, beyond those given in the LAR, due to no additional sources of model uncertainty and related assumptions relevant to the application were identified.

b)

i. The parametric uncertainties for all the hazards were evaluated by using the EPRI UNCERT code which samples the basic event / basic event type code parameter uncertainty distributions to propagate the uncertainty and develop a mean estimate and distribution for the CDF and LERF values presented. This code effectively accounts for the SOKC impacts as the sampling is performed on a failure mode (type code) basis.

Since the SOKC impacts are evaluated by the UNCERT code, the corrections applied to adjust the CAFTA point estimate are removed before running the code. This results in the point estimate listed for the UNCERT run being reduced from the CAFTA produced point estimate. No peer review findings were identified with the methods used to account for SOKC.

The results for representative train and unit are provided below, showing the mean value, point estimate and the percentage of difference between the two bases on the difference between the mean and point estimates divided by the point estimate.

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 45 of 51 Internal Events HEP sensitivity (without ACUBE)

Case I Mean I Point I Percent A Train, CT, CDF 3.02E-06 3.01E-06 0.4%

A Train, Base, CDF 3.12E-06 3.07E-06 1.6%

A Train, non-CT, CDF 2.90E-06 2.89E-06 0.5%

A Train, CT, LERF 4.65E-07 4.58E-07 1.6%

A Train, Base, LERF 4.61E-07 4.55E-07 1.3%

A Train, non-CT, LERF 4.3E-07 4.28E-07 1.7%

Internal Flood HEP Sensitivity Case I Mean I Point I Percent A Train, CT, CDF 9.28E-06 9.30E-06 -0.2%

A Train, Base, CDF 7.71E-06 7.74E-06 -0.5%

A Train, non-CT, CDF 7.72E-06 7.72E-06 -0.1%

A Train, CT, LERF 5.94E-07 5.94E-07 0.0%

A Train, Base, LERF 3.46E-07 3.46E-07 -0.2%

A Train, non-CT, LERF 3.40E-07 3.40E-07 0.0%

High Winds HEP Sensitivity Case I Mean I Point I Percent B Train, CT, CDF 2.18E-05 2.20E-05 -0.8%

B Train, Base, CDF 8.02E-06 7.94E-06 1.0%

B Train, non-CT, CDF 4.20E-06 4.20E-06 -0.1%

B Train, CT, LERF 2.05E-06 2.05E-06 0.0%

B Train, Base, LERF 8.32E-07 8.24E-07 1.0%

B Train, non-CT, LERF 4.30-07 4.29E-07 0.2%

Fire CDF HEP Sensitivity Case I Mean I Point I Percent Unit 1, B Train, CT, CDF 4.80E-05 4.71E-05 1.9%

Unit 1, B Train, non-CT, CDF 4.68E-05 4.54E-05 3.2%

Unit 2, B Train, CT, CDF 4.43E-05 4.40E-05 0.8%

Unit 2, B Train, non-CT, CDF 4.43E-05 4.31E-05 2.8%

Unit 1, B Train, CT, LERF 4.34E-06 4.31E-06 0.7%

Unit 1, B Train, non-CT, LERF 4.30E-06 4.17E-06 3.1%

Unit 2, B Train, CT, LERF 4.63E-06 4.60E-06 0.7%

Unit 2, B Train, non-CT, LERF 4.65E-06 4.52-06 2.9%

ii. The differences between the mean and point estimates are less than 2% for the CT cases and 3.2% for the non-CT and base cases. As such, the impact of parametric uncertainty has no impact on the conclusions presented for the RG-1.174 and RG-1.177 acceptance guidelines.

RAI-22 Aggregate Update Analysis Regulatory Guide 1.174, Revision 2, provides quantitative guidelines on CDF and LERF

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 46 of 51 and identifies acceptable changes to these frequencies that result from proposed changes to the plants licensing basis and describes a general framework to determine the acceptability of risk-informed changes. Regulatory Guide 1.177, Revision 1, provides risk acceptance guidelines on ICCDP and ICLERP and identifies acceptable changes to these probabilities that result from proposed changes to permanent changes to the licensees TSs. The NRC staff review of the information in the LAR, as supplemented, has identified additional information that is required to fully characterize the risk estimates.

The PRA methods and treatments discussed in the following RAIs may need to be revised to be acceptable by the NRC staff:

RAI-012.c regarding the incorporation of the most limiting plant configurations.

RAI-14.a regarding the use of appropriate failure rates for EDGs.

RAI-14.b regarding the update of CCFs related to updated component failure rates.

RAI-16.b regarding the seismic bounding analysis.

RAI-18.b regarding modeling the differences between units in the McGuire, Units 1 and 2, PRAs.

RAI-20.c regarding incorporation of internal events PRA modeling into the McGuire, Units 1 and 2, fire and high winds PRA models.

RAI-21.b on providing ICCDP and ICLERP for all hazard groups in accordance with Section 6, Stage D - Assessing Parameter Uncertainty, of NUREG-1855, Revision 1.

In the supplement letter of July 10, 2018 in response to audit question 14, an aggregate case study was provided that included resolution to audit questions as follows:

Incorporation of updated NUREG-2169 fire ignition frequencies in the fire PRA (audit question 04).

Consistent use of appropriate EDG, SSF, and ESPS failure probabilities across the McGuire, Units 1 and 2, hazard PRAs (audit question 05.a).

Incorporation of appropriate non-safety equipment failure probabilities for the ESPS DGs in the McGuire, Units 1 and 2, PRA models (audit question 05.b).

The NRC staff notes that no updated aggregate risk results and separate sensitivity studies results, such as the ESPS HRA study, were provided in the supplement. In addition, the supplement response did not provide unit specific results.

To fully address the RAIs and the July 10, 2018 supplement aggregate results cited above, provide the following:

a) Provide the results of an aggregate analysis for each unit (including individual results for each hazard group) that reflect the combined impact on the LAR risk results (i.e.,

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 47 of 51 change in CDF, change in LERF, ICCDP and ICLERP in accordance with NUREG-1855, Revision 1) of: (1) the PRA updates required in response to the RAIs cited above, and (2) those updates incorporated in the aggregate analysis specified in the July 10, 2018 supplement. Also, provide an update of the separate sensitivity studies (e.g., the sensitivity study referred to in LAR Section 6.2.5) discussed in the LAR that reflect the combined updates to the PRA described above.

b) For each RAI listed above, summarize briefly how the issue(s) cited in the RAI were resolved for the PRA or LAR. If the resolution involved an update to the PRA models, then briefly summarize the PRA update. Also, confirm the aggregate analysis in part (a) included the PRA updates from the July 10, 2018 supplement.

c) Describe any additional changes to the McGuire, Units 1 and 2, PRA models in support of the aggregate analysis in part (a) that were not described in the LAR dated May 2, 2017 or in part (b) of this RAI. Provide justification that these additional changes, if any, meet the requirement in RG 1.200 that the PRA results used to support an application must be derived from a baseline PRA model that represents the as-built, as-operated plant to the extent needed to support the application.

d) Confirm that the updated aggregate analysis and sensitivity results still meet the risk acceptance guidelines in RG 1.177, Revision 1, and RG 1.174, Revision 2.

e) If the risk acceptance guidelines are exceeded, then identify which guidelines are exceeded and provide qualitative or quantitative justification that support the conclusions of the LAR in accordance with NUREG-1855, Revision 1 (e.g., describe and provide the results of a more detailed, realistic analysis to reduce conservatism and uncertainty; propose compensatory measures and explain how they address the exceedance).

Duke Energy RAI-22 Response a) The most limiting plant and alignment configurations are included in the responses to RAI 12, 13, and 20. As a result the most limiting train and unit values are presented in the results tables below.

Similarly, the responses in RAI 12, 13, and 20, also demonstrate that the differences between Unit 1 and Unit 2 are negligible for High Wind, Seismic, and Internal Events.

The differences between Units have been determined and the most limiting cases are presented below.

The aggregate sensitivity results (including doubled HEPs and fire) are presented below:

RG 1.177 ICCDP Summary (Aggregate Sensitivity)

Hazard 14 Day CT Base Multiplier ICCDP Internal Events (limiting config.) 3.45E-06 3.00E-06 14/365 1.73E-08 Internal Flooding (limiting config.) 9.43E-06 7.74E-06 14/365 6.48E-08 High Winds (limiting config.) 2.12E-05 7.77E-06 14/365 5.15E-07 Fire (limiting config.) 4.86E-05 4.55E-05 14/365 1.18E-07 Seismic (limiting config.) 6.68E-07 5.31E-08 14/365 2.36E-08 Sum = 7.39E-07

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 48 of 51 RG 1.177 ICLERP Summary (Aggregate Sensitivity)

Hazard 14 Day CT Base Multiplier ICLERP Internal Events (limiting config.) 5.08E-07 4.49E-07 14/365 2.26E-09 Internal Flooding (limiting config.) 5.99E-07 3.46E-07 14/365 9.70E-09 High Winds (limiting config.) 2.01E-06 8.11E-07 14/365 4.60E-08 Fire (limiting config.) 4.36E-06 4.09E-06 14/365 1.05E-08 Seismic (limiting config.) 2.68E-07 2.18E-08 14/365 9.44E-09 Sum = 7.79E-08 The overall CDF and LERF impact of the AOT and addition of the ESPS system still represents a risk decrease. (The values presented include the conservatism and changes required for the aggregate risk calculation.

Since the seismic modeling does not credit the ESPS system, the ESPS credit and the base case models and values are the same.

351 Day ICCDP Risk Contribution Summary (Aggregate Sensitivity)

Hazard ESPS credit Base Multiplier ICCDP Internal Events (limiting config.) 2.84E-06 3.00E-06 351/365 -1.54E-07 Internal Flooding (limiting 351/365 config.) 7.72E-06 7.74E-06 -1.92E-08 High Winds (limiting config.) 4.16E-06 7.77E-06 351/365 -3.47E-06 Fire (limiting config.) 4.54E-05 4.55E-05 351/365 -1.12E-07 Seismic (limiting config.) 5.31E-08 5.31E-08 351/365 0.00E+00 Sum = -3.76E-06 351 Day ICLERP Risk Contribution Summary (Aggregate Sensitivity)

Hazard ESPS credit Base Multiplier ICLERP Internal Events (limiting config.) 4.23E-07 4.49E-07 351/365 -2.50E-08 Internal Flooding (limiting config.) 3.39E-07 3.46E-07 351/365 -6.73E-09 High Winds (limiting config.) 4.25E-07 8.11E-07 351/365 -3.71E-07 Fire (limiting config.) 4.08E-06 4.09E-06 351/365 -8.37E-09 Seismic (limiting config.) 2.18E-08 2.18E-08 351/365 0.00E+00 Sum = -4.11E-07 Total risk result from assuming a 14-day CT entry and ESPS nominal availability the remainder of the year.

CDF For Entire Change (Aggregate Sensitivity)

Hazard 14-day CT 351 Day CDF Internal Events (limiting config.) 1.73E-08 -1.54E-07 -1.37E-07 Internal Flooding (limiting config.) 6.48E-08 -1.92E-08 4.56E-08 High Winds (limiting config.) 5.15E-07 -3.47E-06 -2.96E-06 Fire (limiting config.) 1.18E-07 -1.12E-07 6.47E-09 Seismic (limiting config.) 2.36E-08 0.00E+00 2.36E-08 Sum = -3.02E-06

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 49 of 51 LERF For Entire Change (Aggregate Sensitivity)

Hazard 14-day CT 351 Day LERF Internal Events (limiting config.) 2.26E-09 -2.50E-08 -2.27E-08 Internal Flooding (limiting config.) 9.70E-09 -6.73E-09 2.97E-09 High Winds (limiting config.) 4.60E-08 -3.71E-07 -3.25E-07 Fire (limiting config.) 1.05E-08 -8.37E-09 2.09E-09 Seismic (limiting config.) 9.44E-09 0.00E+00 9.44E-09 Sum = -3.33E-07 The best estimate results are presented below:

RG 1.177 ICCDP Summary (Best Estimate)

Hazard 14 Day CT Base Multiplier ICCDP Internal Events (limiting config.) 3.28E-06 3.00E-06 14/365 1.09E-08 Internal Flooding (limiting config.) 9.42E-06 7.74E-06 14/365 6.42E-08 High Winds (limiting config.) 1.77E-05 7.77E-06 14/365 3.81E-07 Fire (limiting config.) 4.85E-05 4.55E-05 14/365 1.15E-07 Seismic (limiting config.) 6.68E-07 5.31E-08 14/365 2.36E-08 Sum = 5.95E-07 RG 1.177 ICLERP Summary (Best Estimate)

Hazard 14 Day CT Base Multiplier ICLERP Internal Events (limiting config.) 4.85E-07 4.49E-07 14/365 1.40E-09 Internal Flooding (limiting config.) 5.96E-07 3.46E-07 14/365 9.57E-09 High Winds (limiting config.) 1.66E-06 8.11E-07 14/365 3.25E-08 Fire (limiting config.) 4.36E-06 4.09E-06 14/365 1.04E-08 Seismic (limiting config.) 2.68E-07 2.18E-08 14/365 9.44E-09 Sum = 6.32E-08 The overall CDF and LERF impact of the AOT and addition of the ESPS system still represents a risk decrease. (The values presented include the conservatism and changes required for the aggregate risk calculation.

Since the seismic modeling does not credit the ESPS system, the ESPS credit and the base case models and values are the same.

351 Day ICCDP Risk Contribution Summary (Best Estimate)

Hazard ESPS credit Base Multiplier ICCDP Internal Events (limiting config.) 2.82E-06 3.00E-06 14/365 -1.72E-07 Internal Flooding (limiting config.) 7.72E-06 7.74E-06 14/365 -2.04E-08 High Winds (limiting config.) 3.66E-06 7.77E-06 14/365 -3.95E-06 Fire (limiting config.) 4.54E-05 4.55E-05 14/365 -9.62E-08 Seismic (limiting config.) 5.31E-08 5.31E-08 14/365 0.00E+00 Sum = -4.24E-06

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 50 of 51 351 Day ICLERP Risk Contribution Summary (Best Estimate)

Hazard ESPS credit Base Multiplier ICLERP Internal Events (limiting config.) 4.20E-07 4.49E-07 351/365 -2.79E-08 Internal Flooding (limiting config.) 3.39E-07 3.46E-07 351/365 -7.41E-09 High Winds (limiting config.) 3.74E-07 8.11E-07 351/365 -4.20E-07 Fire (limiting config.) 4.08E-06 4.09E-06 351/365 -9.62E-09 Seismic (limiting config.) 2.18E-08 2.18E-08 351/365 0.00E+00 Sum = -4.65E-07 Total risk result from assuming a 14-day CT entry and ESPS nominal availability the remainder of the year.

CDF For Entire Change (Best Estimate)

Hazard 14-day CT 351 Day CDF Internal Events (limiting config.) 1.09E-08 -1.72E-07 -1.61E-07 Internal Flooding (limiting config.) 6.42E-08 -2.04E-08 4.38E-08 High Winds (limiting config.) 3.81E-07 -3.95E-06 -3.57E-06 Fire (limiting config.) 1.15E-07 -9.62E-08 1.89E-08 Seismic (limiting config.) 2.36E-08 0.00E+00 2.36E-08 Sum = -3.65E-06 LERF For Entire Change (Best Estimate)

Hazard 14-day CT 351 Day LERF Internal Events (limiting config.) 1.40E-09 -2.79E-08 -2.65E-08 Internal Flooding (limiting config.) 9.57E-09 -7.41E-09 2.16E-09 High Winds (limiting config.) 3.25E-08 -4.20E-07 -3.88E-07 Fire (limiting config.) 1.04E-08 -9.62E-09 7.40E-10 Seismic (limiting config.) 9.44E-09 0.00E+00 9.44E-09 Sum = -4.02E-07 b)

RAI-012.c regarding the incorporation of the most limiting plant configurations.

The most limiting plant and alignment configuration results are included in responses to RAIs 12, 13, and 20.

RAI-14.a regarding the use of appropriate failure rates for EDGs.

Appropriate Bayesian updated industry values were used per response to RAI-14.a.

RAI-14.b regarding the update of CCFs related to updated component failure rates.

Appropriate CCFs were used for all hazards per response to RAI-14.b.

RAI-16.b regarding the seismic bounding analysis.

The seismic analysis as described in RAI-16 was used.

RAI-18.b regarding modeling the differences between units in the McGuire, Units 1 and 2, PRAs. The limiting Unit (from fire) was presented in the analysis. Response

U.S. Nuclear Regulatory Commission RA-18-0229, Attachment 1 Page 51 of 51 to RAI-18.b demonstrated no significant differences between the Units for Internal Events, High Winds, and Internal Flooding.

RAI-20.c regarding incorporation of internal events PRA modeling into the McGuire, Units 1 and 2, fire and high winds PRA models.

The updated fire analysis was included as described in RAI-20.

RAI-21.b on providing ICCDP and ICLERP for all hazard groups in accordance with Section 6, Stage D - Assessing Parameter Uncertainty, of NUREG-1855, Revision 1.

The aleatory (parameter) uncertainty values are presented in the response to RAI-21.b. They are not included in the values presented in the aggregated sensitivity and the best estimate case tables in the part a response due to computational limits of running the UNCERT code with ACUBE for the internal events cutsets. The maximum 4% difference in point and mean estimates from the response to RAI 21.b would not prevent the RG-1.174 and RG-1.177 guidelines from continuing to be met.

The modifications that were made for the previous July 10, 2018 supplement RAI-14 response continue to be included unless modified by the RAI responses in this response.

c) There are no changes beyond those described in the previous RAI responses.

d) The aggregate sensitivity and best estimate cases continue to meet the acceptance guidelines in RG 1.177, Revision 1, and RG 1.174, Revision 2.

e) The risk acceptance guidelines continue to be met. No additional actions required.

RA-18-0229 Attachment 2 Revised McGuire Technical Specification 3.8.1 Marked Up Pages

AC Sources - Operating 3.8.1 3.8 ELECTRICAL POWER SYSTEMS 3.8.1 AC Sources Operating LCO 3.8.1 The following AC electrical sources shall be OPERABLE:

a. Two qualified circuits between the offsite transmission network and the Onsite Essential Auxiliary Power System; and

b. Two diesel generators (DGs) capable of supplying the Onsite Essential Auxiliary Power Systems; and

c. The qualified circuit(s) between the offsite transmission network and the opposite units Onsite Essential Auxiliary Power System necessary to supply power to the Nuclear Service Water System (NSWS), Control Room Area Ventilation System (CRAVS), Control Room Area Chilled Water System (CRACWS) and Auxiliary Building Filtered Ventilation Exhaust System (ABFVES); and

d. The DG(s) from the opposite unit necessary to supply power to the NSWS, CRAVS, CRACWS and ABFVES; AND The automatic load sequencers for Train A and Train B shall be OPERABLE.

APPLICABILITY: MODES 1, 2, 3, and 4.

NOTE----------------------------------------------

The opposite unit electrical power sources in LCO 3.8.1.c and LCO 3.8.1.d are not required to be OPERABLE when the associated shared systems are inoperable.

McGuire Units 1 and 2 3.8.1-1 Amendment No. 221/203

AC Sources - Operating 3.8.1 ACTIONS

NOTE-------------------------------------------------------------

LCO 3.0.4.b is not applicable to DGs.

CONDITION REQUIRED ACTION COMPLETION TIME A. One LCO 3.8.1.a offsite A.1 Perform SR 3.8.1.1 for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months circuit inoperable. required OPERABLE offsite circuit(s). AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from A.2 Declare required feature(s) discovery of no with no offsite power offsite power to one available inoperable when train concurrent with its redundant required inoperability of feature(s) is inoperable. redundant required feature(s)

AND A.3 Restore offsite circuit to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OPERABLE status.

AND 617 days from discovery of failure to meet LCO 3.8.1.a or LCO 3.8.1.b McGuire Units 1 and 2 3.8.1-2 Amendment No. 221/203

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. One LCO 3.8.1.b DG B.1 Verify LCO 3.8.1.d DG(s) 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months inoperable OPERABLE.

AND Once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter AND B.12 Perform SR 3.8.1.1 for the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months required offsite circuit(s).

AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND B.23 Declare required feature(s) 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from supported by the discovery of inoperable DG inoperable Condition B when its required concurrent with redundant feature(s) is inoperability of inoperable. redundant required feature(s)

AND B.34.1 Determine OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months DG(s) is not inoperable due to common cause failure.

OR 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months B.34.2 Perform SR 3.8.1.2 for OPERABLE DG(s).

AND (continued)

McGuire Units 1 and 2 3.8.1-3 Amendment No. 184/166

AC Sources - Operating 3.8.1 Evaluate ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months B. (continued) B.5 Ensure availability of Prior to entering the Emergency Supplemental extended Completion Power Source (ESPS). Time of ACTION B.6 AND Once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter AND B.4B.6 Restore DG to OPERABLE 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from status. discovery of unavailable ESPS **

AND 6 days from discovery of failure to meet LCO Condition B 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from entry 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months discovery of concurrent with unavailable ESPS unavailability of when in extended ESPS Completion Time AND 14 days AND 17 days from discovery of failure to meet LCO 3.8.1.a or LCO 3.8.1.b McGuire Units 1 and 2 3.8.1-4 Amendment No. 308/287

AC Sources - Operating 3.8.1 ACTIONS C. Required Action and C.1.1 Restore LCO 3.8.1.d DG to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months associated Completion OPERABLE status.

Time of Required Action B.1 not met. OR C.1.2 Restore LCO 3.8.1.b DG to OPERABLE status.

C D. One LCO 3.8.1.c offsite ------------------NOTE--------------------

circuit inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.9, C

Distribution Systems - Operating, when Condition D is entered with no AC power source to a train.

C.1 D.1 Perform SR 3.8.1.1 for the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months required offsite circuit(s).

AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND C.2 D.2 Declare NSWS, CRAVS, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from CRACWS or ABFVES with discovery of no no offsite power available offsite power to one inoperable when the train concurrent with redundant NSWS, CRAVS, inoperability of CRACWS or ABFVES is redundant required inoperable. feature(s)

AND D.3 Declare NSWS, CRAVS, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months CRACWS and ABFVES supported by the inoperable offsite circuit inoperable.

C.3 Restore LCO 3.8.1.c offsite circuit to OPERABLE status.

McGuire Units 1 and 2 3.8.1-5 Amendment No. 308/287

AC Sources - Operating 3.8.1 ACTIONS D E. One LCO 3.8.1.d DG ------------------NOTE--------------------

inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.9, D Distribution Systems - Operating, when Condition E is entered with no AC power source to a train.

D.1 E.1 Verify both LCO 3.8.1.b 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months DGs OPERABLE and ESPS available. AND Once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter AND D.2 E.2 Perform SR 3.8.1.1 for the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months required offsite circuit(s).

AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND D.3 E.3 Declare NSWS, CRAVS, 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from CRACWS or ABFVES discovery of supported by the Condition E inoperable DG inoperable concurrent with when the redundant inoperability of NSWS, CRAVS, CRACWS redundant required or ABFVES is inoperable. feature(s)

AND (continued)

McGuire Units 1 and 2 3.8.1-6 Amendment No. 308/287

AC Sources - Operating 3.8.1 ACTIONS D E. (continued) D.4.1 E.4.1 Determine OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months DG(s) is not inoperable due to common cause failures.

OR D.4.2 E.4.2 Perform SR 3.8.1.2 for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months OPERABLE DG(s).

AND INSERT 1 E.5 Declare NSWS, CRAVS, 14 days CRACWS and ABFVES supported by the inoperable DG inoperable.

F. Required Action and F.1.1 Restore both LCO 3.8.1.b 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months associated Completion DGs to OPERABLE status Time of Required Action and ESPS to available E.1 not met. status.

OR F.1.2 Restore LCO 3.8.1.d DG to OPERABLE status.

OR F.1.3 Declare NSWS, CRAVS, CRACWS and ABFVES supported by the inoperable DG inoperable.

McGuire Units 1 and 2 3.8.1-7 Amendment No. 308/287

INSERT 1 D.5.1 Restore LCO 3.8.1.d DG to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OPERABLE status.

OR D.5.2 Align NSWS, CRAVS, CRACWS 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and ABFVES supported by the inoperable LCO 3.8.1.d DG to an OPERABLE DG.

AC Sources - Operating 3.8.1 ACTIONS E E CG. Two LCO 3.8.1.a offsite CG.1 Declare required feature(s) 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from circuits inoperable. inoperable when its discovery of E

redundant required Condition CG OR feature(s) is inoperable. concurrent with inoperability of One LCO 3.8.1.a offsite redundant required circuit that provides feature(s) power to the NSWS, CRAVS, CRACWS and AND ABFVES inoperable and one LCO 3.8.1.c offsite CG.2 Restore one offsite circuit 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months circuit inoperable. to OPERABLE status.

OR E

Two LCO 3.8.1.c offsite circuits inoperable.

(continued)

- A Train EDGs are allowed to be inoperable for a total of 14 days to address a non-conforming condition on the 'A' Train supply piping from the Standby Nuclear Service Water Pond (SNSWP). The 14 days may be taken consecutively or in parts until completion of the activity, or by March 31, 2019, whichever occurs first. During the period in which the 'A' Train NSWS supply piping from the SNSWP is not available, the A Train NSWS will remain aligned to Lake Norman until the system is ready for post maintenance testing. Any maintenance that is performed on the remaining portions of A Train NSWS during the period in which the A NSWS from the SNSWP supply piping is not available will be limited to a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months completion time. The latter will not count against the 14 day completion time. Allowance of the extended Completion Time is contingent on meeting the Compensatory Measures as described in MNS LAR submittal correspondence letter MNS-17-031.

McGuire Units 1 and 2 3.8.1-8 Amendment No. 308/287

AC Sources - Operating 3.8.1 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME F

DH. One LCO 3.8.1.a offsite ------------------NOTE-------------------

circuit inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.9, F AND "Distribution Systems Operating," when Condition DH is One LCO 3.8.1.b DG entered with no AC power source inoperable. to any train.

F DH.1 Restore offsite circuit to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months OPERABLE status.

OR F

DH.2 Restore DG to OPERABLE 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months status.

G EI. Two LCO 3.8.1.b DGs EI.1 Restore one DG to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Inoperable. OPERABLE status.

OR G LCO 3.8.1.b DG that provides power to the NSWS, CRAVS, CRACWS and ABFVES inoperable and one LCO 3.8.1.d DG inoperable.

OR Two LCO 3.8.1.d DGs inoperable.

H FJ. One automatic load FJ.1 Restore automatic load 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months sequencer inoperable. sequencer to OPERABLE H status.

McGuire Units 1 and 2 3.8.1-9 Amendment No. 184/166

AC Sources - Operating 3.8.1 ACTIONS (continued) I I

GK. Required Action and GK.1 Be in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months associated Completion Time of Condition A, B, AND C, D, E, orC, F, G, H, I, or J not met. GK.2 Be in MODE 5. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months E, or OR I Required Action and associated Completion Time of Required Action B.2, B.3, B.4.1, B.4.2, or B.6 not met.

OR Required Action and associated Completion Time of Required D.2, D.3, D.4.1, Action E.2, E.3, D.4.2, D.5.1, or E.4.1, E.4.2, or E.5 not met. D.5.2 J HL. Three or more LCO HL.1 Enter LCO 3.0.3. Immediately 3.8.1.a and LCO 3.8.1.b AC sources inoperable. J OR Three or more LCO 3.8.1.c and LCO 3.8.1.d AC sources inoperable.

McGuire Units 1 and 2 3.8.1-10 Amendment No. 184/166

No changes to this page AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS

NOTE----------------------------------------------------------------

SR 3.8.1.1 through SR 3.8.1.20 are only applicable to LCO 3.8.1.a and LCO 3.8.1.b AC sources. SR 3.8.1.21 is only applicable to LCO 3.8.1.c and LCO 3.8.1.d AC sources.

SURVEILLANCE FREQUENCY SR 3.8.1.1 Verify correct breaker alignment and indicated power In accordance with availability for each offsite circuit. the Surveillance Frequency Control Program SR 3.8.1.2 --------------------------------NOTES--------------------------------

1. Performance of SR 3.8.1.7 satisfies this SR.

2. All DG starts may be preceded by an engine prelube period and followed by a warmup period prior to loading.

3. A modified DG start involving idling and gradual acceleration to synchronous speed may be used for this SR as recommended by the manufacturer.

When modified start procedures are not used, the time, voltage, and frequency tolerances of SR 3.8.1.7 must be met.

Verify each DG starts from standby conditions and In accordance with achieves steady state voltage 3740 V and 4580 V, the Surveillance and frequency 58.8 Hz and 61.2 Hz. Frequency Control Program (continued)

McGuire Units 1 and 2 3.8.1-11 Amendment No. 261/241

No changes to this page AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)

SURVEILLANCE FREQUENCY SR 3.8.1.20 --------------------------------NOTES--------------------------------

All DG starts may be preceded by an engine prelube period.

Verify when started simultaneously from standby In accordance with condition, each DG achieves, in 11 seconds, voltage of the Surveillance 3740 V and frequency of 57 Hz and maintains steady Frequency Control state voltage 3740 V and 4580 V, and frequency Program 58.8 Hz and 61.2 Hz.

SR 3.8.1.21 For the LCO 3.8.1.c and LCO 3.8.1.d AC electrical In accordance with sources, SR 3.8.1.1, SR 3.8.1.2, SR 3.8.1.4, SR 3.8.1.5, the Surveillance and SR 3.8.1.6 are required to be met. Frequency Control Program McGuire Units 1 and 2 3.8.1-21 Amendment No. 261/241 RA-18-0229 Attachment 3 Revised McGuire Technical Specification Bases 3.8.1 Marked Up Pages (For Information Only)

AC SourcesOperating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC SourcesOperating BASES BACKGROUND The unit Essential Auxiliary or Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not prevent the minimum safety functions from being performed. Each train has connections to two preferred offsite power sources and a single DG.

At the 600V level of the onsite Class 1E AC Distribution System, there are two motor control centers (MCC) per train (for a total of four MCCs) that supply all of the shared systems on both units. The MCCs 1EMXG and 1EMXH supply Train A shared systems. The MCCs 2EMXG and 2EMXH supply Train B shared systems. The term shared systems is defined as the shared components of Train A or Train B of Nuclear Service Water System (NSWS), Control Room Area Ventilation System (CRAVS),

Control Room Area Chilled Water System (CRACWS) and Auxiliary Building Filtered Ventilation Exhaust System (ABFVES). The MCCs 1EMXG and 1EMXH are normally aligned to receive power from load centers 1ELXA (1EMXH) and 1ELXC (1EMXG) but if desired or required to maintain operability of the Train A shared systems, can be swapped to receive power from load centers 2ELXA (1EMXH) and 2ELXC (1EMXG).

The MCCs 2EMXG and 2EMXH are normally aligned to receive power from load centers 2ELXB (2EMXH) and 2ELXD (2EMXG) but if desired or required to maintain operability of the Train B shared systems, can be swapped to receive power from load centers 1ELXB (2EMXH) and 1ELXD (2EMXG).

There are also provisions to accommodate the connecting of the Emergency Supplemental Power Source (ESPS) to one train of either units Class 1E AC Distribution System. The ESPS consists of two 50%

capacity non-safety related commercial grade DGs. Manual actions are required to align the ESPS to the station and only one of the stations four onsite Class 1E Distribution System trains can be supplied by the ESPS McGuire Units 1 and 2 B 3.8.1-1 Revision No. 115

AC Sources-Operating B 3.8.1 BASES BACKGROUND (continued) at any given time. The ESPS is made available to support extended Completion Times in the event of an inoperable DG as well as a defense-in-depth source of AC power to mitigate a station blackout event. The ESPS would remain disconnected from the Class 1E AC Distribution System unless required for supplemental power to one of the four 4.16 kV ESF buses.

Offsite power is supplied to the unit switchyard(s) from the transmission network by two transmission lines. From the switchyard(s), two electrically and physically separated circuits provide AC power, through step down station auxiliary transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the UFSAR, Chapter 8 (Ref. 2).

A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus(es).

The offsite transmission systems normally supply their respective unit's onsite power supply requirements. However, in the event that one or both buslines of a unit become unavailable, or by operational desire, it is acceptable to supply that unit's offsite to onsite power requirements by aligning the affected 4160V bus of the opposite unit via the standby transformers, SATA and SATB in accordance with Regulatory Guides 1.6 and 1.81 (Ref. 12 and 13). In this alignment, each unit's offsite transmission system could simultaneously supply its own 4160V buses and one (or both) of the buses of the other unit.

Although a single auxiliary transformer (1ATA, 1ATB, 2ATA, 2ATB) is sized to carry all of the auxiliary loads of its unit plus both trains of essential 4160V loads of the opposite unit, the LCO would not be met in this alignment due to separation criteria.

Each unit's Train A and B 4160V bus must be derived from separate offsite buslinesqualified offsite circuits. The first offsite power supplyqualified offsite circuit can be derived from any of the four buslines (1A, 1B, 2A, or 2B). The second offsite power supplyqualified offsite circuit must not derive its power from the same busline qualified offsite circuit as the first. Additionally, the Train A and Train B Class 1E AC Distribution Systems providing power to the Train A and Train B shared systems must not derive their power from the same qualified offsite circuit.

McGuire Units 1 and 2 B 3.8.1-2 Revision No. 115

AC Sources-Operating B 3.8.1 BASES BACKGROUND (continued)

Acceptable train and unit specific breaker alignment options are described below:

Unit 1 A Train

1. BL1A-1ATA-1TA-1ATC-1ETA

2. BL1B-1ATB-1TA-1ATC-1ETA

3. BL1A-1ATA-1TC-SATA-1ETA

4. BL1B-1ATB-1TC-SATA-1ETA

5. BL2A-2ATA-2TC-SATA-1ETA

6. BL2B-2ATB-2TC-SATA-1ETA Unit 1 B Train

1. BL1B-1ATB-1TD-1ATD-1ETB

2. BL1A-1ATA-1TD-1ATD-1ETB

3. BL1B-1ATB-1TB-SATB-1ETB

4. BL1A-1ATA-1TB-SATB-1ETB

5. BL2B-2ATB-2TB-SATB-1ETB

6. BL2A-2ATA-2TB-SATB-1ETB Unit 2 A Train

1. BL2A-2ATA-2TA-2ATC-2ETA

2. BL2B-2ATB-2TA-2ATC-2ETA

3. BL2A-2ATA-2TC-SATA-2ETA

4. BL2B-2ATB-2TC-SATA-2ETA

5. BL1A-1ATA-1TC-SATA-2ETA

6. BL1B-1ATB-1TC-SATA-2ETA Unit 2 B Train

1. BL2B-2ATB-2TD-2ATD-2ETB

2. BL2A-2ATA-2TD-2ATD-2ETB

3. BL2B-2ATB-2TB-SATB-2ETB

4. BL2A-2ATA-2TB-SATB-2ETB

5. BL1B-1ATB-1TB-SATB-2ETB

6. BL1A-1ATA-1TB-SATB-2ETB Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the transformer supplying offsite power to the onsite Class 1E Distribution System. Typically (via accelerated sequencing), within 1 minute after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

McGuire Units 1 and 2 B 3.8.1-3 Revision No. 115

AC Sources-Operating B 3.8.1 BASES BACKGROUND (continued)

The onsite standby power source for each 4.16 kV ESF bus is a dedicated DG. DGs A and B are dedicated to ESF buses ETA and ETB, respectively. A DG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an ESF bus degraded voltage or undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation").

After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with an SI signal. The DGs will also start and operate in the standby mode without tying to the ESF bus on an SI signal alone. Following the trip of offsite power, a sequencer strips loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG by automatic load application.

In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process.

Typically (via accelerated sequencing), within 1 minute after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.

Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each DG is 4000 kW with 10% overload permissible for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in any 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period. The ESF loads that are powered from the 4.16 kV ESF buses are listed in Reference 2.

APPLICABLE The initial conditions of DBA and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);

and Section 3.6, Containment Systems.

McGuire Units 1 and 2 B 3.8.1-4 Revision No. 115

AC Sources-Operating B 3.8.1 BASES APPLICABLE SAFETY ANALYSES (continued)

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the Accident analyses and is based upon meeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during Accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power; and

b. A worst case single failure.

The AC sources satisfy Criterion 3 of 10 CFR 50.36 (Ref. 6).

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Power System and separate and independent DGs for each train ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA.

Additionally, the qualified circuit(s) between the offsite transmission network and the opposite unit onsite Essential Auxiliary Power System when necessary to power shared systems and the opposite unit DG(s) when necessary to power shared systems ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA.

Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.

In addition, one required automatic load sequencer per train must be OPERABLE.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses.

The 4.16 kV essential system is divided into two completely redundant and independent trains designated A and B, each consisting of one 4.16 kV switchgear assembly, two 4.16 kV/600 V load centers, and associated loads.

Normally, each Class 1E 4.16 kV switchgear is powered from its associated non-Class 1E train of the 6.9 kV Normal Auxiliary Power System as discussed in "6.9 kV Normal Auxiliary Power System" in Chapter 8 of the UFSAR (Ref. 2). Additionally, an alternate source of McGuire Units 1 and 2 B 3.8.1-5 Revision No. 115

AC Sources-Operating B 3.8.1 BASES LCO (continued) power to each 4.16 kV essential switchgear is provided from the 6.9 kV system via a separate and independent 6.9/4.16 kV transformer. Two transformers are shared between units and provide the capability to supply an alternate source of power to each unit's 4.16 kV essential switchgear from either unit's 6.9 kV system. A key interlock scheme is provided to preclude the possibility of connecting the two units together at either the 6.9 or 4.16 kV level.

Each train of the 4.16 kV Essential Auxiliary Power System is also provided with a separate and independent emergency diesel generator to supply the Class 1E loads required to safely shut down the unit following a design basis accident.

Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This will be accomplished within 11 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with the engine hot and DG in standby with the engine at ambient conditions.

Additional DG capabilities must be demonstrated to meet required Surveillance, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

Proper sequencing of loads is a function of Sequencer OPERABILITY.

Proper load shedding is a function of DG OPERABILITY. Proper tripping of non-essential loads is a function of AC Bus OPERABILITY (Condition A of Technical Specification 3.8.9).

The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, separation and independence are complete.

LCO 3.8.1.c and LCO 3.8.1.d both use the word necessary to clarify when and how to apply these LCOs on a per unit basis. The word necessary clarifies that the qualified offsite circuit(s) in LCO 3.8.1.c and the DG(s) from the opposite unit in LCO 3.8.1.d are aligned to the opposite unit Onsite Essential Auxiliary Power System that is supplying power to a train of shared systems.

LCO 3.8.1.c specifies that the qualified circuit(s) between the offsite transmission network and the opposite units Onsite Essential Auxiliary Power System be OPERABLE when necessary to supply power to the shared systems. LCO 3.8.1.d specifies that the DG(s) from the opposite unit be OPERABLE when necessary to supply power to the shared systems. The qualified offsite circuit necessary to supply power to one train of shared systems must be separate and independent (to the extent possible) of the qualified circuit which provides power to the other train of McGuire Units 1 and 2 B 3.8.1-6 Revision No. 115

AC Sources-Operating B 3.8.1 BASES LCO (continued) shared systems. These requirements, in conjunction with the requirements for the applicable unit AC electrical power sources in LCO 3.8.1.a and LCO 3.8.1.b, ensure that power is available to two trains of the shared NSWS, CRAVS, CRACWS and ABFVES.

For example, with both units in MODE 1, the normal power alignment per plant procedures with no inoperable equipment is to have the Train A shared systems powered from Unit 1 (1EMXG and 1EMXH) and the Train B shared systems powered from Unit 2 (2EMXG and 2EMXH). In this normal alignment, Unit 1 LCO 3.8.1.c is met by an OPERABLE 2B offsite circuit and LCO 3.8.1.d is met by an OPERABLE 2B DG. Since the 2A offsite circuit and 2A DG are not necessary to supply power to a train of shared systems in the normal power alignment, they are not Unit 1 LCO 3.8.1.c and LCO 3.8.1.d AC sources for this example. For Unit 2, LCO 3.8.1.c is met by an OPERABLE 1A offsite circuit and LCO 3.8.1.d is met by an OPERABLE 1A DG. Since the 1B offsite circuit and 1B DG are not necessary to supply power to a train of shared systems in the normal power alignment, they are not Unit 2 LCO 3.8.1.c and LCO 3.8.1.d AC sources for this example.

Another power alignment per plant procedures with no inoperable equipment is to have the Train A shared systems powered from Unit 1 and the Train B shared systems also powered from Unit 1. In this off-normal alignment, Unit 2 LCO 3.8.1.c is met by both an OPERABLE 1A offsite circuit and an OPERABLE 1B offsite circuit. Unit 2 LCO 3.8.1.d is met by both an OPERABLE 1A DG and an OPERABLE 1B DG.

Similarly, the Train A and Train B shared systems can both be powered from Unit 2. In this off-normal alignment, Unit 1 LCO 3.8.1.c is met by both an OPERABLE 2A offsite circuit and an OPERABLE 2B offsite circuit. Unit 1 LCO 3.8.1.d is met by both an OPERABLE 2A DG and an OPERABLE 2B DG.

Both normal and emergency power must be OPERABLE for a shared component to be OPERABLE. If normal or emergency power supplying a shared component becomes inoperable, then the Required Actions of the affected shared component LCO must be entered independently for each unit that is in the MODE of applicability of the shared component LCO.

The shared component LCOs are:

3.7.7 - Nuclear Service Water System (NSWS),

3.7.9 - Control Room Area Ventilation System (CRAVS),

3.7.10 - Control Room Area Chilled Water System (CRACWS), and 3.7.11 - Auxiliary Building Filtered Ventilation Exhaust System (ABFVES).

McGuire Units 1 and 2 B 3.8.1-7 Revision No. 115

AC Sources-Operating B 3.8.1 BASES APPLICABILITY The AC sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

A Note has been added taking exception to the Applicability requirements for the required AC sources in LCO 3.8.1.c and LCO 3.8.1.d provided the associated shared systems are inoperable. This exception is intended to allow declaring the shared systems supported by the opposite unit inoperable either in lieu of declaring the opposite unit AC sources inoperable, or at any time subsequent to entering ACTIONS for an inoperable opposite unit AC source.

This exception is acceptable since, with the shared systems supported by the opposite unit inoperable and the associated ACTIONS entered, the opposite unit AC sources provide no additional assurance of meeting the above criteria.

The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC SourcesShutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.

There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 To ensure a highly reliable power source remains with one LCO 3.8.1.a offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.

However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition CE, for two offsite circuits inoperable, is entered.

McGuire Units 1 and 2 B 3.8.1-8 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features.

These features are powered from the redundant AC electrical power train.

This includes motor driven auxiliary feedwater pumps. The turbine driven auxiliary feedwater pump is required to be considered a redundant required feature, and, therefore, required to be determined OPERABLE by this Required Action. Three independent AFW pumps are required to ensure the availability of decay heat removal capability for all events accompanied by a loss of offsite power and a single failure. System design is such that the remaining OPERABLE motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads; and

b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one LCO 3.8.1.a offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

McGuire Units 1 and 2 B 3.8.1-9 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

A.3 According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCOLCO 3.8.1.a or LCO 3.8.1.b. If Condition A is entered while, for instance, a LCO 3.8.1.b DG is inoperable and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months s14 days. This could lead to a total of 144 hour0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months s17 days, since initial failure to meet the LCOLCO 3.8.1.a or LCO 3.8.1.b, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months s14 days (for a total of 9 31 days) allowed prior to complete restoration of the LCOLCOs 3.8.1.a and 3.8.1.b. The 6 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCOLCO 3.8.1.a or LCO 3.8.1.b. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 6 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This will result in establishing the "time zero" at the time that the LCOLCO 3.8.1.a or LCO 3.8.1.b was initially not met, instead of at the time Condition A was entered.

B.1 It is required to administratively verify the LCO 3.8.1.d DG(s) OPERABLE within one hour and to continue this action once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter McGuire Units 1 and 2 B 3.8.1-10 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued) until restoration of the required LCO 3.8.1.b DG(s) is accomplished. This verification provides assurance that the LCO 3.8.1.d DG is capable of supplying the onsite Class 1E AC Electrical Power Distribution System.

If one LCO 3.8.1.d DG is discovered to be inoperable when performing the administrative verification of operability, then Condition D is entered for that DG. If two LCO 3.8.1.d DGs are discovered to be inoperable when performing the administrative verification of operability, then Condition G is entered.

B.12 To ensure a highly reliable power source remains with an inoperable LCO 3.8.1.b DG, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.23 Required Action B.2 3 is intended to provide assurance that a loss of offsite power, during the period that a LCO 3.8.1.b DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related trains. This includes motor driven auxiliary feedwater pumps. The turbine driven auxiliary feedwater pump is required to be considered a redundant required feature, and, therefore, required to be determined OPERABLE by this Required Action. Three independent AFW pumps are required to ensure the availability of decay heat removal capability for all events accompanied by a loss of offsite power and a single failure. System design is such that the remaining OPERABLE motor driven auxiliary feedwater pump is not by itself capable of providing 100% of the auxiliary feedwater flow assumed in the safety analysis. Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable LCO 3.8.1.b DG.

The Completion Time for Required Action B.2 3 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable LCO 3.8.1.b DG exists; and McGuire Units 1 and 2 B 3.8.1-11 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

b. A required feature on the other train (Train A or Train B) is inoperable.

If at any time during the existence of this Condition (one LCO 3.8.1.b DG inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering one required LCO 3.8.1.b DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is Acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

B.34.1 and B.34.2 Required Action B.34.1 provides an allowance to avoid unnecessary testing of OPERABLE DG(s). If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition ED and/or G of LCO 3.8.1, as applicable, would be entered. Once the failure is repaired, the common cause failure no longer exists, and Required Action B.34.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.34.1 or B.34.2, the problem investigation process will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B.

McGuire Units 1 and 2 B 3.8.1-12 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

These Conditions are not required to be entered if the inoperability of the DG is due to an inoperable support system, an independently testable component, or preplanned testing or maintenance. If required, these Required Actions are to be completed regardless of when the inoperable DG is restored to OPERABLE status.

According to Generic Letter 84-15 (Ref. 8), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.

B.5 In order to extend the Completion Time for an inoperable DG from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to 14 days, it is necessary to verify the availability of the ESPS within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of entry into TS 3.8.1 LCO and every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter.

Since Required Action B.5 only specifies evaluate, discovering the ESPS unavailable does not result in the Required Action being not met (i.e. the evaluation is performed). However, on discovery of an unavailable ESPS, the Completion Time for Required Action B.6 starts the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and/or 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months clock.

ESPS availability requires that:

1) The load test has been performed within 30 days of entry into the extended Completion Time. The Required Action evaluation is met with an administrative verification of this prior to testing; and

2) ESPS fuel tank level is verified locally to be 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months supply; and

3) ESPS supporting system parameters for starting and operating are verified to be within required limits for functional availability (e.g., battery state of charge).

The ESPS is not used to extend the Completion Time for more than one inoperable DG at any one time.

B.4B.6 According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition B for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

In accordance with Branch Technical Position 8-8 (Ref. 14), operation may continue in Condition B for a period that should not exceed 14 days, provided a supplemental AC power source is available.

In Condition B, the remaining OPERABLE DGs, available ESPS and offsite circuits are adequate to supply electrical power to the onsite McGuire Units 1 and 2 B 3.8.1-13 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

Class 1E Distribution System. The 72 hour14 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

If the ESPS is unavailable upon entry into Condition B, inoperable LCO 3.8.1.b DG, then action is required to restore the ESPS to available status or to restore the DG to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from entry into Condition B. If the ESPS unavailability occurs sometime after 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months from initial entry into Condition B and less than or equal to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from initial entry into Condition B, then the remaining time to restore the ESPS to available status or to restore the DG to OPERABLE status is limited to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from initial entry into Condition B. However, if the ESPS unavailability occurs sometime after 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months from initial entry into Condition B, then the remaining time to restore the ESPS to available status or to restore the DG to OPERABLE status is limited to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time allow for an exception to the normal time zero for beginning the allowed outage time clock.

Therefore, when one LCO 3.8.1.b DG is inoperable due to either preplanned maintenance (preventive or corrective) or unplanned corrective maintenance work, the Completion Time can be extended from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to 14 days if it is ensured that ESPS is available for backup operation.

The second fourth Completion Time for Required Action B.4B.6 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCOLCO 3.8.1.a or LCO 3.8.1.b. If Condition B is entered while, for instance, an a LCO 3.8.1.a offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead to a total of 144 hour0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months s17 days, since initial failure to meet the LCOLCO 3.8.1.a or LCO 3.8.1.b, to restore the DG. At this time, an a LCO 3.8.1.a offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 9 20 days) allowed prior to complete restoration of the LCOLCO 3.8.1.a and LCO 3.8.1.b.

The 6 17 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCOLCO 3.8.1.a or LCO 3.8.1.b. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour14 day and 6 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

ACTIONS (continued)

McGuire Units 1 and 2 B 3.8.1-14 Revision No. 115

AC Sources-Operating B 3.8.1 BASES As in Required Action B.23, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCOLCO 3.8.1.a or LCO 3.8.1.b was initially not met, instead of at the time Condition B was entered.

C.1 Condition C addresses the inoperability of the LCO 3.8.1.c qualified offsite circuit(s) between the offsite transmission network and the opposite units Onsite Essential Auxiliary Power System when the LCO 3.8.1.c qualified offsite circuit(s) is necessary to supply power to the shared systems. If Condition C is entered concurrently with the inoperability of LCO 3.8.1.d DG(s) the NOTE requires the licensed operator to evaluate if the TS 3.8.9 Distribution Systems - Operating requirement that OPERABLE AC electrical power distribution subsystems require the associated buses, load centers, motor control centers, and distribution panels to be energized to their proper voltages continues to be met. In the case where the inoperable LCO 3.8.1.c qualified offsite circuit and inoperable LCO 3.8.1.d DG are associated with the same train there is no longer assurance that train of Distribution Systems - Operating can be energized to the proper voltage and therefore TS 3.8.9 Condition A must be entered.

To ensure a highly reliable power source remains with one required LCO 3.8.1.c offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuits on a more frequent basis. Since the Required Action only specifies perform, a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition A and E, as applicable, for the two offsite circuits inoperable, is entered.

C.2 Required Action C.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function for the NSWS, CRAVS, CRACWS or the ABFVES. The Completion Time for Required Action C.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal time zero for beginning the allowed outage time clock. In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads; and ACTIONS (continued)

McGuire Units 1 and 2 B 3.8.1-15 Revision No. 115

AC Sources-Operating B 3.8.1 BASES

b. NSWS, CRAVS, CRACWS or ABFVES on the other train that has offsite power is inoperable.

If at any time during the existence of Condition C (one required LCO 3.8.1.c offsite circuit inoperable) a train of NSWS, CRAVS, CRACWS or ABFVES becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one train of NSWS, CRAVS, CRACWS or ABFVES that is associated with the other train that has offsite power, results in starting the Completion Time for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable NSWS, CRAVS, CRACWS or ABFVES. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

C.3 Consistent with the time provided in ACTION A, operation may continue in Condition C for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one required LCO 3.8.1.c offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

If the LCO 3.8.1.c required offsite circuit cannot be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , then Condition I must be entered immediately.

D.1 Condition D addresses the inoperability of the LCO 3.8.1.d DG(s) aligned to the opposite unit Onsite Essential Auxiliary Power System that is supplying power to a train of shared systems. If Condition D is entered concurrently with the inoperability of LCO 3.8.1.c qualified offsite circuit the NOTE requires the licensed operator to evaluate if the TS 3.8.9 ACTIONS (continued)

McGuire Units 1 and 2 B 3.8.1-16 Revision No. 115

AC Sources-Operating B 3.8.1 BASES Distribution Systems - Operating requirement that OPERABLE AC electrical power distribution subsystems require the associated buses, load centers, motor control centers, and distribution panels to be energized to their proper voltages continues to be met. In the case where the inoperable LCO 3.8.1.d DG and inoperable LCO 3.8.1.c qualified offsite circuit are associated with the same train there is no longer assurance that train of Distribution Systems - Operating can be energized to the proper voltage and therefore TS 3.8.9 Condition A must be entered.

It is required to administratively verify the CO 3.8.1.b safety-related DGs OPERABLE within one hour and to continue this action once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter until restoration of the required LCO 3.8.1.d DG is accomplished. This verification provides assurance that the LCO 3.8.1.b safety-related DGs is capable of supplying the onsite Class 1E AC Electical Power Distribution System.

If one LCO 3.8.1.b DG is discovered to be inoperable when performing the administrative verification of operability, then Condition B is entered for that DG. If two LCO 3.8.1.b DGs are discovered to be inoperable or the LCO 3.8.1.b DG that provides power to the NSWS, CRAVS, CRACWS and ABFVES inoperable when performing the administrative verification of operability, then Condition G is entered.

D.2 To ensure a highly reliable power source remains with one required LCO 3.8.1.d DG inoperable, it is necessary to verify the OPERABILITY of the required offsite circuits on a more frequent basis. Since the Required Action only specifies perform, a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

D.3 Required Action D.3 is intended to provide assurance that a loss of offsite power, during the period one required LCO 3.8.1.d DG is inoperable, does not result in a complete loss of safety function for the NSWS, CRAVS, CRACWS or the ABFVES. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for exception to the normal time zero for beginning the allowed outage time clock. In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable LCO 3.8.1.d DG exists; and McGuire Units 1 and 2 B 3.8.1-17 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

b. NSWS, CRAVS, CRACWS or ABFVES on the other train that has emergency power is inoperable.

If at any time during the existence of this Condition (the LCO 3.8.1.d DG inoperable) a train of NSWS, CRAVS, CRACWS or ABFVES becomes inoperable, this Completion Time begins to be tracked.

Discovering the LCO 3.8.1.d DG inoperable coincident with one train of NSWS, CRAVS, CRACWS or ABFVES that is associated with the other train that has emergency power results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

In this Condition, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the NSWS, CRAVS, CRACWS or ABFVES may have been lost; however, function has not been lost. The four hour Completion Time also takes into account the capacity and capability of the remaining NSWS, CRAVS, CRACWS and ABFVES train, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

D.4.1 and D.4.2 Required Action D.4.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG(s), SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition B and I of LCO 3.8.1, as applicable, would be entered. Once the failure is repaired, the common cause failure no longer exists and Required Action D.4.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s),

performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of the DG(s).

In the event the inoperable DG is restored to OPERABLE status prior to completing either D.4.1 or D.4.2, the problem investigation process will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition D.

According to Generic Letter 84-15 (Ref. 8), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.

McGuire Units 1 and 2 B 3.8.1-18 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

D.5.1 and D.5.2 In Condition D, the remaining OPERABLE DGs and offsite power circuits are adequate to supply electrical power to the Class 1E Distribution System.

If the LCO 3.8.1.d DG cannot be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or the NSWS, CRAVS, CRACWS and ABFVES components supported by the inoperable LCO 3.8.1.d DG cannot be re-aligned to be supplied by an OPERABLE DG within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , then Condition I is entered.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

CE.1 and CE.2 Condition E is entered when both offsite circuits required by LCO 3.8.1.a are inoperable, or when the offsite circuit required by LCO 3.8.1.c and one offsite circuit required by LCO 3.8.1.a are concurrently inoperable, if the LCO 3.8.1.a offsite circuit is credited with providing power to the NSWS, CRAVS, CRACWS and ABFVES. Condition E is also entered when two offsite circuits required by LCO 3.8.1.c are inoperable.

Required Action CE.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is that Regulatory Guide 1.93 (Ref. 7) allows a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps.

Single train features, such as turbine driven auxiliary pumps, are not included in the list.

The Completion Time for Required Action CE.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

McGuire Units 1 and 2 B 3.8.1-19 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

a. All required offsite circuits are inoperable; and

b. A required feature is inoperable.

If at any time during the existence of Condition C E (two LCO 3.8.1.a offsite circuits inoperable, or one LCO 3.8.1.a offsite circuit that provides power to the NSWS, CRAVS, CRACWS and ABFVES inoperable and the required LCO 3.8.1.c offsite circuit inoperable, or two offsite circuits required by LCO 3.8.1.c inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition C E for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

However, two factors tend to decrease the severity of this level of degradation:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A or C, as applicable.

McGuire Units 1 and 2 B 3.8.1-20 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

DF.1 and DF.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D F are modified by a Note to indicate that when Condition D F is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution SystemsOperating," must be immediately entered. This allows Condition D F to provide requirements for the loss of one offsite circuit and one DG, without regard to whether a train is de-energized. LCO 3.8.9 provides the appropriate restrictions for a de-energized train.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition D F for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

In Condition DF, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C E (loss of both two required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

EG.1 With Train A and Train B DGstwo LCO 3.8.1.b DGs inoperable, there are no remaining standby AC sources to provide power to most of the ESF systems. With one LCO 3.8.1.d DG inoperable and the LCO 3.8.1.b DG that provides power to the NSWS, CRAVS, CRACWS and ABFVES inoperable, or with two DGs required by LCO 3.8.1.d inoperable, there are no remaining standby AC sources to the NSWS, CRAVS, CRACWS and ABFVES. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediate shutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

McGuire Units 1 and 2 B 3.8.1-21 Revision No. 115

AC Sources-Operating B 3.8.1 BASES ACTIONS (continued)

According to Reference 7, with both LCO 3.8.1.b DGs inoperable, or with the LCO 3.8.1.b DG that provides power to the NSWS, CRAVS, CRACWS and ABFVES and the LCO 3.8.1.d DG inoperable, or with two DGs required by LCO 3.8.1.d inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

FH.1 The sequencer(s) is an essential support system to both the offsite circuit and the DG associated with a given ESF bus. Furthermore, the sequencer is on the primary success path for most major AC electrically powered safety systems powered from the associated ESF bus.

Therefore, loss of an ESF bus sequencer affects every major ESF system in the train. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining sequencer OPERABILITY. This time period also ensures that the probability of an accident (requiring sequencer OPERABILITY) occurring during periods when the sequencer is inoperable is minimal.

GI.1 and GI.2 If the inoperable AC electric power sources cannot be restored to OPERABLE status within the required Completion Time,If any Required Action and associated Completion Time of Conditions A, C, E, F, G, or H, are not met, the unit must be brought to a MODE in which the LCO does not apply. Furthermore, if any Required Action and associated Completion Time of Required Actions B.2, B.3, B.4.1, B.4.2, B.6, E.2, E.3, E.4.1, E.4.2, E.5.1 or E.5.2 are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

HJ.1 Condition HJ corresponds to a level of degradation in which all redundancy in the LCO 3.8.1.a and LCO 3.8.1.b AC electrical power supplies has been lost or in which all redundancy in LCO 3.8.1.c and LCO 3.8.1.d AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

McGuire Units 1 and 2 B 3.8.1-22 Revision No. 115

AC Sources-Operating B 3.8.1 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. UFSAR, Chapter 8.

3. Regulatory Guide 1.9, Rev. 3, July 1993.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 15.

6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).

7. Regulatory Guide 1.93, Rev. 0, December 1974.

8. Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability," July 2, 1984.

9. 10 CFR 50, Appendix A, GDC 18.

10. Regulatory Guide 1.137, Rev. 1, October 1979.

11. IEEE Standard 308-1971.

12. Regulatory Guide 1.6, Rev. 0, March 1971.

13. Regulatory Guide 1.8.1, Rev. 1, January 1975.

14. Branch Technical Position 8-8, February 2012.

McGuire Units 1 and 2 B 3.8.1-36 Revision No. 115 RA-18-0229 Attachment 4 Regulatory Commitments RA-18-0229 The following table identifies the regulatory commitments in this document by Duke Energy Carolinas, LLC (Duke Energy) for the McGuire Nuclear Station, Units 1 and 2. Any other statements in this submittal represent intended or planned actions, and are provided for information purposes. They are not considered to be regulatory commitments.

TYPE SCHEDULED Continuing COMPLETION COMMITMENT One-time Compliance DATE

1. The preplanned diesel generator (DG) maintenance will not be scheduled if severe X weather conditions are anticipated. Weather Prior to conditions will be evaluated prior to intentionally implementing entering the extended DG Completion Time (CT) the approved and will not be entered if official weather forecasts Technical are predicting severe weather conditions (i.e.,

Specification thunderstorm, tornado or hurricane warnings).

3.8.1 diesel Operators will monitor weather forecasts each shift generator during the extended DG CT. If severe weather or Completion Time grid instability is expected after a DG outage extension.

begins, station managers will assess the conditions and determine the best course for returning the DG to operable status.

2. Component testing or maintenance of safety Prior to systems and important non-safety equipment in X implementing the offsite power systems that can increase the the approved likelihood of a plant transient (unit trip) or loss of Technical offsite power (LOOP) will be avoided during the Specification extended DG CT. 3.8.1 diesel generator Completion Time extension.

Page 1 of 4 RA-18-0229

3. No discretionary switchyard maintenance will be Prior to performed during the extended DG CT. X implementing the approved Technical Specification 3.8.1 diesel generator Completion Time extension.

4. The turbine-driven auxiliary feed water pump will not be removed from service for elective X maintenance activities during the extended CT.

Prior to The turbine-driven auxiliary feed water pump will implementing the be controlled as protected equipment during the approved extended DG CT. The Non-CT EDGs, ESPS, Technical Component Cooling System, Safe Shutdown Specification Facility, Nuclear Service Water System, Chemical 3.8.1 diesel and Volume Control System, Diesel Air generator Compressors, Residual Heat Removal System, Completion Time motor driven auxiliary feed water pumps, and the extension.

switchyard will also be controlled as protected equipment.

5. During the extended DG CT, the Emergency Prior to Supplemental Power Source (ESPS) will be X implementing routinely monitored during operator rounds, with the approved monitoring criteria identified in the operator rounds. Technical The ESPS will be monitored for fire hazards during Specification operator rounds. 3.8.1 diesel generator Completion Time extension.

Page 2 of 4 RA-18-0229

6. Licensed Operators and Auxiliary Operators will be Prior to trained on the purpose and use of the ESPS and X implementing the revised emergency procedure (EP) actions. the approved Personnel performing maintenance on the ESPS Technical will be trained. Specification 3.8.1 diesel generator Completion Time extension.

7. The system load dispatcher will be contacted once Prior to per day to ensure no significant grid perturbations X implementing (high grid loading unable to withstand a single the approved contingency of line or generation outage) are Technical expected during the extended DG CT. Specification 3.8.1 diesel generator Completion Time extension.

8. TS required systems, subsystems, trains, Prior to components and devices that depend on the X implementing remaining power sources will be verified to be the approved operable and positive measures will be provided to Technical preclude subsequent testing or maintenance Specification activities on these systems, subsystems, trains, 3.8.1 diesel components and devices during the extended DG generator CT. Completion Time extension.

9. Prior to entering the extended CT for an inoperable Prior to DG, when both units are in the TS 3.8.1 Modes of implementing X

APPLICABILITY, the station will ensure that each the approved train of shared systems is powered by an operable Technical Class 1E AC Distribution System with an operable Specification DG, from opposite units. 3.8.1 diesel generator Completion Time extension.

Page 3 of 4 RA-18-0229

10. The risk estimates associated with the 14-day Prior to EDG Completion Time LAR will be updated, as implementing X

necessary to incorporate the as-built, as-operated the approved ESPS modification. Duke Energy will confirm that Technical any updated risk estimates continue to meet the Specification risk acceptance guidelines of RG 1.174 and RG 3.8.1 diesel 1.177. generator Completion Time extension.

Page 4 of 4

v t e Letter Sequence Response to RAI
CAC:MF9667, Control Room Habitability (Approved, Closed) CAC:MF9669, (Approved, Closed)
Initiation Request, Request, Request, Request, Request Acceptance, Acceptance Supplement, Supplement, Supplement, Supplement, Supplement, Supplement Administration Meeting Questions Answers 10 July 2018 3 December 2018 10 July 2019 Results Approval, Approval, Approval Other: ML18046B077, ML18117A187, ML18249A046
MONTHYEAR2018-05-02 [Table View]

RA-18-0229, Response to NRC Request for Additional Information Regarding License Amendment Request Proposing Changes to the Technical Specification 3.8.1

Text

SUBJECT:

REFERENCES:

RAI-2

RAI-3

RAI-4

RAI-5

RAI-6

RAI-7

RAI-8

RAI-9

RAI-10

RAI-11

Navigation menu

RA-18-0229, Response to NRC Request for Additional Information Regarding License Amendment Request Proposing Changes to the Technical Specification 3.8.1

Text

SUBJECT:

REFERENCES:

RAI-2

RAI-3

RAI-4

RAI-5

RAI-6

RAI-7

RAI-8

RAI-9

RAI-10

RAI-11

Navigation menu

Search