AEP-NRC-2009-45, License Amendment Request for One-Time Extension of Technical Specification Completion Times for Inoperable Train of Reactor Trip System and Engineered Safety Feature Actuation System

From kanterella
Jump to navigation Jump to search
License Amendment Request for One-Time Extension of Technical Specification Completion Times for Inoperable Train of Reactor Trip System and Engineered Safety Feature Actuation System
ML092090262
Person / Time
Site: Cook American Electric Power icon.png
Issue date: 07/17/2009
From: Weber L
Indiana Michigan Power Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
AEP-NRC-2009-45
Download: ML092090262 (42)
v  d  e


Text

Indiana Michigan Power Company Nuclear Generation Group INDIANA One Cook Place MICHIGAN Bridgman, MI 49106 POWER aep.com July 17, 2009 AEP-NRC-2009-45 10 CFR 50.90 U. S. Nuclear Regulatory Commission, ATTN: Document Control Desk Washington, DC 20555-0001

SUBJECT:

Donald C. Cook Nuclear Plant Unit 2 Docket No. 50-316 License Amendment Request for One-Time Extension of Technical Specification Completion Times for Inoperable Train of Reactor Trip System and Engineered Safety Feature Actuation System

Dear Sir or Madam:

Pursuant to 10 CFR 50.90, Indiana Michigan Power Company (I&M), the licensee for Donald C. Cook Nuclear Plant Unit 2, proposes to amend the Appendix A Technical Specifications (TS) to Facility Operating License DPR-74. I&M proposes to modify the TS to allow a one-time extension of the Completion Times to restore an inoperable train of the Reactor Trip System (RTS) and an inoperable train of the Engineered Safety Feature Actuation System (ESFAS).

The proposed extension is requested as a contingency that may be needed if the currently installed Multiplexer Test Switch in Train A of the Unit 2 Solid State Protection System (SSPS) fails. The Multiplexer Test Switch is used for performance of TS Surveillance Requirement tests on RTS and ESFAS functions. The Multiplexer Test Switch controls the SSPS inputs to indications and alarms on the main control board from the associated train. The Multiplexer Test Switch mechanism appears to be degraded and may fail during future Surveillance Requirement testing. Both trains of the RTS and ESFAS are currently operable and failure of the switch would not render either train inoperable. However, failure of the Multiplexer Test Switch during future Surveillance Requirement.

testing could prevent completion of the testing and would result in abnormal main control board indicator and alarm conditions.

I&M will replace the currently installed Multiplexer Test Switch during the next refueling outage (fall 2010), or any unscheduled outage of sufficient duration that may occur prior to the next refueling outage. However, if the Multiplexer Test Switch fails during a TS surveillance test prior to being replaced, I&M plans to replace the Multiplexer Test Switch with the unit operating in Mode 1. The TS Surveillance Requirement testing which would reveal a failed Multiplexer Test Switch, the switch replacement, and the post replacement testing of the switch would all require that Train A of the RTS and ESFAS be inoperable. If unforeseeable problems occur during these activities, the period of inoperability may challenge the TS Completion Time to restore RTS and ESFAS Train A to operability within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. As a contingency, I&M is therefore requesting a 6-hour extension of that

U. S. Nuclear Regulatory Commission AEP-NRC-2009-45 Page 2 TS Completion Time to a total of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The proposed extension would be effective for a one-time replacement of the currently installed Multiplexer Test Switch if needed during the remainder of the current Unit 2 fuel cycle. The proposed change is risk-informed. Although the proposed extension would only be used one time, I&M's risk analysis has determined that the proposed amendment is consistent with Nuclear Regulatory Commission (NRC) guidance for permanent TS changes.

The next TS Surveillance Requirement tests which would challenge the Train A Multiplexer Test Switch are due August 26, 2009, based on their 92 day staggered test Frequency. Application of the 25% Frequency allowance provided by Surveillance Requirement 3.0.2 would extend the:due date to September 18, 2009. I&M plans toperform the tests on September 1, 2009, for consistency with Unit 2 Train A RTS and ESFAS Surveillance Requirement testing schedules established for 2009. I&M is therefore requesting NRC approval of the proposed TS change no later than August 28, 2009.

I&M intends to implement the amendment as soon as necessary' to support the next TS

-Surveillance Requirement tests for which the Train A Multiplexer Test Switch must be taken out of the Normal position following NRC approval. However, for. administrative flexibility, I&M requests that the amendment notice specify a 14 day implementation period.

Enclosure 1 to this letter provides an affirmation statement. Enclosure 2 provides I&M's evaluation of the proposed change. Enclosure 3 provides a table of the specific RTS and ESFAS Train A functions for which I&M is requesting an extension of the TS Completion Time to restore operability.

Attachment 1 to this letter provides the affected TS pages marked to show the proposed change.

Attachment 2 provides a list of the new regulatory commitments made in this letter.

Copies of this letter and its attachment are being transmitted to the Michigan Public Service Commission and Michigan Department of Environmental Quality, in accordance with the requirements of 10 CFR 50.91. Should you have any questions, please contact Mr. James M. Petro, Jr., Regulatory Affairs Manager, at (269) 466-2489.

Sincerely, Lawrence J. Weber Site Vice President J RW/rdw

U. S. Nuclear Regulatory Commission AEP-NRC-2009-45 Page 3

Enclosures:

1. Affirmation
2. Indiana Michigan Power Company's Evaluation
3. Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS)

Train A Functions for Which Indiana Michigan Power Company Is Requesting an Extension of the Technical Specification Completion Time to Restore Operability Attachments

1. Donald C. Cook Nuclear Plant Unit 2 Technical Specification Pages Marked To Show Proposed Change
2. Regulatory Commitments c: T. A. Beltz, NRC Washington DC K. D. Curry, Ft. Wayne AEP, w/o enclosures and attachments J. T. King, MPSC MDEQ - WHMD/RPS NRC Resident Inspector M. A. Satorius, NRC Region III

Enclosure 1 to AEP-NRC-2009-45 AFFIRMATION I, Lawrence J. Weber, being duly sworn, state that I am Site Vice President of Indiana Michigan Power Company (I&M), that I am authorized to sign and file this request with the Nuclear Regulatory Commission on behalf of I&M, and that the statements made and the matters set forth herein pertaining to I&M are true and correct to the best of my knowledge, information, and belief.

Indiana Michigan Power Company Lawrence J. Weber Site Vice President SWORN TO AND SUBSCRIBED BEFORE ME THIS /_7" DAY OF 2009 Notary Public My Commission Expires c?4'6//

Enclosure 2 to AEP-NRC-2009-45 INDIANA MICHIGAN POWER COMPANY'S EVALUATION

Subject:

License Amendment Request for One-Time Extension of Technical Specification Completion Times for Inoperable Train of Reactor Trip System and Engineered Safety Feature Actuation System

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

3.1 RTS, ESFAS, and SSPS 3.2 Multiplexer Test Switch and Input Error Inhibit Switch 3.3 Quarterly Train A TS Surveillance Requirements 3.4 Train A Multiplexer Test Switch Potential Failure and Replacement

4.0 TECHNICAL ANALYSIS

4.1 Multiplexer Test Switch Reliability 4.2 RTS, ESFAS, and ESF Train B Automatic Capability 4.3 ESF Train A Manual Capability 4.4 Risk Analysis 5.0 REGULATORY SAFETY ANALYSIS 5.1 No Significant Hazards Consideration 5.2 Applicable Regulatory Requirements/Criteria/Guidance

6.0 ENVIRONMENTAL CONSIDERATION

S 7.0 PRECEDENTS

8.0 REFERENCES

to AEP-NRC-2009-45 Page 2

1.0 DESCRIPTION

Pursuant to 10 CFR 50.90, Indiana Michigan Power Company (I&M), the licensee for Donald C. Cook Nuclear Plant (CNP) Unit 2, proposes to amend the Appendix A Technical Specifications (TS) to Facility Operating License DPR-74. I&M proposes to modify the TS to allow a one-time extension of the Completion Times to restore an inoperable train of the Reactor Trip System (RTS) and an inoperable train of the Engineered Safety Feature Actuation System (ESFAS).

The proposed extension is requested as a contingency that may be needed if the currently installed Multiplexer Test Switch in Train A of the Unit 2 Solid State Protection System (SSPS) fails. The Multiplexer Test Switch is used for performance of TS Surveillance Requirement tests on RTS and ESFAS functions. The Multiplexer Test, Switch controls the SSPS inputs to indication and alarms on the main control board from the associated train. The Multiplexer Test Switch mechanism appears to be degraded and may fail during future Surveillance Requirement testing. Both trains of the RTS and ESFAS are currently operable and failure of the switch would not render either train inoperable. However, failure of the Multiplexer Test Switch during future Surveillance Requirement testing could prevent completion of the testing and would result in abnormal main control board indicator and alarm conditions.

I&M will replace the currently installed Multiplexer Test Switch during the next refueling outage (fall 2010), or any unscheduled outage of sufficient duration that may occur prior to the next refueling outage. However, if the Multiplexer Test Switch fails during a TS surveillance test prior to being replaced, I&M plans to replace the Multiplexer Test Switch with the unit operating in Mode 1. The switch replacement and the post replacement testing of the switch would require that Train A of the RTS and ESFAS be inoperable. If unforeseeable problems occur during these activities, the period of inoperability may challenge the TS Completion Time to restore RTS and ESFAS Train A to operability within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. As a contingency, I&M is therefore requesting a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> extension of that TS Completion Time to a total of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The proposed extension would be effective for a one-time replacement of the currently installed Multiplexer Test Switch if needed during the remainder of the current Unit 2 fuel cycle, Fuel Cycle 18. The proposed change is risk-informed. Although the proposed extension would only be used one time, I&M's risk analysis has determined that the proposed amendment is consistent with Nuclear Regulatory Commission (NRC) guidance for permanent TS changes.

2.0 PROPOSED CHANGE

I&M proposes that the following footnote be added to the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time specified for TS 3.3.1 Condition J on Page 3.3.1-4 of the CNP Unit 2 TS:

If the Train A Solid State Protection System Multiplexer Test Switch that was in service at the beginning of Fuel Cycle 18 fails during the fuel cycle, the Completion Time to restore inoperable Train A Functions 17 and 21 of Table 3.3.1-1 may be extended to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, one time during Fuel Cycle 18, to complete replacement and testing of the switch.

TS 3.3.1 Condition N, which is displaced by the footnote, will be relocated, unchanged, to a new Page, 3.3.1-4a, immediately following Page 3.3.1-4.

to AEP-NRC-2009-45 Page 3 I&M proposes that the following footnote note be added to the Completion Time specified for TS 3.3.2 Condition C on Page 3.3.2-1:

If the Train A Solid State Protection System Multiplexer Test Switch that was in service at the beginning of Fuel Cycle 18 fails during the fuel cycle, the Completion Time to restore inoperable Train A Functions 1.b, 2.b, 3.a.(2), 3.a.(3), 3.b.(2), 4.b, 5.a, 5.c, 6.a, 6.d, and 7.b of Table 3.3.2-1 may be extended to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, one time during Fuel Cycle 18, to complete replacement and testing of the switch.

The attachment to this letter provides a copy of the !affected pages marked to show the changes. I&M will provide clean copies of the affected pages, with the change incorporated, to the NRC Licensing Project Manager upon request. Subsequent to replacement of the SSPS Train A Multiplexer Test Switch, I&M plans to submit another license amendment request to delete the footnotes and restore standard TS format and pagination. No changes to the associated TS Bases are planned because the proposed extension would be used only one time.

3.0 BACKGROUND

3.1 RTS, ESFAS, and SSPS The RTS initiates a rapid unit shutdown, based on the values of selected unit parameters, to

1) assure the reactor core fuel design limits are protected and the Reactor Coolant System (RCS) pressure boundary integrity is maintained during anticipated operational transients and
2) assist the Engineered Safety Features (ESF) in mitigating accidents.

The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and protect the RCS pressure boundary, and to mitigate accidents.

The RTS instrumentation and the ESFAS instrumentation both include the following distinct but interconnected elements:

" The field transmitters or process sensors provide a measurable electronic signal based upon the physical characteristics of the parameter being measured.

  • The Signal Process Control and Protection System provides signal conditioning, bistable setpoint comparison, process algorithm actuation, and compatible electrical signal output to protection system devices and main control board, control room, and miscellaneous indication.
  • The SSPS, including input, logic, and output bays, initiates rapid unit shutdown or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the Signal Process Control and Protection System.

The SSPS is the element involved in this proposed license amendment. The SSPS controls the decision logic for actuating a reactor trip or ESF actuation', generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and to AEP-NRC-2009-45 Page 4 annunciator output signals to the main control room of the unit. The bistable outputs from the Signal Process Control and Protection System are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is satisfied, the system will initiate a reactor trip or transmit actuation signals via master and slave relays to those components whose aggregate function best serves to alleviate the condition and restore the unit to a safe condition.

To meet the redundancy requirements, two trains of SSPS are provided. Each SSPS train actuates its associated train of ESF components (trip breakers, pumps, valves, etc.). If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is located in its own set of cabinets for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

3.2 Multiplexer Test Switch and Input Error Inhibit Switch There are two types of switches that are of interest with respect to this proposed amendment:

the Multiplexer Test Switch and the Input Error Inhibit Switch.

Multiplexer Test Switch A Multiplexer Test Switch is provided for each train in the associated SSPS cabinet. The Multiplexer Test Switch is used to minimize unnecessary control room distractions during testing of the associated SSPS train. The Multiplexer Test Switch controls the SSPS inputs to indication and alarms on the main control board from the associated train. The three positions of each Multiplexer Test Switch are, in sequence of operation, Normal, Inhibit, and A+B.

  • The Normal position is used during routine plant operation. Alarms on the main control board will actuate in response to signals from both trains of the SSPS.
  • In the Inhibit position, data from the train being tested is inhibited from actuating alarms on the main control board. Inhibiting of alarms on the main control board during testing minimizes operator distractions from alarms that result from test signals. Valid data from the train not being tested will continue to actuate main control board alarms, if appropriate.

Placing the Multiplexer Test Switch in the Inhibit position does not, of itself, affect the SSPS protective features or render the associated train of RTS or ESFAS inoperable.

Additionally, a signal is provided to the semiautomatic test circuit to verify its proper operation when the switch is in the Inhibit position. A General Warning alarm is generated on the main control board and at the SSPS panel when the Multiplexer Test Switch in either train is in the Inhibit position.

" In the A+B position, data from one train then the other train is alternately inhibited. This function is used during bistable testing to determine if both trains receive, process, and display the same data. If data differences exist, status lights on the main control board to AEP-NRC-2009-45 Page 5 flash. Placing the Multiplexer Test Switch in the A+B position does not, of itself, affect the SSPS protective features or render the associated train of RTS or ESFAS inoperable.

Additionally, a signal is provided to the semiautomatic test circuit to verify its proper operation when the switch is in the A+B position. A General Warning alarm is not generated when a Train A or Train B Multiplexer Test Switch is in the A+B position.

On June 8, 2009, technicians were performing a TS Surveillance Requirement test procedure which required placing the Train A Multiplexer Test Switch in the A+B position. Normally when taking the switch to A+B position, a General Warning alarm occurs momentarily as the switch passes through the Inhibit position. In this instance however, the General Warning alarm remained actuated after the Multiplexer Test Switch was in the A+B position. Additionally, an associated light emitting diode (LED) on a circuit card below the Multiplexer Test Switch remained illuminated, indicating the switch was in the Inhibit position even though it had physically been placed in the A+B position. As expected, two detents were felt and heard when the Multiplexer Test Switch was taken from Normal, through Inhibit, to the A+B position.

However, only one detent was felt when returning the Multiplexer Test Switch from A+B, through Inhibit, to Normal, and the switch felt "spongy" to the technician. The General Warning alarm and the LED de-energized when the Multiplexer Test Switch was returned to the Normal position.

These conditions were documented in the CNP Corrective Action Program. Since the TS Surveillance Requirement test being performed on June 8, 2009, could be performed by using either the Train A Multiplexer Test Switch or the Train B Multiplexer Test Switch, the applicable procedure was revised to use the Train B Multiplexer Test Switch, and the TS Surveillance Requirement test was successfully completed.

The electrical and mechanical SSPS Train A Multiplexer Test Switch responses observed on June 8, 2009, indicate that the switch mechanism may be degraded and that it may fail during future RTS and ESFAS TS Surveillance Requirement tests. The failure may be such that valid alarms and indication on the main control board are inhibited. Therefore, I&M is revising the procedures for those TS Surveillance Requirement tests that may be performed by using either the Train A or the Train B Multiplexer Test Switch such that only the Train B Multiplexer Test Switch will be used until the Train A Multiplexer Test Switch is replaced.

However, there are TS Surveillance Requirement tests with a quarterly Frequency (92 days on a staggered test basis) for which the Train A Multiplexer Test Switch must be taken out of the Normal position. Performance of these Surveillance Requirement tests also involve the second switch type of interest, the Input Error Inhibit Switch.

Input Error Inhibit Switch An Input Error Inhibit Switch is provided for each train in the associated SSPS cabinet to prevent invalid signals from actuating protective features (reactor trip, ESF actuation, etc.) for that train during testing. The Input Error Inhibit Switch has two positions, Normal and Inhibit.

  • The Normal position is used during routine plant operation. Protective features for the associated train will actuate in response to SSPS signals from that train.

to AEP-NRC-2009-45 Page 6 In the Inhibit position, signals from the associated train are inhibited from actuating protective features for that train, thereby rendering the associated RTS and ESFAS train inoperable. This prevents invalid protective feature actuation that would result from test signals. Valid signals from the train not being tested will continue to actuate protective features for the train not under test, if appropriate. A General Warning alarm is generated on the main control board and at the SSPS panel if the Input Error Inhibit Switch in either train is in the Inhibit position.

Therefore, the associated train of RTS and ESFAS is inoperable when the Input Error Inhibit Switch is in the Inhibit position.

3.3 Quarterly Train A TS Surveillance Requirements The quarterly Train A TS Surveillance Requirements that necessitate taking both the Multiplexer Test Switch and the Input Error Inhibit Switch out of their Normal positions are as follows:

1. TS Surveillance Requirement 3.3.1.5 for testing of RTS Train A Function 21 per TS Table 3.3.1-1.
2. TS Surveillance Requirements 3.3.1.6 for testing of RTS Train A Function 17 per TS Table 3.3.1-1.
3. TS Surveillance Requirements 3.3.2.3 and 3.3.2.4 for testing of ESFAS Train A Functions 1.b, 2.b, 3.a.(2), 3.a.(3), 3.b.(2), 4.b., 5.a, 5.c, 6.a, 6.d, and 7.b, per TS Table 3.3.2-1.
4. TS Surveillance Requirement 3.3.1.5 for testing of RTS Train A Function 18.b per TS Table 3.3.1-1.
5. TS Surveillance Requirements 3.3.6.2 and 3.3.6.3 for testing of Containment Purge and Supply Exhaust System Isolation Train A Function 2 TS Table 3.3.6-1.
6. TS Surveillance Requirements 3.3.2.3 and 3.3.2.4 for testing of Containment Purge and Supply Exhaust System Isolation Train A Function 4 per TS Table 3.3.6-1.
7. TS Surveillance Requirements 3.3.7.1 and 3.3.7.2 for testing of Control Room Emergency Ventilation Actuation Instrumentation Train A Functions 1 and 3 per TS Table 3.3.7-1.
8. TS Surveillance Requirements 3.3.2.3 and 3.3.2.4 for testing of Control Room Emergency Ventilation Actuation- Instrumentation Train A Function 2 per TS Table 3.3.7-1.
9. TS Surveillance Requirements 3.3.2.3 and 3.3.2.4 for testing of Unit 1 Control Room Emergency Ventilation Actuation Instrumentation Train A Function 4 per Unit 1 TS Table 3.,3.7-1.

These Surveillance Requirements are normally conducted concurrently during a scheduled period of inoperability for Train A components.

to AEP-NRC-2009-45 Page 7 The Train A TS functions identified above are inoperable during their quarterly Surveillance Requirement test because the Input Error Inhibit Switch is in the Inhibit position. The TS Train A functions identified in Items 1, 2, and 3 above are of concern because, with these functions inoperable and the unit in Mode 1 or 2, TS 3.3.1 Condition J and TS 3.3.2 Condition C would apply. The Required Action for both TS 3.3.1 Condition J and TS 3.3.2 Condition C is to restore the inoperable train to operable status, with a Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time is not met, TS 3.3.1 Condition Q, and TS 3.3.2 Condition I and Condition J would require that the unit be in Mode 3 within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Descriptions of the functions identified in Items 1, 2, and 3 are provided in Enclosure 3 to this letter.

The TS Train A functions identified in Items 4 through 9 above are not of concern because, with these functions inoperable, the unit would not be required to exit Mode 1 to comply with the associated TS Required Actions.

3.4 Train A Multiplexer Test Switch Potential Failure and Replacement Based on the SSPS Train A Multiplexer Test Switch responses observed on June 8, 2009, the switch could potentially fail to return to the Normal position during performance of the above identified quarterly TS Surveillance Requirement tests. Failure of the Multiplexer Test Switch could prevent completion of the Surveillance Requirement tests and would result in abnormal main control board indicator and alarm conditions. Therefore, I&M would commence replacement of the Train A Multiplexer Test Switch immediately upon discovery of such a failure. Replacement and retest of the Train A Multiplexer Test Switch would require that the Input Error Inhibit Switch remain in the Inhibit position. The Notes in the Required Actions for TS 3.3.1 Condition J and TS 3.3.2 Condition C allow one train to be bypassed for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing. Therefore, the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of TS 3.3.1 Condition J and TS 3.3.2 Condition C would commence when the surveillance testing was halted upon discovery of the failed Multiplexer Test Switch. As shown in the following table, there is little margin between the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time of TS 3.3.1 Condition J and TS 3.3.2 Condition C, and the estimated time to replace and retest a failed Unit 2 SSPS Train A Multiplexer Test Switch.

Estimated Time to Replace and Retest a Failed SSPS Train A Multiplexer Test Switch Replacement of Multiplexer Test Switch. The Multiplexer Test Switch is a rotary switch with four sets of contacts resulting in eight soldered leads. The estimated 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> time is based on recent performance of a Multiplexer Test Switch replacement on Unit 1, which is currently in Mode 5.

Post installation test of a Multiplexer Test Switch. The estimated time is based 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> on past performance of the applicable TS Surveillance Requirements.

Total 3.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> The small margin between the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time required by TS 3.3.1 Condition J and TS 3.3.2 Condition C, and the estimated time to replace and retest a failed Unit 2 SSPS Train A to AEP-NRC-2009-45 Page 8 Multiplexer Test Switch may be inadequate to address unforeseeable problems that could occur during these activities. Therefore, I&M is requesting a one-time 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> extension of the TS 3.3.1 Condition J and TS 3.3.2 Condition C Completion Times to preclude a unit shutdown if such problems are encountered.

4.0 TECHNICAL ANALYSIS

4.1 Multiplexer Test Switch Reliability There are four installed SSPS Multiplexer Test Switches at CNP; one in each train for Unit 1 and Unit 2. A review of records has identified only one previous failure of an installed SSPS Multiplexer Test Switch at CNP (in 1997), indicating a high degree of reliability. To assure proper functioning, the replacement switch will undergo pre-installation checks that include verification of proper operation, continuity verification, and prewiring in accordance with Nuclear Steam Supplier drawings. The removed switch will be examined to determine, if possible, the nature and cause of the degradation.

4.2 RTS, ESFAS, and ESF Train B Automatic Capability and Reliability As required by TS, Train B of the RTS, ESFAS, and ESF will be fully operable and capable of performing their protective and/or mitigative functions during the period of Train A inoperability, thereby maintaining the consequences of analyzed accidents within the established limits. The CNP 10 CFR 50.65 (Maintenance Rule) Program monitors systems that are included in the SSPS and ESF. Both trains of these systems have been determined to meet the requirements of 10 CFR 50.65(a)(2). This demonstrates that the performance of these systems has been effectively controlled through the performance of appropriate preventive maintenance, such that system remains capable of performing its intended function.

Additionally, Mitigating Systems Performance Indicators for both trains of important Unit 2 ESF systems (Emergency Core Cooling System, Residual Heat Removal System, Essential Service Water (ESW) System, Component Cooling Water (CCW) System, and Auxiliary Feedwater System) have been in the highest performance category (green) for at the last 12 quarters or more.

4.3 ESF Train A Manual Capability The procedure for Surveillance Requirement testing of the affected functions instructs Operations personnel that ESF Train A pumps and valves would have to be operated with their associated control switches if an ESF actuation is required.

4.4 Risk Analysis The proposed TS Completion Time extension has been evaluated using a risk-informed approach as described in Regulatory Guide (RG) 1.177 (Reference 1). RG 1.177 describes methods acceptable to the NRC for assessing the nature and impact of proposed TS changes by considering engineering issues and applying risk insight, and provides guidance specifically for risk-informed TS changes (such as Completion Time extensions) consistent with, but more detailed than, the generally applicable guidance given in RG 1.174 (Reference 2). However, the to AEP-NRC-2009-45 Page 9 evaluations and conclusions described here are also consistent with the guidance of RG 1.174.

The three-tier risk assessment methodology of RG 1.177 and the external events assessment are discussed below.

4.4.1 Tier 1: Probabilistic Risk Assessment (PRA) Capability and Insights As stated in RG 1.177, Tier 1 is an evaluation of the impact of the proposed TS change on the core damage frequency (CDF), incremental conditional core damage probability (ICCDP), and, when appropriate, large early release frequency (LERF), and incremental conditional large early release probability (ICLERP) considering PRA validity, and PRA insights and findings.

Assumptions The following assumptions were made regarding plant conditions and specific equipment operation/Alignment:

" With CNP Unit 1 currently in an outage, one Unit 1 centrifugal charging pump (CCP) is administratively tagged out of service for low-temperature-over-pressure requirements. This CCP was considered unavailable in the assessment. Also, insufficient auxiliary steam exists to maintain condenser vacuum to support long term (more than in the "immediate" short term post-trip time frame) contingency operation of the Unit 2 Main Feed Pumps (MFPs) if required due to loss of all AFW following a Unit 2 trip. Thus, the Unit 2 Main Feed Pumps were also considered unavailable. Assumption of these conditions (Unit 1 CCP and Unit 2 MFPs unavailable) is conservative since the conditions will no longer apply when Unit 1 is returned to operation. The current CNP PRA model does not rely on condenser steam dumps for post-trip heat removal.

" It was assumed that the Unit 2 Train B (West) ESW pump, CCW pump, and CCP are in operation, although operation of the Train A (East) pumps reduces risk by approximately 1/3 as compared to the risk if the Train B pumps are operating. The ESW header cross-tie valves were assumed to be open for the duration of the event.

  • The PRA impact was evaluated using a 1E-09 truncation limit in the current CNP Safety Monitor PRA model.
  • The Unit 2 Train A Multiplexer Test Switch replacement has no potential for causing any flooding, seismic, or fire initiated event in Unit 2.
  • The Unit 2 Train A SSPS actuation logic was assumed to be wholly failed, e.g., no auto-actuations will occur and no credit is assumed for manual action to initiate SSPS functions.
  • A 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> extension of the existing TS Completion Time is allowed before the Unit 2 Train A SSPS Automatic Actuation logic is restored.

PRA Modelinq The CNP PRA model is a Level 1 model with associated LERF analysis, linked fault tree model (also called "large fault tree"). This type of analysis uses small event trees and large fault trees to develop core damage sequences and model the interaction of components within the systems analysis. Selected initiating events are also modeled via fault trees (in place of point estimates). In general, plant equipment is modeled at the component level, with multiple Basic Events representing various failure modes.

to AEP-NRC-2009-45 Page 10 Dependencies are modeled in a variety of ways. Common Cause Failures (CCFs) within a system are modeled using a parametric Multiple Greek Letter method to account for unspecified dependencies. Dependencies between and among systems are modeled via transfers to the supporting systems within the fault trees.

Component availability models include contributions from random failure, as well as test and maintenance (T&M) unavailability. CCFs are included where appropriate. Failure rates for the SSPS equipment were derived from the V.C. Summer SSPS. Comparisons of the Summer and CNP SSPS protection schemes have determined that Summer's models provide conservative failure rate values in comparison to the CNP protection scheme. The CNP PRA includes no provision for manual actuation of SSPS function as backup to failure of the automatic logic and actuation channels.

PRA metrics for the proposed TS Completion Time extension change were developed using the Safety Monitor software and associated CNP PRA model derived from the CNP average PRA model in a zero T&M configuration.

To ensure that the results obtained by the analysis were conservative and were not dominated by modeling assumptions, the PRA model did not credit the following:

  • No credit was taken for any contingency actions associated with having an additional operator in the control room, to monitor plant condition and assist in SSPS actuation as needed to augment the normal crew complement.
  • No credit was taken for guarding the Train B SSPS actuation trains and associated ESF equipment.
  • No credit was taken for review of the Train B ESF equipment to confirm equipment reliability.
  • All calculations (ICCDP, ICLERP, Delta CDF, Delta LERF) were performed using zero T&M rather than an average model since this is a request for a "one-time" TS Completion Time extension for on-line maintenance.

Model Alterations No CNP PRA modifications were made to evaluate this request beyond setting the failure rates for all SSPS Train A actuation relays and Train A ESF features pumps failure-to-start to "1 indicative of complete failure of the Train A SSPS train automatic actuation function. These modifications allowed I&M to evaluate the risk associated with the proposed SSPS TS Completion Time extension. The function of the CNP anticipated-transient-without-scram (ATWS) mitigation circuitry to trip the turbine and initiate auxiliary feedwater on low feedwater flow for a given power level occurs outside of the SSPS sensing logic and actuation channel function and is unaffected by the unavailability of the SSPS Train A logic and actuation relays.

However, in the CNP PRA model, this actuation shares Basic Events with the SSPS actuation logic. Thus, the Train A portion of the ATWS mitigation input is conservatively assumed to fail.

to AEP-NRC-2009-45 Page 11 Human Reliability No Human Reliability Analysis changes were made to support this one-time SSPS TS Completion Time extension.

Common Cause No changes to common cause factors were made associated with this TS Completion Time extension request.

Initiating Events The act of replacing the Train A SSPS Multiplexer Test Switch is incapable of causing all PRA initiating events except a reactor trip with heat removal available (TRA) and a reactor trip without heat removal available (TRS). Consideration has been given that there may be an elevated potential for a reactor trip due to personnel working within a protection channel; accordingly a standard environmental and test factor has been applied that effectively increases these two initiating event frequencies. This factor is being applied for this work situation even though actions are being taken to avoid unwarranted trips or actuations, i.e., closing the Train A reactor trip breaker bypass breaker (which is controlled' by the Train B SSPS that will remain functional), removing the Train A 120V SSPS relay bay actuation power to eliminate unwarranted actuation errors, and personnel practicing replacement of the same switch in the Unit 1 SSPS system prior to performing the work on Unit 2 so as to validate the expected work, interferences, and duration.

There are no specific external event risks (seismic, fire, or flood) that are related to the Unit 2 Train A SSPS Multiplexer Test Switch manual operation that has led to this request for a one-time TS Completion Time extension.

By prohibiting welding, burning, or grinding activities except as needed for Unit 1 main turbine recovery project work, I&M has attempted to remove fire as a potential external risk.

By prohibiting other significant Unit 2 plant work, the contribution of maintenance activity to flooding is reduced as much as possible. Switch replacement itself has no impact on flooding probability.

Seismic events are of extremely low probability and switch replacement has no impact on seismic capability of any other related plant equipment.

Results The results shown in the following table were generated using the CNP Safety Monitor PRA model based on the assumptions outlined in the previous section.

Enclosure 2 to AEP-NRC-2009-45 Page 12

SUMMARY

OF PRA RESULTS Scenario = Zero T&M CDF LERF Delta CDF Delta LERF ICCDP ICLERP Current Base Case 3 1.14E-05 2.38E-06 ,,

Train A SSPS Unavailable (relay failure rate = 1)1 7.48E-04 2.98E-05 7.73E-04 2.74E-05 5.29E-07 1.88E-08 Train A SSPS Failure Rate = 0.51'2 1.72E-04 1.23E-05 1.61 E-04 9.92E-06 1.10E-07 6.80E-09 Train A SSPS Failure Rate = 0.112 2.44E-05 3.87E-06 1.30E-05 1.49E-06 8.91E-09 1.02E-09 Train A SSPS Failure Rate = 0.011,2 1.37E-05 2.63E-06 2.30E-06 2.50E-07 1.58E-09 1.71E-10 Train A SSPS Failure Rate = 0.0011,2 1.30E-05 2.55E-06 1.60E-06 1.70E-07 1.10E-09 1.16E-10 Train A SSPS Unavailable (relay failure rate =1) and Unit 2 Train A ESW, CCW, and CCP aligned 2.86E-04 1.33E-05 2.85E-04 1.09E-05 1.88E-07 7.48E-09 as "running" pumps.

Footnotes:

1. The Train B ESW, CCW, and CCP aligned as running pumps in these analyses.
2. These varying failure rates demonstrate sensitivity to various assumed manual recovery action to manually start or align Train A equipment.
3. This is the true Zero T&M base case CDF and LERF. The Delta-CDF/LERF values for switch replacement include consideration that a Unit 1 CCP and the Unit 2 Main Feed Pumps are unavailable for the work configuration not as a result of, or related to the switch work, but due to other existing conditions. They are not included in the "Current Base Case" CDF/LERF values, thereby providing a conservative estimate of Delta-CDF/LERF. The CCP and Main Feed Pumps do not contribute significantly to the CDF and LERF over the base case values shown in this table.

An annualized CDF as a result of this one-time change is determined by the following relation:

CDFNEW = CDFOLD (8754hrs/8760hrs/yr) + CDFNEW(6hrs/8760hrs/yr)

A new, annualized, LERF would be similarly determined. This results in "new" CDF and LERF values of 1.19E-05/yr and 2.40E-06/yr, respectively. Thus, changes in annual CDF would be 5E-07/yr, and LERF would be approximately 2E-08/yr, well within the Region III Acceptance Guidelines for permanent changes indicated in Figures 3 and 4 of RG 1.174.

to AEP-NRC-2009-45 Page 13 These risk metrics associated with the Multiplexer Test Switch Replacement satisfy RG 1.174 limits for permanent plant changes by maintaining the risk associated with this one-time change well within the Region III Acceptance Guidelines shown in Figures 3 and 4 of the RG.

Additionally, these risk estimates contain significant conservatisms since the following major risk reduction characteristics were not credited in the underlying risk assessment analysis:

" No credit was taken for any contingency actions associated with this TS Completion Time extension, including no credit for a reduced probability of loss-of-offsite power (LOSP) because of prohibiting work in the switchyard and the Unit 2, Train B, ESF equipment and electrical supply buses.

  • No consideration has been given to the potential for operators to manually actuate equipment, as required, in place of the automatic actuations. It is reasonable to expect that operators would manually operate equipment since the Emergency Operating Procedures specifically require operators to determine if the proper equipment is operating and provide direction to start the equipment if it is not operating. Additionally, simulator training and qualification scenarios often include failed trains or components. These scenarios have been emphasizing failure of one or both RTS trains to initiate a reactor trip for various reasons, including relay/logic failures to trip breaker equipment failures. Although the Train A SSPS automatic actuation would be inoperable during replacement of the Multiplexer Test Switch, operators would be able to manually start or reposition individual ESF equipment via the component control switches in the control room. Sensitivity for this manual recovery was evaluated in Safety Monitor by estimating that the automatic actuation failure rate was set at intermediate values as indicated in the preceding table.

" No credit was taken for bypassing the Train A Reactor Trip Breaker such that either Train B RTS actuated break~er (the Train B Reactor Trip Breaker, or the Train A Reactor Trip Bypass Breaker) would be capable of initiating a reactor trip. Maintaining the Train A Reactor Trip Bypass Breaker closed also significantly reduces the likelihood of inadvertent trips that may result during replacement of the Train A Multiplexer Test Switch as a result of process or human errors. However, the analysis conservatively assumed higher frequency for TRS and TRA during the switch replacement in comparison to the baseline case.

  • No credit was taken in the risk analysis for the recent replacement of a SSPS Multiplexer Test Switch in the currently shutdown Unit 1, as a means to estimate an appropriate Completion Time.

Conclusion The risk analysis for the proposed one-time 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> extension of the TS Completion Time to restore Unit 2 Train A SSPS to operability demonstrates that the conservatively estimated increase in plant risk is within the permanent change guidelines of RG 1.174 for Delta CDF and Delta LERF, within the RG 1.177 permanent change guideline for ICLERP and very close to the RG 1.177 permanent change guideline for ICCDP.

4.4.2 Tier 2: Avoidance of Risk-Siqnificant Plant Confiqurations As stated in RG 1.177, Tier 2 is an identification of potentially high-risk configurations that could exist if equipment in addition to that associated with the change were to be taken out of service to AEP-NRC-2009-45 Page 14 simultaneously, or other risk significant operational factors such as concurrent system or equipment testing were also involved. The goal of the Tier 2 assessment is to provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS Completion Time extension. Until the currently installed Multiplexer Test Switch is replaced, I&M will perform the compensatory measures listed below for each performance of TS Surveillance Requirements that require placing both the Multiplexer Test Switch and the Input Error Inhibit Switch out of their Normal positions in Unit 2 SSPS Train A.

1. No planned power changes will be permitted.
2. No risk-significant equipment other than that assumed to be inoperable in the risk analysis will be scheduled to be unavailable on either unit.
3. Unless needed to address emergent equipment malfunction or failure, no significant switchyard work or intrusive plant maintenance, surveillance, or functional testing,, will be allowed.
4. Train B ESF equipment condition shall be reviewed to provide a basis for assuring that no Train B ESF equipment failures from previously known conditions may be expected.
5. Weather forecasts will be reviewed to ensure there are no expected conditions that would threaten the stability of the switchyard or the regional transmission network, or result in excessive debris in the ESW system.
6. Welding, burning, or grinding shall be confined to ongoing Unit 1 Main Turbine repairs.

Welding, burning, or grinding will not be permitted in any portion of the Unit 2 power block or the auxiliary building.

7. Alignment of major Unit 2 operating equipment that could introduce undesirable unit transients will not be changed, except in response to emergent equipment conditions or failures that require prompt action. Examples of such equipment are:
  • heater drain pumps,
  • condensate booster pumps,
  • hotwell pumps,
  • CCW pumps, and,
  • feedwater heater drain paths However, activities to maintain steady state power operation that are not considered as potential transient initiators, such as boration, dilution, or make-up plant operations, etc.,

may be performed.

8. Once started, the Unit 2 Train A SSPS Multiplexer Test Switch replacement work is to proceed without unnecessary interruption, to an identified plan and schedule.

to AEP-NRC-2009-45 Page 15

9. The CCW pumps, ESW pumps, Emergency Diesel Generators (EDGs), Supplemental Diesel Generators (SDGs), and switchyards will be designated as guarded equipment.

(The CNP procedural requirements for Guarded Equipment include a tour of the area, prior to posting, to verify that no work is in progress, and posting, to the extent possible, with signs and/or conspicuous tags stating that the equipment or area is guarded and entrance is not allowed without Shift Manager permission.)

10. The Unit 2 Train A Reactor Trip Bypass Breaker, operated by the Unit 2 Train B RTS, will be closed to prevent inadvertent reactor trips from the Train A SSPS.
11. The risk assessment was performed using a limiting assumption that the Unit 2 Train B (West) ESW pump, CCW pump, and CCP are in operation. However, operation of the Train A (East) pumps reduces risk by approximately 60% as compared to the risk if the Train B pumps are operating. Therefore, the Unit 2 Train A ESW pump, CCW pump, and CCP will be in service. All ESW cross-tie valves will be open.
12. The TS Surveillance Requirement testing and the Multiplexer Test Switch replacement will be treated as a High Risk Activity. (The CNP, procedural requirements for High Risk Activities include assignment. of a Management Sponsor, a review for just-in-time training, a detailed review of planning, identification of potential human performance errors, hands-on parts validation, review of work sequence and schedule ties and durations, verification of qualifications, and evaluation and development of contingencies.)
13. The TS Surveillance Requirement testing and the Multiplexer Test Switch replacement will be treated as an Infrequently Performed Test or Evolution. (The CNP procedural requirements for Infrequently Performed Test or Evolutions include performance of a briefing in accordance with a written evolution-specific briefing guide, assignment of a Management Oversight Designee who is present during the conduct of the evolution, and participation in the briefings by a licensed Senior Reactor Operator from the Operations Department.)

4.4.3 Tier 3: Risk-Informed Configuration Management As stated in RG 1.177, Tier 3 is the establishment of an overall configuration risk management program (CRMP) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for. The goal of the Tier 3 portion of the assessment is to ensure that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. The program is intended to provide the ability to identify risk-significant plant equipment outage configurations in a timely manner during normal plant operation.

CNP has a CRMP that has been developed in accordance with 10 CFR 50.65(a)(4). This program is a proceduralized risk-informed assessment process to manage the risk associated with planned and unplanned plant maintenance activities. The procedure governing the to AEP-NRC-2009-45 Page 16 program requires an integrated (i.e., both quantitative and qualitative) review of maintenance activities to identify risk-significant plant equipment outage configurations. This review is required both during the work management process and for emergent conditions during normal plant operation. Appropriate consideration is given to equipment unavailability, operational activities such as testing, and weather conditions. The procedure includes provisions for performing a configuration-dependent assessment of the overall impact on risk of proposed plant configurations prior to, and during, the performance of maintenance activities that remove equipment from service. This includes consideration of appropriate defense-in-depth aspects associated with the activities.

A quantitative risk assessment is performed to ensure that the activity does not pose an unacceptable risk. For Modes 1-3, this assessment is performed using the Safety Monitor model, which is based on the CNP Level 2 PRA model. The Safety Monitor software is used to assess the impact on CDF and LERF for both scheduled maintenance activities and actual plant conditions. The results are used to support managing the risk associated with planned and unplanned plant maintenance activities. Risk assessment results are classified using a color code based on the increased risk of the activity. These color code classifications are described in the following table:

Color Risk Level/Status Green Normal Risk - The risk level is acceptable. No contingency planning is required.

(ICCDP < 1.0E-06 and ICLERP < 1.OE-07)

Yellow Elevated Risk - The risk to nuclear safety or likelihood of plant transient/trip is increased. At the discretion of the Operations Shift Manager, contingency actions may be specified.

(1.0E-06 < ICCDP < 1.OE-05 and 1.OE-07 < ICLERP <1.OE-06)

Red High Risk - The risk level is unacceptable without further review and approval.

The proposed schedule must be evaluated to determine if the plant configuration can be revised to reduce or eliminate risk.

(ICCDP > 1.OE-05 or ICLERP > 1.OE-06 or CDF > 1.OE-03 or LERF > 1.OE-04)

In addition, a risk assessment is performed for both units whenever the following systems/components, with cross-unit PRA impact (as applicable), become unavailable:

  • Plant air compressors (including backup air compressor)
  • Chemical and Volume Control to AEP-NRC-2009-45 Page 17
  • Alternating current (AC) and direct current (DC) electrical distribution systems, and EDGs and SDGs (as support systems for the above systems/components)

Proceduralized risk management actions restrict elective risk-significant plant equipment outage configurations compliant with the following comprehensive philosophy:

" Weather conditions are evaluated prior to starting significant maintenance activities.

" The condition of the offsite power sources and switchyard are assessed prior to starting significant maintenance activities that could potentially have an effect on offsite or onsite electric power.

  • Restrictions are imposed on switchyard maintenance.,i
  • Restrictions are imposed on elective maintenance activities on redundant components.
  • Restrictions are imposed on elective maintenance activities on components identified as risk-significant given the specific maintenance activity! and the current plant configuration.
  • Requirements for pre-job briefs are specified.
  • Risk is re-assessed if an equipment failure or malfunction, or emergent condition produces a plant configuration that has not been previously assessed.

For the proposed one-time TS Completion Time extension, the work will be controlled as noted in Section 4.4.2. Since the TS Completion Time extension will be used only one time, under special conditions, it will not introduce risk-significant' conditions during subsequent plant operation as would a permanent TS Completion Time extension.

4.4.4 PRA Quality Summary I&M's original 1992 Level 3 internal events PRA, a seismic PRA was revised in 1995. Additional PRA model updates to address plant modifications and to update data were completed in 1996 and 1997. The PRA was updated in 2001 and 2003, resulting in a number of significant changes to the internal events PRA model, which are applicable to both the average and the instantaneous versions. In September 2001, the updated PRA model received a certification review in accordance with the Westinghouse Owner's Group (WOG) certification process. The significance level A and B facts and observations from that review have been resolved in the average model. In 2004, an independent contractor performed a gap assessment of the updated model compared to RG 1.200 Revision 0. The gap assessment determined that the PRA was of sufficient quality and scope to be used to support regulatory activities. Revision of component operating data for a limited number of components was completed in 2009 for the average version of the model.

In 2009, Westinghouse LLC (Westinghouse) performed; a focused scope peer review of the most recently updated elements of the CNP average internal events PRA model to determine compliance with RG 1.200, Revision 1 and ASME PRA Standard RA-Sb-2005. Westinghouse identified five level C findings and five suggestions. Although changes to the average PRA model have not yet been incorporated into the Safety Monitor version of the PRA model used for the proposed TS Completion Time extension, I&M has reviewed these C findings, as well as the differences between the average and instantaneous PRA models, and determined that they to AEP-NRC-2009-45 Page 18 do not impact the risk analysis performed for the proposed TS Completion Time extension. I&M maintains a plant procedure that establishes the quality-assurance requirements for updating the PRA model, such that its representation of the as-built, as-operated plant is sufficient to support the regulatory applications.

Details In 1992, I&M submitted responses, including a Level 3 internal events PRA, a seismic PRA, and a fire PRA to fulfill the requirements of NRC Generic Letter 88-20 (Reference 3). In 1995, I&M submitted extensive revisions to the human reliability analysis (HRA), seismic, and fire models.

Additional PRA model updates to address plant modifications and to update data were completed in 1996 and 1997. In June 2001, I&M completed a project to update and improve the PRA. The overall purpose of this project was to enhance the use of the PRA model to support compliance with 10 CFR 50.65(a)(4) for managing risk during maintenance activities, and to support the new risk-informed, performance-based regulatory environment. This project included:

" Updating the PRA model to include new plant-specific data, making necessary model changes because of procedure and/or design changes, updating the treatment of common cause failures and removing unnecessary or unwarranted conservatisms and simplifications.

" Adding a LERF model to the PRA model.

  • Developing a separate Unit 2 model.
  • Developing a shutdown risk model that could be used to support assessment and management of shutdown risk.
  • Converting the PRA model for use with the WinNUPRA software. This is the "average" PRA model because it uses average T&M unavailability data values that assume normally running equipment operates 50% of the time.
  • Creating an on-line risk version of the average PRA model for use with the Safety Monitor software. This is the "instantaneous" PRA model because the operating alignment and equipment out-of-service are specified by the user.

In September 2001, the updated PRA model received a certification review in accordance with the Westinghouse Owner's Group (WOG) certification process. This review led to a number of Facts and Observations (F&Os), including three "A" Level significance F&Os and 24 "B" Level significance F&Os. At that time, the WOG certification process assigned "A" Level significance to F&Os that were considered extremely important and necessary to assure the technical adequacy or quality of the PRA model, while "B" Level significance was assigned to F&Os that are considered important and necessary to address, but were deferrable until the next PRA model update.

Following receipt of the draft WOG certification report, I&M undertook a model update that addressed all of the "A" and "B" Level F&Os, with the exception of an "A" Level F&O that concerned internal flooding. A detailed PRA flooding study has subsequently been completed and flooding has been incorporated into the CNP average PRA model, and accounts for approximately 1% of CDF and a much smaller portion of LERF. The flooding model has not yet been incorporated in the Safety Monitor PRA derived model used for on-line risk determination.

The goal of the initial F&O update was to assure that the F&Os were addressed sufficiently to to AEP-NRC-2009-45 Page 19 meet the criteria identified for American Society of Mechanical Engineers (ASME) Quality Category 2 (Reference 4). Implementation of the initial Peer Review F&O changes to the PRA notebooks was completed in October 2003. Quantification of the revisions was completed in April 2004. At that time, I&M had the F&O resolutions reviewed and validated as satisfactory by an independent contractor. The independent contractor also performed a gap assessment of the updated model compared to RG 1.200, Revision 0 (Reference 5). The gap assessment determined that the PRA was of sufficient quality and scope to be used to support 10 CFR 50.65(a)(4) On-line Risk Assessment, and regulatory activities such as Notices of Enforcement Discretion, the Significance Determination Process, and risk-informed submittals to the NRC.

The gap assessment concluded that the PRA was sufficiently documented to warrant an overall Capability Category of II.

The 2001 and 2003 PRA model updates resulted in a number of significant changes to the internal events PRA model, which are applicable to both the average and the instantaneous versions. The following areas were addressed during the 2001 and 2003 updates:

  • Event Trees

" Reliability Data

  • LERF Model These updates, as well as updates subsequent to 2003, further improved the quality of the PRA model as summarized below.

Update of Initiating Events Fifteen internal initiating event categories were evaluated in the PRA model. To provide sufficient resolution for plant maintenance risk evaluations, it was necessary to subdivide a number of the initiating event categories (large and medium loss of coolant accidents (LOCAs),

steam generator tube ruptures, and steam line breaks) into the individual contributions from each RCS loop. Four separate initiating events were then evaluated for each of these categories. Similarly, the analysis of a loss of a single DC power train was performed for each train separately.

LOSP was divided into LOSP to a single unit and loss to both units (dual unit LOSP). Similarly, the loss of ESW was split to consider the loss of a single unit's ESW separately from a total (dual unit) loss of ESW.

The frequencies of the initiating events were reassessed based on updated plant-specific data and new generic data. In addition, a number of the frequencies were obtained from models built into the overall PRA either as transfers from other initiators or as detailed system models. This included consequential medium and small break LOCAs resulting from a power operated relief valve or safety relief valve (SRV) failing to re-close, station blackouts, ATWS events and the special initiators, which are loss of ESW, loss of CCW, and loss of 250 V DC power.

to AEP-NRC-2009-45 Page 20 In response to F&Os, the transient initiating event groupings were reassessed resulting in a reevaluation of the frequency of the transient with the steam conversion system available and the transient with the steam conversion system not available. In addition, the interfacing system LOCA frequencies were revised based on industry references to include excessive valve leakage as well as ruptures.

Update of Event Trees In initial PRA model development, event trees were developed for each initiating event. To properly separate failure of injection into the RCS from failure to remove heat from the containment, and to provide a model which would allow analysis of maintenance activities that would disable the heat removal function but not the injection function, the heat removal functions were removed from the containment spray and high and low pressure recirculation functions and combined in a new long-term cooling function as part of the 2001 and 2003 updates.

A new "No Large Early Release" branch was added to all sequences where the probability of a LERF was different from zero or unity. Branches and transfers were added for consequential events and for special initiators. This was done to provide an integrated model of all events and to avoid double counting of failures of support systems during the mission time following a transient initiator.

An event tree, similar to the medium LOCA event tree with success in bleed and feed, was prepared for the consequential medium LOCA due to a stuck open SRV. This was necessary because the initiating event does not fail an injection path (as it does for a pipe break in a loop) and the amount of coolant loss is equivalent to the bleed flow from bleed and feed.

Consequently, high pressure injection essentially initiates bleed and feed.

Essentially, duplicate event trees were added to provide sufficient resolution for configuration risk management as follows:

  • Large and medium LOCAs, steam generator tube rupture, and steam line break were divided into four loop-specific event trees;

" LOSP was divided into two event trees to distinguish single-unit and dual-unit initiators;

  • Loss of ESW was split into two event trees to distinguish single-unit and dual-unit initiators;
  • Loss of a 250 volt DC train was divided into two event trees to distinguish train-specific effects; and

As a result of F&O resolutions, a number of new event trees were required. New event trees were developed to explicitly consider transfer from one event tree to another given failure of a support system. New event trees were developed for ATWS, medium LOCA caused by a stuck open pressurizer safety valve, small LOCA caused by a stuck open pressurizer relief valve, loss of ESW to both units' CCW System, loss of ESW to a single unit's CCW System, and loss of CCW. In addition, new event trees were developed to explicitly model the unique aspects of the four different interfacing system LOCA initiators.

to AEP-NRC-2009-45 Page 21 Event trees were subsequently updated to include capability for success in preventing core damage under some limited conditions by employing a single SDG rather both SDGs operating in tandem. The current Safety Monitor model has not been updated to include single SDG capability, which further serves to reduce CDF and LERF, since it represents increased flexibility to deal with specific LOSP events.

Update of Reliability Data As part of the 2001/2003 updates, component failure data was updated with CNP failure data for the time period from January 1, 1993, through December 31, 1999, including CCF data for all components. The scope of the data collection effort was determined by using a critical components list. The following critical component types were identified:

  • Turbine and Motor Driven Pumps
  • Motor Operated Valves
  • Air Operated Valves
  • Fans
  • Strainers Operating, demand, and failure data for these components was obtained from surveillance test procedures, control room logs, and diesel generator run logs and entered into a database. This information was combined with previously-collected CNP data and used to perform a Bayesian update of generic priors to generate a plant-specific failure rate or probability. Other failure data was taken from generic industry sources.

Revision of component operating data for a limited number of components was completed in 2009 for the WinNUPRA version of the model for the following components:

  • Safety Injection pumps

" CCW Pumps

  • ESW Pumps This update used plant-specific information from May 2003 through December 2007, Bayesian updated with generic data from NUREG/CR-6928 (Reference 6). These updated parameters have not yet been incorporated into the current Safety Monitor model used for this TS Completion Time extension request. However, evaluation of the overall CDF and LERF metrics for the Train A SSPS disabled condition (with Train A pumps fail-to-start and related SSPS Basic Events set to "1") using updated values for the above components for this extension application indicated an 8% reduction in CDF and 27% reduction in LERF. Baseline CDF was to AEP-NRC-2009-45 Page 22 reduced less than 0.9%, and baseline LERF 2%, thus, the Delta CDF and Delta LERF values for the configuration would be smaller considering the updated values.

Update of HRA As stated above, extensive revisions to the initial Individual Plant Examination (IPE) HRA analyses were submitted in 1995. For the June 2001 update, the human error probabilities evaluated were limited to those which were affected by changes in procedures or were new to the updated model. The principal re-evaluation involved the revised procedure for switching to cold leg recirculation. This affected the human errors associated with low and high pressure emergency core cooling system recirculation and containment spray recirculation. The revised procedure for a loss of CCW was also used to update the associated human error probabilities.

Following the changes in the event trees and system models, new human interactions were systematically identified and integrated into the existing quantification process. Following quantification, a review of cut-sets containing multiple human errors was conducted to ensure dependencies between operator actions were appropriately treated.

As a result of the resolution of F&Os, pre-initiator miscalibration human errors and human interactions for several sequences were updated. These were updated in sequences for low pressure recirculation for small and medium LOCAs and loss of ESW and CCW, reactor coolant pump trip following a loss of CCW or ESW, and RCS depressurization for small and medium LOCAs.

Three HRA values have been updated for use in the average model since the 2003 update.

These changes have not yet been made to the Safety Monitor HRA values. These HRA changes tend to reduce the contribution of steam generator tube rupture sequences and main steam line break sequences.

LERF Analysis The LERF model, added in the June 2001 update, was created based on the guidance set forth in NUREG/CR-6595 (Reference 7), which presents a simplified containment event tree for an ice condenser containment specifically created to address LERF calculation.

The event tree models included essentially all the functions needed to determine the relevant plant damage state and the conditional probability of a large early release. The conditional probability was determined for each damage state from the above referenced model. To fully integrate the determination of LERF within the PRA model, a LERF branch was added to most of the core damage event trees and each core damage sequence was designated as either a large early release or a no large early release sequence.

As a result of resolving an F&O, failure of containment isolation was explicitly included as a contributor to LERF via an external transfer in the fault tree.

There have been no significant changes in the Safety Monitor LERF model beyond the 2003 update.

to AEP-NRC-2009-45 Page 23 RG 1.200, Revision 1 Considerations In 2009, Westinghouse LLC (Westinghouse) performed a focused scope peer review of the most recently updated elements of the CNP average internal Events PRA model to determine compliance with RG 1.200, Revision 1 (Reference 8), and ASME PRA Standard RA-Sb-2005.

The review considered several model elements that have had changes incorporated into the average PRA model since the 2004 gap assessment. The results are documented in a Westinghouse report, currently in draft, dated April 2009. The Westinghouse report identified five findings and five suggestions. The five findings are assigned a "C"level of significance, i.e.,

"Recommended, and considered desirable to maintain maximum flexibility in PRA applications and consistency in the industry, but not likely to significantly affect results or conclusions."

Although changes to the average PRA model have not yet been incorporated into the Safety Monitor version of the PRA model, I&M has reviewed these five significance level C findings, as well as the differences between the average and instantaneous PRA models, and determined that they do not impact the risk analysis performed for the proposed TS Completion Time extension.

4.4.5 External Events Risk Assessment External event contributions to CDF and LERF are not included in the CNP Safety Monitor internal events PRA model used in this analysis of a TS Completion Time extension request.

External event CDF contributions for initiating events associated with internal fires, and seismic events were evaluated in the CNP Individual Plant Examination for External Events (IPEEE) analysis performed in response to Generic Letter 88-20, Supplement 4 (Reference 9). Level 2 and LERF evaluations were not performed as part of the IPEEE submittals. However, assuming that external event-initiated core damage sequences progress to LERF sequences with the same relative likelihood as do similar internal event-initiated core damage sequences allows estimation of external event-initiated LERF.

An update of the internal flooding analysis has determined that internal flooding contributes about 1% to CDF, with an insignificant contribution to LERF. Assuming that flooding contributes a value of 1.2% of baseline CDF, and using the current Safety Monitor baseline CDF, then flood would contribute about 1.37E-07 to CDF and not contribute at all to LERF.

The CDF and estimated LERF contributions from external events are summarized as follows:

External Event CDF LERF Fire 3.76E-06 1.50E-07 Seismic 3.17E-06 9.82E-07 Flooding 1.37E-07 0 Total 7.07E-06 1.13E-06 Other external event studies included in the PRA (but not part of the PRA Safety Monitor or WinNUPRA model) that are not affected by the proposed TS Completion Time extension are:

to AEP-NRC-2009-45 Page 24

  • External Flooding

" Aircraft Accidents

" Severe Winds (strong winds and tornados)

  • Ship Impact Accidents
  • Off-Site Hazardous Material Accidents
  • On-Site Hazardous Material Accidents

" External Fires (LOSP scenarios are included in the LOSP initiating event frequency)

The effect of the proposed TS Completion Time extension on the IPEEE analysis for seismic events, fire events, and flooding events is discussed below. The CNP IPE analysis performed in response to Generic Letter 88-20 specifically modeled Unit 1 as the representative unit due to the similarity in design between Unit 1 and Unit 2. The Unit 1 analysis is considered to be representative of both units. Accordingly, special consideration was given to dual unit issues (i.e., dual unit dependencies were considered and evaluated as appropriate). The fire and seismic external events IPEEE analyses used the IPE analysis as a foundation, specifically modeling Unit 1 as the representative unit with special consideration given to dual unit issues.

Therefore, the Unit 1 external event results discussed below are considered to be representative of both units.

Seismic In 1992, I&M submitted a probabilistic seismic analysis as part of the IPEEE. Following NRC review, the seismic IPEEE was updated in 1995 to resolve concerns with the methods and data used for seismic fragility calculations in the 1992 analysis. The 1995 seismic analysis is the current model of record.

The seismic analysis found the following components to be the dominant contributors to the seismic core damage frequency. The dominant components, in order of contribution are:

  • Auxiliary Building
  • 4 kV/600V Transformer OT-1 1 (influenced by proximity to block wall)
  • Fuel oil day tank for EDGs (influenced by proximity to block wall)
  • TDAFP (random failure) 9 250 volt DC battery racks
  • 250 volt DC battery charger
  • Miscellaneous motor control centers and reactor protection system racks 0 Miscellaneous ice condenser components The system for which I&M is requesting a one-time TS Completion Time extension (SSPS logic and automatic actuation disabled) is not on the list of dominant components and would not affect the seismic failure mode (gross structural failure that disables components). Thus, there is no significant impact from the requested TS Completion Time extension due to seismic concerns.

In summary, the SSPS plays no role in system failures due to seismic events. Therefore, the Train B SSPS equipment seismic response would not be affected by the SSPS Train A work to AEP-NRC-2009-45 Page 25 and could react to mitigate consequential events following seismic events. The SSPS Train A equipment left functional could also be manually actuated. The requested TS Completion Time extension for this system is not expected to have any significant impact on the seismic core damage frequency.

Fire The effects of the proposed TS Completion Time extension for the Train A SSPS Multiplexer Test Switch replacement on the results of the CNP IPEEE fire analysis have been qualitatively evaluated for this license amendment request. The current revision of the IPEEE fire analysis was updated in 1995 to address concerns raised by the NRC during its review of I&M's submittal in response to Generic Letter 88-20, Supplement 4. Fires in the control room dominate the CDF for internal fire events with a contribution of 1.81 E-06/yr.

The work to replace the Multiplexer Test Switch involves soldering eight wires, with requisite industrial safety precautions for personnel and fire such as draping areas in SSPS Train A.

SSPS Train A is a low voltage (120VAC, 48VDC, 15VDC) cabinet in the control room. This cabinet, and the specific work, is well separated from those control room cabinets and controls for ESW, CCW, and general AC/offsite power distribution functions, which are the primary failure mechanism in the IPEEE fire analysis. Thus, this work poses no significant risk from a fire initiation perspective.

Flooding Given the nature and location of the SSPS Multiplexer Test Switch replacement activities, the proposed TS Completion Time extension would have no affect on the CDF contribution due to flooding. Thus, the 1 to 1.2% portion of CDF attributable to flooding would not change for this work.

4.4.6 Dominant Risk Contributors The dominant risk contributors were determined from the top 50 CDF cutsets/sequences associated with the plant-specific configuration for the most conservative normal operating equipment alignment and the out-of-service Unit 2 Train A SSPS Logic and Actuation functions.

The 21 highest frequency cutsets are associated with a loss of CCW on Unit 2 and total loss of ESW to both units. Small LOCA initiating event, in the form of lack of an actuation signal in combination with failure of a single Train B ESF component in either the Residual Heat Removal system (which also serves as low pressure injection), or a failure in the Containment Spray System, makes up the remainder of these 50 highest frequency cutsets. These results do not include any allowance for manual action to start Train A equipment as would be expected of operators based on training and procedural guidance.

4.4.7 Conclusion The ICCDP and ICLERP for Unit 2 continuing full power operation with Train A SSPS automatic actuation logic disabled for 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> beyond that currently allowed by TS is well below the value that requires Risk Management Actions per the NUMARC 93-01, Section 11 criteria. In to AEP-NRC-2009-45 Page 26 addition, the ICCDP and ICLERP, in the most conservative equipment alignment, are comparable to the values considered by the NRC to be a small risk. Nevertheless, non-quantifiable risk management actions will be implemented to further reduce the risk involved in replacing the Unit 2 Train A SSPS Multiplexer Test Switch.

5.0, REGULATORY SAFETY ANALYSIS 5.1 No Significant Hazards Consideration Indiana Michigan Power Company (I&M) has evaluated whether a significant hazards consideration is involved with the. proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability of occurrence or consequences of an accident previously evaluated?

Response: No The proposed change consists of a contingent one-time 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> extension of the time that Train A of the Reactor Trip System (RTS) and the Engineered Safety Feature Actuation System (ESFAS) may be inoperable. The extension would be available for replacement and testing of a replaced Multiplexer Test Switch if the currently installed switch fails. The RTS and ESFAS provide only a mitigative function. The RTS and ESFAS are not initiators or precursors of any accident analyzed in Updated Final Safety Analysis Report (UFSAR).

Therefore, the inoperability of one of the two trains of RTS and ESFAS will not significantly increase the probability of an analyzed accident.

The redundant train of RTS and ESFAS, Train B, will be required to be fully operable and capable of performing its mitigative function during the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> time extension. I&M will institute compensatory measures prior to activities involving operation of the Train A Multiplexer Test Switch to assure RTS and ESFAS Train B remains operable and to minimize challenges to RTS and ESFAS Train B. The analyses in the UFSAR have demonstrated that a single train of RTS and ESFAS is fully capable of mitigating the consequences of analyzed accidents such that regulatory dose limits would not be exceeded. Therefore, the consequences of an analyzed accident will not be significantly increased.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No The proposed amendment will not change the design function or operation of the RTS and ESFAS. The RTS and ESFAS will not be operated in any new or different manner. The 6 to AEP-NRC-2009-45 Page 27 hour3.125e-4 days <br />0.0075 hours <br />4.464286e-5 weeks <br />1.02735e-5 months <br /> extension will not create new failure mechanisms, malfunctions, or accident initiators not considered in the current licensing basis.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No The margin of safety involved in the proposed amendment is the time during which only one of two trains of the RTS and ESFAS would be available to mitigate an accident. The existing Technical Specifications (TS) allow 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> in this condition. The proposed amendment would allow a one-time extension of an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Quantitative analyses have demonstrated that the risk resulting from this extension would be within, or very near, the risk levels established by regulatory guidance for a permanent extension of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

Therefore, the proposed change does not involve a significant reduction in the margin of safety.

Based on the above, I&M concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

5.2 Applicable Requlatory Requirements/Criteria/Guidance Regqulations 10 CFR 50.36 regulation requires that the TS include items in five specific categories. These categories include 1) safety limits, limiting safety system settings and limiting control settings, 2) limiting conditions for operation, 3) surveillance requirements, 4) design features, and 5) administrative controls. The proposed amendment will modify two limiting conditions for operation. The modified TS will continue to comply with this regulation.

Desigqn Criteria Donald C. Cook Nuclear Plant (CNP) was designed and constructed prior to final issuance of the General Design Criteria specified in Appendix A to 10 CFR 50. The CNP Plant Specific Design Criteria (PSDC) are described in Section 1.4 of the CNP UFSAR. The PSDC that are relevant to the proposed amendment are identified and restated, in part, below. Conformance to these PSDC is not affected by the proposed amendment because it involves no change in component design, function or use.

to AEP-NRC-2009-45 Page 28 UFSAR Section 1.4.4 Reliability and Testability of Protective Systems (PSDC 19 - PSDC 26)

Protective systems were designed with a degree of functional reliability and in-service testability, which is commensurate with the safety functions to be performed. System design incorporates such features as emergency power availability, preferred failure mode design, redundancy and isolation between control systems and protective systems. In addition, the protective systems were designed such that no single failure would prevent proper system action when required. For design purposes, multiple failures, which result from a single event, were considered single failures.

CRITERION 19 Protection Systems Reliability - Protection systems shall be designed for high functional reliability and in-service testability necessary to avoid undue risk to the health and safety of the public.

CRITERION 20 Protection Systems Redundancy and Independence - Redundancy and independence designed into protection systems: shall be sufficient to assure that no single failure or removal from service of any component or channel of such a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served.

CRITERION 23 Protection Against Multiple Disability For Protection Systems - The effects of adverse conditions, to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of an accident, do not result in loss of the protection function or shall be tolerable on some other basis.

CRITERION 25 Demonstration of Functional Operability Of Protection Systems - Means shall be included for suitable testing of the active components of protection systems while the reactor is in operation to determine if failure or loss of redundancy has occurred.

CRITERION 26 Protection System Failure Analysis Design - The protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g.,

electrical power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced.

Regulatory Guidance Regulatory Guide (RG) 1.174 describes an acceptable method for the licensee and the Nuclear Regulatory Commission (NRC) staff to use in assessing the nature and impact of license basis changes when the licensee chooses to support or is requested by the staff to support the changes with risk information. The RG provides quantitative guidelines for acceptable changes in core damage frequency (CDF) and large early release frequency (LERF) resulting from such changes. As described in Section 4.4.1 above, the changes in CDF and LERF resulting from the proposed amendment are well within these guidelines.

to AEP-NRC-2009-45 Page 29 RG 1.177 describes an acceptable approach for assessing the nature and impact of proposed permanent TS changes in allowed outage times and surveillance test intervals by considering engineering issues and applying risk insights. The RG identifies a three-tiered approach for licensees to evaluate the risk associated with proposed TS allowed outage times changes.

Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in CDF and the incremental conditional core damage probability (ICCDP), and when appropriate, the change in LERF and the incremental conditional large early release probability (ICLERP). Tier 2 is an identification of potentially high-risk configurations that could exist if equipment in addition to that associated with the change were to be taken out of service simultaneously, or other risk-significant operational factors such as concurrent system or equipment testing were also involved. Tier 3 is the establishment of an overall configuration risk management program to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for. As described in Section 4.4.1 above, the ICCDP and the ICLERP resulting from the proposed amendment are within or very near the guidelines for permanent TS changes even though the proposed change is not permanent.

RG 1.200 describes an acceptable approach for determining whether the quality of the Probabilistic Risk Assessment (PRA), in total or the parts that are used to support an application, is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision making for light water-reactors. As described in Section 4.4.4 above, a 2004 gap assessment with respect to RG 1.200, Revision 0, determined that the PRA was of sufficient quality and scope to be used to support 10 50.65(a)(4) On-line Risk Assessment, and regulatory activities such as Notices of Enforcement Discretion, Significance Determination Programs, and risk-informed submittals to the NRC.

As also described in Section 4.4.4, a peer review of the average internal Events PRA model with respect to RG 1.200, Revision 1, was performed in 2009. Although changes to the average PRA model made since 2004 have not yet been incorporated into the Safety Monitor version of the PRA model, I&M has reviewed the five significance level C findings from that peer review, as well as the differences between the average and instantaneous PRA models, and determined that they do not impact the risk analysis performed for the proposed TS Completion Time extension.

6.0 ENVIRONMENTAL CONSIDERATION

S A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that maybe released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(b). Therefore, no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

to AEP-NRC-2009-45 Page 30 7.0 PRECEDENTS As documented in Reference 10, the NRC has previously approved a one-time extension to the time specified in the CNP TS for restoration of an inoperable system to provide a contingency in the event that a specific planned maintenance activity could not be completed within the TS limits.

As documented in References 11 and 12, the NRC has previously approved one-time extensions to the time specified in other licensees TS for restoration of an inoperable system to provide an additional time for a specific planned maintenance activity that could not be completed within the TS limits. Although these extensions were approved as emergency license amendments, this proposed amendment for CNP is not being requested on an emergency or exigent basis.

8.0 REFERENCES

1. RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision - making: Technical Specifications," dated August 1, 1998 (ADAMS Accession No. ML003740176).
2. RG 1.174, "An Approach For Using Probabilistic Risk Assessment In Risk Informed Decisions on Plant-Specific Changes to The Licensing Basis," Revision 1, dated November 1, 2002 (ADAMS Accession No. ML003740133).
3. Generic Letter No. 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54(f)," dated November 23, 1988, (ADAMS Accession No. ML031150465).
4. ASME RA-S-2002, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications," dated April 5, 2002; with Addenda RA-Sa-2003, dated December 5, 2003.
5. RG 1.200 "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 0, dated February 2004.
6. NUREG/CR-6928, "Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants," dated February 2007 (ADAMS Accession No. ML070650650).
7. NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," Revision 1, dated October 2004 (ADAMS Accession No. ML043240040).
8. RG 1.200 "An.Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 1, dated January 2007 (ADAMS Accession No. ML063170035).

to AEP-NRC-2009-45 Page 31

9. Generic Letter No. 88-20, Supplement 4, "Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities - 10CFR 50.54(f)," dated June 28, 1991, (ADAMS Accession No. ML031150485).
10. Letter from J. F. Stang, NRC, to A. C. Bakken, I&M, "Donald C. Cook Nuclear Plant, Units 1 And 2 - Issuance of Amendments (TAC Nos. MB5729 and MB5730)," dated September 9, 2002 (ADAMS Accession No. ML022420039).
11. Letter from J. F. Stang, NRC, to J. R. Morris, Duke Energy Carolinas, LLC, "Catawba Nuclear Station, Unit 1, Issuance of Emergency Amendment Regarding One-Time Extension of the Auxiliary Feedwater System and the Containment Spray System Allowed Outage Time (TAC No. MD9226)," dated July 15, 2008 (ADAMS Accession No. ML081980347).
12. Letter from J. F. Stang; NRC, to Mr. G. R. Peterson, Duke Power Company LLC, "McGuire Nuclear Station, Unit 1 - Issuance of Emergency Amendment Regarding One-Time Extension of Emergency Diesel Generator Allowed Outage Time (TAC No.

MD5724)," dated June 8, 2007 (ADAMS Accession No. ML071570599).

Enclosure 3 to AEP-NRC-2009-45 Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS)

Train A Functions for Which Indiana Michigan Power Company Is Requesting an Extension of the Technical Specification Completion Time to Restore Operability RTS Technical Specification Table 3.3.1-1 Function Description 17 Safety Injection (SI) Input from ESFAS 21 Automatic Trip Logic ESFAS Technical Specification Table 3.3.2-1 Function Description 1.b SI, Automatic Actuation Logic and Actuation Relays 2.b Containment Spray, Automatic Actuation Logic and Actuation Relays Containment Isolation - Phase A Isolation, Automatic Actuation Logic and 3.a(2) Actuation Relays 3.a(3) Containment Isolation - Phase A Isolation, SI Input from ESFAS Containment Isolation - Phase B Isolation, Automatic Actuation Logic and-3.b(2) Actuation Relays 4.b Steam Line Isolation, Automatic Actuation Logic and Actuation Relays Turbine Trip and Feedwater Isolation, Automatic Actuation Logic and Actuation Relays 5.c Turbine Trip and Feedwater Isolation, SI Input from ESFAS 6.a Auxiliary Feedwater, Automatic Actuation Logic and Actuation Relays (Solid State Protection System) 6.d Auxiliary Feedwater, SI Input from ESFAS Containment Air Recirculation/Hydrogen Skimmer System, Automatic Actuation Logic and Actuation Relays

Attachment 1 to AEP-NRC-2009-45 DONALD C. COOK NUCLEAR PLANT UNIT 2 TECHNICAL SPECIFICATION PAGES MARKED TO SHOW CHANGES 3.3.1-4 3.3.1-4a 3.3.2-1

RTS Instrumentation 3.3.1 CONDITION REQUIRED ACTION COMPLETION TIME I. One Source Range 1.1 Restore channel to 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Neutron Flux channel OPERABLE status.

inoperable.

J. One train inoperable. J.-1 ---------- NOTE-------

One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE.

Restore train to OPERABLE 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> status.

K. One RTB train K.1 ---------- NOTE-------

inoperable. One train may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE.

Restore train to OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> status.

L. One or more channels L.1 Verify interlock is in required 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> inoperable, state for existing unit conditions.

M. One trip mechanism M.1 Restore inoperable trip 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> inoperable for one RTB. mechanism to OPERABLE status.

  • If the Train A Solid State Protection System Multiplexer Test Switch that was in service at the beginning of Fuel Cycle 18 fails during the fuel cycle, the Completion Time to restore inoperable Train A Functions 17 and 21 of Table 3.3.1-1 may be extended to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, one time during Fuel Cycle 18, to complete replacement and testing of the switch' Cook Nuclear Plant Unit 2 3.3.1-4 Amendment No. 269, 278, 283

RTS Instrumentation 3.3.11 CONDITION REQUIRED ACTION COMPLETION TIME N. Required Action and N.1 Reduce THERMAL POWER 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion to < P-7.

Time of Condition D not met for Function 8.a, 9, 10, 11, 12, or 13.

Cook Nuclear Plant Unit 2 3.3.1-4a Amendment No. 269, 278, 283

ESFAS Instrumentation 3.3.2 3.3 INSTRUMENTATION 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation LCO 3.3.2 The ESFAS instrumentation for each Function in Table 3.3.2-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.2-1.

ACTIONS N r-----------------------------------------------------------

Separate Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions A.1 Enter the Condition Immediately with one or more referenced in Table 3.3.2-1 required channels or for the channel(s) or trains inoperable, train(s).

B. One required channel or B.1 Restore required channel or 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> train inoperable, train to OPERABLE status.

C. One train inoperable. C.1 ---------- NOTE-------

One tVain may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing provided the other train is OPERABLE.

Restore train to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> OPERABLE status.

If the Train A Solid State Protection System Multiplexer Test Switch that was in service at the beginning of Fuel Cycle 18 fails during the fuel cycle, the Completion Time to restore inoperable Train A Functions 1 .b, 2.b, 3.a.(2),, 3.a.(3), 3.b.(2), 4.b, 5.a, 5.c, 6.a, 6.d, and 7.b of Table 3.3.2-1 may be extended to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, one time during Fuel Cycle 18, to complete replacement and testing of the switch.

Cook Nuclear Plant Unit 2 3.3.2-1 Amendment No. 269

Attachment 2 to AEP-NRC-2009-45 Regulatory Commitments The following table identifies those actions committed to by Indiana Michigan Power Company (I&M) in this document. Any other actions discussed in this submittal represent intended or planned actions by I&M. They are described to the Nuclear Regulatory Commission (NRC) for the NRC's information and are not regulatory commitments.

Commitment Date I&M will replace the Donald C. Gook Nuclear Plant Unit 2 Solid During the next refueling State Protection System Train A Multiplexer Test Switch that outage,. or any was in service at the beginning of Fuel Cycle 18. unscheduled outage of sufficient duration that may occur prior to the next refueling outage.

I&M will perform the compensatory measures listed below for Until the currently installed each performance of Technical Specification (TS) Surveillance Multiplexer Test Switch is Requirements that require placing both the Multiplexer Test replaced.

Switch and the Input Error Inhibit Switch out of their Normal positions in Unit 2 Solid State Protection System Train A.

1. No planned power changes will be permitted.
2. No risk-significant equipment other than that assumed to be inoperable in the risk-analysis will be scheduled to be unavailable on either unit.

,3. Unless needed to address emergent equipment malfunction or failure, no significant switchyard work or intrusive plant maintenance, surveillance, or functional testing, will be allowed.

4. Train B Engineered Safety Features (ESF) equipment condition shall be reviewed to provide a basis for assuring that no Train B ESF equipment failures from previously known conditions may be expected.
5. Weather forecasts will be reviewed to ensure there are no expected conditions that would threaten the stability of the switchyard or the regional transmission network, or result in excessive debris in the ESW system.
6. Welding, burning, or grinding shall be confined to ongoing Unit 1 Main Turbine repairs. Welding, burning, or grinding will not be permitted in any portion-of the Unit 2 power block or therauxiliary building.

to AEP-NRC-2009-45 Page 2 Commitment Date

7. Alignment of major Unit 2 operating equipment that could introduce undesirable unit transients will not be changed, except in response to emergent equipment conditions or failures that require prompt action. Examples of such equipment are:
  • heater drain pumps,
  • condensate booster pumps,
  • hotwell pumps,
  • centrifugal charging pumps (CCPs),
  • component cooling water (CCW) pumps, and,
  • feedwater heater drain paths However, activities to maintain steady state power operation that are not considered as potential transient initiators, such as boration, dilution, or make-up plant operations, etc., may be performed.
8. Once started, the Unit 2 Train A Solid State Protection System (SSPS) Multiplexer Test Switch replacement work is to proceed without unnecessary interruption, to an identified plan and schedule.
9. The Component Cooling Water pumps, Essential Service Water (ESW) pumps, Emergency Diesel Generators, Supplemental Diesel Generators, and switchyard will be designated as guarded equipment.
10. The Unit 2 Train A Reactor Trip Bypass Breaker, operated by the Unit 2 Train B Reactor Trip System, will be closed to prevent inadvertent reactor trips from the Train A SSPS system.
11. The Unit 2 Train A ESW pump, CCW pump, and CCP pump will be in service. All ESW cross-tie valves will be open.
12. The TS Surveillance Requirement testing and the Multiplexer Test Switch replacement will be treated as a High Risk Activity.
13. The TS Surveillance Requirement testing and the Multiplexer Test Switch replacement will be treated as an Infrequently Performed Test or Evolution.
Retrieved from "https://kanterella.com/w/index.php?title=AEP-NRC-2009-45,_License_Amendment_Request_for_One-Time_Extension_of_Technical_Specification_Completion_Times_for_Inoperable_Train_of_Reactor_Trip_System_and_Engineered_Safety_Feature_Actuation_System&oldid=2562535"