CNL-16-133, Response to NRC Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (BFN-TS-486) (CAC Nos. MF6738, MF6739, and MF6740) - Letter 7


ML16260A098
Person / Time
Site: Browns Ferry
Issue date: 09/15/2016
From: James Shea
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
BFN-TS-486, CAC MF6738, CAC MF6739, CAC MF6740, CNL-16-133


Text

1101 Market Street, Chattanooga, Tennessee 37402

CNL-16-133

September 15, 2016

10 CFR 50.90

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Browns Ferry Nuclear Plant, Units 1, 2, and 3
Renewed Facility Operating License Nos. DPR-33, DPR-52, and DPR-68
NRC Docket Nos. 50-259, 50-260, and 50-296

Subject:

Response to NRC Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (BFN-TS-486) (CAC Nos. MF6738, MF6739, and MF6740) - Letter 7

References:

1. Letter from TVA to NRC, CNL-15-073, "Application to Modify the Browns Ferry Nuclear Plant, Units 1, and 2 Technical Specifications by Adding New Specification TS 3.3.8.3, 'Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic,' and Unit 3 TS by adding New Specification TS 3.3.8.3, 'Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic,' (BFN-TS-486)," dated September 16, 2015 (ML15260B125)
2. Letter from NRC to TVA, "Browns Ferry Nuclear Plant, Units 1, 2, and 3 - Request for Additional Information Related to License Amendment Request for Adding New Specifications to Technical Specification 3.3.8.3 (CAC Nos. MF6738, MF6739, and MF6740)," dated August 31, 2016 (ML16236A073)

By letter dated September 16, 2015 (Reference 1), Tennessee Valley Authority (TVA) submitted a license amendment request (LAR) for Browns Ferry Nuclear Plant (BFN), Units 1, 2, and 3, to revise the BFN, Units 1 and 2, Technical Specifications (TS) by adding a new specification governing the safety functions for the Emergency Core Cooling System (ECCS) Preferred Pump Logic, Common Accident Signal Logic, and the Unit Priority Re-Trip Logic. In addition, the LAR relocated the BFN Unit 3 requirements for Common Accident Signal Logic and Unit Priority Re-trip Logic to a new specification governing the safety functions for the Common Accident Signal Logic, and the Unit Priority Re-Trip Logic for consistency with the changes to the BFN, Units 1 and 2 TS.

The NRC requested additional information in a letter dated August 31, 2016 (Reference 2). Enclosure 1 provides the seventh set of TVA responses to NRC RAIs. The responses provided in Enclosure 1 to this letter are due by September 16, 2016.

Consistent with the standards set forth in Title 10 of the Code of Federal Regulations (10 CFR), Part 50.92(c), TVA has determined that the additional information, as provided in this letter, does not affect the no significant hazards consideration associated with the proposed application previously provided in Reference 1.

There are no new regulatory commitments associated with this submittal. Please address any questions regarding this request to Edward D. Schrull at (423) 751-3850.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 15th day of September 2016.

Respectfully,

J. W. Shea
Vice President, Nuclear Licensing

Enclosure

1. TVA Responses to NRC Request for Additional Information: Set 7

cc (Enclosure):

NRC Regional Administrator - Region II
NRC Resident Inspector - Browns Ferry Nuclear Plant
NRC Project Manager - Browns Ferry Nuclear Plant
State Health Officer, Alabama Department of Public Health

ENCLOSURE

TENNESSEE VALLEY AUTHORITY
BROWNS FERRY NUCLEAR (BFN) PLANT UNITS 1, 2, AND 3

TVA Responses to NRC Request for Additional Information: Set 7

Probabilistic Risk Assessment (PRA) Licensing Branch (APLA), Division of Risk Assessment, Office of Nuclear Reactor Regulation

APLA-RAI-17¹ Defense-in-Depth

In response to APLA-RAI-2, 3, 4 and 6b, in TVA letters dated April 15 and May 11, 2016, the licensee summarized the effects on the plant's ability to support the ECCS loads with a combination of real and spurious accident signals in Units 1 and 2 when one division of ECCS PPL is out of service or one division of UPRTL is out of service. The assessment provided in response to APLA-RAI-6b, concluded that for some scenarios when one ECCS PPL division or one UPRT division is out of service, the low pressure safety injection pumps would not be available in the accident unit, due to overloading the diesel generators and the shutdown boards. Further, the response to APLA-RAI-3 states that if ECCS PPL is unavailable and a combination of real and spurious signals occurs in Units 1 and 2, all residual heat removal (RHR) and core spray pumps would not be available, and the high pressure injection systems would be lost due to depressurization, and therefore these scenarios proceed directly to core damage. Based on the RAI responses, one inoperable PPL division appears to be equivalent to both PPL divisions inoperable in that there is no mitigation for the design-basis scenario of a dual unit loss-of-coolant accident signals. That is, such accident scenarios that result in a PPL demand appear to result in core damage as a result of the initiating event. Regulatory Guide (RG) 1.174, Section 2.1.1 and RG 1.177, Section 2.2.1 describe defense in depth attributes which should be maintained for a proposed TS change.

Demonstrate mitigation for such initiating events in order to justify defense in depth, as described in RG 1.174 and RG 1.177, for the proposed TS amendment or remove the proposed TS amendment.

¹ The NRC letter dated March 21, 2016, contains APLA RAIs 1 through 16.

TVA Response to APLA-RAI-17

Background

The Preferred Pump Logic (PPL) was installed prior to initial operation in the early 1970s and was modified prior to Unit 1 re-start in 2007 (see Reference 1 for NRC Approval). PPL is only functional for BFN Units 1 and 2.

CNL-16-133 E- 1 of 20

The diesel generators and Standby AC Power System are designed to accommodate spurious accident signals from either unit and in any order, i.e., real followed by a spurious signal, real coincident with a spurious signal, and spurious followed by a real accident signal. If the Emergency Core Cooling System (ECCS) loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4KV shutdown boards and their associated diesel generators. Therefore, during combinations of real and spurious accident signals, the Units 1 and 2 ECCS PPL would assign the Unit 1 ECCS loads to the Division I 4KV shutdown boards and the Unit 2 ECCS loads to the Division II 4KV shutdown boards. If any RHR or Core Spray (CS) pumps were already running in the opposite unit (e.g., for shutdown cooling), the CS and RHR / Low Pressure Coolant Injection (LPCI) logic would send redundant signals to initiate the ECCS PPL to trip the opposite unit's running RHR and CS pumps.

The ECCS PPL signal also inhibits the RHR and CS pumps' automatic start logic in the opposite unit (after 60 seconds, manual control of the pumps is restored). This ensures that any running RHR or CS pumps in the opposite unit would be tripped, unloading the Unit 1/2 4KV shutdown boards prior to the accident unit starting its ECCS pumps on a real accident signal. For combinations of real and spurious accident signals, the Unit 1 and 2 ECCS PPL would allow the Unit 1 Division I RHR and CS pumps (1A and 1C) to start and load on the Division I 4KV shutdown boards, and the Unit 2 Division II pumps (2B and 2D) would load on the Division II 4KV shutdown boards. This action would ensure that the shared Unit 1/2 4KV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems.

Because the PPL functions are performed by components within the RHR (LPCI) and CS initiation logic, no specific Technical Specification (TS) was originally written to control the OPERABILITY of the PPL. TS 3.3.5.1 was applied to the RHR and CS components that provide the PPL function because the instrumentation that provides the CS and RHR initiation signals is controlled by TS 3.3.5.1.

For example, if the CS System components that performed the PPL logic function were to become INOPERABLE, the actions in Table 3.3.5.1-1 would be taken with regard to the PPL, which ultimately would require that the affected CS Subsystem be declared inoperable in accordance with TS 3.5.1. Similarly, if a portion of the RHR System affecting PPL logic becomes INOPERABLE, the action in Table 3.3.5.1-1 (i.e., Action C) would be taken with regard to the PPL. Action C requires actions within one hour and twenty four hours.

In order to preclude confusion with following the existing TS described above, TVA proposed a new TS 3.3.8.3 that would allow operators to follow explicit LCO actions and completion times given a PPL inoperability (Reference 2).

PPL Design Basis Defense-in-Depth Discussion

This change seeks to align the TS with the existing plant configuration by recognizing the physical and functional separation of PPL into two divisions similar to the way other safety-related systems are separated into trains. This change would apply the same allowance for multiple failures within a division as is currently allowed within a safety system train. For example, for ECCS, the failure of a pump in conjunction with the failure of a valve in the same train has the same effect and the same TS action as the failure of either the pump or the valve. This change proposes the same TS action for multiple failures within a division as a single failure in a division because the effect is the same. Since the effect is the same, the existing defense-in-depth (DID) and accident mitigation features remain unchanged for multiple failures within a division when compared to a single failure within a division.

For accident mitigation, redundancy and DID are provided by the two trains of ECCS. A single PPL failure would only affect one train of ECCS such that the other train of ECCS would be available to perform core cooling functions. However, a beyond-design-basis multiple failure scenario that adversely affects both divisions of PPL could affect both trains of ECCS and could result in less than the number of ECCS subsystems assumed in the accident analysis in UFSAR Table 6.5-3. A spurious accident signal is considered to be a single failure as stated in Supplement 4 to the BFN SER dated September 10, 1973. DID to accommodate the spurious accident signal is provided by the PPL function of the RHR or the CS subsystems. If a division of the PPL were inoperable due to a failure (either the RHR or the CS subsystem), a spurious accident signal to the other division would be considered a second failure that affected both divisions of ECCS and constitutes a beyond-design-basis condition. Operator action may still be taken to mitigate the effects of the accident.

To specifically respond to the statement in this RAI:

Based on the RAI responses, one inoperable PPL division appears to be equivalent to both PPL divisions inoperable in that there is no mitigation for the design-basis scenario of a dual unit loss-of-coolant accident signals.

TVA's position is that the design basis accident is a loss of coolant accident (LOCA) in one unit with a spurious LOCA signal in the other unit. However, GL-80-30 states that the single failure criterion is temporarily relaxed when in a TS out-of-service time. Additional failures, unless explicitly stated in the Current Licensing Basis, are considered a beyond-design-basis event. Therefore, a LOCA concurrent with a spurious LOCA signal in the other unit while a Division of PPL is inoperable and within its Completion Time, is a beyond-design-basis event. For illustrative purposes, the following describes the anticipated beyond-design-basis plant response for one PPL out-of-service concurrent with a LOCA.

Initial Conditions:

Unit 1 - Power Operations
Unit 2 - Power Operation
PPL Division I - INOPERABLE (Unit 1 or 2 in the new proposed 7 day LCO depending on which unit has the inoperable component)

Initiating Condition (occurs during the 7 day LCO period)

Unit 1 - LOCA
Unit 2 - Spurious LOCA signal (Design Basis Single Failure)

Initial Plant Response:

Unit 1: Safety Injection Signals for Division I and Division II
Unit 2: Safety Injection Signals for Division I and Division II
PPL Division I fails to actuate because it is INOPERABLE
PPL Division 2 actuates
Unit 1 ECCS Loads on the Division I Shutdown Boards load and sequence normally, as designed
Unit 1 ECCS Loads on the Division II Shutdown Boards are unloaded and would not sequence due to actuation of PPL Division II, as designed
Unit 2 ECCS Loads on the Division I Shutdown Boards load and sequence normally (incorrect response due to PPL Division I inoperability)
Unit 2 ECCS Loads on the Division I Shutdown Boards load and sequence normally, as designed

Subsequent Plant Response

Unit 1 and Unit 2 Division I Shutdown Boards overload (PPL Division I should have unloaded and have been prevented from sequencing Unit 2 Division I Shutdown Board loads)
Unit 1 ECCS Loads on the Division II Shutdown Board remains unloaded by Unit 1
Unit 2 ECCS Loads on the Division II Shutdown Board is supplying the Unit 2 ECCS loads as designed

Final Plant Response

Operator action results in the recovery of the Unit 1 and Unit 2 Division I Shutdown Boards
Operator action notes that the Unit 2 ECCS initiation is due to a spurious accident signal based on control room indications and operators manually secure the Unit 2 ECCS loads
Unit 1 ECCS Division I and Division II loads are manually sequenced in accordance with plant procedures

In conclusion, a LOCA, concurrent with a spurious LOCA signal in the other unit, with one PPL division out-of-service, is a beyond-design-basis event that would require manual actions to mitigate the effects. This is considered a beyond-design-basis event because a spurious LOCA signal in the opposite unit is considered a single failure and the further concurrent failure of the PPL is not considered to be within the design basis per GL-80-30. An equivalent situation would be where a division of ECCS is inoperable and within the allowed outage time. A single failure in the remaining division of ECCS would be considered a beyond-design-basis event.

Examples of Current TS Application

Example - One CS Subsystem Inoperable:

Currently, in the event where one CS subsystem of the ECCS PPL is inoperable (i.e., SR 3.3.5.1.6 is not satisfied), the associated CS initiation capability for the affected subsystem is inoperable. The ECCS PPL relays are down-stream of the redundant initiation channels listed in TS Table 3.3.5.1-1, Functions 1a, 1b, and 1c for low reactor vessel water level (Level 1), high drywell pressure, and low reactor steam dome pressure, respectively. The redundant features of the CS initiation capability are inoperable and depending on which CS initiating function (1a, 1b, and/or 1c), TS 3.3.5.1, Condition B and/or Condition C, must be entered to declare the supported ECCS feature(s) inoperable within one hour. This would only be applicable to the redundant instrumentation initiation signals in TS Table 3.3.5.1-1, Functions 1a, 1b, and 1c that input to the one-out-of-two-taken-twice initiation logic. Placing one of these redundant instrumentation channels in trip would not cause an ECCS initiation signal, but if the redundant instrument channel were to actuate, the initiation signal would still occur. However, Condition B also requires placing the channel in trip within 24 hours. The ECCS PPL relays cannot be placed in a trip status without actuating PPL, so TS 3.3.5.1 Condition H, would apply to declare the supported ECCS feature(s) inoperable. Condition C requires restoring the redundant instrumentation initiation signals in TS Table 3.3.5.1-1, Function 1c to operable status within 24 hours or declare the supported ECCS feature(s) inoperable. In the event the Required Actions and associated Completion Times of Condition B or Condition C are not met, TS 3.3.5.1 Condition H, requires declaring the associated ECCS feature(s) inoperable. This action would result in entering TS 3.5.1, Condition A, requiring restoration of the ECCS injection/spray subsystem(s) to operable status within seven days.

Example - One LPCI Subsystem Inoperable:

Likewise, currently in an event where one LPCI subsystem of the ECCS PPL is inoperable (i.e., SR 3.3.5.1.6 is not satisfied), the associated LPCI initiation capability for the affected subsystem is inoperable. The ECCS PPL relays are down-stream of the redundant initiation channels listed in TS Table 3.3.5.1-1, Functions 2a, 2b, and 2c for reactor vessel water level (Level 1), high drywell pressure, and low reactor steam dome pressure, respectively. The redundant features of the LPCI initiation capability are inoperable and TS 3.3.5.1 Condition B and/or Condition C must be entered to declare the supported ECCS feature(s) inoperable within one hour. This would only be applicable to the redundant instrumentation initiation signals in TS Table 3.3.5.1-1, Functions 2a, 2b, and 2c that input to the one-out-of-two-taken-twice initiation logic. Placing one of these redundant instrumentation channels in trip would not cause an ECCS initiation signal, but if the redundant instrument channel were to actuate, the initiation signal would still occur. However, Condition B also requires placing the Function in trip within 24 hours. The ECCS PPL relays cannot be placed in a trip status without actuating PPL, so TS 3.3.5.1 Condition H, would apply to declare the supported ECCS feature(s) inoperable. Condition C requires restoring the redundant instrumentation initiation signals in TS Table 3.3.5.1-1, Function 2c to operable status within 24 hours or declare the supported ECCS feature(s) inoperable. In the event the Required Actions and associated Completion Times of Condition B or Condition C are not met, TS 3.3.5.1 Condition H, requires declaring the associated ECCS feature(s) inoperable. This action would result in entering TS 3.5.1, Condition A, requiring restoration of the ECCS injection/spray subsystem(s) to operable status within seven days.

Basis for the Risk Based TS Changes

The above discussion provides a view of the evolution of the current usage of BFN TS and how it would be used and navigated should there be a need to use them for a possible PPL failure. As can be seen from the above examples, the usage of current TS 3.3.5.1 and TS 3.5.1 can be somewhat confusing for operators to use with accuracy.

TVA recognized the confusion and launched an effort to alleviate it by creating a separate TS for the PPL that would provide a direct TS and Limiting Condition for Operation (LCO) required actions that would appropriately address PPL failures. As a result of this effort, TVA requested a new proposed TS (3.3.8.3) in the original License Amendment Request (LAR) (Reference 2) that would address the possibility of PPL failures specifically and directly without proceeding from one TS to another in succession. During the investigation of creating the proposed TS, it was found that using the existing TS structure, different PPL failure conditions did not always result in similar LCO required action states. This inconsistency is a result of applying TS meant for instrumentation channels to the PPL subsystems that have different safety functions than the current TS were meant to govern. The proposed new TS 3.3.8.3 provides PPL specific LCO required actions for different failure conditions that could exist in the PPL subsystems.

The proposed TS 3.3.8.3 also provides a set of consistent LCO required actions that aligns equipment into their respective divisions, thereby minimizing confusion with the application of the proposed TS. By clarifying equipment alignment into divisions, some combinations of instrument inoperability within a division would result in a relaxed completion time because the effect of multiple failures within a division results in the same effect as an individual failure. A risk-based justification was used to show that the risks associated with these relaxed completion times are still within accepted NRC risk guidelines. The PRA evaluation results provided in the original LAR submittal (Reference 2) and subsequent RAIs have shown that the risk associated with these potential failures is extremely low and within NRC guidance.

Table 1 below provides a depiction of the proposed risk informed changes to implement TS 3.3.8.3. Note that the proposed changes that required a risk-informed evaluation are depicted in bold font.

Table 1 Comparison of Current TS to Proposed TS

| Condition | PPL Subsystem Inoperable | Current TS | Proposed New TS 3.3.8.3 |
|---|---|---|---|
| 1 | Any Single (DIV I or DIV II) | 24 hours (TS 3.3.5.1 B. or C.); if not returned to operable status, then 7 days (TS 3.5.1 A.); if not returned to operable status, then Mode 3 in 12 hours (TS 3.5.1 B.) | 7 days (TS 3.3.8.3 A.); if not returned to operable status, then Mode 3 in 12 hours (TS 3.3.8.3 D.) |
| 2 | DIV 1 AND another DIV II | 24 hours (TS 3.3.5.1 B. or C.); if not returned to operable status, then 3.0.3 (TS 3.5.1 H.) | 7 days (TS 3.3.8.3 A.); if not returned to operable status, then Mode 3 in 12 hours (TS 3.3.8.3 D.) |
| 3 | DIV II AND another DIV II | 24 hours (TS 3.3.5.1 B. or C.); if not returned to operable status, then 3.0.3 (TS 3.5.1 H.) | 7 days (TS 3.3.8.3 A.); if not returned to operable status, then Mode 3 in 12 hours (TS 3.3.8.3 D.) |
| 4 | DIV I AND another DIV II | 24 hours (TS 3.3.5.1 B. or C.); if not returned to operable status, then 3.0.3 (TS 3.5.1 H.) | 3.0.3 immediately (TS 3.3.8.3 F.) |

The Division I PPL functions are performed by the Division I RHR (LPCI) and CS subsystems.

An INOPERABLE PPL component in either the Division I RHR (LPCI) or Division I CS subsystems could adversely impact the Division I 4kV Shutdown Boards A and B in the event of an accident with a spurious accident signal (Condition 1).

INOPERABLE Division I PPL components in both the Division I RHR (LPCI) and Division I CS subsystems have the same effect as a single INOPERABLE PPL component in that they could also adversely impact the same Division I 4kV Shutdown Boards A and B in the event of an accident with a spurious accident signal (Condition 2).

The Division II PPL functions are performed by the Division II RHR (LPCI) and CS subsystems.

An INOPERABLE PPL component in either the Division II RHR (LPCI) or Division II CS subsystems could adversely impact the Division II 4kV Shutdown Boards C and D in the event of an accident with a spurious accident signal (Condition 1).

INOPERABLE Division II PPL components in both the Division II RHR (LPCI) and Division II CS subsystems have the same effect as a single INOPERABLE PPL component in that they could also adversely impact the same Division II 4kV Shutdown Boards C and D in the event of an accident with a spurious accident signal (Condition 3).

In the event of multiple failures that affect both divisions, the plant would enter TS 3.0.3 immediately (proposed TS 3.3.8.3, Condition F). This action is similar to the current TS 3.5.1 Condition H; however, in the current TS, entry into TS 3.0.3 could be delayed for 24 hours (Condition 4).

Because the completion times for Conditions 2 and 3 are relaxed from 24 hours (current TS) to seven days (proposed TS), a risk-based justification was used to show that the risks associated with these relaxed completion times are still within accepted NRC risk guidelines. Because Conditions 1 and 4 above are more restrictive than the current TS, no additional justification is needed for these conditions.

Note that although this proposed change (Conditions 2 and 3) is a reduction in requirements, it does not increase risk because the INOPERABILITY of two PPLs in the same Division has the same effect as the loss of only one PPL. Safety is improved by preventing an unwarranted unit shutdown.

As noted above, there is effectively no change in DID from the current plant design. The proposed TS 3.3.8.3 amendment changes the time that two components in the same division can be out of service (Conditions 2 and 3) but this does not affect DID. Further, the risk estimates are conservative because no credit is given for operator actions to realign the shutdown boards (effectively failing the shutdown boards). The BFN PRA thermal hydraulic calculation demonstrates that in most cases there is time available to credit some operator actions to recover these boards.

The PRA submitted in support of the original LAR (Reference 2) and subsequent RAIs have shown that the probability of a LOCA/LOOP in conjunction with a spurious accident signal as an additional failure during the seven day LCO required action completion time is extremely low.


Discussion of PPL Defense-in-Depth Criteria for Proposed Technical Specification 3.3.8.3

Utilizing the criteria given in RGs 1.174 and 1.177 for DID, the proposed TS 3.3.8.3 change was evaluated to show that the DID principles have been maintained. Based on Reference 1, the NRC has evaluated the PPL physical changes to BFN Units 1 and 2 and found them acceptable for inclusion into the BFN CS and LPCI initiation systems.

The probability of containment failure was not increased with the inclusion of the PPL logic hardware while the consequences of accident mitigation were preserved. There were no changes to any Technical Specifications as a result of the original PPL modification. The addition of the PPL provides assurance that the plant responses are consistent with the accepted design basis accidents and transients discussed in the FSAR.

The original PPL modification was a hardware based change that did not rely on any programs or programmatic activity as compensatory measures. The PPL hardware is periodically tested to ensure that it functions as designed and as intended. The proposed TS 3.3.8.3 provides additional assurance that proper and appropriate operator actions are taken if a division or subdivision of PPL is inoperable.

The original PPL modifications were made to ensure that safety system operation, redundancy, independence, and diversity were maintained as per the original design of the affected BFN safety systems. The original PPL modifications and the addition of the proposed TS 3.3.8.3 ensure that there are appropriate restrictions in place to preclude simultaneous equipment outages that erode redundancy and diversity of the safety equipment and functions. The proposed PPL TS 3.3.8.3 does not require any compensatory actions to be taken when entering the proposed completion times (CT). The proposed TS 3.3.8.3 has no effect on the previously evaluated and approved safety functions of the low pressure coolant injection systems that are credited with mitigating design basis accidents.

Neither the original PPL modification nor the proposed TS 3.3.8.3 creates any common-cause failure (CCF) and does not introduce any new CCF mechanism that would adversely affect any CT or Safety Function (SF). The proposed TS 3.3.8.3 does request a change in Completion Time from 24 hours to seven days for consistency of application of times when a single PPL division is out of service. However, the PRA performed for the original submittal has shown that the proposed changes to the Core Damage Frequency (CDF) or Large Early Release Frequency (LERF) probabilities are negligible (Reference 2).

Neither the original PPL modification nor the proposed TS 3.3.8.3 results in any physical barrier being degraded or changed from those previously evaluated. No physical barriers were compromised as a result of the original PPL modification or the addition of the proposed TS 3.3.8.3.

Likewise, defenses against any human errors are maintained and do not change any expected operator responses or introduce any new human errors not previously considered. The proposed TS 3.3.8.3 would allow the operator to take the appropriate actions within allowable times.

Neither the original PPL modification nor the proposed TS 3.3.8.3 changes the intent of the plant's design criteria.


Based on the above discussion, the addition of the proposed PPL TS 3.3.8.3 does not affect the licensing basis DID of any safety systems and is consistent with the DID philosophy. The intent of the DID principle is maintained and does not change the way DID is achieved. The use of PRA in evaluating the proposed TS 3.3.8.3 has shown that the increased completion times discussed above will not increase the estimated CDF and LERF values beyond a negligible amount. The proposed TS 3.3.8.3 does not affect the existing single failure criteria. Therefore, the proposed TS 3.3.8.3 meets the DID principle and is consistent with maintaining the DID philosophy and will not adversely affect the health and safety of the public.

Based on the discussions above, the proposed change requested in the original LAR and subsequent RAIs meets the defense-in-depth guidance provided in RG 1.174 and RG 1.177.

Thus, TVA considers this proposed TS amendment appropriate and risk informed per NRC guidance, and continues to request NRC approval.

References:

1. Letter from NRC to TVA, Browns Ferry Nuclear Plant, Units 1, 2 and 3 - Issuance of Amendments Regarding the Emergency Core Cooling Systems (TAC Nos. MB8423, MB8424 and MB8425) (TS-424), dated April 1, 2004 (ML040710126)
2. Letter from TVA to NRC, CNL-15-073, "Application to Modify the Browns Ferry Nuclear Plant, Units 1, and 2 Technical Specifications by Adding New Specification TS 3.3.8.3, 'Emergency Core Cooling System Preferred Pump Logic, Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic,' and Unit 3 TS by adding New Specification TS 3.3.8.3, 'Common Accident Signal (CAS) Logic, and Unit Priority Re-Trip Logic,' (BFN-TS-486)," dated September 16, 2015 (ML15260B125)


APLA-RAI Single Unit Risk Contribution

The response to APLA-RAI-4 states that "the ECCS PPL function is performed by Core Spray and RHR-LPCI [low-pressure coolant injection] system relays and components. Most of these components only provide an ECCS PPL function and do not have to operate for a normal RHR and Core Spray initiation with only one accident signal and no RHR or Core Spray pumps running on the non-accident unit." It further states that the "inoperable Core Spray relay 14A-K11A(B) would also make the affected division of Core Spray inoperable," and that "inoperable RHR relay 10A-K36A(B) would also make the affected division of RHR inoperable."

As described in the LAR and updated in response to APLA-RAI-2, 5, 6.d, and 14, it appears that the change in Core Damage Frequency reported in response to APLA-RAI-14 addresses the risk increase from inoperable ECCS PPL logic with coincident accident signals in Units 1 and 2. However, some PPL components may be shared with another signal such as CAS. In such instances PPL-related risks also incur CAS-related risks. In other words, single unit initiators would also be expected to contribute to the change in risk when a shared PPL component is inoperable (i.e., even if a PPL signal is not received). The response to APLA-RAI-5 states:

"The CS [core spray] relays that initiate Common Accident Signal (CAS) (relays 14A-K11A/B) are considered in the logic developed for ECCS PPL. The internal events PRA model used in this evaluation does not include logic for CAS, Pre-Accident Signal (PAS), or Unit Priority Re-Trip Logic (UPRTL)."

Based on this response, single unit risk incurred by shared PPL/CAS signals (or other signals that may share a PPL component) may not be included in the risk results. The NRC staff requests the licensee to address all risks associated with inoperable PPL components or clarify how this has been done for the reported risk analysis results.

TVA Response to APLA-RAI-18

Failures of individual components of the Common Accident Signal (CAS), PAS, RHR, and CS logic (including the components that perform the PPL and UPRTL functions) have been evaluated in a Failure Modes and Effects Analysis (FMEA). The multiple functions of each component were identified and evaluated for a failure of the component and potential effect on other systems (e.g., fails to operate when required or spuriously operates). The following relays are discussed as examples of this analysis:

The FMEA documents that the design of preferred pump logic accommodates a failure of the CS relay 14A-K11A(B) by providing a redundant preferred pump logic initiation signal from RHR relay 10A-K73A(B). Therefore, a failure of 14A-K11A or B would not prevent the initiation of the preferred pump logic. A failure of 14A-K11A or B would prevent the affected division CS logic from initiating its associated division of CAS logic. However, the other division CS logic would initiate its associated division of CAS logic, which would perform all CAS functions.

The FMEA documents that RHR relay 10A-K36A(B) is used in the preferred pump logic to keep a spurious accident signal from tripping the Division I preferred pumps for Unit 1 and the Division II preferred pumps for Unit 2. The relay also initiates the UPRTL and, in conjunction with other RHR relays, the RHR (LPCI) injection valve control logic. If relay 10A-K36A or B were to fail to initiate as the design basis single failure, the other division of RHR would be unaffected.

The internal events PRA logic adequately and conservatively addresses single unit risk. The internal events PRA includes logic for automatic initiation and alignment of ECCS and does not take additional credit for additional redundant signals that can be credited during most LOCA scenarios (i.e., it only models low RPV level and high drywell pressure signals).

The change to single unit risk is zero or negligible for the following reasons:

The relays are part of the existing design.

The associated impacted subsystems are considered out of service if testing or maintenance is being performed on these relays.

Any testing or maintenance should be performed in the appropriate system window by work control. The test and maintenance term for the appropriate loop is already included in the PRA and updated based on plant specific data.

It should be noted that these relays (14A-K11A(B), 10A-K36A(B)) are only included for the PPL for scenarios involving an accident signal in combination with a spurious or real signal in the other unit. Although the single unit risk is negligible, an estimate is provided to address the RAI. In order to address single unit risk, the contribution to risk is estimated as follows:

The contribution to risk of logically equivalent failures is estimated.

The estimate is scaled based on the ratio of the probability of failure of the relays relative to the probability of failure of the logically equivalent events.

The effect of each of these relays is discussed below:

Case #1 - A failure of 14A-K11A or B would prevent the affected division CS logic from initiating its associated division of CAS logic. However, the other division CS logic would initiate its associated division of CAS logic, which would perform all CAS functions.

Case #2 - A failure of 10A-K36A or B would affect the RHR (LPCI) injection valve control logic.

The effect of ECCS PPL unavailability and unreliability on UPRTL is not relevant for single unit risk because, as noted in the response to APLA RAI 4, the Unit Priority Re-Trip (UPRT) logic ensures that the diesels are able to support the required ECCS loads in the event of a spurious accident signal from the non-accident unit as described in the UFSAR, Section 8.5.4.2.

The effect of ECCS PPL unavailability and unreliability on UPRTL is not relevant for scenarios involving coincident accident signals in Units 1 and 2 because, as noted in the response to APLA RAI 5, the PRA model used in this evaluation conservatively assumes that unavailability or unreliability of an ECCS PPL division causes failure of the two 4kV shutdown boards associated with that division in scenarios with simultaneous accident signals.

The contribution from Case #1 and Case #2 on CDF and LERF is discussed below.

Case #1

For failure of relays 14A-K11A or B, the risk contribution to CDF and LERF is derived based on the highest importance measures of components associated with the divisional low pressure permissive (i.e., Panel Power Supply Breaker fails). For Case #1 the estimate is only performed for CDF because cutsets involving these components were not generated for LERF.

Unit 1 (CDF = 1.0918E-05, LERF = 2.3255E-06 using the revised HRA floor value)

PANEL POWER SUPPLY BREAKER FAILS = 4.13E-06
Relay Failure to Change State on Demand = 9.92E-05

BREAKER DIV I FV(cdf) = 1.92E-06
CDF (relay contribution) = (1.0918E-05) * (1.92E-06) * (9.92E-05/4.13E-06)
CDF (relay contribution) = 5.035E-10

BREAKER DIV II FV(cdf) = 1.92E-06
CDF (relay contribution) = (1.0918E-05) * (1.92E-06) * (9.92E-05/4.13E-06)
CDF (relay contribution) = 5.035E-10

Unit 2 (CDF = 9.879E-06, LERF = 2.204E-06 using the revised HRA floor value)

PANEL POWER SUPPLY BREAKER FAILS = 4.13E-06
Relay Failure to Change State on Demand = 9.92E-05

BREAKER DIV I FV(cdf) = 2.13E-06
CDF (relay contribution) = (9.879E-06) * (2.13E-06) * (9.92E-05/4.13E-06)
CDF (relay contribution) = 5.054E-10

BREAKER DIV II FV(cdf) = 2.13E-06
CDF (relay contribution) = (9.879E-06) * (2.13E-06) * (9.92E-05/4.13E-06)
CDF (relay contribution) = 5.054E-10

Case #2

For failure of relays 10A-K36A or B, the risk contribution to CDF and LERF is derived based on the importance measures and probabilities of the LPCI injection valves FCV-74-53 or FCV-74-67 (FAILS TO OPEN WHEN DEMANDED).

Unit 1 (CDF = 1.0918E-05, LERF = 2.3255E-06 using the revised HRA floor value)

MOV Failure to Open = 2.36E-03
Relay Failure to Change State on Demand = 9.92E-05

FCV-74-53 FV(cdf) = 7.50E-04, FV(lerf) = 9.10E-05
CDF (relay contribution) = (1.0918E-05) * (7.50E-04) * (9.92E-05/2.36E-03)
CDF (relay contribution) = 3.442E-10
LERF (relay contribution) = (2.326E-06) * (9.10E-05) * (9.92E-05/2.36E-03)
LERF (relay contribution) = 8.895E-12

FCV-74-67 FV(cdf) = 1.51E-03, FV(lerf) = 1.68E-04
CDF (relay contribution) = (1.0918E-05) * (1.51E-03) * (9.92E-05/2.36E-03)
CDF (relay contribution) = 6.930E-10
LERF (relay contribution) = (2.326E-06) * (1.68E-04) * (9.92E-05/2.36E-03)
LERF (relay contribution) = 1.642E-11

Unit 2 (CDF = 9.879E-06, LERF = 2.204E-06 using the revised HRA floor value)

MOV Failure to Open = 2.36E-03
Relay Failure to Change State on Demand = 9.92E-05

FCV-74-53 FV(cdf) = 6.13E-04, FV(lerf) = 2.24E-05
CDF (relay contribution) = (9.879E-06) * (6.13E-04) * (9.92E-05/2.36E-03)
CDF (relay contribution) = 2.546E-10
LERF (relay contribution) = (2.204E-06) * (2.24E-05) * (9.92E-05/2.36E-03)
LERF (relay contribution) = 2.075E-12

FCV-74-67 FV(cdf) = 6.97E-04, FV(lerf) = 1.16E-04
CDF (relay contribution) = (9.879E-06) * (6.97E-04) * (9.92E-05/2.36E-03)
CDF (relay contribution) = 2.894E-10
LERF (relay contribution) = (2.204E-06) * (1.16E-04) * (9.92E-05/2.36E-03)
LERF (relay contribution) = 1.075E-11

Total Single Unit Risk Contribution (not delta)

The following table shows the sum of the CDF or LERF for relays 14A-K11A, 14A-K11B, 10A-K36A and 10A-K36AB. The results below indicate that even if these relays were included in the model, the net contribution to CDF or LERF is negligible.

| | CDF | LERF |
|---|---|---|
| Unit 1 | 2.044E-09 | 2.532E-11 |
| Unit 2 | 1.557E-09 | 1.282E-11 |

The single unit risk estimates include the contribution for all initiators. The results show that single unit risk (if any) is negligible. It should also be noted that in other non-fast acting scenarios, there is adequate time to align the shutdown boards and load the appropriate diesels (see response to RAI PRA-RAI-06.01). In most non-fast acting cases where High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) provide makeup to the Reactor Pressure Vessel (RPV), the operator would have many hours to realign the shutdown boards and load the diesels. Even in the most limiting cases where these High Pressure Injection systems fail (no injection), the Modular Accident Analysis Program (MAAP) indicates that operators would have approximately 35 minutes to respond.


APLA-RAI Fire Risk Contribution

In the response dated May 25, 2016, to APLA-RAI-12, TVA stated: "Any Fire PRA quantification results in subsequent RAIs (i.e., APLA-RAI-14 to be submitted in a subsequent TVA letter) without the non-completed modifications would be considered as information only and not a valid risk insight." Also, in responses to APLA-RAI-13 dated May 25 and June 16, 2016, the licensee provided a bounding estimate due to fire for extending the completion time for the ECCS PPL.

Justify how this bounding estimate is credible for the current plant configuration, given that the fire PRA used in the analysis credits a number of plant modifications that have not yet been completed, and these modifications appear to have a significant impact on risk as provided in response to APLA-RAI-12, and that removal of these modifications for Fire PRA quantification results would be considered as not a valid risk insight according to the response to APLA-RAI-12.

TVA Response to APLA-RAI-19

To assure not modeling PPL was appropriate, TVA performed an evaluation in which the PPL was assumed to prevent Emergency Diesel Generator overloads in the FPRA model. This was a very conservative approach given that the PPL logic itself has not been evaluated to the extent to demonstrate this function would be available during the modeled fires at BFN. This sensitivity was provided in TVA letter CNL-16-092, dated June 16, 2016.

This sensitivity demonstrated that the inclusion of the PPL in the BFN FPRA model was not warranted given the small impact on CDF and LERF per the American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) PRA Standard ASME/ANS RA-Sa-2009, as endorsed by RG 1.200, Revision 2. Additionally, in the Fire Safe Shutdown Procedures, the accident signals in several zones are blocked by operator action to assure plant alignments are not disrupted by spurious or actual accident signals during fire events.

In the event of a fire in Fire Area 01-01, 01-02, 01-03, 01-04, 01-05, 02-01, 02-02, 02-03, 02-04, 02-05, 04, 05, 08, 09, 16, 17, or 18, credited BFN Fire PRA operator actions include inhibiting the Unit 1 and Unit 2 Low Pressure Coolant Injection (LPCI) and CS auto-initiations to prevent undesired actuations. With respect to ECCS PPL, inhibiting the Unit 1 and Unit 2 LPCI and CS auto-initiations also:

Inhibits the auto start of CS Pumps and the auto opening of CS injection valves for the respective division.

Inhibits the auto start of RHR Pumps and the auto opening of LPCI injection valves for the respective division.

Inhibits the ECCS PPL for CS and RHR for the respective division in the opposite Unit.

For Unit 1, fire zones that would require that accident signals be inhibited represent over 75% of the zones evaluated for CDF and 65% of the zones evaluated for LERF. The remaining CDF and LERF results from fires predominantly in the Turbine Building and Switchyard. Fires in these areas would not likely result in a PPL logic actuation without failure of ECCS systems, namely HPCI and RCIC. This further reduces any theoretical benefit of including PPL logic in the fire PRA and bolsters the validity of not including PPL in the BFN FPRA models.


In conclusion, removal of the PPL logic from service has no calculable impact on either CDF or LERF because credit is not taken for the actuation of said logic with or without inclusion of installed modifications. The sensitivity discussed in letter CNL-16-092 dated June 16, 2016, demonstrated that inclusion of the PPL logic is not warranted, even with overestimation of the benefit of the PPL logic on fire CDF with respect to American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) PRA Standard ASME/ANS RA-Sa-2009, as endorsed by RG 1.200, Revision 2. As such, any evaluation with or without credit for the planned modifications would only determine the risk impacts of the assumptions used in the evaluation of PPL, not the actual benefits (or delta risk) associated with PPL credit.


APLA-RAI Tier 2

RG 1.177 for Tier 2, "Avoidance of Risk-Significant Plant Configuration," requires that the licensee identify "potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing, were also involved." The licensee, in response to APLA-RAI-15 dated May 25, 2016, stated that the risk of taking the ECCS PPL out of service combined with other equipment out of service was not analyzed and that "any potential work-significant configurations would be identified by the work control process evaluations performed several weeks prior to taking the ECCS PPL component out of service."

TVA response to APLA-RAI-15 does not address the information requested in RG 1.177 for Tier 2. Provide the Tier 2 required information as discussed in RG 1.177 Section 2.3 and Section 4, "Documentation and Submittal."

TVA Response to APLA-RAI-20

The components that perform the ECCS PPL function are RHR and CS relays; these relays are in the same electrical circuit as the rest of the RHR and CS logic. Placing a PPL relay out of service results in placing the associated RHR and CS subsystems out of service. To effect repairs of a failed ECCS PPL component, the RHR or CS subsystem would be de-energized under a work order clearance boundary to replace the failed component. Therefore, any work or testing that would take the ECCS PPL out of service is controlled under the same process that evaluates the removal of an entire RHR or CS subsystem from service.

The Equipment Out of Service (EOOS) software was used to identify any potentially high-risk contributions. A schedule that included system or train availability was developed to help identify any potential high-risk configurations. A baseline EOOS profile was established to determine the impact of each train Out of Service (OOS). Subsequently, the schedule was modified to include items representing divisional PPL unavailability combined with each train in the EOOS timeline. To identify any high-risk configurations, the results for each PPL division were compared to the baseline results.

EOOS was then used to take each of the following PPL basic events in combination with the items considered out of service in the baseline schedule.

1. RELFD_ECCS_PPL_U1D1 - Failure of Unit 1 Div I PPL components
2. RELFD_ECCS_PPL_U1D2 - Failure of Unit 1 Div II PPL components
3. RELFD_ECCS_PPL_U2D1 - Failure of Unit 2 Div I PPL components
4. RELFD_ECCS_PPL_U2D2 - Failure of Unit 2 Div II PPL components

The baseline schedule included the following trains OOS:

| UNIT | COMPONENT | DESCRIPTION |
|---|---|---|
| 0 | 0GEN082000B | DIESEL GENERATOR B |
| 0 | 0GEN082000A | DIESEL GENERATOR A |
| 0 | 0GEN082000C | DIESEL GENERATOR C |
| 0 | 0GEN082000D | DIESEL GENERATOR D |
| 3 | 3GEN0820003A | DIESEL GENERATOR 3A |
| 3 | 3GEN0820003B | DIESEL GENERATOR 3B |
| 3 | 3GEN0820003C | DIESEL GENERATOR 3C |
| 3 | 3GEN0820003D | DIESEL GENERATOR 3D |
| 1 | 1PMP0710019 | REACTOR CORE ISOLATION COOLING PUMP |
| 1 | 1PMP0730054 | HPCI TURBINE MAIN PUMP |
| 1 | 1FCV0740053 | RHR SYSTEM I INBD RECIRC LOOP VLV |
| 1 | 1FCV0740067 | RHR SYSTEM II INBD RECIRC LOOP VLV |
| 1 | 1FCV0740059 | RHR SYS I TEST VLV |
| 1 | 1FCV0740073 | RHR SYSTEM II TEST VLV |
| 1 | 1FCV0740061 | RHR SYS I CONTAINMENT SPRAY INBD VLV |
| 1 | 1FCV0740075 | RHR SYS II CNTMT SPRAY INBD VLV |
| 1 | 1FCV0740047 | RHR SHUT DN COOLING OUTBD VLV |
| 1 | 1FCV0740048 | RHR SHUT DN COOLING INBD VLV |
| 1 | 1FCV0750025 | CS SYSTEM 1 INBD DISCH VALVE |
| 1 | 1FCV0750053 | CS SYSTEM 2 INBD DISCH VALVE |
| 1 | 1PMP0270026 | CCW PUMP 1C |
| 1 | 1PMP0270018 | CCW PUMP 1B |
| 1 | 1PMP0270010 | CCW PUMP 1A |
| 1 | 1FCV0640221 | HARDENED SUPPR CHBR VENT INBD ISOL VLV |
| 1 | 1FCV0640222 | HARDENED SUPPR CHBR VENT OUTBD ISOL VLV |
| 3 | 3FCV0850050 | CRD EXHAUST LINE ISOLATION VALVE |
| 1 | 1FCV0850050 | CRD EXHAUST LINE ISOLATION VALVE |
| 2 | 2FCV0850050 | CRD EXHAUST LINE ISOLATION VALVE |
| 3 | 3PMP0850002 | CRD WATER PUMP MOTOR 3B |
| 1 | 1PMP0850002 | CRD WTR PMP 1B |
| 2 | 2PMP0850001 | DRIVE WATER PUMP 2A |
| 1 | 1PMP0850001 | CRD WTR PMP 1A |
| 3 | 3PMP0850001 | CRD WATER PUMP MOTOR 3A |
| 1 | 1PMP0630006A | STANDBY LIQ CONT PMP A |
| 1 | 1PMP0630006B | STANDBY LIQ CONT PMP B |
| 1 | 1PCV0010041 | MAIN STEAM LINE D RELIEF VALVE |
| 1 | 1PCV0010179 | MAIN STEAM LINE A RELIEF VALVE |
| 1 | 1PCV0010031 | MAIN STEAM LINE C RELIEF VALVE |
| 1 | 1PCV0010030 | MAIN STEAM LINE C RELIEF VALVE |
| 1 | 1PCV0010034 | MAIN STEAM LINE C RELIEF VALVE |
| 1 | 1PCV0010022 | MAIN STEAM LINE B RELIEF VALVE |
| 1 | 1PCV0010042 | MAIN STEAM LINE D RELIEF VALVE |
| 1 | 1PCV0010019 | MAIN STEAM LINE B RELIEF VALVE |
| 1 | 1PCV0010005 | MAIN STEAM LINE A RELIEF VALVE |
| 1 | 1PCV0010023 | MAIN STEAM LINE B RELIEF VALVE |
| 1 | 1PCV0010018 | MAIN STEAM LINE B RELIEF VALVE |
| 1 | 1PCV0010180 | MAIN STEAM LINE D RELIEF VALVE |
| 1 | 1PCV0010004 | MAIN STEAM LINE A RELIEF VALVE |
| 2 | 2PMP0710019 | REACTOR CORE ISOLATION COOLING PUMP |
| 2 | 2PMP0730054 | HPCI TURBINE MAIN PUMP |
| 2 | 2FCV0740053 | RHR SYSTEM I INBD RECIRC LOOP VLV |
| 2 | 2FCV0740067 | RHR SYSTEM II LPCI INBD INJECTION VLV |
| 2 | 2FCV0740059 | RHR SYS I TEST VLV |
| 2 | 2FCV0740073 | RHR SYS II TEST VLV |
| 2 | 2FCV0740061 | RHR SYS I DRYWELL SPRAY INBD VLV |
| 2 | 2FCV0740075 | RHR SYS II DRYWELL SPRAY INBD VLV |
| 2 | 2FCV0740048 | RHR SHUT DN COOLING INBD VLV |
| 2 | 2FCV0740047 | RHR SHUT DN COOLING OUTBD VLV |
| 2 | 2FCV0750025 | CS SYS 1 INBD DISCH VALVE |
| 2 | 2FCV0750053 | CS SYS 2 INBD DISCH VALVE |
| 2 | 2PMP0270018 | CCW PUMP 2B |
| 2 | 2PMP0270010 | CCW PUMP 2A |
| 2 | 2PMP0270026 | CCW PUMP 2C |
| 2 | 2FCV0640221 | HARDENED SUPPR CHBR VENT INBD ISOL VLV |
| 2 | 2FCV0640222 | HARDENED SUPPR CHBR VENT OUTBD ISOL VLV |
| 2 | 2PMP0630006B | 2B SLC PUMP (GE112B) |
| 2 | 2PMP0630006A | 2A SLC PUMP (GE112A) |
| 2 | 2PCV0010023 | MSL B RELIEF VLV DISCH |
| 2 | 2PCV0010022 | MSL B RELIEF VLV DISCH |
| 2 | 2PCV0010019 | MSL B RELIEF VLV DISCH |
| 2 | 2PCV0010018 | MSL B RELIEF VLV DISCH |
| 2 | 2PCV0010004 | MSL A RELIEF VLV DISCH |
| 2 | 2PCV0010180 | MSL D RELIEF VLV DISCH |
| 2 | 2PCV0010030 | MSL C RELIEF VLV DISCH |
| 2 | 2PCV0010005 | MSL A RELIEF VLV DISCH |
| 2 | 2PCV0010034 | MSL C RELIEF VLV DISCH |
| 2 | 2PCV0010041 | MSL D RELIEF VLV DISCH |
| 2 | 2PCV0010179 | MSL A RELIEF VLV DISCH |
| 2 | 2PCV0010042 | MSL D RELIEF VLV DISCH |
| 2 | 2PCV0010031 | MSL C RELIEF VLV DISCH |
| 3 | 3PMP0710019 | REACTOR CORE ISOLATION COOLING PUMP |
| 3 | 3PMP0730054 | HPCI TURBINE MAIN PUMP |
| 3 | 3FCV0740053 | RHR SYSTEM I INBD RECIRC LOOP VLV |
| 3 | 3FCV0740067 | RHR LOOP II LPCI INBD INJECTION VLV |
| 3 | 3FCV0740059 | RHR SYS I TEST VLV |
| 3 | 3FCV0740073 | RHR LOOP II TEST VLV |
| 3 | 3FCV0740061 | RHR SYS I CONTAINMENT SPRAY INBD VLV |
| 3 | 3FCV0740075 | RHR LOOP II CNTMT SPRAY INBD VLV |
| 3 | 3FCV0740047 | RHR SHUT DN COOLING OUTBD VLV |
| 3 | 3FCV0740048 | RHR SHUT DN COOLING INBD VLV |
| 3 | 3FCV0750025 | SYSTEM 1 INBD DISCH VALVE |
| 3 | 3FCV0750053 | SYSTEM 2 INBD DISCH VALVE |
| 3 | 3PMP0270026 | CCW PUMP 3C |
| 3 | 3PMP0270010 | CCW PUMP 3A |
| 3 | 3PMP0270018 | CCW PUMP 3B |
| 3 | 3PMP0630006A | STANDBY LIQ CONT PMP A |
| 3 | 3PMP0630006B | STANDBY LIQ CONT PMP B |
| 3 | 3PCV0010030 | MAIN STEAM LINE C RELIEF VLV |
| 3 | 3PCV0010004 | MAIN STEAM LINE A RELIEF VLV |
| 3 | 3PCV0010005 | MAIN STEAM LINE A RELIEF VLV |
| 3 | 3PCV0010018 | MAIN STEAM LINE B RELIEF VLV |
| 3 | 3PCV0010019 | MAIN STEAM LINE B RELIEF VLV |
| 3 | 3PCV0010180 | MAIN STEAM LINE D RELIEF VLV |
| 3 | 3PCV0010023 | MAIN STEAM LINE B RELIEF VLV |
| 3 | 3PCV0010179 | MAIN STEAM LINE A RELIEF VLV |
| 3 | 3PCV0010031 | MAIN STEAM LINE C RELIEF VLV |
| 3 | 3PCV0010034 | MAIN STEAM LINE C RELIEF VLV |
| 3 | 3PCV0010041 | MAIN STEAM LINE D RELIEF VLV |
| 3 | 3PCV0010042 | MAIN STEAM LINE D RELIEF VLV |
| 3 | 3PCV0010022 | MAIN STEAM LINE B RELIEF VLV |

Results

While some of the individual results yielded slightly higher CDF or LERF, the comparison did not identify any high-risk configurations associated with PPL (i.e., the baseline and the sensitivity yielded nearly identical EOOS profiles). In a few cases where the baseline risk for a train was very close to the boundary color change threshold, there was a change in risk color from green to yellow. These cases were where multiple diesel generators in the same unit were simultaneously out of service (not an expected configuration) and a division of PPL was out of service (i.e., PPL failed in test or undergoing maintenance).
