CPSES-200701127, Response to Request for Additional Information Related to License Amendment Request (LAR) 06-009, Revision to Technical Specification (TS) 3.8.1, AC Sources - Operating, Extension of Completion Times.

From kanterella
Jump to navigation Jump to search
Response to Request for Additional Information Related to License Amendment Request (LAR)06-009, Revision to Technical Specification (TS) 3.8.1, AC Sources - Operating, Extension of Completion Times.
ML073241326
Person / Time
Site: Comanche Peak  Luminant icon.png
Issue date: 11/15/2007
From: Blevins M
Luminant Power
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
CPSES-200701127, LAR 06-009, TXX-07110
Download: ML073241326 (84)
v  d  e


Text

Mike Blevins Luminant Power Executive Vice President P 0 Box 1002

& Chief Nuclear Officer 6322 North FM 56 Mike.Blevins@Luminant.com Glen Rose, TX 76043 Lumin AT 254 97 5209 C 817 559 9085 F 254 897 6652 CPSES-200701127 Ref. # 10CFR50.90 Log # TXX-07110 November 15, 2007 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555

SUBJECT:

COMANCHE PEAK STEAM ELECTRIC STATION (CPSES) DOCKET NOS. 50-445 AND 50-446, RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION RELATED TO LICENSE AMENDMENT REQUEST (LAR)06-009, REVISION TO TECHNICAL SPECIFICATION (TS) 3.8.1, "AC SOURCES - OPERATING," EXTENSION OF COMPLETION TIMES FOR DIESEL GENERATORS

REFERENCES:

1. TXU Power letter, logged TXX-07011, from Mike Blevins (Luminant Power) to the NRC dated January 18, 2007
2. Email from Mohan Thadani (NRC) to Fred Madden and Tim Hope (Luminant Power) with Request for Additional Information for LAR 06-009 dated June 21, 2007.
3. Email from Balwant Singal (NRC) to Tim Hope (Luminant Power) with an additional Request for information dated July, 25, 2007.

Dear Sir or Madam:

In Reference 1, Comanche Peak Steam Electric Station (CPSES) requested the Completion Time for Diesel Generators be extended from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days.

Attachment 1A to this letter provides a discussion that establishes a sound framework for review of Luminant Generation Company LLC's (Luminant Power, formerly known as TXU Power) request to change the plant Technical Specifications (TS) to extend the allowable Completion Time (CT) for restoration of an inoperable Emergency Diesel Generator (EDG). The introduction describes the technical quality of the PRA model in terms of completed reviews and resolution of issues. Important elements of the PRA model, such as modeling of the RCP Seal loss of coolant accident (LOCA), recovery from a loss of offsite power (LOOP) and external events analyses have been provided for background.

This information should be helpful to establish a context for review of the RAIs in Attachment lB. In addition, the discussion under the heading "Methodology and Results for the DG CT Re-analysis" summarizes the methodology and results from the CT re-analysis based on the updated Probability Risk Analysis (PRA) model. The PRA model was updated subsequent to the original submittal to refleIct the replacement of the Unit 1 steam generator and other minor changes. This updated model is now the basis model for the CT extension request.

A member of the STARS (Strategic Teaming and Resource Sharing) Alliance Callaway

  • Comanche Peak Diablo Canyon
  • Palo Verde South Texas Project
  • Wolf Creek

U. S. Nuclear Regulatory Commission TXX-07110 Page 2 11/15/2007 Based on questions provided by Mr. Mohan Thadani of the NRC in Reference 2, and additional questions provided by Mr. Balwant Sinrgal of the NRC in Reference 3, Luminant Power hereby provides responses to the requests for additional information (RAI) 1 to 16 related to the first request, and responses to RAIs 17 to 21 related to the second request. The NRC questions and Luminant Power's response are provided in Attachment 1B to this letter.

In Attachment 1B, RAI 3.b, the NRC asked that CPSES clarify the basis for the assumption of 15 minutes to connect the alternate alternating current power source (AACPS). In addition to responding to the request, CPSES has revised the 15 minutes to 13 minutes in Attachments 3 and 4 to this letter which are titled "Proposed Technical Specifications Bases Changes" and "Retyped Technical Specifications Bases Pages," respectively. In addition, the word "automatically" was added in Attachments 3 and 4, under the discussion of the defense in depth measure number 4, to specify that the AACPS would "automatically" connect to the bus. Attachment 3 of this letter will replace Page 7 of 8 of Attachment 3 to Reference 1 and of this letter will replace Page 6 of 7 of Attachment 5 to Reference 1.

The Westinghouse Owners Group (WOG) peer review of Comanche Peak (CP) Probability Risk Analysis (PRA) was performed during the spring of 2002. The conclusion of the peer assessment was that the CP PRA can be effectively used to support risk significance evaluations with deterministic input, subject to addressing the items identified as significant in the technical element summary and Facts & Observations (F&O) sheets. As stated in Attachment 1A and 1B and shown in Attachment 2, CPSES addressed each of the Categories A and B F&Os and incorporated those items into the PRA model and supporting calculations that formed the basis for the information used to support the DG CT extension. Attachment 2 is a list of the category A & B F&Os and their dispositions for information only. is a list of the proposed commitments associated with Reference 1. CPSES will implement the proposed commitments contained in Attachment 5 before the 14 day CT is invoked to assure continued safe operation of the plant.

In accordance with 10CFR50.91, a copy of this submittal is being provided to the designated Texas State official.

Should you have any questions, please contact Ms. Tamera J. Ervin at (254) 897-6902.

I state under penalty of perjury that the foregoing is true and correct.

U. S. Nuclear Regulatory Commission TXX-071 10 Page 3 11/15/2007 Executed on November 15, 2007.

Sincerely, Luminant Generation Company LLC Mike Blevins By:

Rafael F ores Site Vi erPresident A, "PRA Update" B, "Response to Request for Addition Information Related to License Amendment Request (LAR)06-002 Revision to Technical Specification (TS) 3.8.1, 'AC Sources - Operating,' Extension of Completion Times for Diesel Generators" , "Documentation of the Westinghouse Owners Group (WOG) Peer F&O Category A & B Dispositions , "Proposed Technical Specifications Bases Changes (For Information Only)" , "Retyped Technical Specifications Bases Pages (For Information Only)" , "Proposed Commitments" c - E. E. Collins, Region IV B. K. Singal, NRR Resident Inspectors, CPSES Ms. Alice Rogers Environmental & Consumer Safety Section Texas Department of State Health Services 1100 West 49th Street Austin, Texas 78756-3189 A to TXX-07110 Page 1 of 24 ATTACHMENT 1A TO TXX-07110 PRA UPDATE A to TXX-07110 Page 2 of 24 Introduction In January 2007, Luminant Power submitted a request to change the plant Technical Specifications (TS) to extend the allowable Completion Time (CT) for restoration of an inoperable Emergency Diesel Generator (EDG). Since that time Luminant has received two Requests for Additional Information (RAIs) from the Nuclear Regulatory Commission (NRC) that will be responded to in this response. In the interim, the Probability Risk Analysis (PRA) model has been updated to reflect the replacement of the steam generators for Unit 1 and an update of the emergency operating procedures that affect both units. Although the change in baseline risk was not significant with respect to Core Damage Frequency (CDF) and Large Early Release Frequency (LERF), Luminant elected to use the updated model instead of addressing the difference through a qualitative evaluation. The analyses for the base case and selected sensitivity studies were re-performed and those results are provided in the first part of the PRA portion of this response submittal. Some of the information developed in the RAI responses prompted Luminant to add further description of aspects of the model that pertain to this analysis, as well as additional discussion of the scope and quality of the model.

These discussions of the Comanche Peak Steam Electric Station (CPSES) PRA model are provided to aid in explaining the responses to the NRC's RAIs in the subsequent section.

The risk assessment methodology for the Diesel Generator (DG) CT request, while remaining essentially the same as in the previous evaluation which accompanied the submittal, has been changed to address the implications of questions raised in the RAIs and discussion with NRC. The principal changes are as follows:

  • Re-analysis using the current model of record
  • The base case is now the test and maintenance model
  • No compensatory measures are credited other than availability of the alternate alternating current power source (AACPS) for the duration of the extended CT
  • No credit is taken for reduction in initiating event frequency In addition to these considerations, CPSES is aware of the current initiatives to improve the scope and quality of PRAs, as evidenced by the issuance of Regulatory Guide (RG) 1.200 "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities." To address these matters fully as regards this submittal, CPSES has provided a detailed discussion of those elements of the PRA that bear most on the risk of this application, namely, 1) the reactor coolant pump (RCP) seal loss of coolant accident (LOCA) modeling, 2) the loss of offsite power (LOOP) modeling, and 3) the status of peer review level A and B Facts & Observations (F&Os). In addition, this last item is supplemented by discussing the historical quality aspects of the CPSES model and the current model of record.

The discussions that follow will address the scope and quality of the CPSES PRA model and provide background information to describe key aspects of the model. In particular, assumptions and methods for the modeling of the RCP Seal LOCA, the recovery from a LOOP, the DG CT specific methodology and results, internal flooding and the external events analysis are discussed to demonstrate that the model contains sufficient detail to form a sound basis for risk informed applications. After these discussions, the specific responses to each of the RAIs are provided.

Background

The proposed TS changes to extend the allowable CT associated with restoration of an inoperable EDG have.

been evaluated based on a probabilistic risk assessment. The assessment re-performs the analysis of the previous submittal because the PRA model developed for CPSES was subsequently updated to incorporate the replacement of the steam generators for Unit 1 and various minor changes in the PRA model of both units. The updated CPSES PRA model, the current Model of Record, Revision 3C (6/22/2007), is an internal events, all-MODES model that allows quantification of configurations to determine core damage frequency and large early release frequency at power (MODE 1), in transition (MODES 2 through 4), while shutdown (MODES 5 and 6) and core-off load configurations which includes spent fuel pool modeling. This evaluation

Attachment IA to TXX-07110 Page 3 of 24 of the proposed CT extension only analyzed the effects on the MODE 1 portion of the tree for both CDF and LERF.

This proposed TS change will still allow the current 3-day CT without an AACPS but will extend the EDG CT to 14 days with an AACPS. This will allow maintenance to be performed on the EDG which could exceed the present 3-day CT. It will also allow the present 3-day CT to be extended for emergent conditions provided an AACPS is available before the 3-day CT expires. The plant Technical Specifications will be modified to reflect this. The plant historical data shows that the 3-day CT has never been exceeded so it is unlikely that the 14-day CT will be used for emergent conditions.

Westinghouse Owners Group (WOG) and Other Independent Reviews A number of internal and external reviews have confirmed the CPSES PRA model is of high quality and is capable of providing appropriate risk insights for this CT extension. From the initial development of the Individual Plant Examination (IPE) to subsequent periodic updates, internal reviews have been part of the CPSES program and have been performed by qualified personnel who verify or check calculations and information used in PRA analyses. External reviews have also been conducted from the IPE forward by qualified personnel, including participation from industry peers and independent consultants.

A WOG peer review of the CPSES PRA model was performed during the spring of 2002. The conclusions of the peer assessment were that the CPSES PRA can be effectively used to support risk significance evaluations with deterministic input, subject to addressing the items identified as significant in the technical element summary and F&O sheets. There were three Level A F&Os and several Level B F&Os.

Two Level A F&Os involved steam generator (SG) tube rupture and the application of the 24-hour mission time concept for both CDF and LERF considerations. The basis and success paths for the SG tube rupture model were clarified to provide for actions beyond the 24-hour mission time to assure stable plant conditions.

To address this, it was determined that changes to the PRA event and fault trees were needed for long term cooling after a SG tube rupture. These changes were incorporated into the current PRA model.

A third Level A F&O was written to address cutsets with multiple human errors and to revise dependency calculations if necessary. This item was found not to adversely affect the technical adequacy of the PRA. To address this, a PRA utility program was used to identify unique combinations of multiple human actions.

These combinations were reviewed on a scenario basis to assure that dependencies were identified and handled as appropriate. Changes were made to the model where required to address these dependencies.

There were several Level B F&Os. CPSES addressed each of the Level B F&Os and incorporated those items into the PRA model. In summary, all of the Level A and B F&Os were fully resolved and where appropriate internal PRA guidance was strengthened. Attachment 2 lists these observations along with details of how they were resolved.

In addition to the peer review described above, the following reviews have been completed at various points in the evolution of the model.

As part of the IPE process, the PRA model was independently reviewed by outside experts as described in the IPE submittal to ensure that the PRA represented the as-built, as-operated plant. The IPE identified notable enhancements which were incorporated: 1) several procedural changes (e.g.,

adding explicit instruction for operators to manually throttle auxiliary feedwater (AFW) flow locally for conditions other than station blackout) and 2) modifications to retain the component cooling water cross connection function and seal replacement for all RCPs with the new "high temperature",

design. These improvements have been implemented and are reflected in the current PRA model.

The NRC review of the IPE identified issues with human reliability assumptions (HRA) and faulted equipment recovery that have been resolved through use of the HRA Calculator methodology and A to TXX-07110 Page 4 of 24 consideration for the effect of diagnostics and execution under emergency (vs. abnormal) conditions as a portion of the non-recovery probability. However, the result was that the overall probability is dominated by the non-recovery portion more than the human reliability portion. Screening values that were of concern have been re-assessed as part of periodic PRA updates; the dominant HRA events have been assessed in detail. Lastly, the NRC questioned trip of the RCPs within one minute to prevent severe seal LOCAs. This human error probability (HEP) and the associated logic has been incorporated in the seal LOCA model. The probabilities for a given size seal leakage are based on the latest Westinghouse Owners Group analysis, for seals with high temperature o-rings (WCAP-15603 Revision 1A). The RCP seals at CPSES have the high temperature o-rings. The CPSES RCP Seal LOCA modeling complies with the guidance in WCAP-16141 (RCP Seal Leakage Model Implementation Guidelines for Westinghouse PWRs).

The CPSES PRA has been used in support of several submittals to the NRC including the Risk-Informed Inservice Testing (RI-IST) program and the Risk-Informed Inservice Inspection program. In August 1998, the NRC provided a Safety Evaluation Report (SER) to CPSES approving the RI-IST application. As part of their review of the RI-IST submittal, the NRC performed an in-depth review of the CPSES PRA model of record at that time, the original IPE and Individual Plant Examination of External Events (IPEEE) submittal. The focus of the NRC's review was to establish that the CPSES PRA appropriately reflected the plant's design, actual operating conditions and practices. The NRC review also verified that the PRA model was of sufficient quality to provide a suitable technical basis to support the Safety Evaluation Report.

A focused, independent industry review of the Revision 3 changes was completed in the spring of 2005. The major model features addressed in this review included the RCP Seal LOCA model update to the WOG 2000 Model Revision 1A, which incorporated the NRC's SER comments, the thermo-hydraulic (T-H) analyses associated with seal LOCA scenarios, the LOOP model changes, and the quantification process. This review was based on American Society of Mechanical Engineers (ASME)

PRA Standard. No category A or B F&Os were identified by this review. All other F&O items were resolved and incorporated into Revision 3B of the model as appropriate.

In April 2006, CPSES completed the Mitigating Systems Performance Index (MSPI) which included a cross comparison and assessment of monitored components as a means to address PRA quality issues. The comparison revealed two potential outliers: 1) High Pressure Safety Injection (HPSI)

Chemical and Volume Control System (CVCS) pumps and 2) Low Pressure Safety Injection (LPSI)

Residual Heat Removal (RHR) pumps. These outliers were reviewed in detail with the NRC's MSPI expert panel and found to be acceptable based on validdesign and modeling considerations. CPSES results for alternating current (AC) power were found to be consistent with industry results.

Reviews specific to this submittal were conducted to ensure quality standards were met. These reviews covered EDG reliability data, Loss of Offsite Power and Station Blackout sequences, and the RCP Seal LOCA model. The scope of the existing PRA was compared with the intended application. For the EDG and its components, there are two key areas: (1) model aspects related to the EDG and electrical power systems; and (2) integrity and completeness of the RCP Seal LOCA model. The 6.9 kV AC system fault tree models and reliability data for the EDGs were'reviewed. This review included common cause failure parameters, unavailability parameters, failure rates, and level of detail of the system models. Similarly, the CPSES LOOP and Station Blackout (SBO) models were reviewed. The review of the RCP Seal LOCA model was performed because of the importance of the seal LOCA to plant metrics. As described above, revision 3B of the plant's model of record was found to be acceptable for this application. Since no changes were made to the RCP Seal LOCA model from revision 3B to 3C, the review done for 3B was deemed adequate. Reviews found these model attributes met the PRA quality review criteria of RGs 1.174 and 1.177.

The results of all independent review activities performed by internal and external reviewers have been included in the plant's PRA documentation. These reviews have confirmed the technical quality of the

Attachment 1A to TXX-07110 Page 5 of 24 CPSES PRA model and Reviewers were afforded ample access to all model documentation. The NRC has been afforded this same access to PRA documentation and recently requested a copy of the CPSES shutdown model. PRA analysts have worked with the NRC on the Standardized Plant Analysis Risk (SPAR) model of

'CPSES to aid in its enhancement. The current version of the CPSES model has no outstanding A or B category F&Os from the WOG peer review process or from any of the other third party independent reviews and is thus appropriate for use in support of the proposed EDG CT Extension.

RCP Seal Leakage Modeling The CPSES RCP seals are constant leakage seals:. therefore, the PRA modeling addresses excessive leakage when RCP Seal LOCAs are discussed. RCP Seal LOCA success criteria can be organized into two distinct groups, prevention of seal LOCA and mitigation of seal LOCA.

The CPSES PRA model gives limited credit to prevention of seal LOCA since timing requirements for restoration of seal cooling following an initial loss of seal injection/cooling are fairly stringent (i.e., within 13 minutes). This is a relatively common treatment within industry PRA models for Westinghouse pressurized water reactors (PWRs).

Prevention of a RCP Seal LOCA requires that seal cooling be maintained either through seal injection or thermal barrier cooling. The former requires the charging system and its associated supports and the latter requires the component cooling water system and its associated supports. At CPSES, the charging pumps do not directly rely on component cooling water (CCW). Given a loss of seal injection, the operators must restore seal injection within 13 minutes. The time requirement has been stipulated as 13 minutes for the AACPS design which includes starting, energizing the bus and sequencing on the loads. After 13 minutes, the risk of thermal shock to the seals and subsequent gross seal failure is too great to allow restoration of seal injection. CPSES Abnormal Conditions Procedures require a prompt trip of the reactor and the affected RCP if seal injection and thermal barrier cooling are unavailable or if seal temperatures exceed limits.

Mitigation of a RCP Seal LOCA requires a reactor coolant system (RCS) makeup source and its associated supports. Makeup sources are either the high head charging pumps or the intermediate head (safety injection (SI)) pumps (with RCS pressure control). As shown in Table 1, availability of the turbine driven auxiliary feedwater pump (TDAFW) significantly increases the time available before core uncovery. This is significant because the probability of recovering offsite power is proportional to the time available prior to core uncovery. CPSES-specific analysis demonstrates that core damage can be avoided if RCS makeup is initiated prior to core uncovery. Further, with TDAFW availability, the operators can depressurize the RCS, reducing the seal leakage rate and further extending time to core uncovery.

The CPSES-specific analysis demonstrates that with the smallest seal LOCA, RCS pressure drops to less than 1710 pounds per square inch absolute (psia) within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, provided that the TDAFW is available. This reduces the likelihood that smaller seal LOCAs will propagate to larger leakage rates. This assumption is common for industry PRA models for Westinghouse PWRs. TDAFW pump availability is supported by a 4-hour rated battery for pump control and a water supply from the Condensate Storage Tank with enough capacity for at least four hours of operation. Operator action is only required to control the TDAFWP flow on a loss of battery or air accumulators.

The key parameter for RCP seal leakage sequences is the time available for recovery. This is impactedý by the size of the seal leakage, the availability of direct current (DC) power (battery lifetime which is assumed to be 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />), the availability of Auxiliary Feedwater (typically the TDAFW pump), and the action of the operator to depressurize the RCS. This section describes the modeled RCP seal leakage rates and the resulting sequence timing.

For scenarios with RCP seal leakage, excess leakage is assumed to occur in all four RCPs. The probabilities for a given size seal leakage are based on the latest Westinghouse Owners Group analysis, for seals with high temperature o-rings (WCAP-15603 Revision 1A). The RCP seals at CPSES have the high temperature o-rings.

The CPSES RCP Seal LOCA modeling complies with the guidance in WCAP-16141 (RCP Seal Leakage Model A to TXX-07110 Page 6 of 24 Implementation Guidelines for Westinghouse PWRs). The following describes the modeling of four seal leakage sizes:

21 gpm/pump - This seal leakage is modeled as 21 gallons per minute (gpm) per pump, a total of 84 gpm. The probability for this leakage rate given loss of seal cooling is 7.9E-01. This leakage rate and probability are based on success of both the first and second stages of the RCP seal. With the high temperature o-rings, this is the most likely outcome.

76 gpm/ pump - This seal leakage. is modeled as 76 gpm per pump, a total of 304 gpm. The probability for this leakage rate, given loss of seal cooling, is 1E-02. This is based on failure of the first stage seal and success of the second stage seal.

182 gpm/ pump - This seal leakage is modeled as 182 gpm per pump, a total of 728 gpm. The probability for this leakage rate, given loss of seal cooling, is 1.98E-01. This is based on success of the first stage seal and failure of the second stage seal.

480 gpm/pump - This seal leakage is modeled as 480 gpm per pump, a total of 1920 gpm. The probability for a large seal leakage given loss of seal cooling is 2.5E-03. This is based on failure of-both the first and second stages of the RCP seal.

Note: Large seal leakage is guaranteed to occur for a loss of seal cooling scenario with failure to trip the RCPs. At CPSES, loss of one train of component cooling water (CCW) will not result in excessive RCP seal leakage since either train of CCW can supply the thermal barrier coolers.

The seal leakage sizes are used in the subsequent recovery events to determine the time available before core uncovery. Table 1 presents the Time to Core Uncovery. Time to core uncovery is provided as another reference point for the scenario. Table 1 includes a number 6f cases combining seal leakage size, success or failure of secondary side heat sink (TWAFW pump), success or failure of operator action to cooldown and depressurize the RCS, and battery lifetime. The times are calculated based on a series of CPSES-specific Modular Accident Analysis Program (MAAP) cases. Figure 1 shows the top logic for the RCP Seal LOCA branches.

Table 1. Time to Core Uncovery for Various Seal Leak Rates Seal Leak gpm/ Auxiliary Feedwater/Secondary Battery Depletion Core Uncovery (per pump) Depressurization Available (hours) (hours) 21 NO N/A 2.1 60 NO N/A 1.8 182 NO N/A 1.8 480 NO N/A 1.8 21 YES 4 20.6 76 YES 4 16.8 182 YES 4 9.9 480 YES 4 6.8 gpm - gallons per minute

Figure 1. Top Logic for CPSES RCP Seal LOCA I RCP SEALLOC:AWHIC:H

SMALL BREAK

  • iX IGNLXX04V$-ll X SEALLOCA (67RCP RCP SEALLOCA (21)

IMP)- GPM1PUMP] GPMtPUMP (E 1.98 E-01 1.0E-02 7.9 E-0i A to TXX-07110 Page 8 of 24 The existing RCP Seal LOCA model contains all of the failure modes identified in the NRC-approved Brookhaven RCP Seal LOCA model. The impact of using the Brookhaven RCP Seal LOCA model was then examined as a sensitivity analysis. This sensitivity analysis showed a small increase (6.50E-08 for CDF and 1.70E-09 for LERF) in the baseline risk if the Brookhaven RCP Seal LOCA model is used. This sensitivity showed that the CPSES model compares very favorably with the Brookhaven model.

CPSES LOSS OF OFFSITE POWER (LOOP) Modeling Initiating Event Frequency The LOOP initiator frequency for CPSES is developed in a fault tree. As shown in Figure 2, this fault tree includes specific contributions from four types of LOOP initiators, weather-centered (WC), grid-centered (GC), grid-centered-blackout (GCBO), and plant-centered (PC). The first three contributors are based on calculated means developed from Electric Power Research Institute (EPRI) data as described below. The plant centered LOOP frequency is developed from a fault tree to allow explicit modeling of switchyard faults in addition to reflecting the EPRI data.

Historical LOOP events experienced by nuclear power plants in the United States in the 20-year period from 1984 through 2003 (based on the EPRI data provided in EPRI reports TR-110398, TR-1002987, and TR-1009889) were reviewed. A number of the events were eliminated from consideration for various reasons, generally because they were only a partial loss of power or because CPSES is not susceptible to the same phenomena (e.g., salt spray) or has a significantly different offsite power supply arrangement (e.g., two independent switchyards).

The remaining LOOP events were grouped into four categories of events: plant-centered; grid-centered; weather-centered, and grid-centered-blackout. Table 2 provides a summary of calculated LOOP frequencies.

TABLE 2. Summary of Offsite Power Initiator Frequency LOOP Initiator LOPIiitr Mean 5%/ CL* 1950/ CL*

LOOP Initiator Description Event Error Factor Identification LOOP (Plant-Centered) INITX3PCDATA 1.37E-02 9.85E-03 1.83E-02 1.36E+00 LOOP (Grid-Centered) INIT-X3-GC 5.04E-03 2.86E-03 8.05E-03 1.68E+00 LOOP (Grid-Centered- INIT-X3-GCBO 7.79E-03 4.10E-031 1.31E-02 1.78E+00 Blackout)

LOOP (Weather-Centered) INIT-X3-WC 8.40E-03 5.48E-03 1.21E-02 1.49E+00

  • CL = calculated LOOP The CPSES PRA LOOP Initiator model (Figure 2) also includes two induced, or consequential, LOOP gates as well as degraded grid logic. Figures 3 and 4 show the general modeling for these events.

Figure 2. Top Structure for CPSES LOOP Initiator Model LOSS OF OF.FSrTE POVtER -LOSS Of OFFSfTE PO~'1v-.vM tSOF CTSEPV LOSSOF OFF$ M~E POYER

-GRID Q:NIEREQ GRID CENTEPRED: -MCATKE.RCETFE . . .. - PLANT 6 INTER!

JINIT-XZ'-GCBO 7 .INrTXiQ T3. .I1-~

T.9ET3 5.0&F--0 *. 1:

J. i

  • ii i i.

Am-S £IrrrurVepotAR. tAC INUICATINIO LC)

.. PLANTI CEIM5TER OFV$IYC P0\/EIA Or01

. ...O..

. . .X . .

.N~. .C.

.. . ~ A~LNLL z

LOOACFUIf POW~ER LO$.&,0 &Atrr'.

LC~~~~~'Sr OWS PFOFff Fovrc SCI IYADTOEA

.. . . .1~

.PIA. IMEP-LOOP-1EA2f A to TXX-07110 Page 10 of 24 Figure 3. Induced LOOP After Plant Trip LOOP = LOSP 1

2.10E-02 3.80E-03 Show Parent i SParents P of event INDUCEDLOOP J- ---...-.... . . . 0-EP-XEA2-LUUP - OFFSITE PUWEH IS NUT AVAILAB LETO 1 EA2 r -

I, Ii I-Ii I -

. . . . - .- *n l I,

I:

e;4oance -..

Figure 4. Induced LOOP from Degraded Voltage X

X h- Paren --- - -

Parents of event ILOOPDEGRAD "EP-XEA2-LO 0P - 0 FFSI T E P0'WER IS NOT AVAILABLE TO 1EA2 All 0K Cancel A to TXX-07110 Page 12 of 24 Offsite Power Recovery Modeling Plant specific thermal-hydraulic calculations typically show that core damage can be averted as long as a source of reactor coolant system inventory control and a source of heat removal are available prior to core uncovery. Availability of either one of these sources can significantly delay core damage (core uncovery) and therefore increase the likelihood of successful recovery of power sources and/or failed equipment.

EPRI sources (TR-110398, TR-1002987, and TR-1009889) provide restoration times for the loss of offsite power events that have occurred in the industry. These recovery times can be used to develop an offsite power hon-recovery probability distribution. This distribution demonstrates that the likelihood of not restoring offsite power (i.e., non-recovery probability) becomes smaller as post-LOOP event time increases. In other words, the longer the time after the SBO the more likely it is that offsite power will be recovered.

The thermal-hydraulic results, in combination with the offsite power recovery data, provide a reasonable basis for calculating non-recovery probabilities for every LOOP related cutset. The industry uses a variety of methods to calculate and assign non-recovery probabilities to groups of similar cutsets. These methods vary in the complexity of the approach, with the simpler methods tending to be more conservative (i.e., less realistic).

One of the more realistic approaches is a method called convolution. In general, this method recognizes that emergency diesel failures have some probability of occurring any time between the diesel start and the end of the (typical) 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time rather than always failing at the beginning of the event. Similarly, for all LOOP events, offsite power has some probability of being recovered prior to the diesel failure. Further' the longer that the diesel runs, the more time is available to restore offsite power prior to core uncovery. The EPRI data demonstrates that there is a high probability (i.e., low non-recovery probability) of recovering offsite power within a short time (e.g., 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) for many of the LOOP events.

As an example, the results of the CPSES convolution, assuming the worst case example of a 480 gpm per pump seal LOCA, show the following offsite power non-recovery probabilities for plant-centered events (which is representative of the other LOOP non-recovery probabilities):

Steam Driven Auxiliary Feedwater Run Time 0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Time to Core Uncovery 1.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> Emergency Diesel Generator Run Time 0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> 0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> Offsite Power Non-recovery Probability 2.80E-01 4.51E-04 The convolution method used at CPSES is described in EPRI TR-1009187 and basically develops a cumulative offsite power non-recovery probability approximated as a Weibull distribution for the four LOOP event categories (plant-centered, grid-related, weather-related, and grid-centered-blackout). The dominant CPSES LOOP core damage accident cutsets are those containing LOOP initiating events. These cutsets represent combinations of component and human failures that can result in core damage during a LOOP event. Failures of onsite alternating current (AC) equipment, of onsite AC support systems, Auxiliary Feedwater (AFW) equipment, and their support systems, can be found as component failures in the LOOP cutsets. Operational faults, such as the failure to assure adequate water for extended AFW operation, can also occur in the LOOP cutsets. The component failures may be categorized as either:

A to TXX-07110 Page 13 of 24 Type 1: Time dependent faults occurring prior to the initiator or time independent faults occurring at the start of or during the accident, or Type 2: Time dependent faults occurring during the accident.

Failures of the first type include both standby faults (e.g., normally-open valve transfers closed prior to a demand) and demand failures (e.g., pump fails to start on demand). Neither has a dependence on the length of the accident mission; thus, the probability density functions (PDFs) for Type 1 failures have no mission time dependence. The second type of failure consists of time dependent failures that occur during the accident mission (e.g., pump fails to continue running). Type 2 faults and thus their PDFs are dependent on the mission time. Human failures, whether prior to or during the accident, are assumed to be Type 1 faults. The LOOP initiating event which by definition, occurs at the beginning of the accident, is also considered a Type 1 fault. Recovery of offsite power is treated as a time-dependent event in the convolution analysis.

Data Review and Model Evaluation Through reviews, upgrades to address reviewers' observations, and planned updates, the CPSES PRA model has evolved and is technically adequate to allow calculations assessing a broad scope of risk contributors.

The PRA model has had three major updates since the individual plant examination (IPE) and the work has been reviewed by industry peers and independent consultants. With these updates, a number of areas of the PRA model have been strengthened. Notably for this evaluation, the generic equipment failure probabilities were updated with plant specific data using Bayesian techniques, the RCP seal model was updated, plant specific thermal-hydraulic timing studies for LOOP recovery and human error probabilities (HEPs) were done, and LOOP frequencies were updated using EPRI data.

The PRA model was updated to include separate branches for the components of loss of offsite power (plant-centered, weather-centered, grid-centered and grid-centered-blackout).

PRA quality considerations specific to the DG CT included a review of PRA and deterministic data related to the affected components, e.g., the EDGs. For the probabilistic portion, this consisted of a detailed review of PRA elements that directly model the component and related supporting documents that impact this evaluation. Consideration was given to each of the PRA tasks in order to define what documents needed to be reviewed in more detail. The review identified the following inputs for evaluation in support of extending the EDG CT.

  • CPSES Full Power PRA analysis files and computer model.
  • EDG common cause failure modeling data and techniques.
  • LOOP Initiating Event Frequency and post-initiator plant response.
  • SBO Initiating Event Frequency and post-initiator plant response.
  • Emergency Operating Procedures.
  • Maintenance Rule data for the EDG with historical outage times.

The scope of the existing PRA was reviewed to ensure its adequacy to evaluate the impact of the proposed CT extension. The 6.9 kV AC system fault tree models and EDG reliability data were reviewed. This review included common cause failure parameters, unavailability parameters, failure A to TXX-07110 Page 14 of 24 rates, and level of detail of these system models. Similarly, the CPSES LOOP and SBO models were reviewed.

Methodology and Results for DG CT Re-analysis Because a re-analysis of the DG CT extension has been performed, a discussion of methodology and results is appropriate. The re-analysis was performed due to Unit 1 having its steam generators replaced and changes to the emergency operating procedures occurring while this submittal was being reviewed by the NRC. The re-analysis ensures that the most recent plant configuration and procedures have been used. This requires that both Unit 1 and Unit 2 be analyzed since the plant configuration for the units is now different. Revision 3C of the model is being used and has been updated as of June 2007.

The alternate AC power supply (AACPS) is modeled as a temporary diesel, capable of supplying all the emergency loads for one train, to be credited when one of the installed 1E diesels is removed from service. The modeling of the AACPS accounts for equipment failure, a human action for manual start, failure of the 1E bus breaker to close and common cause failure of the 1E bus breakers. The AACPS is modeled such that the rest of the normal diesel modeling could be used. This allows for normal sequencing of loads by the blackout sequencer and the occurrence of associated equipment failures. Since the AACPS is to be manually started, no credit is taken for the AACPS during large break and medium break LOCA scenarios due to time constraints. The conceptual design for the AACPS includes requirements for the diesel starting, energizing the bus and sequencing on all the loads within 13 minutes.

For the purposes of PRA modeling, the requirement for an immediately available operator was assumed to be a dedicated operator stationed at the AACPS. The dedicated operator is required to support the HRA assessment. The dedicated operator can be replaced by a design feature such as auto start capability or manual control room start such that HRA timing constraints can be met.

The reliability values used for the AACPS failure to start and run are twice the failure rate of the plant emergency diesels. This is an industry standard practice of estimating the failure rate for non-safety related equipment. The failure rate for the operator to start the AACPS is calculated using the present procedure for starting the temporary outage diesel as a model and assuming that the operator is immediately available to start the AACPS. The failure probability of the AACPS 1E Bus Supply breaker is assumed to be the same as the permanent emergency diesel output breaker. The 1E Bus Supply breaker provides protection for the safe shutdown bus (1EA1/2) and will be of similar design as the permanent diesel output breaker. The common cause failure is modeled between the permanent emergency diesel generator output breaker and the AACPS 1E Bus Supply breaker. The AACPS 1E Bus Supply breaker will automatically close. Common cause failure is not modeled between the AACPS and the permanent emergency diesel generator because the AACPS will be of a different design than the permanent emergency diesel generators. No credit is assumed for recovery of the AACPS.

The following assumptions/methodologies were used in performing the re-analysis. In general, the methodology follows that used in the January submittal except that the base case now reflects inclusion of test and maintenance (no restrictions) and no credit for LOOP initiating event reduction:

1. The Incremental Conditional Core Damage probability (ICCDP) and Large Early Release Probability (ICLERP) are calculated by assuming the affected component is in maintenance without any compensatory actions, other than the AACPS, for the entire CT duration.

A to TXX-07110 Page 15 of 24 Component outage in the opposite train is not allowed (this would lead to Technical Specification 3.8.1 Condition E).

2. The delta CDF and LERF are calculated by assuming the affected component is in maintenance without any compensatory actions, other than the AACPS, for the CT duration and then adding the baseline CDF for the remainder of the duration (see 4 below). The basis for this is that the AACPS would not be available to provide power in a reasonable amount of time during the remainder of the year since it would not normally have an immediately available operator. This approachis, similar to the approach used in the NRC Significance Determination Process (SDP) inspection manual.
3. With respect to a LOOP scenario, the response of the two plant trains is similar. This can be seen in the risk importance measures for the two trains of the EDG which were found to be essentially the same. Therefore, this analysis only evaluated the change in risk for train B (for each Unit) for a 14-day CT.
4. CPSES will not plan maintenance that would lead to the switchyard being unavailable when work is being performed on the EDG. Also, CPSES would not plan maintenance during the time of the year when the weather at CPSES has historically been severe (i.e., tornado or thunderstorms). Neither weather effects nor restrictions on work activities were credited which provided some conservatism in the evaluation. Therefore, the average test and maintenance model is used as the basis for this evaluation. The equation described below was used to allow partitioned calculation since the AACPS would not be available for the whole year.

The criteria and guidance in RGs 1.174 and 1.177 were used in this evaluation. The following provides a discussion of the risk metrics used to evaluate the risk impacts of the extended EDG CT.

ACDFAVw = The change in the annual average CDF due to any increase in on-line maintenance unavailability of the EDG that could result from the increased allowed CT. This risk metric is used to compare against the criteria of RG 1.174 to determine whether a change in CDF is regarded as risk significant. These criteria are a function of the baseline annual average core damage frequency, CDFbase.

ALERFAVE = The change in the annual average LERF due to any increase in on-line maintenance unavailability of the EDG that could result from the increased CT extension.

This risk metric is used to compare against the criteria of RG 1.174 to determine whether a change in LERF is regarded as risk significant. These criteria are a function of the baseline annual average core damage frequency, LERFbaDe.

ICCDPIDGxY} = The incremental conditional core damage probability with EDG Y for Unit X out of service for a period equal to the proposed new allowed CT. This risk metric is used as suggested in RG 1.177 to determine whether a proposed increase in allowed CT will have an acceptable risk impact.

ICLERP{IDxy, = The incremental conditional large early release probability with EDG Y for Unit X out of service for a period equal to the proposed new allowed CT. This risk metric is used as suggested in RG 1.177 to determine whether a proposed increase in allowed CT will have an acceptable risk impact.

A to TXX-07110 Page 16 of 24 The change in core damage frequency (ACDF) and the change in large early release frequency (ALERF) are computed per the definitions from RG 1.174. In terms of the parameters defined above, the definitions are as follows:

ACDF = [(CDFtmbase

  • B/365) + (CDFAAcPs*CT/365)] - CDFtmbase And ALERF = (LERFtmbase
  • B/365) + (LERFAAcPs*CT/365) - LERFtmbase Where CDFtmbase = CDF (Model of Record, Test and Maintenance model)

CDFAACPS = CDF with the EDG out of service and the AACPS in service (Model of Record, Test and Maintenance model)

CT = Completion Time B= 365 - CT And LERFtmbase,= LERF (Model of Record, Test and Maintenance model)

LERFAACPs = LERF with the AACPS in the model Using the assumption in item 4 above, the Incremental Conditional Core Damage Probability (ICCDP) was calculated. The method used to calculate the ICCDP for the "At Power" model was to calculate the baseline CDF and the equipment out of service CDF with the AACPS in the model. The ACDF was calculated by subtracting the two CDFs and multiplying by the CT. The following equation was used to calculate the ICCDP:

ICCDP = (ACDF) * (CT/365)

And ICLERP = (ALERF)* (CT/365)

Where:

ACDF = CDF with the EDG out of service and the AACPS in service (Model of Record, Test and Maintenance model) minus the Baseline CDF (Model of Record, Test and Maintenance model) (See equation above)

ICLERP = Incremental Conditional Large Early Release Probability ALERF = LERF with the EDG out of service and the AACPS in service (Model of Record, Test and Maintenance model) minus the Baseline LERF (Model of Record, Test and Maintenance model) (See equation above)

5. The recovery of the EDG that is out of service for maintenance was not allowed. The recovery of the opposite train EDG was allowed. No credit was taken for any recovery of the AACPS. The recovery of a failure to start was not considered since it was assumed the AACPS would be manually started. Recovery of the AACPS one hour after it has started is a valid recovery but again was not credited in this analysis.

A to TXX-07110 Page 17 of 24 Several cases where analyzed to ensure that the metrics of RG1.177 were met. All cases, unless otherwise noted, were calculated using the average test and maintenance model. The analysis representing the extended CT change (configuration case) reflects the baseline model with one EDG removed from service and the AACPS available. The remaining cases represent the sensitivity analyses to capture the effects if various limitations were put into place. The table below contains the results of all cases calculated, followed by a brief discussion.

>i Table 3. CT Configuration Case and Sensitivity Results Meet RG 1.174 Case CDF LERF - ACDF* ALERF* ACDF** ALERF** ICCDP ICLERP and 1.177 00 9.62E- 4.91E-BASE TM UNIT 1 (MOR 3C) (CDFtmbase) 06 07 YES EDG WITH TM AND TMP DG UNIT 1 137E- 6.44E-1 1.56E- 5.98E- 2.25E-

"(Configuration Case) (CDFNTM) 05 07 07 5.87E-09 09 10 YES 1.32E- 6.23E- 1.38E- 5.29E- 1.94E-EDG WITH NTM AND TMP DG UNIT 1 05. 07 07 5.07E-09 09 10 YES BASE UNIT 1 TM INCREASED BY 9.74E- 4.95E- 2.52E- 9.67E- 3.46E-3.84%***(CDFTMtNC) 06 07 07 9.02E-09 09 10 YES UNIT 1 EDG TM INCREASED BY 14 1.47E- 6.86E- 5.11E- 1.95E- 1.96E- 7.46E-DAYS****(CDFAACPS) 05 07 06 07 07 09 N/A 9.78E- 6.23E-BASE TM UNIT 2 (MOR 3C) 06 07 YES E'DG WITH TM AND TMP DG UNIT 2' 1.39E_-1, 7.94E- 1.57E- 6.03E'- 2.52E-(ConfigurafionCase) ,05 :07, 07 6.56E-09 _09. 10 YES 1.34E- 7.60E- 1.38E- 5.31E- 2.02E-EDG WITH NTM AND TMP DG UNIT 2 05 07 07 5.27E-09 09 10 YES 9.90E- 6.28E- 2.55E- 9.77E- 4.OOE-BASE UNIT 2 TM INCREASED 3.84%*** 06 07 07 1.04E-08 09 10 YES 1.49E- 8.62E- 5.15E- 2.39E- 1.98E- 9.18E-UNIT 2 EDGTM INCREASED BY 14 DAYS**** 05 07 06 07 07 09 N/A MOR - Model of Record EDG - Diesel train B is out of service TMP DG - AACPS Generator (AACPS)

TM - Test and Maintenance NTM - No Test and Maintenance

  • Calculated by subtracting the base CDF/LERF from the calculated CDF/LERF. This is used when the model remains in one configuration for the whole year.

Calculated using the formula described item 4. This is used when there are compensatory actions that are only in effect for a short period of time (i.e., less than a year).

      • Is the increase of all TM (not just the EDGs) by a factor 14/365 due to the extended outage time. This was done to show the impact of deferring all TM during the CT. The formula used was ((CDFNTm
  • 14/ 365) + (CDFTmINc
  • 351/365)) - (CDFtmbase).
        • This is a case sensitivity used to evaluate the possible effect on the base model if both EDGs were out of service for additional days each year with no
  • compensatory actions (i.e., no AACPS, no planning, and no restriction on test and maintenance).

A to TXX-07110 Page 19 of 24 This analysis re-performed the quantifications, specifically, a configuration case and sensitivity cases.

The base quantification for both units used the test and maintenance model and compared the results to the various cases.

The results of the configuration case comparison which will be used for the submittal are as follows.

The ACDF was 1.56E-07 for Unit 1 and 1.57E-07 for Unit 2. The ALERF was 5.87E-09 for Unit 1 and 6.56E-09 for Unit 2. All of these values meet the requirements of RG 1.174. The ICCDP was 5.98E-09 for Unit I and 6.03E-09 for Unit 2. The ICLERP was 2.25E-10 for Unit 1 and 2.52E-10 for Unit 2. All of these values meet the requirements of RG 1.177. The other cases described below were calculated as sensitivities.

The sensitivity case in which the no test and maintenance was used meets the metric requirements of RG 1.174 and 1.177. This case represents the most restrictive plant configuration when one of the EDGs is out of service. For this sensitivity case, it was assumed that the plant will not plan maintenance on other risk significant equipment due to normal plant practices and the Maintenance Rule 10CFR50.65(a)(4) risk assessment requirements.

If work were to be restricted in the switchyard and if credit was taken for this then the plant-centered portion of the LOOP initiator could be reduced. This case was not recalculated for this response submittal; however, the previous evaluation showed that implementation of routine risk reducing plant practices is effective in further reducing overall risk.

The sensitivity case which increased all of the test and maintenance in the PRA model by 3.84%

(reflecting a restriction of work during the CT) meets the metric requirements of RG 1.174 and 1.177.

The test and maintenance events were increased to account for the maintenance that would not be performed during the CT but would be performed later in the year. The 3.84% was derived by dividing the time in the CT (14 days) by the days in the year (365 days). This is conservative since the complete CT is not expected to be used. Also, this is conservative because the case used for the submittal did not restrict any test and maintenance activities, except for the opposite train EDG, since the test and maintenance PRA model was used for the analysis. If test and maintenance was restricted, the increase in CDF would be less and thus the change in risk would decrease.

A sensitivity case was run where the average test and maintenance events that represent the EDGs unavailability were increased by 14 days (that is, the test and maintenance unavailability for both EDGs were simultaneously set to the equivalent of 14 days). The value of this sensitivity case is that it shows a bounding change in risk. This increase in risk is bounding since the compensatory actions such as the installation of an AACPS and/or controlling onsite work during the extended CT are not credited and the unavailability is maximized; that is, 14 days unavailability is used even though the extended CT is not expected to be entered yearly and, when entered, the full duration of CT is not expected to be used. As can be seen from Table 3, the delta risk values calculated for this bounding case exceed the threshold values for Regulatory Guide 1.174 by a relatively small factor. Comparing this bounding case with the cases with the compensatory actions credited provides a reasonableness measure for the requested extension..

The evaluation of the risk of performing a 14-day EDG maintenance activity at power meets the requirements for a permanent TS change in accordance with RGs 1.174 and 1.177. The requirement of RG 1.174 is a ACDF less than 1E-06 and a ALERF less than 1E-07. The requirement of RG 1.177 is an ICCDP less than 5E-07 and ICLERP less than 5E-08.

Tier 2 and 3 Considerations This section addresses the Tier 2 and Tier 3 considerations related to avoidance and control and management of high risk considerations.

/ A to TXX-07110 Page 20 of 24 Tier 2: Avoidance of Risk-Significant Plant Conditions In addition to the administrative controls proposed by this license amendment, CPSES has existing administrative guidelines to avoid or reduce the potential for risk-significant configurations from either emergent or planned work. These guidelines control configuration risk by avoiding or reducing the potential for risk-significant configurations from either emergent or planned work. CPSES has adopted administrative guidelines that go beyond the requirements set forth in the plant Technical Specifications. These guidelines control configuration risk by assessing the risk impact of equipment out of service during all modes of operation to assure that the plant is always being operated within acceptable risk guidelines.

CPSES employs a conservative approach to performing maintenance during power operations. The weekly planned maintenance schedules are train/channel based and prohibit opposite train activities without additional review, approvals, and/or administrative controls. The assessment process further minimizes risk by restricting the number and combination of systems/trains allowed to be simultaneously unavailable.

Unplanned or emergent work activities are factored into the plant's actual and projected condition, and the level of risk is re-evaluated. Based on the result of this re-evaluation, decisions are made concerning further actions required to achieve an acceptable level of risk.

Unplanned or emergent work activities are also evaluated to determine the impact on other, already planned activities and the effect the combinations would have on risk. This practice was not credited in the PRA analysis described in the previous sections.

The Configuration Risk Management Program (CRMP) required by Technical Specification 5.5.18 provides a proceduralized risk-informed assessment to manage the risk associated with equipment inoperability. The program applies to TS structures, systems, or components for which a risk-informed CT has been granted. The program includes the following elements:

a. Provisions for the control and implementation of a Level 1, at-power, internal events PRA-informed methodology. The assessment shall be capable of evaluating the applicable plant configuration.
b. Provisions for performing an assessment prior to entering the (Limiting Condition for Operation (LCO) Action for preplanned activities.
c. Provisions for performing an assessment after entering the LCO Action for unplanned entry into the LCO Action.
d. Provisions for assessing the need for additional actions after the discovery of additional equipment out of service conditions while in the LCO Action.
e. Provisions for considering other applicable risk significant contributors such as Level 2 issues, and external events, qualitatively or quantitatively.

Risk Significant Components While a Diesel Generator is Out of Service The following components and/or systems become risk-significant when a DG is out of service. The list provides those components and/or systems whose unavailability simultaneous with an out of service DG would likely place the plant in a high-risk A to TXX-07110 Page 21 of 24 configuration, based upon their Risk Achievement Worth (RAW) value (i.e., the increase in risk if the component is assumed to be failed at all times, expressed as a ratio of assumed risk to baseline risk). These are not necessarily in ranked order.

  • Electric Power - opposite train motive and control power
  • Refueling Water Storage Tank - tank and its associated discharge valves
  • Diesel Generator - opposite train
  • Condensate Storage Tank - source of water for the turbine driven auxiliary The Tier 3 risk management actions as described below will address the availability of these systems relative to the implementation of this CT.

Tier 3 Risk Informed Plant Configuration Control and Management The objective of the third tier is to ensure that the risk impact of out of service equipment is evaluated prior to performing any maintenance activity. As stated in Section 2.3 of Regulatory Guide 1.177, "a viable program would be one that is able to uncover risk significant plant equipment outage configurations in a timely manner during normal plant operation." The third tier requirement is an extension of the second tier requirement, but addresses the limitation of not being able to identify all possible risk significant plant configurations in the second tier evaluation. The risk impact associated with performance of maintenance and testing activities is evaluated in accordance with the CPSES Work Scheduling Process (Work Control Instruction WCI-203). A risk assessment is performed for activities as part of a weekly schedule review. Compensatory measures are addressed for activities deemed to be risk significant. The weekly scheduled activities and associated risk assessment are reviewed by the CPSES PRA Group. The Work Scheduling Process also addresses the impact on the risk assessment due to added or emergent activities and activities which have slipped from the schedule.

Internal Flood Analysis.

The internal flooding methodology is that used in the IPE. The CPSES PRA includes an extensive evaluation of the plant with respect to its susceptibility to internal floods. The internal flood initiating event assessment evaluated the potential flood sources in the plant, the propagation.,

pathways the water (or other liquid) would follow throughout the plant, and the equipment that could be failed if submerged in the flood waters. For the flood analysis, a detailed analysis was performed to identify flood tight doors in the plant, curbs that would keep water from entering a room, maximum potential water depths, and potential operator actions to stop the flood or mitigate its consequences. The internal flood analysis assumes a failure of all the equipment located in the flood zone where the flood initiates, and a failure of the equipment below the flood depth in the rooms into which the flood waters propagate. Although the internal flooding analysis uses thesame internal events model, the results are maintained separately.

While the methodology has remained unchanged from the IPE, the internal events model was recalculated when the PRA model was updated. As part of Revision 3 of the PRA, all internal flooding inputs were re-assessed and each of the individual compartments re-quantified. The results of the requantification were that internal flooding contributes less than 1% of the internal events CDF.

This represented a significant reduction from the IPE results which occurred because the dominant sequences were re-assessed to take credit for plant equipment mitigating flood propagation.

A to TXX-07110 Page 22 of 24 External Events Analysis The external events assessment performed in support of this DG Completion Time extension request was based on the work performed in support of the CPSES IPEEE. The NRC identified several approaches in this GL and NUREG-1407 that could be used for external events evaluations. Prior to responding to GL 88-20, Supplement 4, CPSES reviewed the various methods and options in GL 88-20, Supplement 4 and NUREG-1407 for the evaluations. At the present time, CPSES has not updated these IPEEE based assessments. However, the insights provided in thesestudies do provide a starting point to address the impact the requested CT extension may have on the plant's PRA external events.

The CPSES PRA internal events model does not include contributions from internal fires, internal floods, seismic events, and other external events. A combination of qualitative and quantitative evaluations of these events is provided in responses to RAIs 7 through 11. These quantitative and qualitative assessments demonstrate that when the potential for recovery of either the AACPS or recovery of offsite power is considered, the change in risk from external events is small.

The following provides an overview of the methodologies chosen in support of the CPSES IPEEE assessments.

Seismic Analysis CPSES chose the Seismic Margin Methodology that is based on the EPRI methodology described in EPRI NP-6041 for the seismic margin. This methodology consists of defining the equipment required to safely shutdown the plant following a review level seismic event and then evaluating the equipment through walkdowns and margin analysis to show that the equipment will survive at the review level seismic accelerations.

For a reduced-scope plant, the NRC specified that the review level earthquake should be the safe shutdown earthquake (SSE) ground response spectra and in-structure response spectra. The scope of the seismic margin evaluation for the reduced-scope plant consists of two principle tasks: first, to demonstrate the seismic design of SSE equipment at the SSE level and second, to perform field review/ walkdowns of the equipment.

The results of the IPEEE seismic margin evaluation demonstrate that there are no vulnerabilities from seismic events at CPSES. This evaluation further confirmed that the Seismic Category I and Seismic Category II structures at CPSES have been designed in accordance with the Final Safety Analysis Report (FSAR) requirements to withstand the loads generated due to the safe shutdown earthquake, and that the equipment required to function in order to safely shutdown the plant and provide containment isolation and cooling, given a seismic event, meets the design requirements for Seismic Category I equipment and is adequately installed with regard to anchorage and systems interaction considerations.

Internal Fire Analysis The analysis supporting the previous submittal is based on an internal events PRA model, but additional insights have been derived from the existing CPSES Fire Analysis with regards to scenarios that would be impacted by this requested DG CT extension. The Fire Analysis referred to is actually the CPSES Fire IPEEE that follows the methodology described in the EPRI Fire Risk Analysis Implementation Guide. The methodology evolves in four technical tasks following the progression of the fire accident from fire initiation to core damage and challenge to the containment integrity. The methodology incorporates these tasks into a blended approach that encompasses accident sequence A to TXX-07110 Page 23 of 24 development, data base development, spatial effects, Human Reliability Analysis, scoping issues, quantification and documentation.

The results of the Fire IPEEE study show the estimated total Core Damage Frequency (CDF) due to fire events for CPSES to be approximately 1/3 of the internal events CDF including internal fire as calculated for the IPE (2.09E-5 vs. 5.72E-05 per reactor year). The IPEEE fire results concluded that CPSES has no plant-specific vulnerability to severe accidents from fires.

High Winds The tornado risk assessment methodology used in the IPEEE study considers 1) the frequency and intensity of tornadoes which may strike CPSES, 2) the vulnerability of plant structures and components to tornadoes and tornado-generated missiles, and 3) plant accident sequence models to determine the probability of core damage given tornado-induced system/component failures. The core damage frequency is defined as the product of the tornado strike frequency and the conditional probability of core damage given a tornado strike.

The analysis included the development of a tornado hazard model using the reported tornado events in the statistical data base from the National Severe Storms Forecast Center for an area surrounding the CPSES plant site. Based on reviews of the CPSES tornado design criteria and detailed plant walkdowns, component and structural vulnerabilities were identified. Fragilities of these vulnerable structures were developed and integrated into a plant risk model, which was derived from the accident sequence models developed for analysis of internal events as part of the CPSES IPE.

The overall IPEEE core damage frequency due to tornadoes at CPSES is estimated to be 3.7E-06 per year. This is based on a total tornado strike frequency on the plant site of 5.OE-04 per year (with intensity F1 or higher). The overall results indicate that the core damage risk from a tornado strike at CPSES is quite low. The dominant sequences do not involve tornado-induced failures of plant structures or equipment; rather they involve tornado-induced loss of offsite power. This is due to the fact that nearly all risk-significant equipment is protected within Seismic Category I structures that are designed to withstand tornadoes up to the design basis tornado. These results demonstrate that there is no plant-specific vulnerability at CPSES from high winds.

External Floods The occurrence of external floods that can cause plant damage is also location specific. The CPSES IPEEE concludes that the Category I building structures (including the DG Buildings and Electrical and Control Buildings) are not under a threat from external flooding, even in the worst conditions of probable maximum precipitation or potential dam failures. Further, due to the plant's location, CPSES is not subject to floods that could cause a LOOP. Given the availability of an AACPS, which would also be unaffected by external flood, the risk associated with this extended CT due to external flooding events, is insignificant.

Other External Events Other external events include transportation accidents, accidents at nearby facilities, and the other external events listed in Table 4.1 of NUREG-1742. As concluded in the NUREG, these events do not account for a significant risk contribution in any of the IPEEE submittals. In addition, the plant events that could be caused by these external events do not require the EDGs for mitigation without additional failures. The requested CT extension relies heavily on the AACPS which would remain available following these kinds of events. This conclusion is consistent with the results and insights from the CPSES IPEEE and supports the requested CT extension.

A to TXX-07110 Page 24 of 24 Summary The preceding discussion establishes a sound framework for review of Luminant's request to change the plant Technical Specifications (TS) to extend the allowable Completion Time (CT) for restoration of an inoperable Emergency Diesel Generator (EDG). The introduction described the technical quality of the PRA model in terms of completed reviews and resolution of issues. The discussions identified the principal changes and summarized the methodology and results from the re-analysis based on the updated Probability Risk Analysis (PRA) model. Important elements of the PRA model, such as modeling of the RCP Seal LOCA, recovery from a LOOP and external events analyses have been provided for background. This information should be helpful to establish a context for review of the RAIs that follow.

B to TXX-07110 Page 1 of 39 ATTACHMENT 1B TO TXX-07110 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION RELATED TO LICENSE AMENDMENT REQUEST (LAR)06-009 REVISION TO TECHNICAL SPECIFICATION (TS) 3.8.1, "AC SOURCES - OPERATING," EXTENSION OF COMPLETION TIMES FOR DIESEL GENERATORS B to TXX-07110 Page 2 of 39

1. The calculations of the change in core damage frequency (DCDF) and change in large early release frequency (DLERF) effectively assume a single entry into the extended 14-day completion time (CT) each year, but no such restrictions have been identified and the licensee specifically states they will use the 14-day CT for corrective maintenance if needed. The licensee has identified the recent corrective maintenance history, but has not identified frequencies and durations of any proposed planned preventive maintenance which would be implemented using the extended CT. The licensee is requested to justify the assumption of one 14-day CT per year, or provide appropriate risk analyses for more realistic assumptions, or proposed appropriate restrictions on the applicability of the extended CT.

CPSES RESPONSE:

RG 1.177 states that changes to the component unavailability model for test downtime and maintenance downtime should be based on a realistic estimate of expected surveillance and maintenance practices after the TS change is approved and implemented. It further states that the component unavailability model should be based on plant-specific or industry-wide operating experience, or both, as appropriate. The change that is under evaluation is a proposed TS change extending the DG Completion Time (CT) from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days.

Applying this proposed change in availability in an evaluation established that the change in risk is below the threshold set by the guidelines. RG 1.177 does not require pre-

,determination of specific frequencies and durations for planned maintenance, but it does require adjustment of the component availability model to reflect a realistic estimate of planned downtime. Such an adjustment has been evaluated based on the CPSES intention to use this CT only once a year for planned maintenance. This expectation does not constitute a restriction, i.e., it does not preclude use of this CT for unplanned maintenance. CPSES acknowledges that unplanned maintenance can affect actual accumulated downtime and those impacts will be captured in the periodic updates of plant data.

A case which increased the average test and maintenance in the model of record for the EDG by 14 days was analyzed. Although the results indicated that the change in CDF and LERF would exceed the threshold criteria in RG 1.174 and RG 1.177, this sensitivity case was not used as the basis for the requested CT extension. Increasing the average TM is conservative since the extended CT is not expected to be utilized each year for each EDG and, when entered, is not expected to be utilized for the full duration. In addition, for the purposes of the sensitivity analyses, compensatory actions, such as availability of a temporary power source and limitations on other maintenance activities were not considered.

It is anticipated that the extended CT will only be used for one DG once per cycle (18 months) per unit for planned maintenance. Historically the EDGs at Comanche Peak Steam Electric Station have never been out of service for more than 3 days while the units were at power.

Thus the assumption that this CT will only be used once per year for planned maintenance is realistic.

During the extended CT, the following maintenance items are typical examples of what would be considered for completion; this is not an all-inclusive list. Depending on the frequency of the maintenance items and their due date, the scope of work to be performed would have a duration of approximately 4-7 days followed by 2 days of post-maintenance work and testing.

B to TXX-07110 Page 3 of 39 PERIODIC MAINTENANCE FREQUENCY PERIODIC MAINTENANCE FREQUENCY

SUMMARY

(DAYS)

SUMMARY

(DAYS)

REPLACE FILTER ELEMENT 550 INSPECT PARTIAL DISCH CABLE 1098 PERFORM CLEAN FO BOOSTER PMP STRNR 550 A ELCLRC SAF.REL.CALIBR/CHECK 1098 REPLACE FUEL OIL STRAINER 550 REPLACE CALCON SWITCH 1098 CLEAN FO XFR PMP STRAINER 550 CHECK LOCKOUT 1098 LUBE GOV/FUEL PMP LINK 550 CONNECT TEMP AIR COMP BAR 1098 DEVICE REMOV/INSTALL MISSL SHLD AS FOUND FIRING PRESSURES 550 DGI-'L 1098 INSPECT ENGINE FOR LEAKS 550 TEMP OIL PUMP INSTALLATION 1098 REPLACE LUBE OIL FILTER 550 INSPECT/ADJUST DRESS TIE 1098 RODS POST MAINTENANCE/TESTING 550 PERFORM MSE-PO-0865 1098 REPLACE HOLD DOWN BOLTS 550 PERFORMNCE OF MSE-P1-0871A 1098 VERIFY TORQUE VOLD HOLD DOWN 550 REPLACE INTAKE AIR FILTERS 1098 BOLTS TEST/INSPECT/REWORK RELIEF 550 REPLACE MASTERFAN FILTER 1098 VALVE INSPECT EDG DOGHOUSE 550 REPL FLTR ELEM/REWRK BAR 1098 DEVIC REPLACE POWER ELEMENT 1098 REPLACE START AIR DIST 1098 FILTER CHNG OIL/FILTER/STRAINER/INSPECT 1098 REPLACE MASTERDRIVE FAN 1098 VALVE CAL.OF METERS & RELAYS 1098 REPLACE COUPLING AND 1098 GASKET CALIBRATE MULTIPLE SWITCHES 1098 TEST MPR-1 RELAY 1098 REPLACE ELASTOMERICS 1098 SUBCOVER BOSS LP 1830.

INSPECTION JACKET WATER KEEP WARM REPLACE/INSPECT INJECTORS 1098 PUMP/MOTOR TEARDOWN 2190 INSPECTION LUBE BUTTERFLY AIR 1098 REPLACE HAND SWITCHES 2190 VALVE/INSPECT REPLACE GOVERNOR DRIVE CALIBRATE AND INSPECT COUPLING ELEMENT MULTIPLE SWITCHES INSPECT ENGINE INTERNALS 1098 INC-2060 CALIBRATION 2190 INSPECT FOUNDATION BOLTS 1098 REPLACE 3-WAY VALVE & 2190 CALIBRATE INSPECT SUB COVER ASSEMBLY 1098 REPLACE P1 AND P2 2190 VISUAL INSPECTION REPL OVERSPEED TRIP GOV 2190 PISTONS/LINERS/BLOCK COUPLG INSPECT GEARS FROM 1098 INSPECT INTERCOOLER 2190 CRANKCASE TEST START AIR VALVES/BLOW 1098 CRANKSHAFT THRUST/COLD 2190 DIST LINES WEB INSPECT ENGINE CONTROL 1098 RECORD HOT WEB 2190 CABINET DEFLECTIONS INSPECT ENGINE CONTROL 1098 REPL SOL VALVES UNIT 1 A-TRN 2190 PANEL PERFORM START/STOP LOGIC INSPECT METERING DEVICE TEST 1098 SHAFT 2190 INSPECT GENERATOR CONTROL 1098 REPLACE BATTERY FOR MPR- 2190 PANEL 1/lEG1 CHANGE GOVERNOR OIL 1098 INSPECT FLEX CONNECTION 2190 REPLACE FILTER ELEMENT 1098 REPLACE DIGITAL SPEED 2190 CONTROLLER CLEAN LUBE OIL STRAINER 1098 REPLACE RONAN ANNUCIATOR 2190 CARDS CLEAN STRAINER BASKET 1098 REPLACE GASKETS ON 2190 TURBOCHARGER B to TXX-07110 Page 4 of 39

2. The licensee stated with regards to the potential for common cause failure (CCF) of the remaining operable diesel generator (DG), that if a common mode failure exists, Technical Specification (TS) 3.0.3 would require the plant to be shutdown. It is not clear to the staff why TS 3.0.3 would always apply under these circumstances, since the existing TS 3.8.1 provides action requirements. The licensee is requested to clarify the TS applicability in the event of a discovery of a CCF mode affecting the DGs, including any cross-unit considerations.

CPSES RESPONSE:

The potential for common cause failures is addressed in both the Technical Specifications and in the PRA model. TS 3.8.1 Condition H, with three or more required AC sources inoperable, would require the plant to enter LCO 3.0.3 immediately. Condition H corresponds to a level of degradation in which all redundancy in the AC electric power supplies has been lost. However, if two EDGs were inoperable, TS 3.8.1, Condition E would be entered to restore one DG to OPERABLE status within two hours. If Condition E is not satisfied, TS 3.8.1 Condition G requires a unit shutdown to Mode 3 and Mode 5 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />, respectively. The action requirements from the existing TS 3.8.1 govern independent of the length of the CT.

There are no cross connect capabilities between unit EDGs. However, plant practices and TS 3.8.1, Required Action B.3.1 states, "Determine OPERABLE DG(s) is not inoperable due to common cause failure," and therefore would trigger the other unit's EDGs to be checked if a common cause failure mode were to be identified. The other unit would then take actions as necessary to comply with the Technical Specifications.

3. The licensee has identified the modeling assumptions with regards to the alternate AC power source (AACPS). The staff has additional questions regarding how the AACPS is credited in the risk analyses supporting this proposed change:
a. It is not clear whether the model assumes an automatic start and load capability of the AACPS with manual operator backup, or whether the manual operator action is always required. Section 1.0 of Attachment 1 of the licensee submittal states that the AACPS would be started manually or automatically, and connected to the bus when it has achieved rated voltage and speed.

Section 4.2.4.2 however states that no credit is taken for scenarios due to insufficient time for manual starting and loading. The licensee is requested to clarify the specific assumptions for the risk analyses with regards to starting the AACPS, connecting it to the emergency bus, and starting the required equipment, including whether actions are accomplished locally or from the control room. If local actions are required, the licensee should further discuss how human reliability for the AACPS was evaluated, including dependencies with other potential actions required by the probabilistic risk assessment (PRA) model and by Comanche Peak Steam Electrical Station (CPSES) emergency procedures for station blackout.

CPSES RESPONSE: I The AACPS was assumed to be started with a local manual action by an immediately available operator for the PRA analysis. This was the worst case since no credit could be taken during a large LOCA or medium LOCA strictly due to timing considerations. The manual start assumption is based on B to TXX-07110 Page 5 of 39 preliminary design and does not preclude provision for an automatic start feature.

Connection to the emergency bus and stafting the required equipment are assumed to be automatic. The AACPS output breaker will be automatically closed as will be the 1E bus breaker. This latter breaker will have logic to prevent closing on a live bus. The AACPS output breaker logic also prevents closing prior to the diesel being able to supply the correct voltage at the correct frequency.

The AACPS will then be connected to the bus automatically and the appropriate equipment will be loaded automatically by the sequencer. The blackout sequencer is armed when the bus loses power. When the bus is re-energized, the sequencer starts automatically. The logic in the plant PRA for load sequencing will be the same for the CT analysis since the same sequencer will be used.

The value used for the operator failure to start the AACPS was based on human reliability analysis (HRA) performed using the EPRI HRA Calculator software.

The considerations in this analysis were that a procedure would exist, an operator would be immediately available to accomplish this task, and timing requirements for prevention of an RCP Seal LOCA would be in place.

In addition, RAI response 17 describes the AACPS conceptual design criteria specifications.

b. The licensee stated an assumption that the AACPS would be connected to the emergency bus within 15 minutes of detection of a loss of offsite power.

(LOOP), and therefore the AACPS would have the capacity required for safe shutdown. No basis was provided for the 15-minute time, and additional time to manually start required loads was not addressed. The licensee further identified that the reactor coolant pump seal loss of coolant accident (LOCA) model used in the PRA model uses Westinghouse Commercial Atomic Power (WCAP)-15603 Revision 1-A. This model assumes that a 13-minute interruption of pump seal cooling may result in the development of excessive leakage. The licensee is requested to clarify the basis for the assumption of 15 minutes to connect the AACPS and its potential impact on the assumptions of the PRA model with regards to seal LOCAs.

CPSES RESPONSE:

The original 15 minutes was provided as an initial input parameter for the design of the AACPS primarily to communicate the need for an automatic start capability or the assignment of an immediately available operator. The time requirement has since been stipulated as 13 minutes for the AACPS design which includes starting the AACPS, energizing the bus, and sequencing on all the loads.

It should be noted that the PRA model had already incorporated the WCAP limitations with respect to the 13 minutes. This meets the requirements of WCAP-15603, Revision 1A. Thus, this change did not affect the methodology or numerical results of the analysis.

c. It is not clear from the licensee's submittal if a specific AACPS has been identified, either permanent or temporary. Therefore, specific assumptions in B to TXX-07110 Page 6 of 39 the risk analyses regarding the reliability of the AACPS, its fuel supply, its output breaker, procedures for operation, human reliability and the associated procedural bases, are not defined. The licensee is requested to provide a basis for the assumptions regarding reliability of the AACPS as a system (including the above specific items) being equivalent to the existing DGs.

CPSES RESPONSE:

The description of modeling for the AACPS indicated an assumption that the failure probability assigned to the 1E bus breaker was the same as that of the existing EDG output breaker. The reliability of the AACPS as a system (including its output breaker and fuel supply) was not assumed to be the same as the installed EDGs. The failure rate of the AACPS system hardware was increased by a factor of 2. This reliability assumption is consistent with industry practice when non-safety related equipment is used in lieu of safety related equipment.

The failure of the operator to start the AACPS was calculated using the present procedure for starting a temporary outage diesel assuming that the AACPS would have an immediately available operator. The AACPS output breaker was assumed to have the same failure probability as the permanent EDG output breaker since it will provide the 1E protection for the safe shutdown bus (1EA1/2) and will be of similar design as the present EDG output breaker.

Common cause for this breaker was included in the model for the AACPS and the EDG output breaker. This new 1E bus breaker will automatically close. It was also assumed that since the AACPS would be manually started that it could not be credited during either a large or medium break loss of coolant accident (LOCA) due to time constraints. Common cause failure was not modeled for the AACPS mechanical system since the AACPS will be of a different design than the currently installed EDGs.

d. The licensee stated that the AACPS would require a 24-hour fuel oil supply.

This is less than the 7-day supply required by the CPSES TS 3.8.4. Typically, the PRA mission time is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, but this assumes a safe stable end state has been achieved, which would not be the case if the AACPS did not have fuel oil beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The licensee is requested to discuss the availability of additional fuel oil beyond 24-hours to support the continued use of the AACPS under emergency conditions.

CPSES RESPONSE:

The design of the AACPS will have enough fuel to run for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and there will be means to provide fuel until either offsite power is restored or the EDG is made operable. Several methods are available to accomplish this. The AACPS design will require a fuel tank that with sufficient capacity for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation at maximum rated load. After that time, CPSES will refill the tank by either using the inventory in the existing EDG fuel oil tank, an offsite fuel oil vendor by way of a contractual arrangement, or other existing diesel fuel oil tanks onsite (i.e., auxiliary boiler fuel tank). Therefore, the AACPS will have sufficient fuel oil available for operation until either offsite power is restored or an emergency diesel. is restored to OPERABLE.

B to TXX-07110 Page 7 of 39

4. The licensee is requested to identify the specific version and date of the probabilistic risk assessment (PRA) model applied for the risk evaluations supporting the proposed change, and identify any plant changes (i.e., modifications, procedure revisions, or other items) not yet incorporated into the PRA model, including justification that such unincorporated changes do not adversely impact the stated risk impact.

CPSES RESPONSE:

The revision of the PRA model being used for this RAI response submittal is Revision 3C dated June 2007. The original CT extension request was based on Revision 3B dated May 2005. CPSES Unit 1 steam generators were replaced during the twelfth refueling outage (1RF12) which was included in Revision 3C. For this reason the analysis supporting this CT extension request was re-performed to ensure that the latest plant changes were in the model used for this RAI submittal. The introduction to these responses contains the results of the re-analysis. Plant changes are routinely reviewed for impact on risk as assessed in the current model of record. The Revision 3C model had no outstanding issues and had resolved all peer review comments. At this time there are no -

unincorporated plant changes that would adversely affect the stated risk impact.

5. The licensee stated that the computation of incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP) were per the definitions in Regulatory Guide (RG) 1.177, and identified specific equations used to perform the calculations. However, RG 1.177 uses the increase above the nominal baseline risk, including contributions from nominal expected equipment unavailability, while the licensee calculations specify the use of the baseline CDF without test or maintenance contributions included. The licensee is requested to clarify its calculation basis, which appears to be different than the specific RG 1.177 guidance.

CPSES RESPONSE:

The initial analysis used the baseline without test and maintenance for the specific period where those activities had restrictions applied and the average test and maintenance model for the remaining duration. However, this re-analysis does not credit restrictions and therefore, the average test and maintenance model is used.

During the current review of the response submittal, a re-analysis was performed to ensure the most recent plant configuration is used. The re-analysis used the Revision 3C (dated June 2007) of the PRA model which reflects installation of replacement steam generators in Unit 1. For the re-analysis, the calculation was based on the average Test and Maintenance model for the plant. The results are documented and explained in the introductory paragraphs under "Methodology and Results for DG CT Re-analysis." The re-analysis meets the requirements of RG 1.177 in calculation of the risk increase from nominal baseline risk.

6. The licensee stated that for emergent repair-type use of the extended CT, the AACPS would be in place prior to exceeding the 72-hour CT, consistent with the TS Required Actions as proposed; however, the analyses of risk assume the availability of the AACPS throughout the 14-day CT. The licensee is requested to provide the applicable risk analyses without crediting the AACPS for the first 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> consistent with its stated intent of AACPS availability to support emergent repairs.

B to TXX-07110 Page 8 of 39 CPSES RESPONSE:

CPSES TS presently allow a 72-hour CT to accomplish either emergent work (repair) or planned work. The current 72-hour CT complies with the guidance in RG 1.93 (1974) and applies without an AACPS in place, so this initial period imposes no added risk.

Historical plant data for EDG unavailability due to emergent conditions has shown that CPSES has never exceeded the 72-hour CT. The LCO action and associated CT may be entered more than once a year for emergent repair-type activities. Historically at CPSES, there has been more than one such entry per year; however, the average duration of these entries is sufficiently low relative to the current CT, i.e., less than 0.5% total unavailability for the three year rolling average ending in the third Quarter of 2007. This average is not expected to change with the requested extended CT; however, there may be cases where the corrective or repair-type maintenance takes longer than the historical times. If necessary, Luminant will use the full CT to do the repairs. This will be tracked by the requirements of the Maintenance Rule and any actions required will be instituted.

In the rare instance, when emergent work for the EDG might exceed the currently approved 72-hour CT, extension of the CT up to 14 days would be appropriate provided an AACPS could be made available prior to the expiration of the current, non-risk informed 72-hour CT. Though use of the CT extension is not anticipated for emergent conditions, the existing TS together with the risk analysis crediting the AACPS for the extended CT support such an application.

7. The licensee's qualitative evaluation of external events including internal fires and floods considers only events which may cause a LOOP but which specifically do not impact the DGs or their support systems. The staff does not agree with this approach, since there may be internal flooding or fire scenarios which can cause a LOOP and also affect one of the two safety trains, which would be potentially significant for this application. The licensee is requested to identify whether there are such scenarios possible given the physical layout and separation of the offsite power circuits with regards to internal fires and floods, and if necessary provide additional analyses to disposition these scenarios.

CPSES RESPONSE:

The qualitative evaluation of external events previously provided has been revisited to address the concerns of this RAI and are provided in the response to this and later RAIs.

The existing PRA internal fire and flood evaluation addresses scenarios that could cause a LOOP and affect one of the two safety trains. These scenarios include areas such as the control room and cable spreading room where control functions associated with the EDGs and offsite power could be simultaneously impacted. However, fire or flood in individual EDG compartments cannot propagate into the other EDG compartment since there are barriers between the compartments designed to prevent that. As will be discussed in later RAIs, the availability of the AACPS when an EDG is removed from service during the extended CT is important as a replacement for the function lost due to removing an EDG from service. The AACPS and its associated equipment will be located and/or protected appropriately to preclude losing offsite power, the remaining EDG and the AACPS due to a single internal fire or flood event. Though design of the AACPS is in the conceptual stage, key requirements have been defined and are detailed in RAI 17.

B to TXX-07110 Page 9 of 39 Internal flooding currently contributes less than 1% of the internal events CDF. The dominant flooding scenarios do not impact the EDGs. Additionally, with the exception of a multi-compartment scenario there are no internal flood scenarios that would impact both EDGs simultaneously. The placement of the AACPS will be such that it will not be affected by internal flooding caused by plant system piping breaks. Therefore, no internal flooding scenarios exist that would simultaneously impact the AACPS and either of the permanent EDGs. The AACPS will be air cooled and thus will not have any source of flooding to disable it. The AACPS design will preclude the use of common support systems with the existing plant EDGs. The cable routing will be designed such that it will not be affected b' internal flooding. Thus internal flooding is not a concern with the AACPS.

Similarly for internal fires, because of the location, cable routing and spatial consideration with respect to the remaining EDG, the AACPS can be considered independent and appropriately separated. Therefore, except for the difference that results from the assumption of a higher failure rate, the AACPS is considered a replacement for the EDG. The fire scenarios that were potentially risk significant (Control Room and Cable Spreading Room) were the same scenarios identified in the IPEEE as they can impact both offsite power and the remaining EDG. However, as discussed above and in the following RAIs, the AACPS provides an alternate AC power source that minimizes the risk increase associated with this CT extension request.

8. A seismically-induced LOOP frequency of 5E-5 per year was demonstrated and compared to the nominal LOOP frequency of 3.49E-2 per year to conclude that the additional risk from seismic events was small. However, for this application, the non-seismic LOOP events can be mitigated by the AACPS which would not be available after a seismic event. Further, recovery of offsite power following a seismic eventis not likely until some significant time after the event. The licensee is requested to provide additional evaluation of the conditional core damage probability given a seismically -induced LOOP, with no credit for offsite power recovery, no credit for AACPS, and one DG unavailable over the 14-day extended CT, to provide a more conclusive argument for low risk of seismic events.

CPSES RESPONSE:

The following additional evaluation is provided to support the conclusion that the risk from seismic events can be considered low.

The current PRA model (Revision 3C, see earlier discussion on model revision) was recalculated using the following assumptions/configurations to obtain a conditional core damage probability (CCDP) given a seismically induced LOOP, with no credit for offsite power recovery, no credit for AACPS, and one EDG unavailable.

The baseline, full power plant alignment file was used. This aligns the plant model to a configuration where train "A" is the running train and train."B" is the standby train. This configuration allows for the current set of test and maintenance events modeled in the PRA to be considered in this case unless otherwise stated.

Setting all initiating events to "false" with the exception of the initiating event that represents the loss of offsite power associated with grid-centered events.

This initiating event was set to "true." This will put the model into a B to TXX-07110 Page 10 of 39 configuration where offsite power is not available. In addition, by setting the grid-centered initiating event to "true," no offsite power recovery can be applied.

The event associated with train "B" EDG being in test and maintenance was set to "true." This ensures that no credit will be given to the availability of that EDG and that credit to recover that EDG also would not be credited.

The event associated with train "A" EDG being in test and maintenance was set to "false." This was done to account for TS limitations which prevent work being done on the remaining EDG.

The calculation of conditional core damage probability (CCDP) does not credit the presence of the AACPS, due to its non-seismic design. However, as CPSES is located in an area of low seismicity, there is a potential (although not credited) that the AACPS may remain available following a seismic event.

No additional failure of the remaining plant equipment was assumed due to the seismic initiating event. CPSES has been identified as being in a region of low seismicity and was classified as a reduced scope plant during the plant's IPEEE assessment. A seismic margin evaluation was performed in support of the IPEEE.

In summary, based on its review, the Seismic Review Team (SRT) concluded that the Seismic Category I and Seismic Category II structures at CPSES have been designed in accordance with the FSAR requirements to withstand the loads generated due to the SSE.

The SRT has also concluded that the equipment required to function in order to safely shutdown the plant and provide containment isolation and cooling given a seismic event meets the design requirements for Seismic Category I equipment and is adequately installed with regard to anchorage and systems interaction considerations. The results of the seismic margin evaluation demonstrated that there were no vulnerabilities from seismic events at CPSES. Therefore, no additional failures of plant equipment will be assumed.

Seismic events can cause a LOOP by impacting the plant's electrical distribution system.

The LOOP could occur within the plant's switchyard or by an event that impacts the offsite power supply (grid) to the plant. The weak point of the electrical power distribution system, with regard to seismic events, is the ceramic insulators. A typical high confidence low probability of failure (HCLPF) acceleration for a ceramic insulator is 0.1 g (ground acceleration). If it is assumed that at this ground acceleration level a LOOP will occur, then the frequency of a LOOP can be determined from the annual probability of exceedence for peak ground acceleration (Apkendix A of NUREG-1488, "Revised Livermore Seismic Hazard Estimates for Sixty-Nine Nuclear Power Plant Sites East of the Rocky Mountains"). The seismically induced LOOP frequency, based on the mean values, would be approximately 5E-05.

The PRA model was re-evaluated. A CCDP was found that represents the loss of all offsite power and the failure of the remaining EDG, its supports or its controls. That conditional probability was found to be 4.20E-02. Applying this configuration based CCDP, the risk associated with a seismically-induced LOOP, with no credit for offsite power recovery, no credit for the non-seismic designed AACPS, and one EDG unavailable over the 14-day extended CT can be calculated as follows:

B to TXX-07110 Page 11 of 39 CDF = Seismically-induced LOOP frequency

  • CCDPLOOP-1EDG OOS- No Offsite Recovery
  • 4.20E-02
  • 14/365.

CDF = 8.05E-08 The likelihood that either offsite power or the AACPS would be available or recoverable (due to the low seismic region associated with the CPSES location) would lower this configuration risk.

Based on the results of the above assessment, it can be concluded that the risk due to a seismically-induced LOOP during the proposed CT is acceptable.

9. The licensee identified insights from the CPSES Fire PRA with regards to scenarios which cause a LOOP. The staff has additional questions regarding these events:
a. The licensee had previously stated that it only had an internal events PRA model; it is not clear to what the "CPSES Fire PRA" refers.

CPSES RESPONSE:

The "CPSES Fire PRA" referred to in the question above is the fire assessment performed in support of the IPEEE. The Fire IPEEE follows the methodology described in the EPRI Fire Risk Analysis Implementation Guide. The methodology evolves in four technical tasks following the progression of the fire accident from fire initiation to core damage and challenge to the containment integrity. The Fire IPEEE methodology incorporates these tasks into a blended approach, which is outlined below:

  • Fire-induced Accident Sequence Analysis
  • Fire Data Base Development
  • Fire-induced Accident Scenario Development
  • Multi-Compartment Analysis
  • Control Room/Cable Spreading Room Analysis
  • Human Reliability Analysis
  • Documentation and Closure of Fire Risk Scoping Study Issues
  • Quantification and Documentation The methodology begins by developing the IPEEE Fire scenarios containing fire-induced sequences. These fire-induced sequences start with a fire in an area followed by a combination of random and fire-induced equipment failures and human failures that lead to core damage. This was done in two steps, first by screening the fire areas and compartments to determine if any fixed ignition sources or targets related to an accident initiator or IPE components were present, and then by modifying the IPE models to incorporate fire-induced initiators and appropriate equipment failure modes. The resulting IPEEE/Fire scenario was then linked to the plant equipment location database.

Plant specific and industry databases were used for the fire evaluation. In order to determine the impact of a fire on the plant, it was necessary to know what equipment in a particular area can cause a fire and at what frequency, and given a fire, to know what equipment could be damaged. Two plant-wide databases were used to obtain information representative of the as-built plant to identify B to TXX-07110 Page 12 of 39 equipment in the fire areas/fire zones and to obtain cable location and connecting data for raceways transiting an area/zone. Using these databases, several other plant specific databases were created for use in this study. In addition, equipment location databases were created to link fire scenarios to the IPEEE Fire analysis.

Fire-induced scenarios were developed with respect to ignition sources, targets; propagation and potential damage, and suppression. The fire scenarios were defined by identifying the ignition sources and the potential target or target set(s). These target sets uniquely impact the plant response to the fire damage.

Fire propagation and damage were evaluated using the IPE/fire model and the databases. The response of the fire suppression system to the fire ignition and propagation was also modeled. In developing fire scenarios, both automatic and manual means of suppression were considered using the information derived from the Fire Events Databases.

The quantification of core damage frequency due to fire for various fire scenarios was performed consistent with the IPE quantification approach. Fire-induced accident sequences and their associated system fault tree models were quantified using the Computer Aided Fault Tree Analysis (CAFTA) computer software.

First, CCDP associated with random failures and fire-induced equipment.failures for the various scenarios were calculated. Then, each CCDP was combined with a fire ignition frequency, and where appropriate for the specific scenario, with human error probabilities and non-suppression probabilities to obtain a CDF for the scenario.

To .determine risk of Control Room and Cable Spreading Room fires, it is necessary to evaluate the functions that are disabled and to determine the resulting core damage frequency. This was done using the guidelines in Appendix J of the Fire Risk Analysis Implementation Guide.

A human reliability analysis (HRA) was done. The methodology used for this analysis is a continuation of methodology developed for use in the IPE study.

The purpose of the human reliability analysis was to study the required operator responses to fires in the control room, the cable spreading room and. other locations in the plant and to quantify the effectiveness of operators in taking various actions as determined by the Fire IPEEE. The responses of the operators to fires at CPSES are coordinated by the use of the Abnormal Conditions Procedures (ABNs) and .the Emergency Operating Procedures (EOPs), as appropriate. These procedures, in conjunction with operator training programs and simulator experience, are the basis for this study.

Multi-compartment scenarios address the effects on plant safety should a fire propagate beyond a single fire compartment. If the fire is severe enough and fire protection systems or personnel fail to suppress it, the fire or its products of

\ combustion may reach another compartment.

b. Three control room cabinet fires were identified as causing a LOOP but no further details were provided. The licensee should discuss: 1) the frequency of occurrence of these events (identified only as "very low"), 2) mitigation of these events, and 3) the capability to restore offsite power given the expected fire damage.

B to TXX-07110 Page 13 of 39 CPSES RESPONSE:

The three Control Room cabinets discussed in the request for the extended CT have a total initiating event frequency of 1.86E-04 per year. This value was derived in the original IPEEE Fire analysis. The Fire Events Database for U.S.

-Nuclear Power Plants (FEDB) provides a generic source of data that was used to support calculations of fire frequencies and ignition sources in the IPEEE assessments.

The FEDB categorizes Control Room fires as associated with relays, associated with circuit boards, and other incidental fires., The likelihood that a Control Room fire would occur in a critical cabinet was based on the number of fire initiating components in the cabinet. Therefore, the cabinets were reviewed to determine loadings of fire initiating components and the results were used to apportion the fire frequency over the cabinets. The above mentioned frequency of other incidental fires, as defined in the FEDB, was equally distributed over all the Control Room cabinets.

Fire in the group of cabinets discussed in the RAI question has the potential to cause loss of offsite power control from the Control Room but the EDGs remain available. This group includes cabinets CP1-ECPRCR-10, CP1-ECPRCR-41 and CP1-ECPRCB-12. ABN-803A,"Response to a Fire in the Control Room or Cable Spreading Room," requires operators to trip offsite power (if it were not already lost due to the fire in these cabinets) to lEA1 and locally start an EDG generator.

Therefore, offsite power is considered to be lost, as suppression of these cabinet fires prior to loss of function is not credited.

Recovery of offsite power would require some special local recovery action since controls are lost for either the startup transformers (XST1 and XST2) or the high voltage switchyard. Recovery of offsite power could be done from the remote shutdown panel (RSP), but ABN-803A currently provides no guidance for this action.

Therefore, using a CCDP which represents the loss of offsite power, no credit for recovery of offsite power and the failure of the remaining EDG, its supports or its controls (conditional probability was found to be 4.20E-02, refer to RAI 8), the risk associated with this proposed CT configuration can be assessed.

Given this CCDP the risk associated with a Control Room fire-induced LOOP, with no credit for offsite power recovery, one EDG unavailable over the 14-day extended CT can be calculated as follows:

Risk from Control Room fire event that leads to an induced LOOP during the CT

= Control Room fire -induced LOOP frequency

  • CCDPLOOP-1EDG OOS- No Offsite Recovery
  • time in configuration, Risk from fire event during the CT = 1.86E-04
  • 4.20E-02
  • 14/365, Risk from fire event during the CT = 3.OOE-07 B to TXX-07110 Page 14 of 39 As discussed below, the AACPS would remain available following a Control Room fire. The calculated risk from Control Room fires (3.OOE-07) would be reduced based on the reliability of the AACPS/Operator actions associated with this compensatory measure. The value used in the PRA model to support the DG CT was found to be 9.58E-02 based on quantifying the AACPS fault tree developed in support of this CT extension request. This represents an additional component failure which further reduces the risk from a fire induced event.

The risk from these fires can then be calculated taking into account the AACPS as follows:

Risk from fire event during the CT with AACPS = 3.OOE-07

  • 9.58E-02 = 2.87E-08 The design of the AACPS (as discussed previously in the Response to RAI 7 and later in RAI .17) is such that fire in the Control Room would not affect the AACPS beyond the Control Room staff notifying the designated operator to start the AACPS. Furthermore, the design of the AACPS considers fire and flood spatial considerations once inside the plant physical structures. That is the power cables from the AACPS to the switchgear rooms will be routed with consideration for train separation such that a fire in an area containing the remaining EDG equipment/cabling would not cause damage/loss of the AACPS or its associated cabling. This design consideration ensures continued capability of the AACPS to perform its compensatory function.

Based on the results of the above assessment, it can be concluded that the risk due to Control Room fire-induced LOOP during the proposed CT is acceptably small.

10. The licensee's analysis of high wind events stated that such events which cause a LOOP are already included in the internal event PRA model LOOP initiating event frequency. However, the licensee stated that the AACPS is not protected from natural phenomena or abnormal environmental or dynamic effects. Therefore, the availability of the AACPS is not assured by the licensee for these types of LOOP events. The licensee is requested to provide additional justification that the risk of such events is not significant for this application.

CPSES RESPONSE:

As identified in the initial submittal and in the NRC RAI question number 11, the CPSES tornado strike frequency from the IPEEE was found to be 5E-4 per year. The basic assumption in the IPEEE was that offsite power is lost due to high winds or generated missiles.

Therefore, using a CCDP which represents the loss of offsite power with no credit for recovery of offsite power and the failure of the remaining EDG, its supports or its controls (conditional probability was found to be 4.20E-02, refer to RAI 8), the risk associated with the extended CT can be calculated as follows:

Risk from high wind/tornado event that leads to an induced LOOP during the CT = high wind/tornado -induced LOOP frequency

  • CCDPLOOP-1EDG OOS - No OffSite Recovery
  • time in configuration, B to TXX-07110 Page 15 of 39 Q Risk from tornado event during the CT = 5E-04
  • 4.20E-02
  • 14/365, Risk from tornado event during the CT = 8.05E-07 This value does not consider potential risk reductions associated with the AACPS remaining available or some level of offsite power recovery in the calculation of high wind/tornado configuration risk.

First, the design of the AACPS enclosure structure, although not designed- for all tornado levels, will meet current building codes. Consequently, for lower level high.

wind/ tornados, there is some likelihood of the structure and AACPS to remain functional. F1 level tornados are defined as "moderate damage," having wind speeds between 73 and 112 mile per hour. The strike frequency for F1 tornados is 3.1E-04 per year compared to the total of 5E-04 per year used in this assessment. Therefore, the AACPS may remain available for these lower (more likely) tornados.

A second consideration is the recovery of offsite power. Although this simplified assessment assumes that offsite power is not recoverable, the current CPSES analyses provide some insight into the probability of offsite power being recoverable based on data associated with weather and grid centered events.

As discussed previously, CPSES uses the EPRI convolution method to address the offsite power recovery modeling. This method develops a set of non-recovery probabilities for each of the four LOOP event categories (plant-centered, grid-centered, weather-centered and grid-centered-blackout). A value of 5.OOE-01 was obtained for the non-recovery probability associated with loss of offsite power due to weather-centered events given the failure of the EDG, TDAFW pump failure to start, and the shortest available recovery.

time (1.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />). Similarly, a value of 9.65E-01 was found for grid-centered-blackout non-recovery probability given a failure of the EDG, TDAFW pump, and a 1.8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> time window. These values provide a range of non-recovery probabilities that can be applied for the scenario of interest, a tornado/high-wind induced LOOP. That is, the weather-centered data includes the impact from high winds and the plant-centered data provides information associated with longer duration recovery events. From this information, one can assume that some level of recovery can be applied which would further lower the

-risk associated with this CT extension request.

While this is an annualized calculation, it is recognized that severe weather risk and tornado risk in particular, is seasonal. That is, there are periods during the year when the likelihood of tornado strike is significantly reduced compared to the average. However, it is a good risk management practice to restrict scheduled maintenance using the extended CT to times of historically lower tornado frequency.

Based on the results of the above assessment, and the potentiaifor recovery of power from either the AACPS or recovery of offsite power, it can be concluded that the risk due to high wind/tornado-induced LOOP during the proposed CT is acceptable.

11. The licensee's analysis of tornado events identifies a strike frequency of 5E-4 per year, and identifies that the risk exposure over the 11 additional days of the extended CT is very small. The licensee then states that "offsite power non-recovery probability is very small beyond 3 days." The staff does not understand the significance of the 3-day period identified. As previously noted by the staff for these types of events, offsite power recovery may be significantly delayed due to the damage incurred, and a simple B to TXX-07110 Page 16 of 39 comparison with the nominal LOOP frequency is an inadequate justification that the risk impact is small. Further, as noted in RAI 10, the AACPS is not protected from natural phenomena and therefore may be unavailable to mitigate the impact of a tornado. The licensee is requested to provide additional justification that this external event is not a significant risk contributor.

CPSES Response:

The additional justification that tornado/high wind external event is not a significant risk contributor is provided in the response to RAI 10 above.

With discussion of the potential for recovery beyond 3 days, Luminant Power was trying to indicate that the likelihood of the event remains relatively small even when adding the additional Completion Time (11/365 days times the Initiating Event Frequency). The non-recovery probability for weather-centered events is such that if offsite power was not recovered in a relatively short period of time (in the first few hours) then the likelihood of recovery of offsite power does not change markedly (by an order of magnitude) until a significant period of time (on the order of weeks) has elapsed. That is, as the NRC has stated, "offsite power recovery may be significantly delayed due to the damage incurred." Because of the potential for delayed recovery an assessment of risk without crediting recovery has been provided in the response to RAI 10. That assessment concluded the risk due to high wind/tornado-induced LOOP during the proposed CT is acceptable.

12. The licensee's analysis of internal floods stated that these events contribute "less than 1% of the internal events risk". The licensee had previously stated that it only had an internal events PRA model which did not include contributions from internal floods.

The licensee is requested to discuss the basis for this quantitative assessment of risk.

CPSES RESPONSE:

The internal flood analysis is not an integrated portion of the internalevents model, thus the statement that the internal events model did not include contributions from internal flooding is an accurate description of the CPSES PRA model.

The statement on the relative contribution of internal flood to internal events risk is based on the updated flood analysis. The internal flood contribution was quantified as part of the Revision 3 model update and found to be approximately 7E-08.- This value represents less than 1% of the Revision 3 model's internal events CDF. Risk insights relative to flood analysis are based on Revision 3 of the model.

As discussed in RAI 7, the dominant flooding scenarios do not impact the EDGs.

Additionally, with the exception of a multi-compartment scenario there are no internal flood scenarios that would simultaneously impact the AACPS or the remaining operable EDG. The design and placement of the AACPS precludes internal flooding scenarios that would impact both the AACPS and either of the permanent EDGs. Therefore, the increase of the internal CDF cited above would be due to the decrease in reliability of the AACPS as compared to the out of service EDG. This decrease in reliability, which is small, is somewhat offset by the AACPS being independent of EDG and its support systems. Consequently, the change in risk due to internal floods would be a small contribution to overall risk.

B to TXX-07110 Page 17 of 39

13. The licensee's submittal did not identify if the risk analyses provided point estimates of the mean or actual means, nor was there any discussion of uncertainty analyses to support the calculations. The licensee is requested to address PRA model and parametric uncertainty using the guidance of RG 1.174 Section 2.2.5.

CPSES RESPONSE:

The risk analysis provides a best-estimate determination of the mean. This could be considered a point estimate since CAFTA does not propagate uncertainties within the solution.

Considering RG 1.174 Sections 2.2.5.2, "Parameter Uncertainty," and 2.2.5.3, "Model Uncertainty," since both RG 1.174 and RG 1.177 use change in risk as the base input to the associated metrics, model and parametric uncertainty exist for both the base and analysis cases and are thus not typically important to the conclusions of the analysis. The recent NRC clarification to RG 1.200 Revision 1 further recognizes that parametric uncertainty is addressed in the model quantification.

The analysis for the EDG CT extension request addresses completeness uncertainty (RG 1.174 Section 2.2.5.4) through evaluation of sensitivity cases and the external events risk assessments that have been previously described (RAI Responses 8, 9, 10, and 12). Based on the internal events model results and the external events analysis previously described, there is high confidence that the baseline, full scope, at power core damage frequency for CPSES is substantially less than 1E-04 (RG 1.174, Section 2.2.5.5 and Figure 3).

14. Section 4.1 of the licensee's submittal identifies administrative controls which would be applicable during the extended CT. In addition, Section 4.2.3 identifies plant equipment and activities which, if unavailable simultaneous with the DG, would likely result in a high risk configuration. The staff has additional questions regarding these portions of the submittal:
a. The licensee's submittal does not specifically identify whether these statements represent commitments. The staff notes that the licensee's risk analysis assumes no other testing or maintenance activities on other plant equipment. The licensee is requested to clarify their intent with regards to the RG 1.177 tier two portion of their request.

CPSES RESPONSE:

In CPSES' response to the NRC's request for additional information (RAI) number 18 below, CPSES has identified proposed restrictions when the Completion Time (CT) for the emergency diesel generators would exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. These compensatory measures and existing administrative controls will evaluate equipment according to plant risk and via 10CFR50.65(a)(4) and the CRMP when the extended CT is invoked. As stated in the amendment request, Station procedures will be revised as necessary and appropriate training will be provided to ensure adequate defense against human errors are maintained.

Station procedures will ensure consideration of prevailing conditions, including other equipment out of service, and implementation of administrative controls and proposed restrictions to ensure adequate defense-in-depth whenever a DG is out of service.

B to TXX-07110 Page 18 of 39 In addition, an AACPS with capacity equal to or greater than the capacity of the inoperable DG will be available as a backup to the inoperable DG prior to entering the 14-day CT. After entering the extended CT, availability of the AACPS will be verified every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and treated as protected equipment. In any event, if an AACPS of the required capacity is not available after entering the extended Completion Time period (after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> into the 14-day CT), the current TS 3.8.1 Condition G requirement to be in at least hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in cold shutdown within the following 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> would apply.

Furthermore, CPSES has a CRMP which has the characteristics of the Model Configuration Risk Management Program described in RG 1.177 and which was approved by the NRC on December 29, 1998 (Amendment numbers 62 and 48) for application to risk informed TS CTs. Its description has been incorporated into the plant TS (TS 5.5.18). In addition, CPSES has committed to NUMARC 93-01, "Industry Guideline For Monitoring The Effectiveness Of Maintenance At Nuclear Power Plants."

Currently CPSES uses the Safety Monitor software to perform online risk assessment. All PRA components are represented in Safety Monitor with the ability to take one or multiple components out of service. After the activities have been added (i.e., component taken out of service) the model is re-quantified and the CDF and LERF are re-calculated. The risk is then compared to preset values. Colors are used for the preset values based on the risk, where red indicates the most risk significant activity. Plant procedures require Management approval for entry into a LCO for planned maintenance activities that would exceed 50% of the applicable LCo CT or when the Safety Monitor software assessment indication shows red. Thus if the planned DG maintenance activity requires greater than 50% of the requested CT (i.e., greater than 7 days of

  • theproposed CT), existing plant procedures would ensure specific Management attention and heightened plant awareness in support of the planned activity.

This process is performed for all activities that affect a PRA component, initiating event, or recovery. The Work Control Group uses the weekly schedule to calculate the plant risk for the week on an activity basis. The proposed CT would be planned and added to the weekly schedule. The risk for the activity would be calculated with the weekly schedule. The weekly risk assessment will be reviewed and the appropriate Management approval will be obtained as required by plant procedures.

The process is the same for emergent activities. The risk is assessed prior to the emergent activity being worked. The risk is calculated and already scheduled activities may be moved to a later date or equipment put back in service to ensure that the plant risk remains acceptable. Again the risk will be reviewed and appropriate Management approval will be obtained as required by plant procedures.

The above compensatory measures, existing administrative controls, and process meet the RG 1.177 tier two requirements for avoidance of risk significant plant configurations.

B to TXX-07110 Page 19 of 39

b. The staff notes that the section 4.1 administrative controls items 2 and 3 are worded subtly different specifically, "weather conditions must be conducive to perform planned maintenance," and "offsite power supply and switchyard conditions must be conducive to perform maintenance". The licensee is requested to clarify the intent, if any, of the use and omission of the word "planned."

CPSES RESPONSE:

CPSES is required by plant procedures to consider the potential for severe weather when scheduling work. Specifically, plant procedures STA-604 and WCI-203 state, "Weekly Surveillance/Work Scheduling," requires, "The consideration and evaluation of potential external events such as severe weather, flooding, equipment lifting activities, etc. shall be applied to the Maintenance Risk Assessment when warranted by the potential for the external event."

Moreover, plant procedure ABN-907, "Acts of Nature," describes the operator actions to be taken in the event of severe weather and other acts of nature that may occur during any mode of operation. Specifically, the National Weather Service (NWS) has a continuous radio broadcast service of weather conditions in the Dallas-Fort Worth area. A receiver capable of receiving and decoding the NWS alert tone for severe weather notifications is monitored in the Control Room and Alternate Access Point for the issuance or cancellation of Severe Thunderstorm and Tornado Watches. Security personnel on duty in the Alternate Access Point will keep the Control Room informed of all watches or warnings issued or canceled by the NWS. Visual observations will be made by Security Officers and Safety Services personnel during the performance of their normal duties when a watch has been issued. The Control Room will be kept informed of visual observations regarding weather conditions by radio or telephone. Plant Equipment Operators are trained as SKYWARN spotters and may be utilized to determine weather severity.

The consideration for weather is based on historical data taken from the National Oceanic and Atmospheric Administration database. The data for CPSES was plotted based on the day of the year. From this graph it was evident that the April to June timeframe had the greatest probability of severe weather. It was, concluded that if this work was performed during any other time of the year the weather centered portion of the LOOP could be reduced. Therefore, administrative control number 2 was worded such that DG maintenance would not be scheduled to occur during those times of the year when weather conditions are not historically conducive. Note that when either planned or unplanned maintenance is performed on a DG, if weather conditions deteriorate, after commencement of the activity, such that risk to the plant increases, the DG will be restored to operable status if possible, or work will be either postponed or suspended, or other compensatory measures will be initiated to reduce risk. If approaching the end of the proposed extended CT and the DG cannot be restored to operable and if weather conditions are still deteriorated, the requirement to be in at least hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in cold shutdown within the following 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> would apply as required by CPSES' TS 3.8.1, Condition G.

B to TXX-07110 Page 20 of 39 Administrative control number 3 was worded so that planned or unplanned maintenance would not be performed if offsite power and switchyard conditions were not conducive to perform maintenance. Plant considerations related to avoidance and control and management of high risk considerations are explained in the Tier 2 and Tier 3 discussion in this attachment.

Lastly, the proposed restrictions in response 18 would be applied in addition to the plant procedures to consider the potential for severe weather, offsite power and switchyard conditions when scheduling work and operator actions as discussed above.

c. Section 4.1 states "switchyard access will be monitored and controlled," and discusses the procedure STA-629. It is not clear that this represents any unique administrative control, since switchyard access should normally be so monitored and controlled using approved plant procedures. The licensee is requested to clarify the intent of this administrative control as regards its representing a unique additional restriction on switchyard activities.

CPSES RESPONSE:

The statement that "switchyard access will be monitored and controlled" is not, and was not intended to imply, a unique additional restriction since CPSES normally monitors and controls the switchyard procedurally and administratively.

Work in the switchyard is controlled procedurally by Work Control, the Switchyard Coordinator, and Operations. The Work Control group coordinates plant work by means of a weekly schedule. The Switchyard Coordinator is responsible for all work in the switchyard. The Coordinator ensures that the work being performed in the switchyard is coordinated with the plant and in particular with the Work Control group and Operations. Operations has the overall responsibility for plant configuration and any work being performed is reviewed and approved by Operations. Work in the switchyard is administratively controlled by the Shift Manager of Operations who, by plant procedure STA-629, has sole authority to grant access to the switchyard.

These three groups ensure that the work being performed onsite is administratively controlled. Based on the above noted controls which physically limit access to the switchyard, this is not considered optimistic program assumptions. The final check is that the work being performed in the plant is reviewed for risk implications by both the Work Control group and the Risk Assessment Applications on a weekly basis.

Currently CPSES uses the Safety Monitor software to perform online risk assessment. All PRA components are represented in Safety Monitor with the ability to take one or multiple components out of service. After the activities have been added (i.e., component taken out of service) the model is re-quantified and the CDF and LERF are calculated. The risk is then compared to preset values. Colors are used for the preset values based on the risk, where red indicates the most risk significant activity. Plant procedures require management approval for entry into a limiting condition for operation (LCO) for planned maintenance activities that would exceed 50% of the required LCO CT B to TXX-07110 Page 21 of 39 or when the Safety Monitor software assessment indication shows red. Thus if the planned DG maintenance activity requires greater than 50% of the requested CT, existing plant procedures would ensure specific management attention and heightened plant awareness in support of the planned activity. External events are evaluated qualitatively to determine their impact on the configuration risk.

This process is performed for all activities that affect a PRA component, initiating event, or recovery. The Work Control Group uses the weekly schedule to calculate the plant risk for the week on an activity basis. The proposed CT would be planned and added to the weekly schedule. The risk for the activity would be calculated with the weekly schedule. The weekly risk assessment will be reviewed and the appropriate management approval will be obtained if required.

The process is the same for emergent activities. The risk is assessed prior to the emergent activity being worked. The risk is calculated and scheduled activities may be moved to a later date or equipment put back in service to ensure that the risk is acceptable. Again the risk will be reviewed and appropriate management approval will be obtained if required.

In addition, the CPSES response to the NRC's RAI number 18, CPSES has proposed compensatory actions on switchyard maintenance when invoking the extended CT for the emergency diesel generators. Specifically that, "The scheduling of DG preplanned maintenance will be avoided during seasons when the probability of severe weather or grid stress conditions are high or forecasted to be high."

d. Section 4.2.3 does not explicitly identify that the potential high risk configurations would be prohibited, consistent with the assumptions of the risk analysis, during the extended CT. In fact, the submittal states that Tier 3 risk management actions will address the availability of these systems. The licensee is requested to clarify the intent of identifying these configurations in the tier 2 section of their submittal, and identify any associated commitments consistent with RG 1.177 for tier 2.

CPSES RESPONSE:

Section 4.2.3 of the submittal, identified risk significant components when an EDG is out of service per RG 1.177 "Tier 2:Avoidance of Risk-Significant Plant Configurations."

In addition, the submittal stated, "As an additional defense-in-depth measure, when the option of an extended allowable out of service time for a DG is exercised, an alternate AC power source (AACPS) will be provided with the capability of supplying the same loads as the existing DG. Additionally, the AACPS would be started manually or automatically and automatically connected to the bus when it has achieved its rated voltage and speed."

Furthermore, the AACPS connection to the bus will be automatic and occur within 13 minutes of detection of a LOOP. Thus the AACPS would serve as backup to the out of service EDG and would have the capacity required for safe shutdown such that performance of powered equipment is acceptable after a LOOP to the bus.

B to TXX-07110 Page 22 of 39 Adequate defenses against human errors will be maintained. Station procedures will be revised as necessary and appropriate training will be provided to ensure adequate defense against human errors are maintained. These procedures will ensure consideration of prevailing.conditions, including other equipment out of service, and implementation of administrative controls to ensure adequate defense-in-depth whenever a DG is out of service. Qualified personnel will continue to perform DG maintenance and overhauls whether they are performed on-line or during shutdown.

Each startup transformer has the capacity to supply the required Class 1E loads of both units during all modes of plant operation. In the event one startup transformer (e.g., XST1, a preferred source) becomes unavailable to its Class 1E buses, power is made available from the other startup transformer (e.g., XST2, an alternate source) by an automatic transfer scheme. For the loss of a startup transformer, the load transfer only takes place in the unit for which the transformer was the preferred source. If it becomes necessary to safely shut down both units simultaneously, sharing of these offsite power sources between the two units has no effect on the station electrical system reliability because each transformer is capable of supplying the required. safety-related loads of both units although the design criteria require consideration of a Design Basis Accident on one unit only. Component testing or maintenance on the startup transformers will be avoided.

During the extended CT, the turbine-driven auxiliary feedwater pump will not be voluntarily removed from service for planned maintenance while a DG is out of service for extended maintenance.

After entering the extended CT, availability of the AACPS will be verified every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and the AACPS will be treated as protected equipment.

Currently CPSES uses the Safety Monitor software to perform online risk assessment. All PRA components are represented in Safety Monitor with the ability to take one or multiple components out of service. After the activities have been added (i.e., component taken out of service) the model is re-quantified and the CDF and LERF are re-calculated. The risk is then compared to preset values. Colors are used for the preset values based on the risk, where red 4indicates the most risk significant activity. Plant procedures require Management approval for entry into a LCO for planned maintenance activities that would exceed 50% of the applicable LCO CT or when the Safety Monitor software assessment indication shows red. Thus if the planned DG maintenance activity requires greater than 50% of the requested CT (i.e., greater than 7 days of the proposed CT), existing plant procedures would ensure specific Management attention and heightened plant awareness in support of the planned activity.

This process is performed for all activities that affect a PRA component,, initiating event, or recovery. The Work Control Group uses the weekly schedule to calculate the plant risk for the week on an activity basis. The proposed CT would be planned and added to the weekly schedule. The risk for the activity would be calculated with the weekly schedule. The weekly, risk assessment will be reviewed. and the appropriate Management approval will be obtained as requiredjby plant procedures. The PRA model developed for CPSES was B to TXX-07110 Page 23 of 39 subsequently updated to incorporate the replacement of the steam generators for Unit 1 and various minor changes in the PRA model of both units.

The process is the same for emergent activities. The risk is assessed prior to the emergent activity being worked. The risk is calculated and already scheduled activities may be moved to a later date or equipment put back in service to ensure that the plant risk remains acceptable. Again the risk will be reviewed and appropriate Management approval will be obtained as required by plant procedures.

The above activities, existing administrative controls and process, and compensatory measures discussed in RAI response 18 meet the RG 1.177 tier two requirements for avoidance of risk significant plant configurations.

15. RG 1.177 Section 2.3.7 describes various attributes of contemporaneous configuration control and the CRMP which can support risk-informed decision making. Certain aspects of the licensee's program have not been adequately described to assure that the guidance of RG 1.177 is met. Specifically, the licensee only states that added or emergent activities, or activities which have slipped from the scheduled completion time, are "addressed." RG 1.77 Section 2.3.7.1 requires specific descriptions to be provided, as to their capability to perform contemporaneous assessment of overall plant safety impact of proposed plant configurations, how the tools or other processes are used to ensure risk-significant configurations are not entered, and that appropriate actions will be taken when unforseen events put the plant in a risk-significant configuration. Further, it identifies four key components of the CRMP, which have not been addressed by the licensee. The licensee is requested to confirm and describe how their CRMP conforms to the RG 1*177 Section 2.3.7 guidance.

CPSES RESPONSE:

CPSES has a CRMP (RG 1.177 2.3.7.2, Key Component number 1) which has the characteristics of the Model Configuration Risk Management Program described in RG 1.177 and which was approved by the NRC on December 29, 1998 (Amendment numbers 62 and 48) for application to risk informed TS CTs. Its description has been incorporated into the plant TS (TS 5.5.18) and will be applied per 10CFR50.65(a)(4). In addition, CPSES has committed to NUMARC 93-01, "Industry Guideline For Monitoring The Effectiveness Of Maintenance At Nuclear Power Plants."

Specifically, the Configuration Risk Management Program (CRMP) required by Technical Specification 5.5.18 provides a proceduralized risk-informed assessment to manage the risk associated with equipment inoperability (RG 1.177 2.3.7.2, Key Component number,'

2). The program applies to TS structures, systems, or components for which a risk-informed CT has been granted. The program includes the following elements:

a. Provisions for the control and implementation of a Level 1, at-power, internal events PRA-informed methodology. The assessment shall be capable of evaluating the applicable plant configuration.

/

b. Provisions for performing an assessment prior to entering the (Limiting Condition for Operation (LCO) Action for preplanned activities.

C. Provisions for performing an assessment after entering the LCO Action for unplanned entry into the LCO Action.

B to TXX-07110 Page 24 of 39

d. Provisions for assessing the need for additional actions after the discovery of additional equipment out of service conditions while in the LCO Action.
e. Provisions for considering other applicable risk significant contributors such as Level 2 issues, and external events, qualitatively or quantitatively (RG 1.177 2.3.7.2, Key Component number 4).

Currently, CPSES uses the Safety Monitor software to perform online risk assessment (RG 1.177 2.3.7.2, Key Component number 3). All PRA components are represented in Safety Monitor with the ability to take one or multiple components out of service. After the activities have been added (i.e., component taken out of service) the model is re-quantified and the CDF and LERF are calculated. The risk is then compared to preset values. Colors are used for the preset values based on the risk, where red indicates the most risk significant activity. Plant procedures require management approval for entry into a LCO for planned maintenance activities that would exceed 50% of the required LCO CT or when the Safety Monitor software assessment indication shows red. Thus if the planned DG maintenance activity requires greater than 50 % of the requested CT, existing plant procedures would ensure specific management attention and heightened plant awareness in support of the planned activity. External events are evaluated qualitatively to determine their impact on the configuration risk.

This process is performed for all activities that affect a PRA component, initiating event, or recovery. The Work Control Group uses the weekly schedule to calculate the plant risk for the week on an activity basis. EDG maintenance activities requiring use of the proposed CT would be planned and added to the weekly schedule. The risk for the activity would be calculated with the weekly schedule. The weekly risk assessment will be reviewed and the appropriate management approval will be obtained as required by plant procedures.

The process would be the same for emergent EDG maintenance activities. The risk is assessed prior to the emergent activity being worked. The risk is calculated and other, already scheduled activities may be moved to a later date or equipment put back in service to ensure that the risk is acceptable. Again the risk will be reviewed and appropriate management approval will be obtained if required by plant procedures.

The above process meets the four Key Component requirements of RG 1.177 Section 2.3.7. 2 "Key Components of the CRMP."

Specifically, CPSES responseto RAI 18 proposes to implement compensatory measures when invoking the extended CT. In addition, the Configuration Risk Management Program (CRMP) (TS 5.5.18) will be applied per 10CFR50.65(a)(4).

16. The licensee has submitted a proposed change to extend the CT for LCO 3.8.1 with regards to one inoperable offsite circuit from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 30 days. The staff requests clarification of certain aspects of the proposed change which may impact the proposed changes for the DGs.

a The second CT of LCO 3.8.1 applicable to contiguous application of the actions of the TS 3.8.1 is proposed to be increased from 6 days to 17days in this amendment request, and from 6 days to 33 days for the offsite circuit request.

The licensee is requested to identify the proposed final CT. The staff also B to TXX-07110 Page 25 of 39 notes that TSTF-439-A eliminated this second CT, and the licensee may want to consider implementation of this TSTF along with these amendment requests.

CPSES RESPONSE:

LAR 06-012 was sul5mitted to the NRC on December 19, 2006 for approval. This LAR was based on TSTF-439-A to eliminate the second CT, but has yet to be approved.

LAR-06-007 was withdrawn via Luminant Power letter logged TXX-07139, from Mike Blevins to the NRC dated October 22, 2007.

If LAR 06-012 is approved before the approval of the requested change to the DG CT, the DG CT LAR submitted in Reference 1 will be modified as appropriate'.

b. Because these two requests are directly related to AC power sources, the staff considers them to be a combined change request as defined by RG 1.174 Sections 2.1.1 and 2.1.2. The licensee is requested to submit the additional information identified in RG 1.174 with regards to the synergistic impacts of the proposed changes.

CPSES RESPONSE:

LAR-06-007 was withdrawn via Luminant Power letter logged TXX-07139, from Mike Blevins to the NRC dated October 22, 2007; therefore, no synergistic impacts exist.

17. Describe the design, capability, capacity, and reliability of the AACPS. Describe the testing and maintenance program for the AACPS and its associated components.

RESPONSE

The AACPS conceptual design criteria described below will provide an AACPS which will meet as minimum the following specifications:

Provide 6900 V, three phase, neutral high resistance grounded, 60 Hz output voltage, and 7000 kW output power.

In 13 minutes the AACPS 1E safeguard bus supply breaker will automatically close on a LOOP, the AACPS will start, manually or automatically, the AACPS breaker will automatically close after the AACPS has reached rated voltage and frequency, and then blackout sequencer will automatically load the bus.

  • Overload capability of not less than 10 percent for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> out of each 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Maximum voltage dip on load acceptance not to exceed 20 percent of rated voltage, except for the initial voltage dip resulting from the energization of the two 2000/2667 kVA, 6900/480 V load center transformers upon application of the first load block upon closing of the AACPS breaker.

  • Maximum frequency dip on load acceptance not to exceed 5% of rated frequency.

B to TXX-07110 Page 26 of 39 Restore voltage to 90% of nominal and frequency to 98% of nominal in less than 40% of each load sequence time interval.

Maintain voltage and frequency within 2% of rated values under steady state operation.

Recover from transients caused by step load increases, or resulting from the disconnection of the largest single load, with the speed of the diesel generator not exceeding 75 percent of the difference between nominal speed and the over speed trip setpoint or 115 percent of nominal, whichever is lower.

The AACPS will have sufficient fuel oil available for operation until either offsite power is restored or an emergency diesel is restored to OPERABLE. (See RAI response number 19 for more detail.)

Prior to relying on its availability, a permanent or temporary AACPS would be determined to be available by starting the AACPS and verifying proper operation.

The design and location of the AACPS and its supports will be such that spatial and functional independence from the EDGs is maintained. This will include requirements for the cable routing, internal and external events, i.e. fire, flood and wind.

18. The staff believes that certain compensatory measures in the form of regulatory commitments are needed during the extended DG CT to assure continued safe operation of the plant. In the past, other licensees have provided the following regulatory commitments in their DG CT extension requests. Provide a discussion as to how you would address each commitment listed below as it relates to CPSES:

The extended CT will be typically used to perform infrequent (i.e., no more frequently than once every 24 months) diesel manufacturer's recommended inspections and preventive maintenance activities.

CPSES Response:

The PRA analysis assessed and justified entering the extended CT more than once a year for preventive or corrective maintenance; therefore, including the extended CT to be entered more than once a year and to include corrective maintenance is acceptable.

Furthermore, the Bases for Technical Requirement 13.8.31 titled "AC Sources (Diesel Generator Requirements)" in the Technical Requirements Manual (TRM) states "The diesel's preventative maintenance program is commensurate for nuclear standby service, which takes into consideration the following factors:

manufacturer's recommendations, diesel owners group's recommendations, engine run time, equipment performance, calendar time, and plant preventative maintenance programs." Consequently, the proposed NRC commitment will be revised to reflect the TRM requirement.

B to TXX-07110 Page 27 of 39 CPSES will invoke the following compensatory measure to assure continued safe operation of the plant.

The extended CT will be typically used to perform EDG infrequent inspections and preventive or corrective maintenance activities in accordance with procedures prepared in conjunction with the diesel owners group's preventive maintenance program.

No maintenance or testing that affects the reliability of the train associated with the OPERABLE DG will be scheduled during the extended CT. If any testing and maintenance activities must be performed while the extended CT is in effect, an evaluation will be performed in accordance with Title 10 of the Code of Federal Regulations (10 CFR) Section 50.65(a)(4).

CPSES Response:

The compensatory measure was revised to clarify the subject train is the train of safeguards equipment associated with the remaining OPERABLE EDG. CPSES will invoke the following compensatory measures to assure continued safe operation of the plant.

No maintenance or testing that affects the reliability of the train of safeguards equipment associated with the OPERABLE EDG will be scheduled during the extended CT.

If any testing or maintenance activities affecting safeguards equipment associated with the remaining OPERABLE EDG must be performed while the extended CT is in effect, an evaluation will be performed in accordance with Title 10 of the Code of Federal Regulations (10 CFR)

Section 50.65(a)(4) and TS 5.5.18, "Configuration Risk Management Program" prior to performance of the activity.

AACPS with capacity equal to or greater than the capacity of the inoperable DG will be available as a backup to the inoperable DG. After entering the extended CT, availability of the AACPS will be verified every8 hours and treated as protected equipment.

CPSES Response:

The AACPS will be treated as protected equipment (i.e., no niaintenance will be performed on the AACPS) during the extended CT. This proposed commitment above was revised to emphasize the difference between planned and unplanned DG outages when an AACPS will be available as backup to the inoperable DG.

CPSES will invoke the following compensatory measures to assure continued safe operation of the plant.

After entering the extended CT, availability of the AACPS will be verified every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and the AACPS will be treated as protected equipment.

M For unplanned DG outages, the capability to provide an AACPS with capacity equal to or greater than the capacity of the inoperable DG will B to TXX-07110 Page 28 of 39 be available as backup upon entering the allowed outage period extension (i.e., by 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> into the 14-day Completion Time).

For DG outages intentionally planned to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, an AACPS with capacity equal to or greater than the capacity of the inoperable DG will be provided as backup prior to entering the 14-day Completion Time.

The scheduling of DG preplanned maintenance will be avoided during seasons when the probability of severe weather or grid stress conditions are high or forecasted to be high.

CPSES Response:

CPSES will invoke the following compensatory measure to assure continued safe operation of the plant.

  • *The scheduling of DG preplanned maintenance will be avoided during seasons when the probability of severe weather or grid stress conditions are high or forecasted to be high.

The system load dispatcher will be contacted once per day to ensure no significant grid perturbations are expected during the extended CT. Also, the system load dispatcher should inform the plant operator if conditions change during the extended CT (e.g., unacceptable voltages could result due to a trip of the nuclear unit).

CPSES Response:

This proposed commitment was revised to correctly reflect the stations relationship with ERCOT (Electric Reliability Council of Texas) and entities that operate the transmission system as described in Attachment 8.F of STA-629 "Communication Protocol." CPSES will invoke the following compensatory measures to assure continued safe operation of the plant.

During the extended CT, the transmission grid controller (TGC) and generation controller will be contacted once per day to ensure no significant grid perturbations are expected.

The generation controller via ERCOT will inform the plant operator if grid conditions change during the extended CT.

Component testing or maintenance of safety systems and important non-safety equipment including offsite power systems (auxiliary and startup transformers) that increase the likelihood of a plant transient or loss-of-offsite power will be avoided. In addition, no discretionary switchyard maintenance will be allowed.

CPSES Response:

CPSES revised this proposed commitment by replacing the word "discretionary" with the words "risk significant."

B to TXX-07110 Page 29 of 39 CPSES' responses to RAI 14, 15, and 21 detail the extensive evaluations (10CFR50.65(a)(4)), programs (CRMP and work scheduling), and multiple procedures (e.g., STA-629, STA-604, etc.) that define a robust design which retains desired design features such as defense-in-depth. Therefore, the words "risk significant" implies that the risk associated' with performance of switchyard maintenance has been evaluated in accordance with approved programs and procedures.

CPSES will invoke the following compensatory measures to assure continued safe operation of the plant.

Component testing or maintenance of safety systems and important non-safety equipment, including offsite power systems (auxiliary and startup transformers), that increase the likelihood of a plant transient or loss of offsite power will be avoided.

No risk significant switchyard maintenance will be allowed while an EDG is inoperable.

TS requirements of verification that the required systems, subsystems, trains, components, and devices that depend on the remaining DG(s) are operable and positive measures will be provided to preclude subsequent testing or maintenance activities on these systems, subsystems, trains, components, and devices.

CPSES Response:

Luminant Power believes that the compensatory measures in the response to the second bulleted item under RAI 18 adequately addresses operability requirements for systems, subsystems, trains, components, and devices that depend on the remaining OPERABLE EDG.

Turbine-driven auxiliary feedwater pump will be controlled as "protected equipment," and will not be taken out of service for planned maintenance while an DG is out of service for extended maintenance.

CPSES Response:

This proposed commitment was revised to clarify that during the extended CT, the TDAFW pump will not be voluntarily removed from service for planned maintenance while in the proposed extended CT. CPSES will invoke the following compensatory measure to assure contifiued safe operation of the plant.

During the extended CT, the turbine-driven auxiliary feedwater pump will not be voluntarily removed from service for planned maintenance while a DG is out of service for extended maintenance.

Any component testing or maintenance that increases the likelihood of a plant transient would be avoided; plant operation should be stable during the DG CT.

B to TXX-07110 Page 30 of 39 CPSES Response:

This proposed commitment was revised to clarify that during the extended CT, certain equipment would not be removed from service concurrent with the inoperable EDG that would cause a plant transient or unstable operation of the plant. CPSES will invoke the following compensatory measure to assure continued safe operation of the plant.

Evolutions that could cause a plant transient will be avoided or coordinated with EDG maintenance such that these evolutions will not be concurrent to assure plant stability during EDG inoperability.

CPSES Response:

In addition to the compensatory measures above, CPSES makes the following compensatory measures below:

In 13 minutes the AACPS 1E safeguard bus supply breaker will automatically close on a LOOP, the AACPS will start manually or automatically, the AACPS breaker will automatically close after the AACPS has reached rated voltage and frequency, and the blackout sequencer. will automatically load the bus.

  • The AACPS will have sufficient fuel oil available for operation until either offsite power is restored or an emergency diesel is restored to OPERABLE.
19. In the past, the staff expects TS requirements'to demonstrate that the AACPS is available and functional prior to removing a DG from service for an extended period.

The TS requirements should also address the AACPS availability during the extended DG maintenance period including actions to be taken if the AACPS becomes unavailable during the extended DG outage. Discuss how the above staff expectations would be satisfied.

CPSES RESPONSE:

To address the staff's concern that TS requirements demonstrate that an AACPS is available and functional and address actions to be taken if the AACPS becomes unavailable, the following revision to the Bases for TS 3.8.1 was proposed as part of INSERT D of Attachment 3 of TXX-07011:

"As a defense-in-depth measure, when the option of an extended allowable out of service time for an emergency DG is exercised, an AACPS will be provided with capability of supplying the same loads as the existing DG with the criteria noted below. Thus, the AACPS will be capable of supplying safe shutdown loads after a LOOP to the bus. For unplanned DG outages, an AACPS will be available upon entering the allowed outage period extension (i.e., by 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> into the 14-day Completion Time). For DG outages planned to exceed an initial 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time, an AACPS will be provided within one hour of entering the extended Completion Time. In any event, if an AACPS B to TXX-07110 Page 31 of 39 of the required capacity is not available after entering the extended Completion Time period (after 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> into the 14-day Completion Time), the requirement to be in at least hot standby within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in cold shutdown within the following 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> would apply."

In addition, the following two paragraphs were also included in the proposed INSERT D to address the staff's concern that TS requirements demonstrate that an AACPS is available and functional prior to relying on its availability:

"Prior to relying on its availability, a temporary AACPS would be determined to be available by: (1) starting the AACPS and verifying proper operation; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation; and (3) ensuring that the AACPS is in the correct electrical alignment to supply power to the required safe shutdown loads. Subsequently, when not in operation, a status check for availability will also be performed once every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This check will consist of (1) verifying the AACPS is mechanically and electrically ready for operation; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation; and (3) ensuring that the AACPS is in the correct electrical alignment to supply power to the required safe shutdown loads.

Prior to relying on its availability, a permanent AACPS would be determined to be available by starting the AACPS and verifying proper operation. In addition, initial and periodic testing, surveillances, and maintenance will conform to NUMARC 87-00, Revision 1, Appendix B, "Alternate AC Power Criteria" guidelines. Functional testing, timed starts, and load capacity testing on a fuel cycle basis, and surveillance and maintenance will consider manufacturer's recommendations."

Furthermore, CPSES will comply with the compensatory measures discussed in RAI response number 18 during the extended DG CT to assure continued safe operation of the plant.

20. It is the staff's understanding that the purpose of the requested amendment is to allow an increased D G outage time during power operation for performing DG inspection, maintenance, and overhaul, which would include disassembly of the DG. DG operability verification after a major maintenance or overhaul may require a full-load rejection test. If a full-load rejection test is performed at power, please address the following:
a. What would be the typical and worst-case voltage transients on the 6.9 kilo-volt safety buses as a result of a full-load rejection?

CPSES RESPONSE:

CPSES performs the full load rejection test with the associated 6.9 kV electrical bus synchronized to the grid which is considered an infinite bus as compared to the DG. As the infinite bus maintains its constant voltage, therefore, the 6.9 kV bus voltage is nominally impacted by the impedance of the circuit between the infinite bus and 6.9 kV bus.

After reaching full load limits, the DG is divorced from the 6.9 kV bus by opening the DG output breaker on the associated 6.9 kV bus, and the infinite bus remains connected to the 6.9 kV bus. Any DG mis-operation while synchronized B to TXX-07110 Page 32 of 39 to the 6.9 kV bus and prior to the load rejection, such as load swings or voltage transients, are seen as megawatt and megavar transients on DG out put and the associated 6.9 kV bus voltage may be nominally impacted by the component of these MW and MVAR flow thru the impedance of the circuit between the infinite bus and 6.9 kV bus. The evaluation of 6.9 kV bus voltages during and after the test, with the DG at its rated load and DG full load rejection, shows that after rejection of DG load the safety bus may see a voltage change of about 200 V. This voltage change will appear only as a step change to conform to the constant voltage of the infinite bus. The review of test data shows that the maximum step voltage experienced by the safety buses during DG full load rejection test is about 170 Volts.

b. If a full-load rejection test is used to test the DG governor after maintenance, provide assurance that an unsafe transient condition on the safety bus (i.e.,

load swing or voltage transient) due to improperly performed maintenance or repair of a governor would not occur.

CPSES RESPONSE:

CPSES performs the full load rejection test with the associated 6.9 kV electrical bus synchronized to the grid which is considered an infinite bus as compared to the DG. As the infinite bus maintains its constant voltage, therefore, the 6.9 kV bus voltage is nominally impacted by the impedance of the circuit between the infinite bus and 6.9 kV bus.

If the full load rejection test is used to test the DG governor after maintenance, after reaching full load limits, the DG is divorced from the 6.9 kV bus by opening the DG output breaker on the associated 6.9 kV bus, and the infinite bus remains connected to the 6.9 kV bus. Any DG mis-operation while synchronized to the 6.9 kV bus and prior to the load rejection, such as load swings or voltage transients, are seen as megawatt and megavar transients on DG out put and the associated 6.9 kV bus voltage may be nominally impacted by the component of these MW and MVAR flow thru the impedance of the circuit between the infinite bus and 6.9 kV bus. The evaluation of 6.9 kV bus voltages during and after the test, with the DG at its rated load and DG full load rejection, shows that after rejection of DG load the safety bus may see a voltage change of about 200 V. This voltage change will appear only as a step change to conform to the constant voltage of the infinite bus. The review of test data shows that the maximum step voltage experienced by the safety buses during DG full load rejection test is about 170 Volts.

As outlined in the response to RAI 20.c, all previous full load rejection testing performed on CPNPP emergency diesel generators have been performed without any transient conditions occurring on the associated 6.9 kV busses. This historical data, in addition to the above response, provides assurance that unsafe transient conditions will not occur during routine or post maintenance full load rejection testing.

c. Using maintenance and testing experience on the DG, identify possible transient conditions caused by improperly performed maintenance on the DG governor and voltage regulator. Discuss the electrical system response to these transients.

B to TXX-07110 Page 33 of 39 CPSES RESPONSE:

Work order history for Full Load Reject testing of all four CPSES DGs since 1995 was researched. Work order comments, data sheet comments, related activities and related items sections were reviewed to identify any transient conditions that may have occurred during the testing. The results are tabulated below. No electrical transient conditions during any testing activity were identified.

B to TXX-07110 Page 34 of 39 DG Work Order Test Criteria Transient condition SMF (1)

CP1-MEDGEE-01 5-96-500927-AA Sat None None 5-97-500927-AA Sat None None 5-99-500927-AB Sat None None 5-99-500927-AC Sat None None 5-01-500927-AA Sat None None 5-02-500927-AA Sat None None 5-04-500927-AA Sat None None 5-05-500927-AA Sat None None CP1-MEDGEE-02 5-96-501595-AA Sat None None 5-97-501595-AA Sat None None 5-99-501595-AB Sat None None 5-99-501595-AC Sat None None 5-01-501595-AA Sat None None 5-02-501595-AA Sat None None 5-04-501595-AA Sat None None 5-05-501595-AA Sat None None CP2-MEDGEE-01 5-95-500459-AA Sat None None 5-97-500459-AA' Sat None None 5-98-500459-AA Sat None None 5-99-500459-AA Sat None None 5-00-500459-AA Sat None None 5-02-500459-AA Sat None None 5-03-500459-AA Sat None None 5-05-500459-AA Sat None None CP2-MEDGEE-02 5-95-501596-AA Sat None None 5-97-501596-AA Sat None None

-' 5-98-501596-AA Sat None None 5-99-501596-AA Sat None None 5-00-501596-AA Sat None None 5-02-501596-AA Sat None None 5-03-501596-AA, Sat None None 5-05-501596-AA Sat None None (1) SMF is an acronym representing the CPSES Corrective Action Program (CAP) tracking process. Any transients that may have occurred during DG full load reject testing would have been entered into the CAP and tracked using the SMF (Smart Form) process.

B to TXX-07110 Page 35 of 39

d. Provide the tests to be performed after overhaul to declare the DG operable and provide justification of performing those tests at power.

CPSES Response:

Several procedures are in place to test the DGs after overhaul to verify operability. The scope of the work performed determines which procedures are performed.

Procedure Responsible Scope of Testing Performed Origination Soeo etn Emergency Diesel

& Relay Generator DSC As required for DSC digital MSE-C-0866 Meter R Digital Governor governor rework or replacement.

Control Emergency Diesel MSE-CO-0868 Meter & Relay Generator As required for automatic voltage Thyripart regulator rework or replacement Excitation System Start Up and Break in Run for MSE-PO-0861 Meter & Relay Emergency Diesel As required for engine overhaul, Generators with major part replacement DSC Digital Governors Diesel Generator As required for engine overhaul, Pneumatic Logic major part replacement or after MSE-PO-0864 Meter & Relay and Start/Stop rework or replacement of Circuit Test significant components of the Excitation System pneumatic logic control device Emergency Diesel As required for engine overhaul, MSE-PO-0865 Meter & Relay Generator Start Up major part replacement Testing Diesel Generator As required when the overspeed MSE-PO-0866 Meter & Relay Overspeed Trip trip device is replaced.

Test Diesel Generator As required for engine overhaul, MSE-Sl,2-0880 Meter & Relay Load Rejection major part replacement As required for engine overhaul, Diesel Generator major part replacement. This test OPT-214AB Operations D bieeliy G enator verifies DG operability and is sOperability Test performed after completion of all maintenance testing activities.

DSC - digital speed control B to TXX-07110 Page 36 of 39 Applicable sections of the listed procedures are performed as required based on the particular type of DG maintenance performed. Successful completion of the required testing ensures the DGs meet all TS operability requirements. Upon completion of all maintenance testing activities, a final operability test of the DG is performed prior to declaring the DG operable.

All test procedures have been successfully performed as written on all four DGs during refueling outage work windows. In addition, portions of MSE-S2-0880 and MSE-PO-0861 have been performed at power following emergent DG maintenance. The methodology for testing at power will be the same as for testing performed during outages. No changes to any existing procedures are required for at power post maintenance testing.

Since the specified testing is required to declare the DG operable, all the tests have been performed successfully in the past during both refueling outages and at power, and previous tests have not resulted in any 6.9 kV bus voltage or frequency transients1 performance of the testing utilizing the current testing procedures and methodology is acceptable.

21. Due to the importance of the offsite power system:
a. Discuss the considerations given to not performing extended DG maintenance when the offsite grid condition or configuration is degraded or when adverse or extreme weather conditions (i.e., high winds, lightning, etc.) are expected.

CPSES RESPONSE:

See the discussions under "Tier # 2 and 3 Considerations" and "High Winds" and responses to RAIs 14 and 15.

b. Discuss how you consider the amount of time needed to complete the extended DG maintenance and the ability to accurately forecast weather conditions that are expected to occur during the maintenance.

CPSES RESPONSE:

The considerations and actions taken by the Cooper-Enterprise Clearinghouse (the EDG owners group) to issue a maintenance program for the Emergency Diesel Generators is based upon the physical results of inspections of twenty engines. The maintenance model provides a "results oriented" maintenance approach which is intended to maintain or increase the current reliability levels, increase availability, and optimize the utilization of limited resources. The amount of time needed to complete the extended EDG maintenance is based on experience and the Cooper Enterprise Clearinghouse (CEC) physical results of inspections of twenty engines.

The diesel's preventative maintenance program is commensurate for nuclear standby service, which takes into consideration the manufacturer's recommendations; diesel owners group's recommendations, engine run time, equipment performance, calendar time, and plant preventative maintenance programs.

B to TXX-07110 Page 37 of 39 The following table provides some insights into the scope of the planned work for the next several outages. Some or all of this work could be moved from the refueling outage scope to on-line maintenance.

TOTAL TOTAL TO N UNIT WORK SCOPE DURATION WORKED SCOPE0 DGRA-02 AND RF EDG - 01 DGEDG - 02(Day YEAR EDG - 01 (Dy) EDG - 02 NME(Dy)

NUMBER (Days) (Days) (Days) 2006 2RF09 R 3 R, 3,6 10 2007 1RF12 R, 3, GEN 10 R, GEN 7 2008 2RF10 R, 3,6 10 R 3 2008 1RF13 R 3 R, 3, 6, GOV 11 2009 2RFl1 R 3 R, 3, FT, T 12 2010 1RF14 R, 3, 6, FT 12 R 3 2011 2RF12 R, 3, FT, T, GOV 13 R 3 2011 1RF15 R 3 R, 3, FT, T 12 2012 2RF13 R R, 3, 6, 12, T, 15 GOV 2013 1RF16 R, 3, 6, 12, T 14 R 3 2014 2RF14 R, 3, 6,12 14 R 3 2014 1RF17 R 3 R, 3, 6,12 14 2015 2RF15 R 3 R, 3 6 2016 1RF18 R, 3, 6, 15, T 17 R 3 2017 2RF16 R, 3, 15, T 17 R 3 2017 1RF19 R 3 R, 3,15, T 17 2018 2RF17 R 3 R, 3,15 17 2019 1RF20 R, 3, GOV 7 R 3 2020 2RF18 R, 3,6 10 R 3 2020 1RF21 R 3 R, 3,6 10 2021 2RF19 R 3 R, 3, T 6 2022 1RF22 R, 3, 6, FT 12 R 3 R = A standard 18 month refuel outage scope of work when worked alone will take three days and when worked concurrent during the 3, 6, 12, 15 year refueling outage inspections or other work scopes (RF, T, GEN, or GOV) the times will overlap.

RF = Refueling Outage T = Turbocharger teardown GEN = Generator disassembly and inspection GOV = Mechanical governor actuator SCOPE AND DURATION NOTES:

1. R, 3, 6, 12, and 15 are outage work scopes as identified by the Cooper Enterprise Clearinghouse and incorporated into site procedure TSP-503, and the site Technical Requirements Manual (TRM). Work durations are 1, 4, 8, 12, and 14 days respectively.

B to TXX-07110 Page 38 of 39

2. Additional work scopes specified as FT for fuel tank cleaning, T for turbocharger teardown, GEN for generator disassembly and inspection, and GOV for mechanical governor actuator are added to the scopes identified in number 1 above. The Work durations for these additions are 10 days, 4 days, 4 days, and 1 day respectively. They will work in parallel with the work duration above and in some cases become the long leg duration.
3. Post work requirement testing durations for all outages include the two days for clearance release, re-filling the systems, and heat-up of the systems while controls testing goes on in parallel. Post maintenance runs would then follow before the operability run can take place.
4. Additional post work testing (PWT) testing durations are as follows:

GOV-Governor work testing 1 day, (involves a slow start, fast start, manual loading of an isolated bus with isochronous loads, automatic loss of offsite power/safety injection (LOOP/S I) loading of the isolated bus, full load reject, major load reject), while the 15 YEAR outage scope requires I day, (additional testing time for the 16"hour break-in runs and the overspeed testing).

The consideration for weather is based on historical data taken from the National Oceanic and Atmospheric Administration database. The data for CPSES was plotted based on the day of the year. From this graph it was evident that the April to June timeframe had the greatest probability of severe weather. It was concluded that if this work was performed during any other time of the year the weather centered portion of the LOOP could be reduced.

CPSES is required by plant procedures to consider the potential for severe weather when scheduling work. Specifically, plant procedures STA-604 and WCI-203 state, "Weekly Surveillance/Work Scheduling," requires, "The consideration and evaluation of potential external events such as severe weather, flooding, equipment lifting activities, etc. shall be applied to the Maintenance Risk Assessment when warranted by the potential for the external event."

The National Weather Service (NWS) has a continuous radio broadcast service of weather conditions in the Dallas-Fort Worth area. A receiver capable of receiving and decoding the NWS alert tone for severe weather notifications is monitored in the Control Room and Alternate Access Point for the issuance or cancellation of Severe Thunderstorm and Tornado Watches. Security personnel on duty in the Alternate Access Point will keep the Control Room informed of all watches or warnings issued or canceled by the NWS. Visual observations will be made by Security Officers and Safety Services personnel during the performance of their normal duties when a watch has been issued. The Control Room will be kept informed of visual observations regarding weather conditions by radio or telephone. Plant Equipment Operators are trained as SKYWARN spotters and may be utilized to determine weather severity.

To summarize, the amount of time needed to complete DG the extended maintenance is based on diesel generators owner's group recommendations which is based on experience, historical performance, and vendor's recommendations. The ability to forecast weather is based on historical data-B to TXX-07110 Page 39 of 39 taken from the National Oceanic and Atmospheric Administration database.

From data for CPSES that was plotted based on the day of the year, it was evident that the April to June timeframe had the greatest probability of severe weather. Thus, in summary, considering the generally short durations for the EDG maintenance activities and careful selection of time of year, these provide a reasonable window for accurately planning and scheduling the work to avoid severe weather.

to TXX-07110 Page I of 11 ATTACHMENT 2 TO TXX-07110 DOCUMENTATION OF THE WESTINGHOUSE OWNERS GROUP (WOG) PEER F&O CATEGORY A & B DISPOSITIONS to TXX-07110 Page 2 of 11 The Westinghouse Owners Group (WOG) peer review was performed during the spring of 2002.

The conclusion of the peer assessment was that the Comanche Peak PRA can be effectively used to support risk significance evaluations with deterministic input, subject to addressing the items identified as significant in the technical element summary and Facts & Observations (F&O) sheets. As stated previously, CPSES addressed each of the Categories A and B F&Os and incorporated those items into the PRA model and supporting calculations that formed the basis for the information used to support the DG CT extension. Below is a list of the category A & B F&Os and their dispositions.

Number Description Summary Disposition AS-01 Provide guidance for and discussion of the This item does not adversely affect the technical adequacy of the PRA because it is process for applying Probability Risk associated with documentation. A new notebook to address post recovery file 0

Analysis (PRA) recovery terms. development and maintenance has been developed. Notebook is R&R-PN-039 "Post -3 Quantification Files." X X

L

-HR-03 The input received from the operators in This item does not adversely affect the technical adequacy of the PRA because it is the recent round of comments should be associated with documentation. Original operator interview records of conversation documented as part of the analysis to are available as background information and can be used to demonstrate PRA fidelity demonstrate continuing PRA fidelity with with the as-operated plant. The human reliability analysis (HRA) documentation has the as-operated plant. been updated to use the Electric Power Research Institute (EPRI) HRA Calculator and the updated operator interviews have been summarized and documented with the HRA Calculator. PRA desktop instruction R&R-DI-005 "Human Reliability Analysis' section 4.0 was revised to document future operator interviews and training practice changes in the HRA notebook rather than in more informal records of conversation.

HR-04' Resolution of discrepancies in the This item does not adversely affect the technical adequacy of the PRA because it is quantification of human error associated with documentation discrepancies and lack of detail. Revised guideline probabilities (HEPs) including insufficient R&R-DI-005 "Human Reliability Analysis" to ensure documentation is sufficient to documentation detail to reproduce human reproduce human error probabilities. This was achieved as part of Revision 3 update error probabilities. of the HRA guideline.

HR-05 Applicability of using only 2 Cause Based This item does not adversely affect the technical adequacy of the PRA. The Decision Trees for Human Reliability methodology used for the CPSES HRA was considered appropriate and was found Analysis and development of a Cause acceptable by the NRC. HRA methods have evolved and improved over time.

Based Decision Tree basis. Since the Guideline R&R-DI-005 "Human Reliability Analysis,"'was revised to ensure HRA manner in which the selected approach is updates use current, clearly defined methodology, data and tools. The current implemented can affect the results, the revision of the guideline uses the EPRI HRA Calculator to "quantify" the HEP values.

implementation should be clearly explained, with key assumptions noted.

Number Description Summary Disposition HR-06 Improve HRA documentation for operator This item does not adversely affect the technical adequacy of the PRA.

action time window basis. Documentation exists in previous analysis referenced by the current documentation.

Guideline R&R-DI-005 "Human Reliability Analysis," was revised to reduce references X to previous analysis such that analysis traceability is improved. Revision 3 of the HRA analysis provided enhanced documentation of the Operator action, time windows available, and time required to perform the action.

HR-10 Evaluate cutsets with multiple human This item was found not to adversely affect the technical adequacy of the PRA. A PRA errors and revise dependency calculations utility program identified unique combinations of multiple human actions. These if necessary. were reviewed based on the scenario to ensure dependencies were identified and handled as appropriate. This process of evaluating cutsets with multiple human errors is included in the quantification guide (R&R-DI-002) and shown in the revised HRA notebook.

IE-02 The process for developing the loss of Use of the recommended Bayesian update process is not appropriate for the EPRI data offsite frequency at CPSES involves because it already contains CPSES data and a Bayesian update would result in double screening events from an EPRI database. counting. The data screening performed by CPSES is straightforward and is This screening process is somewhat defendable (e.g., screened out events involving salt spray, etc.) The actual value subjective and leads to questions currently being used at Comanche Peak Steam Electric Station (CPSES) was concerning deletion of events. A process considered to be adequate by the peer reviewer. No action needed.

more accepted in the industry is to take a generic distribution and Bayesian update with plant specific in formation. The frequency obtained is approximately the same as the CPSES frequency but is simpler and easier to defend.

IE-04 Include the other unit station service A 4/4 failure of the SSW pumps was input into the Dual Unit Model (PRA model water.(SSW) pumps in the common cause Revision 2) during the time of the peer review. The change is documented in R&R-group. PN-006 "Service Water System." No additional action is needed.

al Number Description Summary Disposition IE-05 The ISLOCA analysis does not include a The Nuclear Safety Analysis Center (NSAC) is operated by EPRI. The ISLOCA Cl correlation of variables for cutsets that analysis was performed using the guidance from NSAC-154 "ISLOCA Evaluation contain, for a given lambda, a lambda Guidelines" which does not include the described lambda squared term. This squared term. This is a required step, as methodology is judged to be acceptable and no action is needed.

described in such documents as Volume 5 of NUREG/CR-4350, NUREG/CR-5102, and NUREG/CR-5744.

L2-01 Incorporate flooding sequences in the This item does not adversely affect the technical adequacy of the PRA. Flood large early release frequency (LERF) sequences potentially impact containment spray and containment isolation. However, calculation. CPSES has a large dry containment and important containment isolation valves fail closed such that containment spray and isolation have a small impact on LERF. No action needed.

L2-03 The Steam Generator Tube Rupture Steam Generator related modeling observations were evaluated incorporated and contribution to LERF appears to be documented as appropriate during implementation of the Dual Unit Model (PRA unusually low relative to contributions model Rev. 2). Results of the requantification resulted in a SGTR LERF contribution typically found in other PRAs. Address change from less than 1% up to 18%. This is a significant increase that clearly the potential for Steam Generator Tube indicates the potential for SGTR is represented in the new PRA model. No additional Ruptures (SGTR) to be under represented action is needed.

in the LERF analysis.

L2-04 Expand on the analysis of LERF This item does not adversely affect the technical adequacy of the PRA. Sufficient contributions to discuss contributions information is available to derive LERF contribution conclusions and additional from containment failure modes including documentation has been added to the quantification notebook that addresses LERF those mapped in from the individual plant contribution from initiating events and equipment. Furthermore, core damage examination (IPE), and provide a frequency (CDF) dominates risk importance considerations at CPSES. Revised R&R-perspective on the degree of conservatism DI-007 "Containment Performance Analysis" so that LERF contributions are clearly inherent in the current LERF model, to documented when Level 2 analysis updates occur.

support LERF sensitive applications.

ID r)

Number Description Summary Disposition L2-05 Potential for SGTR to be under Steam Generator related modeling observations were evaluated; incorporated and represented in the LERF analysis because documented as appropriate during implementation of the Dual Unit Model (PRA the success criteria for SGTR appear to model Rev. 2). These changes included consideration of safety impact beyond 24 have misapplied the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time hours for Steam Generator Tube Ruptures. The requantification resulted in a SGTR X X

concept. LERF contribution change from less than 1% in the Revision I and up to 18% in the Revision 2 of the PRA model. This is a significant increase in the SGTR LERF contribution that clearly indicates that the SGTR is correctly represented in the new PRA model. The success path basis, specific model changes and requantification results are documented inR&R-PN-004 "Auxiliary Feedwater System", R&R-PN-013 "Accident Sequence Analysis" and R&R-PN-022 "Accident Sequence Quantification."

No additional action is needed. I L2-07 Review the level 2 analysis and remove This item does not adversely affect the technical adequacy of the PRA. Core damage conservatisms as they relate to severe frequency dominates risk importance considerations at CPSES. In the case of LERF, accident phenomena. The dominance of core damage bins (accident sequence groups) provide the input from the Level 1 to Loss of Offsite Power (LOOP) in the LERF Level 2 PRA analysis. The core damage bin that contains LOOP sequences also analyses could mask other LERF contains other sequences that require similar containment response. Therefore, it is contributions. not appropriate to imply that LOOP could mask other LERF contributions.

Conservatisms are associated with industry accepted Level 2 methodologies were in use at the time the analysis was performed. Revised R&R-DI-007 "Containment Performance Analysis" to consider the latest methodologies when performing Level 2 analysis updates.

QU-06 Perform a parametric uncertainty analysis A parametric uncertainty analysis is not necessary at CPSES because sensitivity sufficient to characterize CDF/LERF as studies are performed to address uncertainties on a case by case basis. Included mean values. sensitivity analysis guidelines in desktop instruction R&R-DI-014 "PRA Applications."

The revision 3 of the quantification notebook provides additional insights with respect to sensitivity analyses that were performed for key assumptions and modeling approaches.

Number Description Summary Disposition TH-01 Large break analysis Modular Accident The concern with MAAP providing valid results for the early blowdown phase of Analysis Program (MAAP) code and LOCAs, applies to cold leg breaks. The concern is that because it doesn't have a success criteria issues for large LOCAs. momentum equation, the code cannot capture the ECCS bypass phenomenon. This is X

a short lived phenomenon that lasts on the order of 15-20 seconds for double-ended The MAAP code has been used for several guillotine breaks. Accumulator water from intact cold legs, instead of falling into the analyses supporting success criteria bases. downcomer and entering the core, is sucked around the periphery of the downcomer Most of these analyses are within the and out the break levitated on the reversed downcomer steam flow caused by the generally accepted capabilities of this blowdown. There are several reasons why MAAP's inability to model this code. However, at least one of the phenomenon is not a concern for the conclusions in calculation RXE-LA-CPX/0-062.

analyses was intended to determine requirements for Emergency Core Cooling First, large break LOCAs are defined in PRA as breaks between 6" and double-ended System (ECCS) injection following a large guillotine break (DEGB). Therefore, the success criteria must be determined over this LOCA (case sb6in4, RXE-LA-CPX/0-062 range. The Accumulator and low pressure injection (LPI) success criteria are dictated RO). The MAAP code, even recent by the DEGB and those breaks, while affected by the bypass phenomena, were versions such as MAAP 4.0, is generally analyzed with Luminant's large break LOCA 10CFR50.46 Evaluation Model, which not accepted as providing accurate results captures it. The lower end of the range (6") is examined to determine the need for AF for the early blowdown phases of certain and the need for high head injection. That is where the SB6IN4 MAAP4 run was used.

classes of large breaks (or for certain rapid For that purpose, for which the 6" break was used, the ECCS bypass phenomenon has depressurizations in general). Hence, its no bearing on results. This is because the cladding heat up occurs around 1800 usage in this case may not provide a seconds at which time any bypass would be over, if it ever even occurred, given that defendable outcome. Although MAAP 4.0 with the much smaller break flow, there will always be substantial downflow in the addresses some of the documented downcomer in all phases of the accident. Therefore, the conclusions of SB6IN4 and the limitations of MAAP 3B for analysis of this Validity of MAAP4 for the application stand.

class of events, care is still required in its application. For example, while MAAP Considering the second statement regarding use of engineering judgment to conclude 4.0 may reasonably represent plant that 2/4 accumulators are sufficient for the large LOCA, although all 4 are used in EM response to large hot leg breaks, it may models, that judgment is based on extensive experience in LOCA analysis. The not be appropriate for use in predicting Evaluation Models (EMs) must include the features of 10 CFR 50.46 Appendix K plant response for some larger cold leg which are not required of the PRA success criteria, which can be a best estimate breaks. analysis. Of these requirements, the 1.2 multiplier in decay heat and the zero heat transfer coefficient between end of bypass and BOCREC alone, more than offset the 2 Further, in the discussion in RXE-LA- accumulators. Nevertheless, a calculation using Luminant's EM model (with the

Number Description Summary Disposition CPX/0-062 RO on LLOCA, there is a Appendix K required inputs off) was performed for the conditions of the success statement that "The 6" break can be criteria and the Peak Cladding Temperature (PCT) was found to be -300 degree F

.0 successful without CVCS PUMPs, SIPs, or lower than the licensing basis PCT. This calculation is documented in the new -3 AF, but accumulators (2/4 should be - revision (Revision 1) of RXE-LA-CPX/0-062. Thus, the conclusion of the previous adequate) and 1 train of RHR are required, revision is unchanged. Revision 1 merely provides a calculation basis to reinforce the based on MAAP4 run sb6in4." The basis previous engineering judgment basis for the conclusion.

for determining that 2/4 accumulators is adequate is not stated, and therefore must No further action is needed be interpreted as a judgment by the analyst. A similar judgment is made regarding requirements for accumulators for the larger end of the break spectrum.

Additional justification/explanation of how the analysis results support this judgment should be provided.

TH-02 Additional guidance is needed for success Analysis and methodology for PRA success criteria have been documented in a new criteria basis development. PRA notebook, R&R-PN-040, "PRA Success Criteria Notebook."

TH-03 Small Break LOCA success path with AF Although RXE-LA-CPX/0-062 states that success cannot be achieved without AF, that failed - provide thermal-hydraulic does not mean that success cannot be achieved with the next procedural evolution, analysis or remove from event tree. namely, feed and bleed. What the cited run (SB2IN5) showed was that success could not be achieved a priori without AF, as it can with larger breaks. The discussion is about the need for AF for LOCAs. The larger break ranges are shown not to require AF for success. Feed and bleed follows procedurally any loss of secondary cooling, which would result from say the unavailability of AF. Cases which require AF but where AF is not available will then move to the next recovery evolution: feed and bleed. The success criteria for feed and bleed are given in Section 2.9 of RXE-LA-CPX/0-062. Thus, for small LOCAs, Table 6 in that section applies, and in fact, it would be conservative, since the depressurization from the break itself would help with the bleed part of the feed and bleed evolution. Therefore, the question is answered here and a note was added to the affected calculation. No action is needed.

Number Description Summary Disposition .

TH-04 The basis for the PRA success criteria The success criterion is the one described in the conclusions section of RXE-LA-analyses should be a clearly-stated CPX/0-055. The observation that the success criterion should be placed "up front" will definition of core damage that is suited to be addressed by placing the success criterion in the "Success Criteria Notebook" that the analytical tools used. has been developed. X The various comments on the actual success criterion used are addressed by the following clarification of the CPSES success criterion. Note that the discussion below merely clarifies the CPSES success criterion to address the issues raised in this observation, but the criterion itself is unchanged from what has been used throughout the CPSES IPE and PRA.

"The CPSES PRA criterion for success is avoidance of the significant core damage, associated with a severe accident. The word significant applies both to the degree of core damage and to how widespread that damage is.

Thus, local occurrence of departure from nucleate boiling (DNB) or exceeding PCT locally is tolerated. This is because exceeding these criteria for hot rods and/or for hot channels, even though possibly resulting in very localized fuel damage, would not necessarily constitute a severe accident. This is an important consideration that distinguishes a PRA success criterion from acceptance criteria used in accident analysis. Accident analysis acceptance criteria are applied locally, i.e., to the hot spot, hot rod and/or hot channel to ensure that no part of the core, even the most minute fraction, would exceed the criteria. However, for there to be "core damage" in the PRA sense there must be damage to a broader region of the core. For the CPSES PRA, the' breadth of damage is set to be 100%/7/11 = 1.3% of the core. This is accomplished by nodalizing the core into 7 radial regions and 11 axial regions in MAAP4 and having the PRA success criterion tested at the hottest node. While arbitrary, this criterion that at least 1.3% of the core must exceed the success criterion is in line with the 10CFR50.46 acceptance criterion for LOCA that sets core-wide oxidation at 1%.

Regarding the degree of damage, the PRA success criterion is as conservative as, or perhaps more so, than that of 10CFR50.46 for LOCA analyses. The core damage

Number Description Summary Disposition criterion is the onset of oxidation of this 1.3% of the core. That was translated as core nodal temperatures (TCRHOT), the hottest core nodal temperature in MAAP, should 0

be less than 1500 K (-2200 degree F). This temperature marks the onset of the ýi exothermal Zirconium-water reaction which precedes significant Zr oxidation, X X

eventual clad embrittlement and damage. These TCRHOT are radial averages across a representative fuel rod for that region, while the oxidation threshold (-2200 degree F) applies to the clad temperature. This means that this criterion is applied conservatively because the average pin temperature is higher than the clad surface temperature, which is subject to oxidation."

An issue is also raised in this observation that uncertainties in the MAAP calculations require that the success criterion itself add conservatisms to bound these uncertainties.

All calculational models are analytical representations. There is. always a mismatch between the actual phenomenon and its calculation. The standard for phenomenology calculations involving severe accidents is "best estimate." The MAAP models were benchmarked against a licensing version of RELAP5/MOD2 in RXE-LA-CPX/0-055 for feed and bleed calculations and found to provide equivalent results. Therefore, the CPSES MAAP results are not more uncertain than recognized analytical methods and to select an overly conservative success criterion that bounds uncertainties defeats the purpose of PRA and is at odds with the universally accepted "best estimate" standard.

Definition of core damage is documented in the new PRA notebook, R&R-PN-040 "PRA Success Criteria Notebook."

TH-07 Clarify the definition of "stable condition" PRA success criteria and the definition of "stable condition" is provided in the PRA and check that modeled end states are notebook, R&R-PN-040 "PRA Success Criteria Notebook."

consistent as practical across modeled sequences.

TH-08 Clarify the basis and success paths for the Steam Generator related modeling observations were evaluated and it was steam generator tube rupture model and determined that changes to PRA event and fault trees were needed for long term modify the model if necessary. cooling after a steam generator tube rupture event. These changes were incorporated

Number Description Summary Disposition into the Dual Unit Model (PRA model Revision 2). The success path basis, specific 0 model changes and requantification results are documented in R&R-PN-004 "Auxiliary Feedwater System", R&R-PN-013 "Accident Sequence Analysis" and R&R- 0 PN-022 "Accident Sequence Quantification." No additional action is needed.

TH-09 Provide references to specific thermal- Revised guideline R&R-DI-005 "Human Reliability Analysis" to ensure appropriate hydraulic analyses, or other bases, for references are made for time critical human actions. The Success Criteria notebook

'accident sequence timing, including the and other Thermal-Hydraulic calculations provide time basis for the available window time available for operator actions. for operator actions or other accident sequence timings.

to TXX-07110 Page 1 of 2 ATTACHMENT 3 to TXX-07110 PROPOSED TECHNICAL SPECIFICATIONS BASES CHANGES (Markup For Information Only)

Pages INSERTS to TXX-07110 Page 2 of 2 INSERTS (continued)

3. An AACPS would not be required to be protected against natural phenomena (GDC 2 events) or abnormal environmental or dynamic effects (GDC 4 events).
4. An AACPS would be started manually or automatically and automatically connected to the bus when it has achieved its rated voltage and speed. The AACPS connection to the bus will occur within 13 minutes of detection of a LOOP. Thus the AACPS would have the capacity required for safe shutdown such that performance of powered equipment is acceptable after a LOOP to the bus.

Prior to relying on its availability, a temporary AACPS would be determined to be available by: (1) starting the AACPS and verifying proper operation; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation; and (3) ensuring that the AACPS is in the correct electrical alignment to supply power to designated safe shutdown loads. Subsequently, when not in operation, a status check for availability will also be performed once every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This check consists of (1) verifying the AACPS is mechanically and electrically ready for operations; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation; and (3) ensuring that the AACPS is in the correct electrical alignment to supply power to designated safe shutdown loads.

Prior to relying on its availability, a permanent AACPS would be determined to be available by starting the AACPS and Verifying proper operation. In addition, initial and periodic testing, surveillances, and maintenance conform to NUMARC 87-00, Revision 1, Appendix B, "Alternate AC Power Criteria" guidelines. Functional testing, timed starts and load capacity testing on a fuel cycle basis, and surveillance and maintenance will consider manufacturer's recommendations.

The following is a listing of administrative controls when utilizing the extended 14 day CT that will be applicable during DG maintenance windows (as applicable) to deterministically enhance the capability of the plant.

1. The Configuration Risk Management Program (CRMP) (TS 5.5.18) will be applied per 10CFR50.65(a)(4).
2. Weather conditions must be historically conducive to perform planned maintenance on the DG.
3. The offsite power supply and switchyard conditions are conducive to perform maintenance on the DG.
4. Switchyard access will be monitored and controlled.

The second Completion Time for Required Action B.4.2 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to to TXX-07110 Page 1 of 2 ATTACHMENT 4 to TXX-07110 RETYPED TECHNICAL SPECIFICATIONS BASES PAGES (Markup For Information Only)

Pages B 3.8-13

AC Sources - Operating B 3.8.1 Attachment 4 to TXX-07110 Page 2 of 2 BASES ACTIONS B.4.2 (continued)

1. An AACPS may be of a temporary or permanent nature and would not be required to satisfy Class 1E requirements.
2. Dynamic effects of an AACPS failure (GDC 4 events) would not adversely affect safety related plant equipment.
3. An AACPS would not be required to be protected against natural phenomena (GDC 2 events) or abnormal environmental or dynamic effects (GDC 4 events).
4. An AACPS would be started manually or automatically and automatically connected to the bus when it has achieved its rated voltage and speed. The AACPS connection to the bus will occur within 13 minutes of detection of a LOOP. Thus the AACPS would have the capacity required for safe shutdown such that performance of powered equipment is acceptable after a LOOP to the bus.

Prior to relying on its availability, a temporary AACPS would be determined to be available by: (1) starting the AACPS and verifying proper operation; (2) verifying that sufficient fuel is available onsite to support 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation; and (3) ensuring that the AACPS is in the correct electrical alignment to supply power to designated safe shutdown loads.

Subsequently, when not in operation, a status check for availability will also be performed once every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This check consists of (1) verifying the AACPS is mechanically and electrically ready for operations; (2) verifying.

that sufficient fuel is available onsite to support 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation; and (3) ensuring that the AACPS is in the correct electrical alignment to supply power to designated safe shutdown loads.

Prior to relying on its availability, a permanent AACPS would be determined to be available by starting the AACPS and verifying proper operation. In addition, initial and periodic testing, surveillances, and maintenance conform to NUMARC 87-00, Revision 1, Appendix B, "Alternate AC Power Criteria" guidelines. Functional testing, timed starts and load capacity testing on a fuel cycle basis, and surveillance and maintenance will consider manufacturer's recommendations.

The following is a listing of administrative controls when utilizing the extended 14 day CT that will be applicable during DG maintenance windows (as applicable) to deterministically enhance the capability of the plant.

1. The Configuration Risk Management Program (CRMP) (TS 5.5.18) will be applied per 10CFR50.65(a)(4).

(continued)

COMANCHE PEAK - UNITS 1 AND 2 B 3.8-13 Revision to TXX-07110 Page 1 of 3 ATTACHMENT 5 to TXX-07110 PROPOSED COMMITMENTS to TXX-07110 Page 2 of 3 Commitment Commitments Due Date/Event Number 27471 No risk significant switchyard maintenance will be allowed Administrative while an EDG is inoperable. controls in place before CPSES invokes the 14 day CT.

27472 No maintenance or testing that affects the reliability of the train Administrative of safeguards equipment associated with the OPERABLE EDG controls in place will be scheduled during the extended CT. before CPSES invokes the 14 day CT.

27473 For unplanned DG outages, the capability to provide an AACPS Administrative with capacity equal to or greater than the capacity of the controls in place inoperable DG will be available as backup upon entering the before CPSES invokes allowed outage period extension (i.e., by 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> into the 14- the 14 day CT.

day Completion Time).

27474 The scheduling of DG preplanned maintenance will be avoided Administrative during seasons when the probability of severe weather or grid controls in place stress conditions are high or forecasted .to be high. before CPSES invokes the 14 day CT.

27475 For DG outages intentionally planned to exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, an Administrative AACPS with capacity equal to or greater than the capacity of the controls in place inoperable DG will be provided as backup prior to entering the before CPSES invokes 14-day Completion Time. the 14 day CT.

27476 During the extended CT, the transmission grid controller (TGC) Administrative and generation controller will be contacted once per day to controls in place ensure no significant grid perturbations are expected. before CPSES invokes the 14 day CT.

27477 Component testing or maintenance of safety systems and Administrative important non-safety equipment, including offsite power controls in place systems (auxiliary and startup transformers), that increase the before CPSES invokes' likelihood of a plant transient or loss of offsite power will be the 14 day CT.

avoided.

27478 During the extended CT, the turbine-driven auxiliary feedwater Administrative pump will not be voluntarily removed from service for planned controls in place maintenance while a DG is out of service for extended before CPSES invokes maintenance. the 14 day CT.

to TXX-07110 Page 3 of 3 Commitment Commitments Due Date/Event Number 27479 The AACPS will have sufficient fuel oil available for operation Administrative until either offsite power is restored or an emergency diesel is controls in place restored to OPERABLE. before CPSES invokes the 14 day CT.

27482 If any testing or maintenance activities affecting safeguards Administrative equipment associated with the remaining OPERABLE EDG must controls in place be performed while the extended CT is in effect, an evaluation before CPSES invokes will be performed in accordance with Title 10 of the Code of the 14 day CT.

Federal Regulations (10 CFR) Section 50.65(a)(4) and TS 5.5.18, "Configuration Risk Management Program" prior to performance of the activity.

27483 In 13 minutes the AACPS 1E safeguard bus supply breaker will Administrative automatically close on a LOOP, the AACPS will start manually controls in place or automatically, the AACPS breaker will automatically close before CPSES invokes after the AACPS has reached rated voltage and frequency, and the 14 day CT.

the blackout sequencer will automatically load the bus.

27484 The extended CT will be typically used to perform EDG Administrative infrequent inspections and preventive or corrective maintenance controls in place activities in accordance with procedures prepared in conjunction before CPSES invokes with the diesel owners group's preventive maintenance the 14 day CT.

program.

27485 Evolutions that could cause a plant transient will be avoided or Administrative coordinated with EDG maintenance such that these evolutions controls in place will not be concurrent to assure plant stability during EDG before CPSES invokes inoperability. the 14 day CT.

27486 After entering the extended CT, availability of the AACPS will Administrative be verified every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and the AACPS will be treated as controls in place protected equipment. before CPSES invokes the 14 day CT.

27487 The generation controller via ERCOT will inform the plant Administrative operator if conditions change during the extended CT. controls in place before CPSES invokes the 14 day CT.

The Commitment number is used by Luminant Power for the internal tracking of CPSES commitments. CPSES will implement the proposed commitments before invoking the 14 day CT to assure continued safe operation of the plant.

Retrieved from "https://kanterella.com/w/index.php?title=CPSES-200701127,_Response_to_Request_for_Additional_Information_Related_to_License_Amendment_Request_(LAR)_06-009,_Revision_to_Technical_Specification_(TS)_3.8.1,_AC_Sources_-_Operating,_Extension_of_Completion_Times.&oldid=2572962"